Skip output json format (#342)

* Add option to exclude output property in json fmt

New falco.yaml option json_include_output_property controls whether the
formatted string "output" is included in the json object when json
output is enabled. By default the string is included.

* Add tests for new json output option

New test sets json_include_output_property to false and then verifies
that the json output does *not* contain the surrounding text "Warning an
open...".
Mark Stemm
2018-03-28 11:24:09 -07:00
committed by GitHub
parent a3f53138d3
commit 2a3ca21779
11 changed files with 45 additions and 11 deletions


@@ -88,7 +88,8 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
// formats.formatter is used, so we can unconditionally set
// json_output to false.
bool json_output = false;
falco_formats::init(m_inspector, m_ls, json_output);
bool json_include_output_property = false;
falco_formats::init(m_inspector, m_ls, json_output, json_include_output_property);
m_rules->load_rules(rules_content, verbose, all_events, m_extra, m_replace_container_info, m_min_priority);
}
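Review bot: The comment two lines above the new local still explains only why json_output is unconditionally false, so `bool json_include_output_property = false;` appears with no rationale even though the value is irrelevant here for the same reason. Extend that comment to `// formats.formatter is used, so we can unconditionally set json_output (and json_include_output_property) to false.` so the next reader does not take the false as a deliberate choice for the engine path. The two adjacent bool arguments to init are easy to transpose at a call site, so keeping them as named locals, as done here, is the right call. load_rules begins before this hunk.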


@@ -25,6 +25,7 @@ along with falco. If not, see <http://www.gnu.org/licenses/>.
sinsp* falco_formats::s_inspector = NULL;
bool falco_formats::s_json_output = false;
bool falco_formats::s_json_include_output_property = true;
sinsp_evt_formatter_cache *falco_formats::s_formatters = NULL;
const static struct luaL_reg ll_falco [] =
@@ -36,10 +37,11 @@ const static struct luaL_reg ll_falco [] =
{NULL,NULL}
};
void falco_formats::init(sinsp* inspector, lua_State *ls, bool json_output)
void falco_formats::init(sinsp* inspector, lua_State *ls, bool json_output, bool json_include_output_property)
{
s_inspector = inspector;
s_json_output = json_output;
s_json_include_output_property = json_include_output_property;
if(!s_formatters)
{
s_formatters = new sinsp_evt_formatter_cache(s_inspector);
@@ -155,8 +157,12 @@ int falco_formats::format_event (lua_State *ls)
event["time"] = iso8601evttime;
event["rule"] = rule;
event["priority"] = level;
// This is the filled-in output line.
event["output"] = line;
if(s_json_include_output_property)
{
// This is the filled-in output line.
event["output"] = line;
}
full_line = writer.write(event);
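Review bot: When s_json_include_output_property is false the guard in format_event leaves the "output" key out of the event object altogether rather than emitting an empty string, which is a contract change for any consumer that indexes the key unconditionally; the comment inside the guard should say so, e.g. `// Only emitted when json_include_output_property is set; consumers must treat the key as optional.` The same flag is stored by init two hunks up into a plain static that carries no description at its definition, so a one-line note there (`// When false, format_event omits the formatted "output" string from JSON events`) would help too. format_event starts and continues outside this hunk.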


@@ -31,7 +31,7 @@ class sinsp_evt_formatter;
class falco_formats
{
public:
static void init(sinsp* inspector, lua_State *ls, bool json_output);
static void init(sinsp* inspector, lua_State *ls, bool json_output, bool json_include_output_property);
// formatter = falco.formatter(format_string)
static int formatter(lua_State *ls);
@@ -48,4 +48,5 @@ class falco_formats
static sinsp* s_inspector;
static sinsp_evt_formatter_cache *s_formatters;
static bool s_json_output;
static bool s_json_include_output_property;
};
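Review bot: The new init parameter and the new static are declared without any description, and this header is where a caller would look first; add `// When false, the formatted "output" string is omitted from JSON events.` above the init declaration. Adding a required bool to init means every caller must change in the same commit, and with two adjacent bool arguments a transposed call site still compiles; a default of `= true` on json_include_output_property, matching the static's initialiser in the .cpp, would keep existing callers compiling, at the cost of silently taking the default where a caller should have chosen explicitly, so I would only add it if unchanged external callers are expected.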