diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp
index 33fb8bbe..fdbcbaf3 100644
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -114,7 +114,7 @@ int falco_formats::lua_free_formatter(lua_State *ls)
 }
 
 string falco_formats::format_event(const gen_event *evt, const std::string &rule, const std::string &source,
-				   const std::string &level, const std::string &format)
+				   const std::string &level, const std::string &format, std::set &tags)
 {
 	string line;
 
@@ -181,8 +181,10 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 	if(s_json_output)
 	{
 		Json::Value event;
+		Json::Value rule_tags;
 		Json::FastWriter writer;
 		string full_line;
+		unsigned int rule_tags_idx = 0;
 
 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
 		time_t evttime = evt->get_ts() / 1000000000;
@@ -197,12 +199,19 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 		event["time"] = iso8601evttime;
 		event["rule"] = rule;
 		event["priority"] = level;
+		event["source"] = source;
 
 		if(s_json_include_output_property)
 		{
 			// This is the filled-in output line.
 			event["output"] = line;
 		}
+
+		for (auto &tag : tags)
+		{
+			rule_tags[rule_tags_idx++] = tag;
+		}
+		event["tags"] = rule_tags;
 
 		full_line = writer.write(event);
 
diff --git a/userspace/engine/formats.h b/userspace/engine/formats.h
index f1302dd7..adbbd978 100644
--- a/userspace/engine/formats.h
+++ b/userspace/engine/formats.h
@@ -46,7 +46,7 @@ public:
 	static int lua_free_formatter(lua_State *ls);
 
 	static string format_event(const gen_event *evt, const std::string &rule, const std::string &source,
-				   const std::string &level, const std::string &format);
+				   const std::string &level, const std::string &format, std::set &tags);
 
 	static map resolve_tokens(const gen_event *evt, const std::string &source, const std::string &format);
 
diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp
index a148927d..ae9f9688 100644
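Review bot: The new `tags` parameter of format_event is taken as a non-const reference although the function only iterates it to build the JSON array, so the signature promises mutation it never performs and refuses callers holding a const set; make it `const std::set &tags` (the element type appears to have been stripped in this rendering) in both the definition here and the declaration in formats.h. The same applies to the `std::set &tags` parameter of handle_event in falco_outputs.cpp and falco_outputs.h, which likewise only reads the set (iterates it into cmsg.tags and forwards it). The body of format_event continues outside this hunk.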
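Review bot: `Json::Value rule_tags;` is default-constructed as a null value and only becomes an array once the loop in the following hunk assigns an index, so a rule with no tags emits `"tags": null` instead of `"tags": []`, which breaks consumers that expect the field to always be an array. Declare it as `Json::Value rule_tags(Json::arrayValue);` so the empty case serializes as an array. With that, the loop can use `rule_tags.append(tag);` and the `rule_tags_idx` counter added on the line below `string full_line;` becomes unnecessary; the loop variable should also be `const auto &tag` since the tag is only copied into the value.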
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -142,7 +142,7 @@ void falco_outputs::add_output(falco::outputs::config oc)
 }
 
 void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
-				 falco_common::priority_type priority, string &format, std::set tags)
+				 falco_common::priority_type priority, string &format, std::set &tags)
 {
 	if(!m_notifications_tb.claim())
 	{
@@ -190,7 +190,7 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 		sformat += " " + format;
 	}
 
-	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat, tags);
 	cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat);
 	cmsg.tags.insert(tags.begin(), tags.end());
 
diff --git a/userspace/falco/falco_outputs.h b/userspace/falco/falco_outputs.h
index 56065b47..dcd676fa 100644
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -48,7 +48,7 @@ public:
 	// Format then send the event to all configured outputs (`evt` is an event that has matched some rule).
 	void handle_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::set tags);
+			  falco_common::priority_type priority, std::string &format, std::set &tags);
 
 	// Format then send a generic message to all outputs. Not necessarily associated with any event.
 	void handle_msg(uint64_t now,