new(outputs): add source and tags to json output

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-09-07 17:54:07 +00:00 · 2021-08-31 15:51:16 +00:00
parent b0562242e8
commit 8273e57598
4 changed files with 14 additions and 5 deletions
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -114,7 +114,7 @@ int falco_formats::lua_free_formatter(lua_State *ls)
 }
 string falco_formats::format_event(const gen_event *evt, const std::string &rule, const std::string &source,
-				   const std::string &level, const std::string &format)
+				   const std::string &level, const std::string &format, std::set<std::string> &tags)
 {
 	string line;
@@ -181,8 +181,10 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 	if(s_json_output)
 	{
 		Json::Value event;
 		Json::Value rule_tags;
 		Json::FastWriter writer;
 		string full_line;
 		unsigned int rule_tags_idx = 0;
 		// Convert the time-as-nanoseconds to a more json-friendly ISO8601.
 		time_t evttime = evt->get_ts() / 1000000000;
@@ -197,12 +199,19 @@ string falco_formats::format_event(const gen_event *evt, const std::string &rule
 		event["time"] = iso8601evttime;
 		event["rule"] = rule;
 		event["priority"] = level;
 		event["source"] = source;
 		if(s_json_include_output_property)
 		{
 			// This is the filled-in output line.
 			event["output"] = line;
 		}
 		for (auto &tag : tags)
 		{
 			rule_tags[rule_tags_idx++] = tag;
 		}
 		event["tags"] = rule_tags;
 		full_line = writer.write(event);
--- a/userspace/engine/formats.h
+++ b/userspace/engine/formats.h
@@ -46,7 +46,7 @@ public:
 	static int lua_free_formatter(lua_State *ls);
 	static string format_event(const gen_event *evt, const std::string &rule, const std::string &source,
-				   const std::string &level, const std::string &format);
+				   const std::string &level, const std::string &format, std::set<std::string> &tags);
 	static map<string, string> resolve_tokens(const gen_event *evt, const std::string &source,
 						  const std::string &format);
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -142,7 +142,7 @@ void falco_outputs::add_output(falco::outputs::config oc)
 }
 void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
-				 falco_common::priority_type priority, string &format, std::set<std::string> tags)
+				 falco_common::priority_type priority, string &format, std::set<std::string> &tags)
 {
 	if(!m_notifications_tb.claim())
 	{
@@ -190,7 +190,7 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 		sformat += " " + format;
 	}
-	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat);
+	cmsg.msg = falco_formats::format_event(evt, rule, source, falco_common::priority_names[priority], sformat, tags);
 	cmsg.fields = falco_formats::resolve_tokens(evt, source, sformat);
 	cmsg.tags.insert(tags.begin(), tags.end());
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -48,7 +48,7 @@ public:
 	// Format then send the event to all configured outputs (`evt` is an event that has matched some rule).
 	void handle_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::set<std::string> tags);
+			  falco_common::priority_type priority, std::string &format, std::set<std::string> &tags);
 	// Format then send a generic message to all outputs. Not necessarily associated with any event.
 	void handle_msg(uint64_t now,