Remove remaining digwatch references (really).

Try harder looking for remaining digwatch references, replacing with
falco.

.gitignore

@@ -1,4 +1,4 @@
 /build*
 
-userspace/digwatch/lua/re.lua
-userspace/digwatch/lua/lpeg.so
+userspace/falco/lua/re.lua
+userspace/falco/lua/lpeg.so

falco.yaml

@@ -1,4 +1,4 @@
-rules_file: /etc/digwatch_rules.conf
+rules_file: /etc/falco_rules.conf
 json_output: false
 
 log_stderr: true

userspace/falco/configuration.cpp

@@ -7,14 +7,14 @@ using namespace std;
 
 
 // If we don't have a configuration file, we just use stdout output and all other defaults
-void digwatch_configuration::init()
+void falco_configuration::init()
 {
 	output_config stdout_output;
 	stdout_output.name = "stdout";
 	m_outputs.push_back(stdout_output);
 }
 
-void digwatch_configuration::init(string conf_filename)
+void falco_configuration::init(string conf_filename)
 {
 	string m_config_file = conf_filename;
 	m_config = new yaml_configuration(m_config_file);
@@ -55,6 +55,6 @@ void digwatch_configuration::init(string conf_filename)
 		throw sinsp_exception("Error reading config file (" + m_config_file + "): No outputs configured. Please configure at least one output file output enabled but no filename in configuration block");
 	}
 
-	digwatch_logger::log_stderr = m_config->get_scalar<bool>("log_stderr", false);
-	digwatch_logger::log_syslog = m_config->get_scalar<bool>("log_syslog", true);
+	falco_logger::log_stderr = m_config->get_scalar<bool>("log_stderr", false);
+	falco_logger::log_syslog = m_config->get_scalar<bool>("log_syslog", true);
 }

userspace/falco/configuration.h

@@ -89,7 +89,7 @@ private:
 };
 
 
-class digwatch_configuration
+class falco_configuration
 {
  public:
 	void init(std::string conf_filename);

userspace/falco/falco.cpp

@@ -54,7 +54,7 @@ string lua_add_output = "add_output";
 // Event processing loop
 //
 void do_inspect(sinsp* inspector,
-		digwatch_rules* rules,
+		falco_rules* rules,
 		lua_State* ls)
 {
 	int32_t res;
@@ -182,11 +182,11 @@ void add_output(lua_State *ls, output_config oc)
 //
 // ARGUMENT PARSING AND PROGRAM SETUP
 //
-int digwatch_init(int argc, char **argv)
+int falco_init(int argc, char **argv)
 {
 	int result = EXIT_SUCCESS;
 	sinsp* inspector = NULL;
-	digwatch_rules* rules = NULL;
+	falco_rules* rules = NULL;
 	int op;
 	sinsp_evt::param_fmt event_buffer_format;
 	int long_index = 0;
@@ -254,7 +254,7 @@ int digwatch_init(int argc, char **argv)
 			conf_stream = new ifstream(conf_filename);
 			if (!conf_stream->good())
 			{
-				digwatch_logger::log(LOG_ERR, "Could not find configuration file at " + conf_filename + ". Exiting \n");
+				falco_logger::log(LOG_ERR, "Could not find configuration file at " + conf_filename + ". Exiting \n");
 				result = EXIT_FAILURE;
 				goto exit;
 			}
@@ -280,17 +280,17 @@ int digwatch_init(int argc, char **argv)
 			}
 		}
 
-		digwatch_configuration config;
+		falco_configuration config;
 		if (conf_filename.size())
 		{
 			config.init(conf_filename);
 			// log after config init because config determines where logs go
-			digwatch_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
+			falco_logger::log(LOG_INFO, "Falco initialized with configuration file " + conf_filename + "\n");
 		}
 		else
 		{
 			config.init();
-			digwatch_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
+			falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
 		}
 
 		if (rules_filename.size())
@@ -305,7 +305,7 @@ int digwatch_init(int argc, char **argv)
 			lua_main_filename = lua_dir + FALCO_LUA_MAIN;
 			if (!std::ifstream(lua_main_filename))
 			{
-				digwatch_logger::log(LOG_ERR, "Could not find Falco Lua libraries (tried " +
+				falco_logger::log(LOG_ERR, "Could not find Falco Lua libraries (tried " +
 						     string(FALCO_LUA_DIR FALCO_LUA_MAIN) + ", " +
 						     lua_main_filename + "). Exiting \n");
 				result = EXIT_FAILURE;
@@ -319,18 +319,18 @@ int digwatch_init(int argc, char **argv)
 		luaopen_lpeg(ls);
 		add_lua_path(ls, lua_dir);
 
