diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp index b09ed9c8..65f83744 100644 --- a/userspace/engine/formats.cpp +++ b/userspace/engine/formats.cpp @@ -31,9 +31,9 @@ const static struct luaL_reg ll_falco [] = { {"formatter", &falco_formats::formatter}, {"free_formatter", &falco_formats::free_formatter}, - {"free_formatters", &falco_formats::free_formatters}, - {"format_event", &falco_formats::format_event}, - {"resolve_tokens", &falco_formats::resolve_tokens}, + {"free_formatters", &falco_formats::free_formatters_lua}, + {"format_event", &falco_formats::format_event_lua}, + {"resolve_tokens", &falco_formats::resolve_tokens_lua}, {NULL,NULL} }; @@ -112,103 +112,78 @@ int falco_formats::free_formatter(lua_State *ls) return 0; } -int falco_formats::free_formatters(lua_State *ls) +void falco_formats::free_formatters() { if(s_formatters) { delete(s_formatters); s_formatters = NULL; } +} + +int falco_formats::free_formatters_lua(lua_State *ls) +{ + free_formatters(); return 0; } -int falco_formats::format_event (lua_State *ls) +string falco_formats::format_event(const gen_event* evt, const std::string &rule, const std::string &source, + const std::string &level, const std::string &format) { + string line; string json_line; - - if (!lua_isstring(ls, -1) || - !lua_isstring(ls, -2) || - !lua_isstring(ls, -3) || - !lua_isstring(ls, -4) || - !lua_islightuserdata(ls, -5)) { - lua_pushstring(ls, "Invalid arguments passed to format_event()"); - lua_error(ls); - } - gen_event* evt = (gen_event*)lua_topointer(ls, 1); - const char *rule = (char *) lua_tostring(ls, 2); - const char *source = (char *) lua_tostring(ls, 3); - const char *level = (char *) lua_tostring(ls, 4); - const char *format = (char *) lua_tostring(ls, 5); - string sformat = format; - if(strcmp(source, "syscall") == 0) + if(strcmp(source.c_str(), "syscall") == 0) { - try { - // This is "output" - s_formatters->tostring((sinsp_evt *) evt, sformat, &line); + // This is "output" + s_formatters->tostring((sinsp_evt *) evt, sformat, &line); - if(s_json_output) - { - sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format(); - switch(cur_fmt) - { - case sinsp_evt::PF_NORMAL: - s_inspector->set_buffer_format(sinsp_evt::PF_JSON); - break; - case sinsp_evt::PF_EOLS: - s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS); - break; - case sinsp_evt::PF_HEX: - s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX); - break; - case sinsp_evt::PF_HEXASCII: - s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII); - break; - case sinsp_evt::PF_BASE64: - s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64); - break; - default: - // do nothing - break; - } - // This is output fields - s_formatters->tostring((sinsp_evt *) evt, sformat, &json_line); - - // The formatted string might have a leading newline. If it does, remove it. - if (json_line[0] == '\n') - { - json_line.erase(0, 1); - } - s_inspector->set_buffer_format(cur_fmt); - } - } - catch (sinsp_exception& e) + if(s_json_output) { - string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'"; - lua_pushstring(ls, err.c_str()); - lua_error(ls); + sinsp_evt::param_fmt cur_fmt = s_inspector->get_buffer_format(); + switch(cur_fmt) + { + case sinsp_evt::PF_NORMAL: + s_inspector->set_buffer_format(sinsp_evt::PF_JSON); + break; + case sinsp_evt::PF_EOLS: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONEOLS); + break; + case sinsp_evt::PF_HEX: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEX); + break; + case sinsp_evt::PF_HEXASCII: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONHEXASCII); + break; + case sinsp_evt::PF_BASE64: + s_inspector->set_buffer_format(sinsp_evt::PF_JSONBASE64); + break; + default: + // do nothing + break; + } + // This is output fields + s_formatters->tostring((sinsp_evt *) evt, sformat, &json_line); + + // The formatted string might