github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-16 15:51:55 +00:00
Code Issues Projects Releases Wiki Activity

Move output code into output.lua

Browse Source
This commit is contained in:
Henri DF 2016-05-04 17:39:30 -07:00
parent f6c8c4cb84
commit fc04ddfe40
2 changed files with 25 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
userspace/falco/lua/output.lua
View File

@ -2,6 +2,8 @@ local mod = {}
levels = {"Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"} levels = {"Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"}
local outputs = {}
function mod.stdout(evt, level, format) function mod.stdout(evt, level, format)
format = "%evt.time: "..levels[level+1].." "..format format = "%evt.time: "..levels[level+1].." "..format
formatter = falco.formatter(format) formatter = falco.formatter(format)
@ -39,4 +41,24 @@ function mod.syslog(evt, level, format)
falco.syslog(level, msg) falco.syslog(level, msg)
end end
function mod.event(event, level, format)
for index,o in ipairs(outputs) do
o.output(event, level, format, o.config)
end
end
function add_output(output_name, config)
if not (type(mod[output_name]) == 'function') then
error("rule_loader.add_output(): invalid output_name: "..output_name)
end
-- outputs can optionally define a validation function so that we don't
-- find out at runtime (when an event finally matches a rule!) that the config is invalid
if (type(mod[output_name.."_validate"]) == 'function') then
mod[output_name.."_validate"](config)
end
table.insert(outputs, {output = mod[output_name], config=config})
end
return mod return mod

24
userspace/falco/lua/rule_loader.lua
View File

@ -9,9 +9,11 @@ local DEFAULT_OUTPUT_FORMAT = "%evt.time: %evt.num %evt.cpu %proc.name (%thread.
local DEFAULT_PRIORITY = "WARNING" local DEFAULT_PRIORITY = "WARNING"
local output = require('output')
local compiler = require "compiler" local compiler = require "compiler"
local yaml = require"lyaml" local yaml = require"lyaml"
--[[ --[[
Traverse AST, adding the passed-in 'index' to each node that contains a relational expression Traverse AST, adding the passed-in 'index' to each node that contains a relational expression
--]] --]]
@ -175,32 +177,12 @@ function load_rules(filename)
io.flush() io.flush()
end end
local output_functions = require('output')
outputs = {}
function add_output(output_name, config)
if not (type(output_functions[output_name]) == 'function') then
error("rule_loader.add_output(): invalid output_name: "..output_name)
end
-- outputs can optionally define a validation function so that we don't
-- find out at runtime (when an event finally matches a rule!) that the config is invalid
if (type(output_functions[output_name.."_validate"]) == 'function') then
output_functions[output_name.."_validate"](config)
end
table.insert(outputs, {output = output_functions[output_name], config=config})
end
function on_event(evt_, rule_id) function on_event(evt_, rule_id)
if state.outputs[rule_id] == nil then if state.outputs[rule_id] == nil then
error ("rule_loader.on_event(): event with invalid rule_id: ", rule_id) error ("rule_loader.on_event(): event with invalid rule_id: ", rule_id)
end end
for index,o in ipairs(outputs) do output.event(evt_, state.outputs[rule_id].level, state.outputs[rule_id].format)
o.output(evt_, state.outputs[rule_id].level, state.outputs[rule_id].format, o.config)
end
end end