mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-04 16:20:18 +00:00
Use factories to provide filters/formatting
Instead of having hard-coded support for syscall/k8s_audit events, use the notions of filter factories/formatter factories to provide generic support for events having a given source:

- Within the engine, maps m_filter_factories / m_rulesets / m_format_factories map from a given source to something that can create filters, hold filters, and create formatters for a given source. The hard-coded sinsp_factory/json_factory objects are removed.
- The specific add_xxx_filter/process_xxx_event are general purpose and take an event source.
- A new method create_formatter() takes a source/output format and provides a shared_ptr to a formatter that can resolve format strings. This is used by the falco outputs code.
- In falco main, create the syscall/k8s_audit filter and formatter factories and pass them to the engine. Later, we might make this configurable/selective.

With all of the above changes, the falco engine doesn't need a direct inspector any longer, so remove it.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
@@ -48,11 +48,6 @@ falco_common::~falco_common()
|
||||
}
|
||||
}
|
||||
|
||||
void falco_common::set_inspector(sinsp *inspector)
|
||||
{
|
||||
m_inspector = inspector;
|
||||
}
|
||||
|
||||
void falco_common::init(const char *lua_main_filename, const char *alternate_lua_dir)
|
||||
{
|
||||
ifstream is;
|
||||
|
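Review bot: the removal of falco_common::set_inspector() in this hunk leaves m_inspector with no visible setter, and nothing shown here drops the member itself. If the m_inspector declaration stays in the class, it becomes a raw pointer that is never assigned, so any remaining read of it in falco_common or a subclass would dereference an uninitialized or stale value. Remove the member declaration and any initializer in the same change, and confirm that no caller still expects set_inspector() to exist. The hunk header (-48,11 +48,6) accounts for exactly the five lines of the setter plus its blank line, so falco_common::init() below it is unchanged context and should be checked by hand for inspector use.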