diff --git a/userspace/falco/outputs.h b/userspace/falco/outputs.h index bb26fb88..27a0b220 100644 --- a/userspace/falco/outputs.h +++ b/userspace/falco/outputs.h @@ -37,6 +37,21 @@ struct config std::map options; }; +// +// The message to be outputted. It can either refer to: +// - an event that has matched some rule, +// - or a generic message (e.g., a drop alert). +// +struct message +{ + uint64_t ts; + falco_common::priority_type priority; + std::string msg; + std::string rule; + std::string source; + map fields; +}; + // // This class acts as the primary interface for implementing // a Falco output class. @@ -52,15 +67,13 @@ public: m_hostname = hostname; } - // Output an event that has matched some rule. - virtual void output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg) = 0; - - // Output a generic message. Not necessarily associated with any event. - virtual void output_msg(falco_common::priority_type priority, std::string &msg) = 0; + // Output a message. + virtual void output(const message *msg) = 0; + // Possibly close the output and open it again. virtual void reopen() {} + // Possibly flush the output. virtual void cleanup() {} protected: diff --git a/userspace/falco/outputs_file.cpp b/userspace/falco/outputs_file.cpp index d62cb081..2706cf38 100644 --- a/userspace/falco/outputs_file.cpp +++ b/userspace/falco/outputs_file.cpp 
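Review bot: The unit of `message::ts` is left undocumented, and the only consumer visible in this diff (`NanosecondsToTimestamp(msg->ts)` in outputs_grpc.cpp) treats it as nanoseconds since the epoch, so a wrong caller would silently produce wrong timestamps in alerts; `// Event timestamp, nanoseconds since the Unix epoch` on that field pins the contract. The struct comment also says a message may be a generic one (e.g. a drop alert) but does not say what `rule` and `source` hold in that case, and outputs_grpc.cpp feeds `source` straight into a parser that throws on unknown values; a line such as `// rule/source: empty for generic messages — outputs must tolerate that` (or whatever the producer actually sets, which this diff does not show) would tell implementers what to expect.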
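Review bot: `virtual void output(const message *msg) = 0;` accepts a null pointer that every implementation in this diff dereferences unconditionally, so a null argument is undefined behaviour rather than a reportable error; nothing here needs the nullable case, so `virtual void output(const message &msg) = 0;` (with `msg.` in the implementations) would make it unrepresentable. If the pointer form is kept, the doc comment should at least state the lifetime: outputs_grpc.cpp copies every field into the protobuf before queuing and outputs_http.cpp hands `msg->msg.c_str()` to curl and performs synchronously, so `// msg is valid only for the duration of the call; copy anything you keep` documents the contract the implementations already rely on.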
@@ -31,16 +31,10 @@ void falco::outputs::output_file::open_file() } } -void falco::outputs::output_file::output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg) -{ - output_msg(priority, msg); -} - -void falco::outputs::output_file::output_msg(falco_common::priority_type priority, std::string &msg) +void falco::outputs::output_file::output(const message *msg) { open_file(); - m_outfile << msg + "\n"; + m_outfile << msg->msg + "\n"; if(m_oc.options["keep_alive"] != "true") { diff --git a/userspace/falco/outputs_file.h b/userspace/falco/outputs_file.h index 8a5ad79d..0fff6ff7 100644 --- a/userspace/falco/outputs_file.h +++ b/userspace/falco/outputs_file.h @@ -27,10 +27,7 @@ namespace outputs class output_file : public abstract_output { - void output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg); - - void output_msg(falco_common::priority_type priority, std::string &msg); + void output(const message *msg); void cleanup(); diff --git a/userspace/falco/outputs_grpc.cpp b/userspace/falco/outputs_grpc.cpp index 2580ffc3..8b286e60 100644 --- a/userspace/falco/outputs_grpc.cpp +++ b/userspace/falco/outputs_grpc.cpp 
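Review bot: `m_outfile << msg->msg + "\n";` copies the whole message into a temporary just to append a newline on every alert; `m_outfile << msg->msg << '\n';` writes the same bytes without the allocation. Consumers of this file presumably treat each line as one alert, and nothing here guarantees `msg->msg` carries no embedded newline — if the formatted text can include event-derived fields (command lines, paths), a newline in them would be indistinguishable from a record boundary; that is pre-existing rather than introduced by this hunk, but a comment such as `// one message per line; msg->msg is assumed to contain no '\n'` would make the assumption visible. The function continues past the hunk (the `keep_alive` branch).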
@@ -21,23 +21,21 @@ limitations under the License. #include "formats.h" #include "banned.h" // This raises a compilation error when certain functions are used -void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, - std::string &msg) +void falco::outputs::output_grpc::output(const message *msg) { falco::outputs::response grpc_res; // time auto timestamp = grpc_res.mutable_time(); - *timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(evt->get_ts()); + *timestamp = google::protobuf::util::TimeUtil::NanosecondsToTimestamp(msg->ts); // rule auto r = grpc_res.mutable_rule(); - *r = rule; + *r = msg->rule; // source falco::schema::source s = falco::schema::source::SYSCALL; - if(!falco::schema::source_Parse(source, &s)) + if(!falco::schema::source_Parse(msg->source, &s)) { throw falco_exception("Unknown source passed to output_grpc::output_event()"); } @@ -45,7 +43,7 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule // priority falco::schema::priority p = falco::schema::priority::EMERGENCY; - if(!falco::schema::priority_Parse(falco_common::priority_names[priority], &p)) + if(!falco::schema::priority_Parse(falco_common::priority_names[msg->priority], &p)) { throw falco_exception("Unknown priority passed to output_grpc::output_event()"); } @@ -53,12 +51,11 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule // output auto output = grpc_res.mutable_output(); - *output = msg; + *output = msg->msg; // output fields auto &fields = *grpc_res.mutable_output_fields(); - auto resolvedTkns = falco_formats::resolve_tokens(evt, source, format); - for(const auto &kv : resolvedTkns) + for(const auto &kv : msg->fields) { fields[kv.first] = kv.second; } 
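Review bot: The two `falco_exception` strings still name `output_grpc::output_event()`, a function this hunk renames, so `throw falco_exception("Unknown source passed to output_grpc::output()");` (and the priority message alike) keeps the diagnostics pointing at code that exists. More importantly, the old `output_msg` was a deliberate no-op for gRPC (the removed todo in the next hunk says drops are not supported), whereas the unified `output()` now runs every message, rule match or not, through `source_Parse`; unless the producer fills `source` of a generic message with a value the schema accepts, a drop alert will now throw out of the output path where it used to be silently ignored. Either short-circuit the generic case before parsing (e.g. on an empty `msg->rule`), or document on `message` which `source` values generic messages carry. `priority_names[msg->priority]` also indexes without a range check, as the previous code did.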
@@ -68,9 +65,4 @@ void falco::outputs::output_grpc::output_event(gen_event *evt, std::string &rule *host = m_hostname; falco::grpc::queue::get().push(grpc_res); -} - -void falco::outputs::output_grpc::output_msg(falco_common::priority_type priority, std::string &msg) -{ - // todo(fntlnz, leodido, leogr) > gRPC does not support subscribing to dropped events yet } \ No newline at end of file diff --git a/userspace/falco/outputs_grpc.h b/userspace/falco/outputs_grpc.h index 43564231..6cfb4c80 100644 --- a/userspace/falco/outputs_grpc.h +++ b/userspace/falco/outputs_grpc.h @@ -25,10 +25,7 @@ namespace outputs class output_grpc : public abstract_output { - void output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg); - - void output_msg(falco_common::priority_type priority, std::string &msg); + void output(const message *msg); }; } // namespace outputs diff --git a/userspace/falco/outputs_http.cpp b/userspace/falco/outputs_http.cpp index 737bdd4e..5a2b30f1 100644 --- a/userspace/falco/outputs_http.cpp +++ b/userspace/falco/outputs_http.cpp @@ -18,13 +18,7 @@ limitations under the License. #include "logger.h" #include "banned.h" // This raises a compilation error when certain functions are used -void falco::outputs::output_http::output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg) -{ - output_msg(priority, msg); -} - -void falco::outputs::output_http::output_msg(falco_common::priority_type priority, std::string &msg) +void falco::outputs::output_http::output(const message *msg) { CURL *curl = NULL; CURLcode res = CURLE_FAILED_INIT; 
@@ -37,7 +31,7 @@ void falco::outputs::output_http::output_msg(falco_common::priority_type priorit slist1 = curl_slist_append(slist1, "Content-Type: application/json"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist1); curl_easy_setopt(curl, CURLOPT_URL, m_oc.options["url"].c_str()); - curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg.c_str()); + curl_easy_setopt(curl, CURLOPT_POSTFIELDS, msg->msg.c_str()); curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, -1L); res = curl_easy_perform(curl); diff --git a/userspace/falco/outputs_http.h b/userspace/falco/outputs_http.h index 8072c70d..d3c9eb66 100644 --- a/userspace/falco/outputs_http.h +++ b/userspace/falco/outputs_http.h @@ -25,10 +25,7 @@ namespace outputs class output_http : public abstract_output { - void output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg); - - void output_msg(falco_common::priority_type priority, std::string &msg); + void output(const message *msg); }; } // namespace outputs diff --git a/userspace/falco/outputs_program.cpp b/userspace/falco/outputs_program.cpp index 50035fec..3c4492c5 100644 --- a/userspace/falco/outputs_program.cpp +++ b/userspace/falco/outputs_program.cpp @@ -31,17 +31,11 @@ void falco::outputs::output_program::open_pfile() } } -void falco::outputs::output_program::output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg) -{ - output_msg(priority, msg); -} - -void falco::outputs::output_program::output_msg(falco_common::priority_type priority, std::string &msg) +void falco::outputs::output_program::output(const message *msg) { open_pfile(); - fprintf(m_pfile, "%s\n", msg.c_str()); + fprintf(m_pfile, "%s\n", msg->msg.c_str()); if(m_oc.options["keep_alive"] != "true") { diff --git a/userspace/falco/outputs_program.h b/userspace/falco/outputs_program.h index 0a92cdd8..1b6ba33d 100644 
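Review bot: `CURLOPT_POSTFIELDS` with `CURLOPT_POSTFIELDSIZE` set to `-1L` makes libcurl measure the body with `strlen`, so an embedded NUL in `msg->msg` would silently truncate the alert; `curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)msg->msg.size());` sends exactly the bytes the message holds. libcurl does not copy the buffer for `CURLOPT_POSTFIELDS`, which is fine here only because `curl_easy_perform` runs synchronously in the same call while `msg` is still alive — worth a comment, `// curl keeps a pointer into msg->msg; valid because perform() is synchronous below`. The enclosing function starts before this hunk.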
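Review bot: `fprintf(m_pfile, "%s\n", msg->msg.c_str());` stops at the first NUL byte, so a message containing one reaches the program truncated; `fwrite(msg->msg.data(), 1, msg->msg.size(), m_pfile); fputc('\n', m_pfile);` writes the whole string. The content is passed on the pipe, not as part of the command line (the command itself is built in `open_pfile()`, outside this hunk), so the message text cannot alter which program runs — that is worth stating, `// message goes to the program's stdin; it never reaches the shell`, since a reader might otherwise worry about injection here. The function continues past the hunk (the `keep_alive` branch).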
--- a/userspace/falco/outputs_program.h +++ b/userspace/falco/outputs_program.h @@ -25,10 +25,7 @@ namespace outputs class output_program : public abstract_output { - void output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg); - - void output_msg(falco_common::priority_type priority, std::string &msg); + void output(const message *msg); void cleanup(); diff --git a/userspace/falco/outputs_stdout.cpp b/userspace/falco/outputs_stdout.cpp index a14d97e3..e2b962e2 100644 --- a/userspace/falco/outputs_stdout.cpp +++ b/userspace/falco/outputs_stdout.cpp @@ -18,16 +18,10 @@ limitations under the License. #include #include "banned.h" // This raises a compilation error when certain functions are used -void falco::outputs::output_stdout::output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg) -{ - output_msg(priority, msg); -} - -void falco::outputs::output_stdout::output_msg(falco_common::priority_type priority, std::string &msg) +void falco::outputs::output_stdout::output(const message *msg) { // - // By default, the stdout stream is fully buffered or line buffered + // By default, the stdout stream is fully buffered or line buffered // (if the stream can be determined to refer to an interactive device, e.g. in a TTY). // Just enable automatic flushing when unbuffered output is desired. // Note that it is set every time since other writings to the stdout can disable it. @@ -36,7 +30,7 @@ void falco::outputs::output_stdout::output_msg(falco_common::priority_type prior { std::cout << std::unitbuf; } - std::cout << msg + "\n"; + std::cout << msg->msg + "\n"; } void falco::outputs::output_stdout::cleanup() diff --git a/userspace/falco/outputs_stdout.h b/userspace/falco/outputs_stdout.h index 920f02e4..e16bdb50 100644 --- a/userspace/falco/outputs_stdout.h +++ b/userspace/falco/outputs_stdout.h 
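Review bot: `std::cout << msg->msg + "\n";` allocates a temporary copy of the message for every alert just to add the newline; `std::cout << msg->msg << '\n';` is equivalent and avoids it (note `'\n'` rather than `std::endl`, since the unitbuf branch above already decides when to flush). As with the file output, one alert per line is assumed and nothing guarantees `msg->msg` has no embedded newline; a one-line comment on the write would make that explicit.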
@@ -25,10 +25,7 @@ namespace outputs class output_stdout : public abstract_output { - void output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg); - - void output_msg(falco_common::priority_type priority, std::string &msg); + void output(const message *msg); void cleanup(); }; diff --git a/userspace/falco/outputs_syslog.cpp b/userspace/falco/outputs_syslog.cpp index 6780d70a..dc779bf9 100644 --- a/userspace/falco/outputs_syslog.cpp +++ b/userspace/falco/outputs_syslog.cpp @@ -18,14 +18,8 @@ limitations under the License. #include #include "banned.h" // This raises a compilation error when certain functions are used -void falco::outputs::output_syslog::output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg) -{ - output_msg(priority, msg); -} - -void falco::outputs::output_syslog::output_msg(falco_common::priority_type priority, std::string &msg) +void falco::outputs::output_syslog::output(const message *msg) { // Syslog output should not have any trailing newline - ::syslog(priority, "%s", msg.c_str()); + ::syslog(msg->priority, "%s", msg->msg.c_str()); } diff --git a/userspace/falco/outputs_syslog.h b/userspace/falco/outputs_syslog.h index 47799433..6ea92aff 100644 --- a/userspace/falco/outputs_syslog.h +++ b/userspace/falco/outputs_syslog.h @@ -25,10 +25,7 @@ namespace outputs class output_syslog : public abstract_output { - void output_event(gen_event *evt, std::string &rule, std::string &source, - falco_common::priority_type priority, std::string &format, std::string &msg); - - void output_msg(falco_common::priority_type priority, std::string &msg); + void output(const message *msg); }; } // namespace outputs
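Review bot: `::syslog(msg->priority, "%s", msg->msg.c_str());` passes a `falco_common::priority_type` straight through as the syslog priority, which only works if the enum is numbered identically to `LOG_EMERG`..`LOG_DEBUG`; that dependency predates this hunk but is invisible here, so a comment such as `// priority_type is numbered to match LOG_EMERG..LOG_DEBUG, so no mapping is needed` (or a `static_assert` tying the two numberings together) should sit on the call. Keeping the message as a `"%s"` argument rather than the format string is correct and should stay that way, since the text can carry event-derived data. As with the other sinks, `%s` stops at an embedded NUL, so such a message would be logged truncated.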