update(userspace/falco): introduce message struct for outputs

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
2025-07-19 17:16:53 +00:00 · 2020-10-19 14:47:27 +02:00 · 2020-10-19 14:47:27 +02:00 · 8eb7d83ee8
commit 8eb7d83ee8
parent 3b78cda716
13 changed files with 43 additions and 86 deletions
--- a/userspace/falco/outputs.h
+++ b/userspace/falco/outputs.h
@ -37,6 +37,21 @@ struct config
 	std::map<std::string, std::string> options;
 };

+//
+// The message to be outputted. It can either refer to:
+//  - an event that has matched some rule,
+//  - or a generic message (e.g., a drop alert).
+//
+struct message
+{
+	uint64_t ts;
+	falco_common::priority_type priority;
+	std::string msg;
+	std::string rule;
+	std::string source;
+	map<std::string, std::string> fields;
+};
+
 //
 // This class acts as the primary interface for implementing
 // a Falco output class.
@ -52,15 +67,13 @@ public:
 		m_hostname = hostname;
 	}

-	// Output an event that has matched some rule.
-	virtual void output_event(gen_event *evt, std::string &rule, std::string &source,
-				  falco_common::priority_type priority, std::string &format, std::string &msg) = 0;
-
-	// Output a generic message. Not necessarily associated with any event.
-	virtual void output_msg(falco_common::priority_type priority, std::string &msg) = 0;
+	// Output a message.
+	virtual void output(const message *msg) = 0;

+	// Possibly close the output and open it again.
 	virtual void reopen() {}

+	// Possibly flush the output.
 	virtual void cleanup() {}

 protected:
--- a/userspace/falco/outputs_file.cpp
+++ b/userspace/falco/outputs_file.cpp
@ -31,16 +31,10 @@ void falco::outputs::output_file::open_file()
 	}
 }

-void falco::outputs::output_file::output_event(gen_event *evt, std::string &rule, std::string &source,
-					       falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_file::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_file::output(const message *msg)
 {
 	open_file();
-	m_outfile << msg + "\n";
+	m_outfile << msg->msg + "\n";

 	if(m_oc.options["keep_alive"] != "true")
 	{
--- a/userspace/falco/outputs_file.h
+++ b/userspace/falco/outputs_file.h
@ -27,10 +27,7 @@ namespace outputs

 class output_file : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);

 	void cleanup();

--- a/userspace/falco/outputs_grpc.cpp
+++ b/userspace/falco/outputs_grpc.cpp
@ -21,23 +21,21 @@ limitations under the License.
 #include "formats.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule, std::string &source,
-					       falco_common::priority_type priority, std::string &format,
-					       std::string &msg)
+void falco::outputs::output_grpc::output(const message *msg)
 {
 	falco::outputs::response grpc_res;

 	// time
 	auto timestamp = grpc_res.mutable_time();
-	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts());
+	*timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(msg->ts);

 	// rule
 	auto r = grpc_res.mutable_rule();
-	*r = rule;
+	*r = msg->rule;

 	// source
 	falco::schema::source s = falco::schema::source::SYSCALL;
-	if(!falco::schema::source_Parse(source, &s))
+	if(!falco::schema::source_Parse(msg->source, &s))
 	{
 		throw falco_exception("Unknown source passed to output_grpc::output_event()");
 	}
@ -45,7 +43,7 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule

 	// priority
 	falco::schema::priority p = falco::schema::priority::EMERGENCY;
-	if(!falco::schema::priority_Parse(falco_common::priority_names[priority], &p))
+	if(!falco::schema::priority_Parse(falco_common::priority_names[msg->priority], &p))
 	{
 		throw falco_exception("Unknown priority passed to output_grpc::output_event()");
 	}
@ -53,12 +51,11 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule

 	// output
 	auto output = grpc_res.mutable_output();
-	*output = msg;
+	*output = msg->msg;

 	// output fields
 	auto &fields = *grpc_res.mutable_output_fields();
-	auto resolvedTkns = falco_formats::resolve_tokens(evt, source, format);
-	for(const auto &kv : resolvedTkns)
+	for(const auto &kv : msg->fields)
 	{
 		fields[kv.first] = kv.second;
 	}
@ -68,9 +65,4 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule
 	*host = m_hostname;

 	falco::grpc::queue::get().push(grpc_res);
-}
-
-void falco::outputs::output_grpc::output_msg(falco_common::priority_type priority, std::string &msg)
-{
-	// todo(fntlnz, leodido, leogr) > gRPC does not support subscribing to dropped events yet
 }
--- a/userspace/falco/outputs_grpc.h
+++ b/userspace/falco/outputs_grpc.h
@ -25,10 +25,7 @@ namespace outputs

 class output_grpc : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 };

