refactor: remove refs to gen_event class family

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-08-12 11:32:39 +00:00 · 2024-02-01 13:10:13 +00:00 · 2024-02-01 13:10:13 +00:00 · 4cffcedba1
commit 4cffcedba1
parent 0613f11980
21 changed files with 87 additions and 98 deletions
--- a/unit_tests/engine/test_add_source.cpp
+++ b/unit_tests/engine/test_add_source.cpp
@ -31,7 +31,7 @@ namespace
 class test_ruleset_factory : public evttype_index_ruleset_factory
 {
 public:
-	test_ruleset_factory(std::shared_ptr<gen_event_filter_factory> factory):
+	test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> factory):
 		evttype_index_ruleset_factory(factory)
 	{
 		ruleset = evttype_index_ruleset_factory::new_ruleset();
@ -54,9 +54,9 @@ TEST(AddSource, basic)
 	sinsp inspector;
 	sinsp_filter_check_list filterchecks;
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 	test_ruleset_factory *test_factory = new test_ruleset_factory(filter_factory);
 	auto ruleset_factory = std::shared_ptr<filter_ruleset_factory>(test_factory);
--- a/unit_tests/engine/test_alt_rule_loader.cpp
+++ b/unit_tests/engine/test_alt_rule_loader.cpp
@ -124,7 +124,7 @@ protected:
 class test_ruleset : public evttype_index_ruleset
 {
 public:
-	test_ruleset(std::shared_ptr<gen_event_filter_factory> factory):
+	test_ruleset(std::shared_ptr<sinsp_filter_factory> factory):
 		evttype_index_ruleset(factory){};
 	virtual ~test_ruleset() = default;
@ -154,7 +154,7 @@ public:
 class test_ruleset_factory : public filter_ruleset_factory
 {
 public:
-	test_ruleset_factory(std::shared_ptr<gen_event_filter_factory> factory):
+	test_ruleset_factory(std::shared_ptr<sinsp_filter_factory> factory):
 		m_filter_factory(factory)
 	{
 	}
@ -167,7 +167,7 @@ public:
 		return ret;
 	}
-	std::shared_ptr<gen_event_filter_factory> m_filter_factory;
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
 };
 }; // namespace
@ -235,9 +235,9 @@ static std::shared_ptr<rule_loader::configuration> create_configuration(sinsp& i
 									sinsp_filter_check_list& filterchecks,
 									indexed_vector<falco_source>& sources)
 {
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 	auto ruleset_factory = std::shared_ptr<filter_ruleset_factory>(
 		new evttype_index_ruleset_factory(filter_factory));
@ -330,9 +330,9 @@ TEST(engine_loader_alt_loader, falco_engine_alternate_loader)
 	sinsp inspector;
 	sinsp_filter_check_list filterchecks;
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 	auto ruleset_factory = std::shared_ptr<filter_ruleset_factory>(
 		new test_ruleset_factory(filter_factory));
--- a/unit_tests/engine/test_enable_rule.cpp
+++ b/unit_tests/engine/test_enable_rule.cpp
@ -56,9 +56,9 @@ static void load_rules(falco_engine& engine, sinsp& inspector, sinsp_filter_chec
 {
 	std::unique_ptr<falco::load_result> res;
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(&inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(&inspector, filterchecks));
 	engine.add_source("syscall", filter_factory, formatter_factory);
--- a/unit_tests/engine/test_rulesets.cpp
+++ b/unit_tests/engine/test_rulesets.cpp
@ -23,31 +23,31 @@ limitations under the License.