-		rules = new digwatch_rules(inspector, ls, lua_main_filename);
+		rules = new falco_rules(inspector, ls, lua_main_filename);
 
-		digwatch_formats::init(inspector, ls);
-		digwatch_fields::init(inspector, ls);
+		falco_formats::init(inspector, ls);
+		falco_fields::init(inspector, ls);
 
-		digwatch_logger::init(ls);
+		falco_logger::init(ls);
 
 
 		inspector->set_drop_event_flags(EF_DROP_FALCO);
 		rules->load_rules(config.m_rules_filename);
 		inspector->set_filter(rules->get_filter());
-		digwatch_logger::log(LOG_INFO, "Parsed rules from file " + config.m_rules_filename + "\n");
+		falco_logger::log(LOG_INFO, "Parsed rules from file " + config.m_rules_filename + "\n");
 
 		inspector->set_hostname_and_port_resolution_mode(false);
 
@@ -363,7 +363,7 @@ int digwatch_init(int argc, char **argv)
 			{
 				if(system("modprobe " PROBE_NAME " > /dev/null 2> /dev/null"))
 				{
-					digwatch_logger::log(LOG_ERR, "Unable to load the driver. Exiting\n");
+					falco_logger::log(LOG_ERR, "Unable to load the driver. Exiting\n");
 				}
 				inspector->open();
 			}
@@ -376,13 +376,13 @@ int digwatch_init(int argc, char **argv)
 	}
 	catch(sinsp_exception& e)
 	{
-		digwatch_logger::log(LOG_ERR, "Runtime error: " + string(e.what()) + ". Exiting\n");
+		falco_logger::log(LOG_ERR, "Runtime error: " + string(e.what()) + ". Exiting\n");
 
 		result = EXIT_FAILURE;
 	}
 	catch(...)
 	{
-		digwatch_logger::log(LOG_ERR, "Unexpected error, Exiting\n");
+		falco_logger::log(LOG_ERR, "Unexpected error, Exiting\n");
 
 		result = EXIT_FAILURE;
 	}
@@ -406,5 +406,5 @@ exit:
 //
 int main(int argc, char **argv)
 {
-	return digwatch_init(argc, argv);
+	return falco_init(argc, argv);
 }

userspace/falco/fields.cpp

@@ -5,34 +5,34 @@
 
 extern sinsp_filter_check_list g_filterlist;
 
-const static struct luaL_reg ll_digwatch [] =
+const static struct luaL_reg ll_falco [] =
 {
-	{"field", &digwatch_fields::field},
+	{"field", &falco_fields::field},
 	{NULL,NULL}
 };
 
-sinsp* digwatch_fields::s_inspector = NULL;
+sinsp* falco_fields::s_inspector = NULL;
 
-std::map<string, sinsp_filter_check*> digwatch_fields::s_fieldname_map;
+std::map<string, sinsp_filter_check*> falco_fields::s_fieldname_map;
 
 
-void digwatch_fields::init(sinsp* inspector, lua_State *ls)
+void falco_fields::init(sinsp* inspector, lua_State *ls)
 {
 	s_inspector = inspector;
 
-	luaL_openlib(ls, "digwatch", ll_digwatch, 0);
+	luaL_openlib(ls, "falco", ll_falco, 0);
 }
 
-int digwatch_fields::field(lua_State *ls)
+int falco_fields::field(lua_State *ls)
 {
 
 	sinsp_filter_check* chk=NULL;
 
 	if (!lua_islightuserdata(ls, 1))
 	{
-		string err = "invalid argument passed to digwatch.field()";
+		string err = "invalid argument passed to falco.field()";
 		fprintf(stderr, "%s\n", err.c_str());
-		throw sinsp_exception("digwatch.field() error");
+		throw sinsp_exception("falco.field() error");
 	}
 	sinsp_evt* evt = (sinsp_evt*)lua_topointer(ls, 1);
 
@@ -47,9 +47,9 @@ int digwatch_fields::field(lua_State *ls)
 
 		if(chk == NULL)
 		{
-			string err = "nonexistent fieldname passed to digwatch.field(): " + string(fieldname);
+			string err = "nonexistent fieldname passed to falco.field(): " + string(fieldname);
 			fprintf(stderr, "%s\n", err.c_str());
-			throw sinsp_exception("digwatch.field() error");
+			throw sinsp_exception("falco.field() error");
 		}
 
 		chk->parse_field_name(fieldname.c_str(), true);

userspace/falco/fields.h

@@ -8,12 +8,12 @@ extern "C" {
 #include "lauxlib.h"
 }
 
-class digwatch_fields
+class falco_fields
 {
  public:
 	static void init(sinsp* inspector, lua_State *ls);
 
