new(userspace,cmake): honor new plugins exposed suggested output formats.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

falco.yaml

@@ -575,6 +575,12 @@ buffered_outputs: false
 # deploying it in production.
 rule_matching: first
 
+# [Incubating] `suggested_formats`
+#
+# When enabled, Falco will honor requests by extractor plugins
+# that suggest certain fields to be part of outputs.
+suggested_formats: true
+
 # [Stable] `outputs_queue`
 #
 # Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter

userspace/falco/app/actions/init_falco_engine.cpp

@@ -18,10 +18,23 @@ limitations under the License.
 #include "actions.h"
 #include <libsinsp/plugin_manager.h>
 #include <falco_common.h>
+#include <algorithm>
 
 using namespace falco::app;
 using namespace falco::app::actions;
 
+static inline std::string format_suggested_field(const filter_check_info* info) {
+	std::ostringstream out;
+
+	// Replace "foo.bar" with "foo_bar"
+	auto name = info->m_name;
+	std::replace(name.begin(), name.end(), '.', '_');
+
+	// foo_bar=%foo.bar
+	out << name << "=%" << info->m_name;
+	return out.str();
+}
+
 void configure_output_format(falco::app::state& s) {
 	for(auto& eo : s.config->m_append_output) {
 		if(eo.m_format != "") {
@@ -45,6 +58,25 @@ void configure_output_format(falco::app::state& s) {
 		}
 	}
 
+	// Add suggested filtercheck formats to each source output
+	if(s.config->m_suggested_formats) {
+		for(auto& src : s.loaded_sources) {
+			auto src_info = s.source_infos.at(src);
+			auto& filterchecks = *src_info->filterchecks;
+			std::vector<const filter_check_info*> fields;
+			filterchecks.get_all_fields(fields);
+			for(const auto& fld : fields) {
+				if(fld->m_flags & EPF_FORMAT_SUGGESTED) {
+					s.engine->add_extra_output_format(format_suggested_field(fld),
+					                                  src,
+					                                  {},
+					                                  "",
+					                                  false);
+				}
+			}
+		}
+	}
+
 	// See https://falco.org/docs/rules/style-guide/
 	const std::string container_info =
 	        "container_id=%container.id container_image=%container.image.repository "

userspace/falco/configuration.cpp

@@ -72,6 +72,7 @@ falco_configuration::falco_configuration():
         m_rule_matching(falco_common::rule_matching::FIRST),
         m_watch_config_files(true),
         m_buffered_outputs(false),
+        m_suggested_formats(true),
         m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
         m_time_format_iso_8601(false),
         m_buffer_format_base64(false),
@@ -484,6 +485,7 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_buffered_outputs = m_config.get_scalar<bool>("buffered_outputs", false);
+	m_suggested_formats = m_config.get_scalar<bool>("suggested_formats", true);
 	m_outputs_queue_capacity =
 	        m_config.get_scalar<size_t>("outputs_queue.capacity",
 	                                    DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE);

userspace/falco/configuration.h

@@ -155,6 +155,7 @@ public:
 	bool m_time_format_iso_8601;
 	bool m_buffer_format_base64;
 	uint32_t m_output_timeout;
+	bool m_suggested_formats;
 
 	bool m_grpc_enabled;
 	uint32_t m_grpc_threadiness;