github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-14 20:33:31 +00:00
Code Issues Projects Releases Wiki Activity

Allow outputs to keep file/program open

Browse Source 
Add the ability to keep file/program outputs open (i.e. writing to the
same open file/program for multiple notifications). A new option to the
file/program output "keep_alive", if true, keeps the file/program pipe
open across events.

This makes the need for unbuffered output aka
https://github.com/draios/falco/issues/211 more pressing. Will add that next.
This commit is contained in:
Mark Stemm 2017-10-06 14:57:41 -07:00
parent 5420d0e3a0
commit 1635d08df0
3 changed files with 46 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
falco.yaml
View File

@ -53,8 +53,13 @@ outputs:
syslog_output: syslog_output:
enabled: true enabled: true
# If keep_alive is set to true, the file will be opened once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the file will be re-opened
# for each output message.
file_output: file_output:
enabled: false enabled: false
keep_alive: false
filename: ./events.txt filename: ./events.txt
stdout_output: stdout_output:
@ -65,6 +70,8 @@ stdout_output:
# program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" # program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
# - logging (alternate method than syslog): # - logging (alternate method than syslog):
# program: logger -t falco-test # program: logger -t falco-test
# - send over a network connection:
# program: nc host.example.com 80
# If keep_alive is set to true, the program will be started once and # If keep_alive is set to true, the program will be started once and
# continuously written to, with each output message on its own # continuously written to, with each output message on its own

12
userspace/falco/configuration.cpp
View File

@ -71,13 +71,17 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
file_output.name = "file"; file_output.name = "file";
if (m_config->get_scalar<bool>("file_output", "enabled", false)) if (m_config->get_scalar<bool>("file_output", "enabled", false))
{ {
string filename; string filename, keep_alive;
filename = m_config->get_scalar<string>("file_output", "filename", ""); filename = m_config->get_scalar<string>("file_output", "filename", "");
if (filename == string("")) if (filename == string(""))
{ {
throw invalid_argument("Error reading config file (" + m_config_file + "): file output enabled but no filename in configuration block"); throw invalid_argument("Error reading config file (" + m_config_file + "): file output enabled but no filename in configuration block");
} }
file_output.options["filename"] = filename; file_output.options["filename"] = filename;
keep_alive = m_config->get_scalar<string>("file_output", "keep_alive", "");
file_output.options["keep_alive"] = keep_alive;
m_outputs.push_back(file_output); m_outputs.push_back(file_output);
} }
@ -99,13 +103,17 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
program_output.name = "program"; program_output.name = "program";
if (m_config->get_scalar<bool>("program_output", "enabled", false)) if (m_config->get_scalar<bool>("program_output", "enabled", false))
{ {
string program; string program, keep_alive;
program = m_config->get_scalar<string>("program_output", "program", ""); program = m_config->get_scalar<string>("program_output", "program", "");
if (program == string("")) if (program == string(""))
{ {
throw sinsp_exception("Error reading config file (" + m_config_file + "): program output enabled but no program in configuration block"); throw sinsp_exception("Error reading config file (" + m_config_file + "): program output enabled but no program in configuration block");
} }
program_output.options["program"] = program; program_output.options["program"] = program;
keep_alive = m_config->get_scalar<string>("program_output", "keep_alive", "");
program_output.options["keep_alive"] = keep_alive;
m_outputs.push_back(program_output); m_outputs.push_back(program_output);
} }

34
userspace/falco/lua/output.lua
View File

@ -29,7 +29,7 @@ function mod.file_validate(options)
error("File output needs to be configured with a valid filename") error("File output needs to be configured with a valid filename")
end end
file, err = io.open(options.filename, "a+") local file, err = io.open(options.filename, "a+")
if file == nil then if file == nil then
error("Error with file output: "..err) error("Error with file output: "..err)
end end
@ -38,9 +38,21 @@ function mod.file_validate(options)
end end
function mod.file(priority, priority_num, msg, options) function mod.file(priority, priority_num, msg, options)
file = io.open(options.filename, "a+") if options.keep_alive == "true" then
if file == nil then
file = io.open(options.filename, "a+")
end
else
file = io.open(options.filename, "a+")
end
file:write(msg, "\n") file:write(msg, "\n")
file:close()
if options.keep_alive == nil or
options.keep_alive ~= "true" then
file:close()
file = nil
end
end end
function mod.syslog(priority, priority_num, msg, options) function mod.syslog(priority, priority_num, msg, options)
@ -52,10 +64,22 @@ function mod.program(priority, priority_num, msg, options)
-- successfully. However, the luajit we're using returns true even -- successfully. However, the luajit we're using returns true even
-- when the shell can't run the program. -- when the shell can't run the program.
file = io.popen(options.program, "w") -- Note: options are all strings
if options.keep_alive == "true" then
if file == nil then
file = io.popen(options.program, "w")
end
else
file = io.popen(options.program, "w")
end
file:write(msg, "\n") file:write(msg, "\n")
file:close()
if options.keep_alive == nil or
options.keep_alive ~= "true" then
file:close()
file = nil
end
end end
function output_event(event, rule, priority, priority_num, format) function output_event(event, rule, priority, priority_num, format)