 #define RULESET_2 2
 /* Helpers methods */
-static std::shared_ptr<gen_event_filter_factory> create_factory(filter_check_list& list)
+static std::shared_ptr<sinsp_filter_factory> create_factory(filter_check_list& list)
 {
-	std::shared_ptr<gen_event_filter_factory> ret(new sinsp_filter_factory(NULL, list));
+	std::shared_ptr<sinsp_filter_factory> ret(new sinsp_filter_factory(NULL, list));
 	return ret;
 }
-static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<gen_event_filter_factory> f)
+static std::shared_ptr<filter_ruleset> create_ruleset(std::shared_ptr<sinsp_filter_factory> f)
 {
 	std::shared_ptr<filter_ruleset> ret(new evttype_index_ruleset(f));
 	return ret;
 }
-static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(std::shared_ptr<gen_event_filter_factory> f)
+static std::shared_ptr<libsinsp::filter::ast::expr> create_ast(std::shared_ptr<sinsp_filter_factory> f)
 {
 	libsinsp::filter::parser parser("evt.type=open");
 	std::shared_ptr<libsinsp::filter::ast::expr> ret(parser.parse());
 	return ret;
 }
-static std::shared_ptr<gen_event_filter> create_filter(
+static std::shared_ptr<sinsp_filter> create_filter(
-	std::shared_ptr<gen_event_filter_factory> f,
+	std::shared_ptr<sinsp_filter_factory> f,
 	std::shared_ptr<libsinsp::filter::ast::expr> ast)
 {
 	sinsp_filter_compiler compiler(f, ast.get());
-	std::shared_ptr<gen_event_filter> filter(compiler.compile());
+	std::shared_ptr<sinsp_filter> filter(compiler.compile());
 	return filter;
 }
--- a/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
+++ b/unit_tests/falco/app/actions/test_configure_interesting_sets.cpp
@ -79,9 +79,9 @@ static std::shared_ptr<falco_engine> mock_engine_from_filters(const strset_t& fi
 	// create a falco engine and load the ruleset
 	sinsp_filter_check_list filterlist;
 	std::shared_ptr<falco_engine> res(new falco_engine());
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 			new sinsp_filter_factory(nullptr, filterlist));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 			new sinsp_evt_formatter_factory(nullptr, filterlist));
 	res->add_source(s_sample_source, filter_factory, formatter_factory);
 	res->load_rules(dummy_rules, "dummy_rules.yaml");
--- a/userspace/engine/evttype_index_ruleset.cpp
+++ b/userspace/engine/evttype_index_ruleset.cpp
@ -20,7 +20,7 @@ limitations under the License.
 #include <algorithm>
 evttype_index_ruleset::evttype_index_ruleset(
-	std::shared_ptr<gen_event_filter_factory> f): m_filter_factory(f)
+	std::shared_ptr<sinsp_filter_factory> f): m_filter_factory(f)
 {
 }
@ -111,7 +111,7 @@ uint64_t evttype_index_ruleset::ruleset_filters::num_filters()
 	return m_filters.size();
 }
-bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& match)
+bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, falco_rule& match)
 {
    if(evt->get_type() < m_filter_by_event_type.size())
    {
@ -138,7 +138,7 @@ bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, falco_rule& mat
 	return false;
 }
-bool evttype_index_ruleset::ruleset_filters::run(gen_event *evt, std::vector<falco_rule>& matches)
+bool evttype_index_ruleset::ruleset_filters::run(sinsp_evt *evt, std::vector<falco_rule>& matches)
 {
 	bool match_found = false;
@ -194,7 +194,7 @@ libsinsp::events::set<ppm_event_code> evttype_index_ruleset::ruleset_filters::ev
 void evttype_index_ruleset::add(
 		const falco_rule& rule,
-		std::shared_ptr<gen_event_filter> filter,
+		std::shared_ptr<sinsp_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition)
 {
 	try
@ -332,7 +332,7 @@ uint64_t evttype_index_ruleset::enabled_count(uint16_t ruleset_id)
 	return m_rulesets[ruleset_id]->num_filters();
 }
-bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t ruleset_id)
+bool evttype_index_ruleset::run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id)
 {
 	if(m_rulesets.size() < (size_t)ruleset_id + 1)
 	{
@ -342,7 +342,7 @@ bool evttype_index_ruleset::run(gen_event *evt, falco_rule& match, uint16_t rule
 	return m_rulesets[ruleset_id]->run(evt, match);
 }
-bool evttype_index_ruleset::run(gen_event *evt, std::vector<falco_rule>& matches, uint16_t ruleset_id)
+bool evttype_index_ruleset::run(sinsp_evt *evt, std::vector<falco_rule>& matches, uint16_t ruleset_id)
 {
 	if(m_rulesets.size() < (size_t)ruleset_id + 1)
 	{
--- a/userspace/engine/evttype_index_ruleset.h
+++ b/userspace/engine/evttype_index_ruleset.h
@ -27,7 +27,6 @@ limitations under the License.
