Add ability to write trace files.

Bring over functionality from sysdig to write trace files. This is easy,
as all of the code that actually writes the files is in the inspector. This
commit just handles the -w option and its arguments.

This can be useful to write a trace file in parallel with live event
monitoring so you can reproduce it later.
Mark Stemm 2016-10-21 15:42:02 -07:00
parent 4915fdfc3a
commit d2d6118b9b


@ -192,6 +192,7 @@ int falco_init(int argc, char **argv)
int long_index = 0; int long_index = 0;
string scap_filename; string scap_filename;
string conf_filename; string conf_filename;
string outfile;
list<string> rules_filenames; list<string> rules_filenames;
bool daemon = false; bool daemon = false;
string pidfilename = "/var/run/falco.pid"; string pidfilename = "/var/run/falco.pid";
@ -205,6 +206,13 @@ int falco_init(int argc, char **argv)
string output_format = ""; string output_format = "";
bool replace_container_info = false; bool replace_container_info = false;
// Used for writing trace files
int duration_seconds = 0;
int rollover_mb = 0;
int file_limit = 0;
unsigned long event_limit = 0L;
bool compress = false;
static struct option long_options[] = static struct option long_options[] =
{ {
{"help", no_argument, 0, 'h' }, {"help", no_argument, 0, 'h' },
@ -215,6 +223,7 @@ int falco_init(int argc, char **argv)
{"option", required_argument, 0, 'o'}, {"option", required_argument, 0, 'o'},
{"print", required_argument, 0, 'p' }, {"print", required_argument, 0, 'p' },
{"pidfile", required_argument, 0, 'P' }, {"pidfile", required_argument, 0, 'P' },
{"writefile", required_argument, 0, 'w' },
{0, 0, 0, 0} {0, 0, 0, 0}
}; };
@ -228,7 +237,7 @@ int falco_init(int argc, char **argv)
// Parse the args // Parse the args
// //
while((op = getopt_long(argc, argv, while((op = getopt_long(argc, argv,
"hc:AdD:e:k:K:Ll:m:o:P:p:r:v", "hc:AdD:e:k:K:Ll:m:o:P:p:r:vw:",
long_options, &long_index)) != -1) long_options, &long_index)) != -1)
{ {
switch(op) switch(op)
@ -303,6 +312,9 @@ int falco_init(int argc, char **argv)
case 'v': case 'v':
verbose = true; verbose = true;
break; break;
case 'w':
outfile = optarg;
break;
case '?': case '?':
result = EXIT_FAILURE; result = EXIT_FAILURE;
goto exit; goto exit;
@ -500,6 +512,12 @@ int falco_init(int argc, char **argv)
open("/dev/null", O_RDWR); open("/dev/null", O_RDWR);
} }
if(outfile != "")
{
inspector->setup_cycle_writer(outfile, rollover_mb, duration_seconds, file_limit, event_limit, compress);
inspector->autodump_next_file();
}
// //
// run k8s, if required // run k8s, if required
// //
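Review bot: The variables added under `// Used for writing trace files` (duration_seconds, rollover_mb, file_limit, event_limit, compress) are never assigned from any option, so the `setup_cycle_writer(...)` call in the last hunk always requests a single uncompressed file with no rollover or limits; if that is intended, say so at the declaration, e.g. `// Used for writing trace files; only -w is exposed, so no rollover, limits or compression yet`, otherwise the corresponding sysdig options need to be brought over as well. The new `-w` option and its `case 'w'` branch should also appear in the usage text if that is not updated elsewhere in this commit. Because the writer is set up after the daemonize block (the `open("/dev/null", O_RDWR)` line), a relative -w path is presumably resolved against the daemon's working directory rather than the invoking shell's, so either document that the path should be absolute or check it when daemon is set. falco_init begins before the first hunk and the last hunk continues past the end of the page.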