have a leading newline. If it does, remove it. + if (json_line[0] == '\n') + { + json_line.erase(0, 1); + } + s_inspector->set_buffer_format(cur_fmt); } } else { - try { + json_event_formatter formatter(s_engine->json_factory(), sformat); - json_event_formatter formatter(s_engine->json_factory(), sformat); + line = formatter.tostring((json_event *) evt); - line = formatter.tostring((json_event *) evt); - - if(s_json_output) - { - json_line = formatter.tojson((json_event *) evt); - } - } - catch (exception &e) + if(s_json_output) { - string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'"; - lua_pushstring(ls, err.c_str()); - lua_error(ls); + json_line = formatter.tojson((json_event *) evt); } } @@ -261,11 +236,63 @@ int falco_formats::format_event (lua_State *ls) line = full_line; } + return line.c_str(); +} + +int falco_formats::format_event_lua(lua_State *ls) +{ + string line; + string json_line; + + if (!lua_isstring(ls, -1) || + !lua_isstring(ls, -2) || + !lua_isstring(ls, -3) || + !lua_isstring(ls, -4) || + !lua_islightuserdata(ls, -5)) { + lua_pushstring(ls, "Invalid arguments passed to format_event()"); + lua_error(ls); + } + gen_event* evt = (gen_event*)lua_topointer(ls, 1); + const char *rule = (char *) lua_tostring(ls, 2); + const char *source = (char *) lua_tostring(ls, 3); + const char *level = (char *) lua_tostring(ls, 4); + const char *format = (char *) lua_tostring(ls, 5); + + string sformat = format; + + try { + line = format_event(evt, rule, source, level, format); + } + catch (sinsp_exception& e) + { + string err = "Invalid output format '" + sformat + "': '" + string(e.what()) + "'"; + lua_pushstring(ls, err.c_str()); + lua_error(ls); + } + lua_pushstring(ls, line.c_str()); return 1; } -int falco_formats::resolve_tokens(lua_State *ls) +map falco_formats::resolve_tokens(const gen_event* evt, const std::string &source, const std::string &format) +{ + string sformat = format; + map values; + if(source == "syscall") + { + s_formatters->resolve_tokens((sinsp_evt *)evt, sformat, values); + } + // k8s_audit + else + { + json_event_formatter json_formatter(s_engine->json_factory(), sformat); + values = json_formatter.tomap((json_event*) evt); + } + return values; +} + + +int falco_formats::resolve_tokens_lua(lua_State *ls) { if(!lua_isstring(ls, -1) || !lua_isstring(ls, -2) || @@ -280,16 +307,8 @@ int falco_formats::resolve_tokens(lua_State *ls) string sformat = format; map values; - if(source == "syscall") - { - s_formatters->resolve_tokens((sinsp_evt *)evt, sformat, values); - } - // k8s_audit - else - { - json_event_formatter json_formatter(s_engine->json_factory(), sformat); - values = json_formatter.tomap((json_event*) evt); - } + + values = resolve_tokens(evt, source, sformat); lua_newtable(ls); for(auto const& v : values) diff --git a/userspace/engine/formats.h b/userspace/engine/formats.h index 7003f04d..18c845f7 100644 --- a/userspace/engine/formats.h +++ b/userspace/engine/formats.h @@ -44,14 +44,22 @@ class falco_formats // falco.free_formatter(formatter) static int free_formatter(lua_State *ls); + static void free_formatters(); + // falco.free_formatters() - static int free_formatters(lua_State *ls); + static int free_formatters_lua(lua_State *ls); + + static string format_event(const gen_event* evt, const std::string &rule, const std::string &source, + const std::string &level, const std::string &format); // formatted_string = falco.format_event(evt, formatter) - static int format_event(lua_State *ls); + static int format_event_lua(lua_State *ls); + + static map resolve_tokens(const gen_event* evt, const std::string &source, + const std::string &format); // resolve_tokens = falco.resolve_tokens(evt, formatter) - static int resolve_tokens(lua_State *ls); + static int resolve_tokens_lua(lua_State *ls); static sinsp* s_inspector; static falco_engine *s_engine;