 #include <libsinsp/sinsp.h>
 #include <libsinsp/filter.h>
 #include <libsinsp/event.h>
 #include <libsinsp/gen_filter.h>
 /*!
 	\brief A filter_ruleset that indexes enabled rules by event type,
@ -36,18 +35,18 @@ limitations under the License.
 class evttype_index_ruleset: public filter_ruleset
 {
 public:
-	evttype_index_ruleset(std::shared_ptr<gen_event_filter_factory> factory);
+	evttype_index_ruleset(std::shared_ptr<sinsp_filter_factory> factory);
 	virtual ~evttype_index_ruleset();
 	void add(
 		const falco_rule& rule,
-		std::shared_ptr<gen_event_filter> filter,
+		std::shared_ptr<sinsp_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition) override;
 	void clear() override;
-	bool run(gen_event *evt, falco_rule& match, uint16_t ruleset_id) override;
+	bool run(sinsp_evt *evt, falco_rule& match, uint16_t ruleset_id) override;
-	bool run(gen_event *evt, std::vector<falco_rule>&matches, uint16_t ruleset_id) override;
+	bool run(sinsp_evt *evt, std::vector<falco_rule>&matches, uint16_t ruleset_id) override;
 	uint64_t enabled_count(uint16_t ruleset_id) override;
@ -102,7 +101,7 @@ private:
 		falco_rule rule;
 		libsinsp::events::set<ppm_sc_code> sc_codes;
 		libsinsp::events::set<ppm_event_code> event_codes;
-		std::shared_ptr<gen_event_filter> filter;
+		std::shared_ptr<sinsp_filter> filter;
 	};
 	typedef std::list<std::shared_ptr<filter_wrapper>> filter_wrapper_list;
@ -121,11 +120,11 @@ private:
 		// Evaluate an event against the ruleset and return the first rule
 		// that matched.
-		bool run(gen_event *evt, falco_rule& match);
+		bool run(sinsp_evt *evt, falco_rule& match);
 		//  Evaluate an event against the ruleset and return all the 
 		//	matching rules. 
-		bool run(gen_event *evt, std::vector<falco_rule>& matches);
+		bool run(sinsp_evt *evt, std::vector<falco_rule>& matches);
 		libsinsp::events::set<ppm_sc_code> sc_codes();
@ -152,7 +151,7 @@ private:
 	// All filters added. The set of enabled filters is held in m_rulesets
 	std::set<std::shared_ptr<filter_wrapper>> m_filters;
-	std::shared_ptr<gen_event_filter_factory> m_filter_factory;
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
 	std::vector<std::string> m_ruleset_names;
 };
@ -160,7 +159,7 @@ class evttype_index_ruleset_factory: public filter_ruleset_factory
 {
 public:
 	inline evttype_index_ruleset_factory(
-		std::shared_ptr<gen_event_filter_factory> factory
+		std::shared_ptr<sinsp_filter_factory> factory
 	): m_filter_factory(factory) { }
 	inline std::shared_ptr<filter_ruleset> new_ruleset() override
@ -171,5 +170,5 @@ public:
 	}
 private:
-	std::shared_ptr<gen_event_filter_factory> m_filter_factory;
+	std::shared_ptr<sinsp_filter_factory> m_filter_factory;
 };
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@ -115,7 +115,7 @@ std::shared_ptr<rule_loader::compiler> falco_engine::get_rule_compiler()
 // Return a key that uniquely represents a field class.
 // For now, we assume name + shortdesc is unique.
