Use better way to skip falco events (#356)

* Use better way to skip falco events Use the new method falco_consider() to determine which events to skip. This centralizes the logic in a single function. All events will still be considered if falco was run with -A. This depends on https://github.com/draios/sysdig/pull/1105. * Add ability to specify -A flag in tests test attribute all_events corresponds to the -A flag. Add for some tests that would normally refer to skipped events.
2025-09-16 23:08:16 +00:00 · 2018-04-24 15:23:51 -07:00
parent 6be4830342
commit 9d3392e9b9
3 changed files with 13 additions and 4 deletions
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -151,7 +151,8 @@ uint64_t do_inspect(falco_engine *engine,
 		    falco_outputs *outputs,
 		    sinsp* inspector,
 		    uint64_t duration_to_tot_ns,
-		    string &stats_filename)
+		    string &stats_filename,
+		    bool all_events)
 {
 	uint64_t num_evts = 0;
 	int32_t res;
@@ -218,8 +219,7 @@ uint64_t do_inspect(falco_engine *engine,
 			}
 		}

-		if(!inspector->is_debug_enabled() &&
-			ev->get_category() & EC_INTERNAL)
+		if(!ev->falco_consider() && !all_events)
 		{
 			continue;
 		}
@@ -761,7 +761,8 @@ int falco_init(int argc, char **argv)
 				      outputs,
 				      inspector,
 				      uint64_t(duration_to_tot*ONE_SECOND_IN_NS),
-				      stats_filename);
+				      stats_filename,
+				      all_events);

 		duration = ((double)clock()) / CLOCKS_PER_SEC - duration;