github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-10-22 03:49:36 +00:00
Code Issues Projects Releases Wiki Activity

rework digwatch event output handling

Browse Source 
the high-level change is that events matching a rule are now send into a
lua "on_event" function for handling, rather than doing the handling
down in c++.

more specifics:

before, the lua "load_rule" function registered formatters with
associated IDs with the c++ side, which later used this state to
reconcile events with formats and print output accordingly.

now, no such state is kept on the c++ side. the lua "load_rule" function
maintains the id->formatters map, and uses it to print outputs when it
receives events.

this change simplifies the existing flow and will also make the forthcoming
implementation of function outputs far simpler than it would have been
in the current setup.
This commit is contained in:
Henri DF
2016-02-28 21:06:29 -08:00
parent f71de57a90
commit 1c04ed7874
5 changed files with 67 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
userspace/digwatch/lua/compiler.lua
View File

@@ -173,7 +173,7 @@ end
local function rule(filter, output)
if not output then
output = outputformat("")
output = outputformat(nil)
end
return {type = "Rule", filter = filter, output = output}
end

23
userspace/digwatch/lua/rule_loader.lua
View File

@@ -5,6 +5,8 @@
--]]
local DEFAULT_OUTPUT_FORMAT = "%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args"
local compiler = require "compiler"
--[[
@@ -72,7 +74,7 @@ local state
to the line-oriented compiler.
--]]
local function init()
return {macros={}, filter_ast=nil, n_rules=0}
return {macros={}, filter_ast=nil, n_rules=0, outputs={}}
end
@@ -90,8 +92,16 @@ function load_rule(r)
error ("Unexpected type in load_rule: "..line_ast.type)
end
-- Register a formatter with the output string from this rule
digwatch.set_formatter(state.n_rules, line_ast.output.value)
state.n_rules = state.n_rules + 1
local format
if line_ast.output.value==nil then
format = DEFAULT_OUTPUT_FORMAT
else
format = line_ast.output.value
end
state.outputs[state.n_rules] = digwatch.formatter(format)
-- Store the index of this formatter in each relational expression that
-- this rule contains.
@@ -100,8 +110,6 @@ function load_rule(r)
-- event.
mark_relational_nodes(line_ast.filter.value, state.n_rules)
state.n_rules = state.n_rules + 1
-- Rule ASTs are merged together into one big AST, with "OR" between each
-- rule.
if (state.filter_ast == nil) then
@@ -114,3 +122,8 @@ end
function on_done()
install_filter(state.filter_ast)
end
function on_event(evt, rule_id)
print(digwatch.format_event(evt, state.outputs[rule_id]))
end