-static std::string fieldclass_key(const gen_event_filter_factory::filter_fieldclass_info &fld_info)
+static std::string fieldclass_key(const sinsp_filter_factory::filter_fieldclass_info &fld_info)
 {
 	return fld_info.name + fld_info.shortdesc;
 }
@ -372,14 +372,14 @@ libsinsp::events::set<ppm_event_code> falco_engine::event_codes_for_ruleset(cons
 	return find_source(source)->ruleset->enabled_event_codes(find_ruleset_id(ruleset));
 }
-std::shared_ptr<gen_event_formatter> falco_engine::create_formatter(const std::string &source,
+std::shared_ptr<sinsp_evt_formatter> falco_engine::create_formatter(const std::string &source,
 								    const std::string &output) const
 {
 	return find_source(source)->formatter_factory->create_formatter(output);
 }
 std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
-	gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy)
+	sinsp_evt *ev, uint16_t ruleset_id, falco_common::rule_matching strategy)
 {
 	// note: there are no thread-safety guarantees on the filter_ruleset::run()
 	// method, but the thread-safety assumptions of falco_engine::process_event()
@ -437,14 +437,14 @@ std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_ev
 }
 std::unique_ptr<std::vector<falco_engine::rule_result>> falco_engine::process_event(std::size_t source_idx,
-	gen_event *ev, falco_common::rule_matching strategy)
+	sinsp_evt *ev, falco_common::rule_matching strategy)
 {
 	return process_event(source_idx, ev, m_default_ruleset_id, strategy);
 }
 std::size_t falco_engine::add_source(const std::string &source,
-				     std::shared_ptr<gen_event_filter_factory> filter_factory,
+				     std::shared_ptr<sinsp_filter_factory> filter_factory,
-				     std::shared_ptr<gen_event_formatter_factory> formatter_factory)
+				     std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory)
 {
 	// evttype_index_ruleset is the default ruleset implementation
 	std::shared_ptr<filter_ruleset_factory> ruleset_factory(
@ -460,8 +460,8 @@ std::size_t falco_engine::add_source(const std::string &source,
 }
 std::size_t falco_engine::add_source(const std::string &source,
-	std::shared_ptr<gen_event_filter_factory> filter_factory,
+	std::shared_ptr<sinsp_filter_factory> filter_factory,
-	std::shared_ptr<gen_event_formatter_factory> formatter_factory,
+	std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory,
 	std::shared_ptr<filter_ruleset_factory> ruleset_factory)
 {
 	falco_source src;
@ -892,22 +892,22 @@ bool falco_engine::is_source_valid(const std::string &source) const
 	return m_sources.at(source) != nullptr;
 }
-std::shared_ptr<gen_event_filter_factory> falco_engine::filter_factory_for_source(const std::string& source)
+std::shared_ptr<sinsp_filter_factory> falco_engine::filter_factory_for_source(const std::string& source)
 {
 	return find_source(source)->filter_factory;
 }
-std::shared_ptr<gen_event_filter_factory> falco_engine::filter_factory_for_source(std::size_t source_idx)
+std::shared_ptr<sinsp_filter_factory> falco_engine::filter_factory_for_source(std::size_t source_idx)
 {
 	return find_source(source_idx)->filter_factory;
 }
-std::shared_ptr<gen_event_formatter_factory> falco_engine::formatter_factory_for_source(const std::string& source)
+std::shared_ptr<sinsp_evt_formatter_factory> falco_engine::formatter_factory_for_source(const std::string& source)
 {
 	return find_source(source)->formatter_factory;
 }
-std::shared_ptr<gen_event_formatter_factory> falco_engine::formatter_factory_for_source(std::size_t source_idx)
+std::shared_ptr<sinsp_evt_formatter_factory> falco_engine::formatter_factory_for_source(std::size_t source_idx)
 {
 	return find_source(source_idx)->formatter_factory;
 }
--- a/userspace/engine/falco_engine.h
+++ b/userspace/engine/falco_engine.h
@ -15,12 +15,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Gen filtering TODO
 //  - DONE Clean up use/sharing of factories amongst engine-related classes.
 //  - DONE Fix outputs to actually use factories
 //  - Review gen_filter apis to see if they have only the required interfaces
 //  - Fix json filterchecks to split json and evt.time filterchecks.
 #pragma once
 #include <atomic>
@ -30,7 +24,6 @@ limitations under the License.
 #include <nlohmann/json.hpp>
 #include <libsinsp/gen_filter.h>
 #include "filter_ruleset.h"
 #include "rule_loader.h"
 #include "rule_loader_reader.h"
@ -180,7 +173,7 @@ public:
 	// Represents the result of matching an event against a set of
 	// rules.
 	struct rule_result {
-		gen_event *evt;
+		sinsp_evt *evt;
 		std::string rule;
 		std::string source;
 		falco_common::priority_type priority_num;
@ -214,7 +207,7 @@ public:
 	// concurrently with the same source_idx would inherently cause data races
 	// and lead to undefined behavior.
 	std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx,
-		gen_event *ev, uint16_t ruleset_id, falco_common::rule_matching strategy);
+		sinsp_evt *ev, uint16_t ruleset_id, falco_common::rule_matching strategy);
 	//
 	// Wrapper assuming the default ruleset.
