update(outputs): make tags configurable in json output

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>

falco.yaml

@@ -46,6 +46,12 @@ json_output: false
 # (user=root ....") in the json output.
 json_include_output_property: true
 
+# When using json output, whether or not to include the "tags" property
+# itself in the json output. If set to true, outputs caused by rules
+# with no tags will have a "tags" field set to an empty array. If set to
+# false, the "tags" field will not be included in the json output at all.
+json_include_tags_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true

userspace/engine/falco_engine.cpp

@@ -177,7 +177,8 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
 	// json_output to false.
 	bool json_output = false;
 	bool json_include_output_property = false;
-	falco_formats::init(m_inspector, this, m_ls, json_output, json_include_output_property);
+	bool json_include_tags_property = false;
+	falco_formats::init(m_inspector, this, m_ls, json_output, json_include_output_property, json_include_tags_property);
 
 	m_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info, m_min_priority, required_engine_version);
 }

userspace/engine/formats.cpp

@@ -24,6 +24,7 @@ sinsp *falco_formats::s_inspector = NULL;
 falco_engine *falco_formats::s_engine = NULL;
 bool falco_formats::s_json_output = false;
 bool falco_formats::s_json_include_output_property = true;
+bool falco_formats::s_json_include_tags_property = true;
 std::unique_ptr<sinsp_evt_formatter_cache> falco_formats::s_formatters = NULL;
 
 const static struct luaL_Reg ll_falco[] =
@@ -36,12 +37,14 @@ void falco_formats::init(sinsp *inspector,
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
-			 bool json_include_output_property)
+			 bool json_include_output_property,
+			 bool json_include_tags_property)
 {
 	s_inspector = inspector;
 	s_engine = engine;
 	s_json_output = json_output;
 	s_json_include_output_property = json_include_output_property;
+	s_json_include_tags_property = json_include_tags_property;
 
 	// todo(leogr): we should have used std::make_unique, but we cannot since it's not C++14
 	s_formatters = std::unique_ptr<sinsp_evt_formatter_cache>(new sinsp_evt_formatter_cache(s_inspector));
@@ -207,11 +210,22 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 			event["output"] = line;
 		}
 		
-		for (auto &tag : tags)
+		if(s_json_include_tags_property)
 		{
-			rule_tags[rule_tags_idx++] = tag;
+			if (tags.size() == 0) 
+			{
+				// This sets an empty array
+				rule_tags = Json::arrayValue;
+			}
+			else
+			{
+				for (auto &tag : tags)
+				{
+					rule_tags[rule_tags_idx++] = tag;
+				}
+			}
+			event["tags"] = rule_tags;
 		}
-		event["tags"] = rule_tags;
 
 		full_line = writer.write(event);
 

userspace/engine/formats.h

@@ -37,7 +37,8 @@ public:
 			 falco_engine *engine,
 			 lua_State *ls,
 			 bool json_output,
-			 bool json_include_output_property);
+			 bool json_include_output_property,
+			 bool json_include_tags_property);
 
 	// formatter = falco.formatter(format_string)
 	static int lua_formatter(lua_State *ls);
@@ -56,4 +57,5 @@ public:
 	static std::unique_ptr<sinsp_evt_formatter_cache> s_formatters;
 	static bool s_json_output;
 	static bool s_json_include_output_property;
+	static bool s_json_include_tags_property;
 };

userspace/falco/configuration.cpp

@@ -71,6 +71,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio
 
 	m_json_output = m_config->get_scalar<bool>("json_output", false);
 	m_json_include_output_property = m_config->get_scalar<bool>("json_include_output_property", true);
+	m_json_include_tags_property = m_config->get_scalar<bool>("json_include_tags_property", true);
 
 	falco::outputs::config file_output;
 	file_output.name = "file";

userspace/falco/configuration.h

@@ -195,6 +195,7 @@ public:
 	std::list<std::string> m_rules_filenames;
 	bool m_json_output;
 	bool m_json_include_output_property;
+	bool m_json_include_tags_property;
 	std::string m_log_level;
 	std::vector<falco::outputs::config> m_outputs;
 	uint32_t m_notifications_rate;

userspace/falco/falco.cpp

@@ -1122,6 +1122,7 @@ int falco_init(int argc, char **argv)
 
 		outputs->init(config.m_json_output,
 			config.m_json_include_output_property,
+			config.m_json_include_tags_property,
 			config.m_output_timeout,
 			config.m_notifications_rate, config.m_notifications_max_burst,
 			config.m_buffered_outputs,

userspace/falco/falco_outputs.cpp

@@ -62,6 +62,7 @@ falco_outputs::~falco_outputs()
 
 void falco_outputs::init(bool json_output,
 		  bool json_include_output_property,
+		  bool json_include_tags_property,
 		  uint32_t timeout,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname)
@@ -79,6 +80,7 @@ void falco_outputs::init(bool json_output,
 	// So we can safely update them.
 	falco_formats::s_json_output = json_output;
 	falco_formats::s_json_include_output_property = json_include_output_property;
+	falco_formats::s_json_include_tags_property = json_include_tags_property;
 
 	m_timeout = std::chrono::milliseconds(timeout);
 

userspace/falco/falco_outputs.h

@@ -40,6 +40,7 @@ public:
 
 	void init(bool json_output,
 		  bool json_include_output_property,
+		  bool json_include_tags_property,
 		  uint32_t timeout,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
 		  bool time_format_iso_8601, std::string hostname);