-	// value = digwatch.field(evt, fieldname)
+	// value = falco.field(evt, fieldname)
 	static int field(lua_State *ls);
 
 	static sinsp* s_inspector;

userspace/falco/formats.cpp

@@ -2,23 +2,23 @@
 #include "logger.h"
 
 
-sinsp* digwatch_formats::s_inspector = NULL;
+sinsp* falco_formats::s_inspector = NULL;
 
-const static struct luaL_reg ll_digwatch [] =
+const static struct luaL_reg ll_falco [] =
 {
-	{"formatter", &digwatch_formats::formatter},
-	{"format_event", &digwatch_formats::format_event},
+	{"formatter", &falco_formats::formatter},
+	{"format_event", &falco_formats::format_event},
 	{NULL,NULL}
 };
 
-void digwatch_formats::init(sinsp* inspector, lua_State *ls)
+void falco_formats::init(sinsp* inspector, lua_State *ls)
 {
 	s_inspector = inspector;
 
-	luaL_openlib(ls, "digwatch", ll_digwatch, 0);
+	luaL_openlib(ls, "falco", ll_falco, 0);
 }
 
-int digwatch_formats::formatter(lua_State *ls)
+int falco_formats::formatter(lua_State *ls)
 {
 	string format = luaL_checkstring(ls, 1);
 	sinsp_evt_formatter* formatter;
@@ -28,7 +28,7 @@ int digwatch_formats::formatter(lua_State *ls)
 	}
 	catch(sinsp_exception& e)
 	{
-		digwatch_logger::log(LOG_ERR, "Invalid output format '" + format + "'.\n");
+		falco_logger::log(LOG_ERR, "Invalid output format '" + format + "'.\n");
 
 		throw sinsp_exception("set_formatter error");
 	}
@@ -38,12 +38,12 @@ int digwatch_formats::formatter(lua_State *ls)
 	return 1;
 }
 
-int digwatch_formats::format_event (lua_State *ls)
+int falco_formats::format_event (lua_State *ls)
 {
 	string line;
 
 	if (!lua_islightuserdata(ls, -1) || !lua_islightuserdata(ls, -2)) {
-		digwatch_logger::log(LOG_ERR, "Invalid arguments passed to format_event()\n");
+		falco_logger::log(LOG_ERR, "Invalid arguments passed to format_event()\n");
 		throw sinsp_exception("format_event error");
 	}
 	sinsp_evt* evt = (sinsp_evt*)lua_topointer(ls, 1);

userspace/falco/formats.h

@@ -10,15 +10,15 @@ extern "C" {
 
 class sinsp_evt_formatter;
 
-class digwatch_formats
+class falco_formats
 {
  public:
 	static void init(sinsp* inspector, lua_State *ls);
 
-	// formatter = digwatch.formatter(format_string)
+	// formatter = falco.formatter(format_string)
 	static int formatter(lua_State *ls);
 
-	// formatted_string = digwatch.format_event(evt, formatter)
+	// formatted_string = falco.format_event(evt, formatter)
 	static int format_event(lua_State *ls);
 
 	static sinsp* s_inspector;

userspace/falco/logger.cpp

@@ -5,23 +5,23 @@
 
 
 
-const static struct luaL_reg ll_digwatch [] =
+const static struct luaL_reg ll_falco [] =
 {
-	{"syslog", &digwatch_logger::syslog},
+	{"syslog", &falco_logger::syslog},
 	{NULL,NULL}
 };
 
 
-void digwatch_logger::init(lua_State *ls)
+void falco_logger::init(lua_State *ls)
 {
-	luaL_openlib(ls, "digwatch", ll_digwatch, 0);
+	luaL_openlib(ls, "falco", ll_falco, 0);
 }
 
-int digwatch_logger::syslog(lua_State *ls) {
+int falco_logger::syslog(lua_State *ls) {
 	int priority = luaL_checknumber(ls, 1);
 
 	if (priority > LOG_DEBUG) {
-		return luaL_argerror(ls, 1, "digwatch.syslog: priority must be a number between 0 and 7");
+		return luaL_argerror(ls, 1, "falco.syslog: priority must be a number between 0 and 7");
 	}
 
 	const char *msg = luaL_checkstring(ls, 2);
@@ -30,15 +30,15 @@ int digwatch_logger::syslog(lua_State *ls) {
 	return 0;
 }
 
-bool digwatch_logger::log_stderr;
-bool digwatch_logger::log_syslog;
+bool falco_logger::log_stderr;
+bool falco_logger::log_syslog;
 
-void digwatch_logger::log(int priority, const string msg) {
-	if (digwatch_logger::log_syslog) {
+void falco_logger::log(int priority, const string msg) {
+	if (falco_logger::log_syslog) {
 		::syslog(priority, "%s", msg.c_str());
 	}
 