@ -222,7 +215,7 @@ public:
 	// This inherits the same thread-safety guarantees.
 	//
 	std::unique_ptr<std::vector<rule_result>> process_event(std::size_t source_idx,
-		gen_event *ev, falco_common::rule_matching strategy);
+		sinsp_evt *ev, falco_common::rule_matching strategy);
 	//
 	// Configure the engine to support events with the provided
@ -230,16 +223,16 @@ public:
 	// Return source index for fast lookup.
 	//
 	std::size_t add_source(const std::string &source,
-			       std::shared_ptr<gen_event_filter_factory> filter_factory,
+			       std::shared_ptr<sinsp_filter_factory> filter_factory,
-			       std::shared_ptr<gen_event_formatter_factory> formatter_factory);
+			       std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory);
 	//
 	// Equivalent to above, but allows specifying a ruleset factory
 	// for the newly added source.
 	//
 	std::size_t add_source(const std::string &source,
-			       std::shared_ptr<gen_event_filter_factory> filter_factory,
+			       std::shared_ptr<sinsp_filter_factory> filter_factory,
-			       std::shared_ptr<gen_event_formatter_factory> formatter_factory,
+			       std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory,
 			       std::shared_ptr<filter_ruleset_factory> ruleset_factory);
 	// Return whether or not there is a valid filter/formatter
@ -250,15 +243,15 @@ public:
 	// Given a source, return a formatter factory that can create
 	// filters for events of that source.
 	//
-	std::shared_ptr<gen_event_filter_factory> filter_factory_for_source(const std::string& source);
+	std::shared_ptr<sinsp_filter_factory> filter_factory_for_source(const std::string& source);
-	std::shared_ptr<gen_event_filter_factory> filter_factory_for_source(std::size_t source_idx);
+	std::shared_ptr<sinsp_filter_factory> filter_factory_for_source(std::size_t source_idx);
 	//
 	// Given a source, return a formatter factory that can create
 	// formatters for an event.
 	//
-	std::shared_ptr<gen_event_formatter_factory> formatter_factory_for_source(const std::string& source);
+	std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory_for_source(const std::string& source);
-	std::shared_ptr<gen_event_formatter_factory> formatter_factory_for_source(std::size_t source_idx);
+	std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory_for_source(std::size_t source_idx);
 	//
 	// Given a source, return a ruleset factory that can create
@ -300,10 +293,10 @@ public:
 	//
 	// Given a source and output string, return an
-	// gen_event_formatter that can format output strings for an
+	// sinsp_evt_formatter that can format output strings for an
 	// event.
 	//
-	std::shared_ptr<gen_event_formatter> create_formatter(const std::string &source,
+	std::shared_ptr<sinsp_evt_formatter> create_formatter(const std::string &source,
 							      const std::string &output) const;
 	// The rule loader definition is aliased as it is exactly what we need
--- a/userspace/engine/falco_rule.h
+++ b/userspace/engine/falco_rule.h
@ -83,5 +83,5 @@ struct falco_rule
 	std::set<std::string> exception_fields;
 	falco_common::priority_type priority;
 	std::shared_ptr<libsinsp::filter::ast::expr> condition;
-	std::shared_ptr<gen_event_filter> filter;
+	std::shared_ptr<sinsp_filter> filter;
 };
--- a/userspace/engine/falco_source.h
+++ b/userspace/engine/falco_source.h
@ -49,8 +49,8 @@ struct falco_source
 	std::string name;
 	std::shared_ptr<filter_ruleset> ruleset;
 	std::shared_ptr<filter_ruleset_factory> ruleset_factory;
-	std::shared_ptr<gen_event_filter_factory> filter_factory;
+	std::shared_ptr<sinsp_filter_factory> filter_factory;
-	std::shared_ptr<gen_event_formatter_factory> formatter_factory;
+	std::shared_ptr<sinsp_evt_formatter_factory> formatter_factory;
 	// Used by the filter_ruleset interface. Filled in when a rule
 	// matches an event.
--- a/userspace/engine/filter_ruleset.h
+++ b/userspace/engine/filter_ruleset.h
@ -22,7 +22,6 @@ limitations under the License.
