diff --git a/falco.yaml b/falco.yaml
index 7486af11..85fd86c6 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -568,6 +568,13 @@ json_include_output_property: true
 # information.
 json_include_message_property: false
 
+# [Incubating] `json_include_output_fields_property`
+#
+# When using JSON output in Falco, you have the option to include the individual
+# output fields for easier access. To reduce the logging volume, it is recommended
+# to turn it off if it's not necessary for your use case.
+json_include_output_fields_property: true
+
 # [Stable] `json_include_tags_property`
 #
 # When using JSON output in Falco, you have the option to include the "tags"
diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp
index cfbd3939..ef99957b 100644
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -24,11 +24,13 @@ falco_formats::falco_formats(std::shared_ptr engine,
                              bool json_include_output_property,
                              bool json_include_tags_property,
                              bool json_include_message_property,
+                             bool json_include_output_fields_property,
                              bool time_format_iso_8601):
         m_falco_engine(engine),
         m_json_include_output_property(json_include_output_property),
         m_json_include_tags_property(json_include_tags_property),
         m_json_include_message_property(json_include_message_property),
+        m_json_include_output_fields_property(json_include_output_fields_property),
         m_time_format_iso_8601(time_format_iso_8601) {}
 
 falco_formats::~falco_formats() {}
@@ -79,7 +81,9 @@ std::string falco_formats::format_event(sinsp_evt *evt,
     std::string json_fields_prefix;
 
     // Resolve message fields
-    message_formatter->tostring(evt, json_fields_message);
+    if(m_json_include_output_fields_property) {
+        message_formatter->tostring(evt, json_fields_message);
+    }
 
     // Resolve prefix (e.g. time) fields
     prefix_formatter->tostring(evt, json_fields_prefix);
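Review bot: The new `bool json_include_output_fields_property` parameter in the `falco_formats::falco_formats` hunk is inserted positionally into a run of adjacent `bool` parameters, and the same pattern is repeated in the `falco_outputs::falco_outputs` hunks of `userspace/falco/falco_outputs.cpp` and `userspace/falco/falco_outputs.h`. Any caller that constructs these objects outside the files in this diff (unit tests, for instance — none are updated here) would need the same change, and because the neighbouring parameters share one type, a call site that passes the booleans in the wrong order still compiles. Grouping the `json_include_*` flags into a small options struct with named fields would make the call sites in `init_outputs.cpp` and `falco_outputs.cpp` self-describing; at minimum the header declaration in `formats.h` deserves a `///` line stating that when this flag is false the JSON event is emitted without an `output_fields` key. Both constructors start outside their hunks.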
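Review bot: In the `@@ -79,7 +81,9 @@` hunk, `prefix_formatter->tostring(evt, json_fields_prefix);` on the last line still runs unconditionally, while the only consumer of `json_fields_prefix` visible in this diff — `nlohmann::json::parse(json_fields_prefix)` in the later hunk of the same function — is now inside the `if(m_json_include_output_fields_property)` guard. Unless `json_fields_prefix` is read elsewhere in the part of `format_event` this diff does not show, the prefix formatting is wasted work whenever the option is off, and the two guards should be kept in step: `if(m_json_include_output_fields_property) { message_formatter->tostring(evt, json_fields_message); prefix_formatter->tostring(evt, json_fields_prefix); }`. A short comment above the guard, such as `// output_fields (and the prefix/time fields merged into them) are skipped entirely when disabled`, would tell the next reader why a formatter is conditionally not invoked. `format_event` starts and ends outside this hunk.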
@@ -118,36 +122,38 @@ std::string falco_formats::format_event(sinsp_evt *evt,
         event["message"] = message;
     }
 
-    event["output_fields"] = nlohmann::json::parse(json_fields_message);
+    if(m_json_include_output_fields_property) {
+        event["output_fields"] = nlohmann::json::parse(json_fields_message);
 
-    auto prefix_fields = nlohmann::json::parse(json_fields_prefix);
-    if(prefix_fields.is_object()) {
-        for(auto const &el : prefix_fields.items()) {
-            event["output_fields"][el.key()] = el.value();
-        }
-    }
-
-    for(auto const &ef : extra_fields) {
-        std::string fformat = ef.second.first;
-        if(fformat.size() == 0) {
-            continue;
+        auto prefix_fields = nlohmann::json::parse(json_fields_prefix);
+        if(prefix_fields.is_object()) {
+            for(auto const &el : prefix_fields.items()) {
+                event["output_fields"][el.key()] = el.value();
+            }
         }
 
-        if(!(fformat[0] == '*')) {
-            fformat = "*" + fformat;
-        }
+        for(auto const &ef : extra_fields) {
+            std::string fformat = ef.second.first;
+            if(fformat.size() == 0) {
+                continue;
+            }
 
-        if(ef.second.second) // raw field
-        {
-            std::string json_field_map;
-            auto field_formatter = m_falco_engine->create_formatter(source, fformat);
-            field_formatter->tostring_withformat(evt,
-                                                 json_field_map,
-                                                 sinsp_evt_formatter::OF_JSON);
-            auto json_obj = nlohmann::json::parse(json_field_map);
-            event["output_fields"][ef.first] = json_obj[ef.first];
-        } else {
-            event["output_fields"][ef.first] = format_string(evt, fformat, source);
+            if(!(fformat[0] == '*')) {
+                fformat = "*" + fformat;
+            }
+
+            if(ef.second.second) // raw field
+            {
+                std::string json_field_map;
+                auto field_formatter = m_falco_engine->create_formatter(source, fformat);
+                field_formatter->tostring_withformat(evt,
+                                                     json_field_map,
+                                                     sinsp_evt_formatter::OF_JSON);
+                auto json_obj = nlohmann::json::parse(json_field_map);
+                event["output_fields"][ef.first] = json_obj[ef.first];
+            } else {
+                event["output_fields"][ef.first] = format_string(evt, fformat, source);
+            }
         }
     }
 
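Review bot: The guard `if(m_json_include_output_fields_property)` at the top of this hunk wraps not only the rule's own output fields but also the prefix/time fields and the whole `for(auto const &ef : extra_fields)` loop, and when the flag is false the event carries no `output_fields` key at all rather than an empty object. That is wider than the `falco.yaml` comment in this diff describes ("include the individual output fields"), so a deployment that turns the option off to cut volume also silently loses fields it configured explicitly, and any downstream detection or alert-routing logic that indexes `output_fields` unconditionally will start failing on every event. Either keep the `extra_fields` loop outside the guard so explicitly configured fields are still emitted, or make the yaml text and a comment at the guard say that the extra fields and the time prefix fields are dropped too, e.g. `// when disabled, output_fields (rule fields, prefix fields and extra fields) is omitted entirely`. The extra nesting level also makes this a good candidate for moving the guarded body into a private helper such as `void add_output_fields(nlohmann::json &event, ...)`. `format_event` starts and ends outside this hunk.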
diff --git a/userspace/engine/formats.h b/userspace/engine/formats.h
index 6b70e70a..6518e7be 100644
--- a/userspace/engine/formats.h
+++ b/userspace/engine/formats.h
@@ -27,6 +27,7 @@ public:
                   bool json_include_output_property,
                   bool json_include_tags_property,
                   bool json_include_message_property,
+                  bool json_include_output_fields_property,
                   bool time_format_iso_8601);
 
     virtual ~falco_formats();
@@ -52,5 +53,6 @@ protected:
     bool m_json_include_output_property;
     bool m_json_include_tags_property;
     bool m_json_include_message_property;
+    bool m_json_include_output_fields_property;
     bool m_time_format_iso_8601;
 };
diff --git a/userspace/falco/app/actions/init_outputs.cpp b/userspace/falco/app/actions/init_outputs.cpp
index 6f9f98bc..e7de5cf4 100644
--- a/userspace/falco/app/actions/init_outputs.cpp
+++ b/userspace/falco/app/actions/init_outputs.cpp
@@ -64,6 +64,7 @@ falco::app::run_result falco::app::actions::init_outputs(falco::app::state& s) {
                                             s.config->m_json_include_output_property,
                                             s.config->m_json_include_tags_property,
                                             s.config->m_json_include_message_property,
+                                            s.config->m_json_include_output_fields_property,
                                             s.config->m_output_timeout,
                                             s.config->m_buffered_outputs,
                                             s.config->m_outputs_queue_capacity,
diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
index 4d2d0844..bb0ca3b2 100644
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -98,6 +98,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
             "json_include_message_property": {
                 "type": "boolean"
             },
+            "json_include_output_fields_property": {
+                "type": "boolean"
+            },
             "json_include_tags_property": {
                 "type": "boolean"
             },
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index ef3674e0..6e98ce83 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -69,6 +69,7 @@ falco_configuration::falco_configuration():
         m_json_include_output_property(true),
         m_json_include_tags_property(true),
         m_json_include_message_property(false),
+        m_json_include_output_fields_property(true),
         m_rule_matching(falco_common::rule_matching::FIRST),
         m_watch_config_files(true),
         m_buffered_outputs(false),
@@ -338,6 +339,8 @@ void falco_configuration::load_yaml(const std::string &config_name) {
     m_json_include_tags_property = m_config.get_scalar("json_include_tags_property", true);
     m_json_include_message_property = m_config.get_scalar("json_include_message_property", false);
+    m_json_include_output_fields_property =
+            m_config.get_scalar("json_include_output_fields_property", true);
     m_outputs.clear();
     falco::outputs::config file_output;
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index dcda7fee..54516cd5 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -147,6 +147,7 @@ public:
     bool m_json_include_output_property;
     bool m_json_include_tags_property;
     bool m_json_include_message_property;
+    bool m_json_include_output_fields_property;
     std::string m_log_level;
     std::vector m_outputs;
diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp
index 7808ca8a..0023756c 100644
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -45,6 +45,7 @@ falco_outputs::falco_outputs(std::shared_ptr engine,
                              bool json_include_output_property,
                              bool json_include_tags_property,
                              bool json_include_message_property,
+                             bool json_include_output_fields_property,
                              uint32_t timeout,
                              bool buffered,
                              size_t outputs_queue_capacity,
@@ -54,6 +55,7 @@ falco_outputs::falco_outputs(std::shared_ptr engine,
                                                  json_include_output_property,
                                                  json_include_tags_property,
                                                  json_include_message_property,
+                                                 json_include_output_fields_property,
                                                  time_format_iso_8601)),
         m_buffered(buffered),
         m_json_output(json_output),
diff --git a/userspace/falco/falco_outputs.h b/userspace/falco/falco_outputs.h
index e6561b5f..adfe0f6e 100644
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -46,6 +46,7 @@ public:
                   bool json_include_output_property,
                   bool json_include_tags_property,
                   bool json_include_message_property,
+                  bool json_include_output_fields_property,
                   uint32_t timeout,
                   bool buffered,
                   size_t outputs_queue_capacity,