github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-08 01:34:03 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #105 from draios/add-process-output

Browse Source 
Add ability to write output to a program
This commit is contained in:
Mark Stemm 2016-08-04 16:20:48 -07:00 committed by GitHub
commit 00107537b6
3 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
falco.yaml
View File

@ -23,3 +23,6 @@ file_output:
stdout_output: stdout_output:
enabled: true enabled: true
program_output:
enabled: false
program: mail -s "Falco Notification" someone@example.com

14
userspace/falco/configuration.cpp
View File

@ -54,6 +54,20 @@ void falco_configuration::init(string conf_filename, std::list<std::string> &cmd
m_outputs.push_back(syslog_output); m_outputs.push_back(syslog_output);
} }
output_config program_output;
program_output.name = "program";
if (m_config->get_scalar<bool>("program_output", "enabled", false))
{
string program;
program = m_config->get_scalar<string>("program_output", "program", "");
if (program == string(""))
{
throw sinsp_exception("Error reading config file (" + m_config_file + "): program output enabled but no program in configuration block");
}
program_output.options["program"] = program;
m_outputs.push_back(program_output);
}
if (m_outputs.size() == 0) if (m_outputs.size() == 0)
{ {
throw sinsp_exception("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block"); throw sinsp_exception("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");

18
userspace/falco/lua/output.lua
View File

@ -27,7 +27,7 @@ function mod.file_validate(options)
end end
function mod.file(evt, rule, level, format, options) function mod.file(evt, rule, level, format, options)
format = "%evt.time: "..levels[level+1].." "..format format = "*%evt.time: "..levels[level+1].." "..format
formatter = falco.formatter(format) formatter = falco.formatter(format)
msg = falco.format_event(evt, rule, levels[level+1], formatter) msg = falco.format_event(evt, rule, levels[level+1], formatter)
@ -43,6 +43,22 @@ function mod.syslog(evt, rule, level, format)
falco.syslog(level, msg) falco.syslog(level, msg)
end end
function mod.program(evt, rule, level, format, options)
format = "*%evt.time: "..levels[level+1].." "..format
formatter = falco.formatter(format)
msg = falco.format_event(evt, rule, levels[level+1], formatter)
-- XXX Ideally we'd check that the program ran
-- successfully. However, the luajit we're using returns true even
-- when the shell can't run the program.
file = io.popen(options.program, "w")
file:write(msg, "\n")
file:close()
end
function mod.event(event, rule, level, format) function mod.event(event, rule, level, format)
for index,o in ipairs(outputs) do for index,o in ipairs(outputs) do
o.output(event, rule, level, format, o.config) o.output(event, rule, level, format, o.config)