 #include <libsinsp/filter/ast.h>
 #include <libsinsp/filter.h>
 #include <libsinsp/event.h>
 #include <libsinsp/gen_filter.h>
 #include <libsinsp/events/sinsp_events.h>
 /*!
@ -61,7 +60,7 @@ public:
 	*/
 	virtual void add(
 		const falco_rule& rule,
-		std::shared_ptr<gen_event_filter> filter,
+		std::shared_ptr<sinsp_filter> filter,
 		std::shared_ptr<libsinsp::filter::ast::expr> condition) = 0;
 	/*!
@ -114,7 +113,7 @@ public:
 		\param ruleset_id The id of the ruleset to be used
 	*/
 	virtual bool run(
-		gen_event *evt,
+		sinsp_evt *evt,
 		falco_rule& match,
 		uint16_t ruleset_id) = 0;
@ -127,7 +126,7 @@ public:
 		\param ruleset_id The id of the ruleset to be used
 	*/
 	virtual bool run(
-		gen_event *evt,
+		sinsp_evt *evt,
 		std::vector<falco_rule>& matches,
 		uint16_t ruleset_id) = 0;
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@ -33,20 +33,20 @@ falco_formats::~falco_formats()
 {
 }
-std::string falco_formats::format_event(gen_event *evt, const std::string &rule, const std::string &source,
+std::string falco_formats::format_event(sinsp_evt *evt, const std::string &rule, const std::string &source,
 				   const std::string &level, const std::string &format, std::set<std::string> &tags,
 				   const std::string &hostname) const
 {
 	std::string line;
-	std::shared_ptr<gen_event_formatter> formatter;
+	std::shared_ptr<sinsp_evt_formatter> formatter;
 	formatter = m_falco_engine->create_formatter(source, format);
 	// Format the original output string, regardless of output format
-	formatter->tostring_withformat(evt, line, gen_event_formatter::OF_NORMAL);
+	formatter->tostring_withformat(evt, line, sinsp_evt_formatter::OF_NORMAL);
-	if(formatter->get_output_format() == gen_event_formatter::OF_JSON)
+	if(formatter->get_output_format() == sinsp_evt_formatter::OF_JSON)
 	{
 		std::string json_line;
@ -131,10 +131,10 @@ std::string falco_formats::format_event(gen_event *evt, const std::string &rule,
 	return line.c_str();
 }
-std::map<std::string, std::string> falco_formats::get_field_values(gen_event *evt, const std::string &source,
+std::map<std::string, std::string> falco_formats::get_field_values(sinsp_evt *evt, const std::string &source,
 						    const std::string &format) const
 {
-	std::shared_ptr<gen_event_formatter> formatter;
+	std::shared_ptr<sinsp_evt_formatter> formatter;
 	formatter = m_falco_engine->create_formatter(source, format);
--- a/userspace/engine/formats.h
+++ b/userspace/engine/formats.h
@ -19,7 +19,6 @@ limitations under the License.
