github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-31 22:16:49 +00:00
Code Issues Projects Releases Wiki Activity

new(falco): add json_include_output_fields_property option

Browse Source 
Signed-off-by: Luca Guerra <luca@guerra.sh>
This commit is contained in:
Luca Guerra 2025-03-20 14:51:37 +00:00 committed by poiana
parent ca80e69baa
commit f70b28bfb4
9 changed files with 53 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
falco.yaml
View File

@ -568,6 +568,13 @@ json_include_output_property: true
# information.
json_include_message_property: false
# [Incubating] `json_include_output_fields_property`
#
# When using JSON output in Falco, you have the option to include the individual
# output fields for easier access. To reduce the logging volume, it is recommended
# to turn it off if it's not necessary for your use case.
json_include_output_fields_property: true
# [Stable] `json_include_tags_property`
#
# When using JSON output in Falco, you have the option to include the "tags"

60
userspace/engine/formats.cpp
View File

@ -24,11 +24,13 @@ falco_formats::falco_formats(std::shared_ptr<const falco_engine> engine,
bool json_include_output_property,
bool json_include_tags_property,
bool json_include_message_property,
bool json_include_output_fields_property,
bool time_format_iso_8601):
m_falco_engine(engine),
m_json_include_output_property(json_include_output_property),
m_json_include_tags_property(json_include_tags_property),
m_json_include_message_property(json_include_message_property),
m_json_include_output_fields_property(json_include_output_fields_property),
m_time_format_iso_8601(time_format_iso_8601) {}
falco_formats::~falco_formats() {}
@ -79,7 +81,9 @@ std::string falco_formats::format_event(sinsp_evt *evt,
std::string json_fields_prefix;
// Resolve message fields
message_formatter->tostring(evt, json_fields_message);
if(m_json_include_output_fields_property) {
message_formatter->tostring(evt, json_fields_message);
}
// Resolve prefix (e.g. time) fields
prefix_formatter->tostring(evt, json_fields_prefix);
@ -118,36 +122,38 @@ std::string falco_formats::format_event(sinsp_evt *evt,
event["message"] = message;
}
event["output_fields"] = nlohmann::json::parse(json_fields_message);
if(m_json_include_output_fields_property) {
event["output_fields"] = nlohmann::json::parse(json_fields_message);
auto prefix_fields = nlohmann::json::parse(json_fields_prefix);
if(prefix_fields.is_object()) {
for(auto const &el : prefix_fields.items()) {
event["output_fields"][el.key()] = el.value();
}
}
for(auto const &ef : extra_fields) {
std::string fformat = ef.second.first;
if(fformat.size() == 0) {
continue;
auto prefix_fields = nlohmann::json::parse(json_fields_prefix);
if(prefix_fields.is_object()) {
for(auto const &el : prefix_fields.items()) {
event["output_fields"][el.key()] = el.value();
}
}
if(!(fformat[0] == '*')) {
fformat = "*" + fformat;
}
for(auto const &ef : extra_fields) {
std::string fformat = ef.second.first;
if(fformat.size() == 0) {
continue;
}
if(ef.second.second) // raw field
{
std::string json_field_map;
auto field_formatter = m_falco_engine->create_formatter(source, fformat);
field_formatter->tostring_withformat(evt,
json_field_map,
sinsp_evt_formatter::OF_JSON);
auto json_obj = nlohmann::json::parse(json_field_map);
event["output_fields"][ef.first] = json_obj[ef.first];
} else {
event["output_fields"][ef.first] = format_string(evt, fformat, source);
if(!(fformat[0] == '*')) {
fformat = "*" + fformat;
}
if(ef.second.second) // raw field
{
std::string json_field_map;
auto field_formatter = m_falco_engine->create_formatter(source, fformat);
field_formatter->tostring_withformat(evt,
json_field_map,
sinsp_evt_formatter::OF_JSON);
auto json_obj = nlohmann::json::parse(json_field_map);
event["output_fields"][ef.first] = json_obj[ef.first];
} else {
event["output_fields"][ef.first] = format_string(evt, fformat, source);
}
}
}

2
userspace/engine/formats.h
View File

@ -27,6 +27,7 @@ public:
bool json_include_output_property,
bool json_include_tags_property,
bool json_include_message_property,
bool json_include_output_fields_property,
bool time_format_iso_8601);
virtual ~falco_formats();
@ -52,5 +53,6 @@ protected:
bool m_json_include_output_property;
bool m_json_include_tags_property;
bool m_json_include_message_property;
bool m_json_include_output_fields_property;
bool m_time_format_iso_8601;
};

1
userspace/falco/app/actions/init_outputs.cpp
View File

@ -64,6 +64,7 @@ falco::app::run_result falco::app::actions::init_outputs(falco::app::state& s) {
s.config->m_json_include_output_property,
s.config->m_json_include_tags_property,
s.config->m_json_include_message_property,
s.config->m_json_include_output_fields_property,
s.config->m_output_timeout,
s.config->m_buffered_outputs,
s.config->m_outputs_queue_capacity,

3
userspace/falco/config_json_schema.h
View File

@ -98,6 +98,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
"json_include_message_property": {
"type": "boolean"
},
"json_include_output_fields_property": {
"type": "boolean"
},
"json_include_tags_property": {
"type": "boolean"
},

3
userspace/falco/configuration.cpp
View File

@ -69,6 +69,7 @@ falco_configuration::falco_configuration():
m_json_include_output_property(true),
m_json_include_tags_property(true),
m_json_include_message_property(false),
m_json_include_output_fields_property(true),
m_rule_matching(falco_common::rule_matching::FIRST),
m_watch_config_files(true),
m_buffered_outputs(false),
@ -338,6 +339,8 @@ void falco_configuration::load_yaml(const std::string &config_name) {
m_json_include_tags_property = m_config.get_scalar<bool>("json_include_tags_property", true);
m_json_include_message_property =
m_config.get_scalar<bool>("json_include_message_property", false);
m_json_include_output_fields_property =
m_config.get_scalar<bool>("json_include_output_fields_property", true);
m_outputs.clear();
falco::outputs::config file_output;

1
userspace/falco/configuration.h
View File

@ -147,6 +147,7 @@ public:
bool m_json_include_output_property;
bool m_json_include_tags_property;
bool m_json_include_message_property;
bool m_json_include_output_fields_property;
std::string m_log_level;
std::vector<falco::outputs::config> m_outputs;

2
userspace/falco/falco_outputs.cpp
View File

@ -45,6 +45,7 @@ falco_outputs::falco_outputs(std::shared_ptr<falco_engine> engine,
bool json_include_output_property,
bool json_include_tags_property,
bool json_include_message_property,
bool json_include_output_fields_property,
uint32_t timeout,
bool buffered,
size_t outputs_queue_capacity,
@ -54,6 +55,7 @@ falco_outputs::falco_outputs(std::shared_ptr<falco_engine> engine,
json_include_output_property,
json_include_tags_property,
json_include_message_property,
json_include_output_fields_property,
time_format_iso_8601)),
m_buffered(buffered),
m_json_output(json_output),

1
userspace/falco/falco_outputs.h
View File

@ -46,6 +46,7 @@ public:
bool json_include_output_property,
bool json_include_tags_property,
bool json_include_message_property,
bool json_include_output_fields_property,
uint32_t timeout,
bool buffered,
size_t outputs_queue_capacity,