Move container.info handling to falco engine.

container.info handling used to be handled by the the falco_outputs object. However, this caused problems for applications that only used the falco engine, doing their own output formatting for matching events. Fix this by moving output formatting into the falco engine itself. The part that replaces %container.info/adds extra formatting to the end of a rule's output now happens while loading the rule.
2025-09-02 23:26:24 +00:00 · 2016-11-28 11:31:36 -08:00
parent c6c074ef60
commit 0d46fcf819
8 changed files with 57 additions and 49 deletions
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -38,7 +38,8 @@ string lua_print_stats = "print_stats";
 using namespace std;

 falco_engine::falco_engine(bool seed_rng)
-	: m_rules(NULL), m_sampling_ratio(1), m_sampling_multiplier(0)
+	: m_rules(NULL), m_sampling_ratio(1), m_sampling_multiplier(0),
+	  m_replace_container_info(false)
 {
 	luaopen_lpeg(m_ls);
 	luaopen_yaml(m_ls);
@@ -72,7 +73,7 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
 	{
 		m_rules = new falco_rules(m_inspector, this, m_ls);
 	}
-	m_rules->load_rules(rules_content, verbose, all_events);
+	m_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info);
 }

 void falco_engine::load_rules_file(const string &rules_filename, bool verbose, bool all_events)
@@ -184,6 +185,12 @@ void falco_engine::set_sampling_multiplier(double sampling_multiplier)
 	m_sampling_multiplier = sampling_multiplier;
 }

+void falco_engine::set_extra(string &extra, bool replace_container_info)
+{
+	m_extra = extra;
+	m_replace_container_info = replace_container_info;
+}
+
 inline bool falco_engine::should_drop_evt()
 {
 	if(m_sampling_multiplier == 0)