 #include <string>
 #include <map>
 #include <libsinsp/gen_filter.h>
 #include "falco_engine.h"
 class falco_formats
@ -30,11 +29,11 @@ public:
 		      bool json_include_tags_property);
 	virtual ~falco_formats();
-	std::string format_event(gen_event *evt, const std::string &rule, const std::string &source,
+	std::string format_event(sinsp_evt *evt, const std::string &rule, const std::string &source,
 				 const std::string &level, const std::string &format, std::set<std::string> &tags,
 				 const std::string &hostname) const;
-	std::map<std::string, std::string> get_field_values(gen_event *evt, const std::string &source,
+	std::map<std::string, std::string> get_field_values(sinsp_evt *evt, const std::string &source,
 					     const std::string &format) const ;
 protected:
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@ -60,7 +60,7 @@ static bool is_format_valid(const falco_source& source, std::string fmt, std::st
 {
 	try
 	{
-		std::shared_ptr<gen_event_formatter> formatter;
+		std::shared_ptr<sinsp_evt_formatter> formatter;
 		formatter = source.formatter_factory->create_formatter(fmt);
 		return true;
 	}
@ -410,13 +410,13 @@ bool rule_loader::compiler::compile_condition(
 	indexed_vector<falco_list>& lists,
 	const indexed_vector<rule_loader::macro_info>& macros,
 	const std::string& condition,
-	std::shared_ptr<gen_event_filter_factory> filter_factory,
+	std::shared_ptr<sinsp_filter_factory> filter_factory,
 	rule_loader::context cond_ctx,
 	rule_loader::context parent_ctx,
 	bool allow_unknown_fields,
 	indexed_vector<falco_macro>& macros_out,
 	std::shared_ptr<libsinsp::filter::ast::expr>& ast_out,
-	std::shared_ptr<gen_event_filter>& filter_out) const
+	std::shared_ptr<sinsp_filter>& filter_out) const
 {
 	std::set<falco::load_result::load_result::warning_code> warn_codes;
 	filter_warning_resolver warn_resolver;
--- a/userspace/engine/rule_loader_compiler.h
+++ b/userspace/engine/rule_loader_compiler.h
@ -64,13 +64,13 @@ protected:
 		indexed_vector<falco_list>& lists,
 		const indexed_vector<rule_loader::macro_info>& macros,
 		const std::string& condition,
-		std::shared_ptr<gen_event_filter_factory> filter_factory,
+		std::shared_ptr<sinsp_filter_factory> filter_factory,
 		rule_loader::context cond_ctx,
 		rule_loader::context parent_ctx,
 		bool allow_unknown_fields,
 		indexed_vector<falco_macro>& macros_out,
 		std::shared_ptr<libsinsp::filter::ast::expr>& ast_out,
-		std::shared_ptr<gen_event_filter>& filter_out) const;
+		std::shared_ptr<sinsp_filter>& filter_out) const;
 private:
 	void compile_list_infos(
--- a/userspace/falco/app/actions/init_falco_engine.cpp
+++ b/userspace/falco/app/actions/init_falco_engine.cpp
@ -69,14 +69,14 @@ void add_source_to_engine(falco::app::state& s, const std::string& src)
 	auto& filterchecks = *src_info->filterchecks.get();
 	auto* inspector = src_info->inspector.get();
-	auto filter_factory = std::shared_ptr<gen_event_filter_factory>(
+	auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
 		new sinsp_filter_factory(inspector, filterchecks));
-	auto formatter_factory = std::shared_ptr<gen_event_formatter_factory>(
+	auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
 		new sinsp_evt_formatter_factory(inspector, filterchecks));
 	if(s.config->m_json_output)
 	{
-		formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
+		formatter_factory->set_output_format(sinsp_evt_formatter::OF_JSON);
 	}
 	src_info->engine_idx = s.engine->add_source(src, filter_factory, formatter_factory);
--- a/userspace/falco/app/options.h
+++ b/userspace/falco/app/options.h
@ -22,6 +22,7 @@ limitations under the License.
 #include <string>
 #include <vector>
 #include <set>
 #include <list>
 namespace cxxopts { class Options; };
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@ -135,7 +135,7 @@ void falco_outputs::add_output(falco::outputs::config oc)
 	}
 }
-void falco_outputs::handle_event(gen_event *evt, std::string &rule, std::string &source,
+void falco_outputs::handle_event(sinsp_evt *evt, std::string &rule, std::string &source,
 				 falco_common::priority_type priority, std::string &format, std::set<std::string> &tags)
 {
 	falco_outputs::ctrl_msg cmsg = {};
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@ -20,7 +20,6 @@ limitations under the License.
 #include <memory>
 #include <map>
 #include <libsinsp/gen_filter.h>
 #include "falco_common.h"
 #include "falco_engine.h"
 #include "outputs.h"
@ -59,7 +58,7 @@ public:
 		\brief Format then send the event to all configured outputs (`evt`
 		is an event that has matched some rule).
 	*/
-	void handle_event(gen_event *evt, std::string &rule, std::string &source,
+	void handle_event(sinsp_evt *evt, std::string &rule, std::string &source,
 			  falco_common::priority_type priority, std::string &format, std::set<std::string> &tags);
 	/*!
--- a/userspace/falco/outputs.h
+++ b/userspace/falco/outputs.h
@ -21,7 +21,6 @@ limitations under the License.
 #include <map>
 #include "falco_common.h"
 #include <libsinsp/gen_filter.h>
 #include <nlohmann/json.hpp>
 namespace falco