-	if (digwatch_logger::log_stderr) {
+	if (falco_logger::log_stderr) {
 		std::time_t result = std::time(nullptr);
 		string tstr = std::asctime(std::localtime(&result));
 		tstr = tstr.substr(0, 24);// remove trailling newline

userspace/falco/logger.h

@@ -9,12 +9,12 @@ extern "C" {
 #include "lauxlib.h"
 }
 
-class digwatch_logger
+class falco_logger
 {
  public:
 	static void init(lua_State *ls);
 
-	// value = digwatch.syslog(level, message)
+	// value = falco.syslog(level, message)
 	static int syslog(lua_State *ls);
 
 	static void log(int priority, const string msg);

userspace/falco/lua/compiler.lua

@@ -510,7 +510,7 @@ end
 
 
 --[[
-   Compiles a single line from a digwatch ruleset and updates the passed-in macros table. Returns the AST of the line.
+   Compiles a single line from a falco ruleset and updates the passed-in macros table. Returns the AST of the line.
 --]]
 function compiler.compile_line(line, macro_defs)
    local ast, error_msg = compiler.parser.parse_line(line)

userspace/falco/lua/output.lua

@@ -4,8 +4,8 @@ levels = {"Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Infor
 
 function mod.stdout(evt, level, format)
    format = "%evt.time: "..levels[level+1].." "..format
-   formatter = digwatch.formatter(format)
-   msg = digwatch.format_event(evt, formatter)
+   formatter = falco.formatter(format)
+   msg = falco.format_event(evt, formatter)
    print (msg)
 end
 
@@ -24,8 +24,8 @@ end
 
 function mod.file(evt, level, format, options)
    format = "%evt.time: "..levels[level+1].." "..format
-   formatter = digwatch.formatter(format)
-   msg = digwatch.format_event(evt, formatter)
+   formatter = falco.formatter(format)
+   msg = falco.format_event(evt, formatter)
 
    file = io.open(options.filename, "a+")
    file:write(msg, "\n")
@@ -34,9 +34,9 @@ end
 
 function mod.syslog(evt, level, format)
 
-   formatter = digwatch.formatter(format)
-   msg = digwatch.format_event(evt, formatter)
-   digwatch.syslog(level, msg)
+   formatter = falco.formatter(format)
+   msg = falco.format_event(evt, formatter)
+   falco.syslog(level, msg)
 end
 
 return mod

userspace/falco/lua/rule_loader.lua

@@ -1,7 +1,7 @@
 --[[
-   Compile and install digwatch rules.
+   Compile and install falco rules.
 
-   This module exports functions that are called from digwatch c++-side to compile and install a set of rules.
+   This module exports functions that are called from falco c++-side to compile and install a set of rules.
 
 --]]
 

userspace/falco/rules.cpp

@@ -7,7 +7,7 @@ extern "C" {
 }
 
 
-digwatch_rules::digwatch_rules(sinsp* inspector, lua_State *ls, string lua_main_filename)
+falco_rules::falco_rules(sinsp* inspector, lua_State *ls, string lua_main_filename)
 {
 	m_ls = ls;
 
@@ -17,7 +17,7 @@ digwatch_rules::digwatch_rules(sinsp* inspector, lua_State *ls, string lua_main_
 }
 
 
-void digwatch_rules::load_compiler(string lua_main_filename)
+void falco_rules::load_compiler(string lua_main_filename)
 {
 	ifstream is;
 	is.open(lua_main_filename);
@@ -39,7 +39,7 @@ void digwatch_rules::load_compiler(string lua_main_filename)
 	}
 }
 
-void digwatch_rules::load_rules(string rules_filename)
+void falco_rules::load_rules(string rules_filename)
 {
 	ifstream is;
 	is.open(rules_filename);
@@ -85,12 +85,12 @@ void digwatch_rules::load_rules(string rules_filename)
 
 }
 
-sinsp_filter* digwatch_rules::get_filter()
+sinsp_filter* falco_rules::get_filter()
 {
 	return m_lua_parser->get_filter();
 }
 
-digwatch_rules::~digwatch_rules()
+falco_rules::~falco_rules()
 {
 	delete m_lua_parser;
 }

userspace/falco/rules.h

@@ -3,11 +3,11 @@
 #include "sinsp.h"
 #include "lua_parser.h"
 
-class digwatch_rules
+class falco_rules
 {
  public:
-	digwatch_rules(sinsp* inspector, lua_State *ls, string lua_main_filename);
-	~digwatch_rules();
+	falco_rules(sinsp* inspector, lua_State *ls, string lua_main_filename);
+	~falco_rules();
 	void load_rules(string rules_filename);
 	sinsp_filter* get_filter();