 } // namespace outputs
--- a/userspace/falco/outputs_http.cpp
+++ b/userspace/falco/outputs_http.cpp
@ -18,13 +18,7 @@ limitations under the License.
 #include "logger.h"
 #include "banned.h" // This raises a compilation error when certain functions are used

-void falco::outputs::output_http::output_event(gen_event *evt, std::string &rule, std::string &source,
-					       falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_http::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_http::output(const message *msg)
 {
 	CURL *curl = NULL;
 	CURLcode res = CURLE_FAILED_INIT;
@ -37,7 +31,7 @@ void falco::outputs::output_http::output_msg(falco_common::priority_type priorit
 		slist1 = curl_slist_append(slist1, "Content-Type: application/json");
 		curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1);
 		curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str());
-		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg.c_str());
+		curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str());
 		curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L);

 		res = curl_easy_perform(curl);
--- a/userspace/falco/outputs_http.h
+++ b/userspace/falco/outputs_http.h
@ -25,10 +25,7 @@ namespace outputs

 class output_http : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 };

 } // namespace outputs
--- a/userspace/falco/outputs_program.cpp
+++ b/userspace/falco/outputs_program.cpp
@ -31,17 +31,11 @@ void falco::outputs::output_program::open_pfile()
 	}
 }

-void falco::outputs::output_program::output_event(gen_event *evt, std::string &rule, std::string &source,
-						  falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_program::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_program::output(const message *msg)
 {
 	open_pfile();

-	fprintf(m_pfile, "%s\n", msg.c_str());
+	fprintf(m_pfile, "%s\n", msg->msg.c_str());

 	if(m_oc.options["keep_alive"] != "true")
 	{
--- a/userspace/falco/outputs_program.h
+++ b/userspace/falco/outputs_program.h
@ -25,10 +25,7 @@ namespace outputs

 class output_program : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);

 	void cleanup();

--- a/userspace/falco/outputs_stdout.cpp
+++ b/userspace/falco/outputs_stdout.cpp
@ -18,16 +18,10 @@ limitations under the License.
 #include <iostream>
 #include "banned.h" // This raises a compilation error when certain functions are used

-void falco::outputs::output_stdout::output_event(gen_event *evt, std::string &rule, std::string &source,
-						 falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_stdout::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_stdout::output(const message *msg)
 {
 	//
-	// By default, the stdout stream is fully buffered or line buffered 
+	// By default, the stdout stream is fully buffered or line buffered
 	// (if the stream can be determined to refer to an interactive device, e.g. in a TTY).
 	// Just enable automatic flushing when unbuffered output is desired.
 	// Note that it is set every time since other writings to the stdout can disable it.
@ -36,7 +30,7 @@ void falco::outputs::output_stdout::output_msg(falco_common::priority_type prior
 	{
 		std::cout << std::unitbuf;
 	}
-	std::cout << msg + "\n";
+	std::cout << msg->msg + "\n";
 }

 void falco::outputs::output_stdout::cleanup()
--- a/userspace/falco/outputs_stdout.h
+++ b/userspace/falco/outputs_stdout.h
@ -25,10 +25,7 @@ namespace outputs

 class output_stdout : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);

 	void cleanup();
 };
--- a/userspace/falco/outputs_syslog.cpp
+++ b/userspace/falco/outputs_syslog.cpp
@ -18,14 +18,8 @@ limitations under the License.
 #include <syslog.h>
 #include "banned.h" // This raises a compilation error when certain functions are used

-void falco::outputs::output_syslog::output_event(gen_event *evt, std::string &rule, std::string &source,
-						 falco_common::priority_type priority, std::string &format, std::string &msg)
-{
-	output_msg(priority, msg);
-}
-
-void falco::outputs::output_syslog::output_msg(falco_common::priority_type priority, std::string &msg)
+void falco::outputs::output_syslog::output(const message *msg)
 {
 	// Syslog output should not have any trailing newline
-	::syslog(priority, "%s", msg.c_str());
+	::syslog(msg->priority, "%s", msg->msg.c_str());
 }
--- a/userspace/falco/outputs_syslog.h
+++ b/userspace/falco/outputs_syslog.h
@ -25,10 +25,7 @@ namespace outputs

 class output_syslog : public abstract_output
 {
-	void output_event(gen_event *evt, std::string &rule, std::string &source,
-			  falco_common::priority_type priority, std::string &format, std::string &msg);
-
-	void output_msg(falco_common::priority_type priority, std::string &msg);
+	void output(const message *msg);
 };

 } // namespace outputs