Henri DF
6d72619968
rename digwatch_syslog -> digwatch_logger
2016-04-22 16:01:00 -07:00
Henri DF
4c64295adc
Digwatch logging
...
Log digwatch messages to syslog and/or stderr
2016-04-22 15:56:18 -07:00
Henri DF
5413935f15
Small tweak to usage message
2016-04-22 15:33:43 -07:00
Henri DF
fad88ee4b7
Remove signal handling
...
Not currently serving any purpose
2016-04-22 14:59:58 -07:00
Henri DF
45f8096dd3
Add support for json-formatted output
2016-04-21 16:30:51 -07:00
Henri DF
a529b11e0d
Clean up usage message and choice of flags
2016-04-13 03:43:31 +00:00
Henri DF
86e2e17c33
Change rules file command-line setting
...
Now optional, and uses -u rather than being passed as a positional arg.
2016-04-13 03:43:31 +00:00
Henri DF
ef93844234
Rename digwatch.conf -> digwatch_rules.conf
2016-04-13 03:43:30 +00:00
Henri DF
357276b787
Fix opt def for scap input file
...
(was 'R', should be 'r')
2016-04-12 18:36:24 -07:00
Henri DF
b4bc2d52be
rename infile -> scap_filename
2016-04-12 18:34:49 -07:00
Henri DF
d0e489b5c2
Remove unnecessary HAS_FILTERING conditional
2016-04-12 18:29:48 -07:00
Henri DF
89b1a55d9e
Add file output
2016-04-13 01:19:27 +00:00
Henri DF
b2698f9d20
Set up outputs listed in configuration object
2016-04-13 01:19:21 +00:00
Henri DF
179e5519ce
Small refactoring of output config
...
This is a step towards being able to support multiple outputs of
different types (including file outputs which require their own config).
2016-04-12 23:21:14 +00:00
Henri DF
42de0507fa
search for yaml config file
...
In order:
1) cmdline opt
2) in-tree path
3) /etc/digwatch.yaml
2016-04-12 23:14:44 +00:00
Henri DF
dc099bfb91
Add configuration object and Yaml parser
...
These aren't wired up yet.
2016-04-12 23:13:15 +00:00
Henri DF
b4859015ea
Add support for reading .scap files
2016-04-08 16:51:16 -07:00
Henri DF
709568b578
Command-line options simplification
...
Remove -N and always turn resolution off. Given the possible performance
impact, there shouldn't even be a way to have it on.
2016-04-07 15:12:15 -07:00
Henri DF
dcbae750c8
Remove the need for DIGWATCH_LUA_DIR env var
2016-04-06 23:05:41 +00:00
Henri DF
c7d0c7dbd9
Remove unneeded -m <lua_main_filename> param
2016-04-06 23:05:41 +00:00
Henri DF
f7ba825023
Remove dep on nixio by adding simple syslog lua function
2016-04-06 11:44:00 -07:00
Henri DF
77440750e6
Load probe
2016-04-04 18:39:42 -07:00
Henri DF
86e1eeffb2
Statically link in lpeg lua library
2016-04-04 15:07:16 -07:00
Henri DF
39b1f64510
Packaging: Bundle lua files
2016-03-31 21:18:23 -07:00
Henri DF
d6dee28bbe
Output simplification
...
The Output is now chosen globally (for all rules), on the command line.
2016-03-30 14:27:19 -07:00
Henri DF
f44bd06f1d
Remove unused/unimplemented options
2016-03-30 13:20:31 -07:00
Henri DF
aea9b0054b
Minor error handling improvements
2016-03-29 19:31:34 -07:00
Henri DF
8c6bb8a236
Set Lua cpath along with path
2016-03-04 17:54:18 -08:00
Henri DF
5f681b1bd8
Signal handlers and clean(er) exit
2016-03-04 00:11:09 +00:00
Henri DF
26fcf3415d
Add digwatch.fields() to Lua API
2016-03-01 21:54:20 +00:00
Henri DF
3195c8abea
formats.{cpp,h}: Get rid of global vars
2016-03-01 21:54:18 +00:00
Henri DF
1c04ed7874
rework digwatch event output handling
...
the high-level change is that events matching a rule are now sent into a
lua "on_event" function for handling, rather than doing the handling
down in c++.
more specifics:
before, the lua "load_rule" function registered formatters with
associated IDs with the c++ side, which later used this state to
reconcile events with formats and print output accordingly.
now, no such state is kept on the c++ side. the lua "load_rule" function
maintains the id->formatters map, and uses it to print outputs when it
receives events.
this change simplifies the existing flow and will also make the forthcoming
implementation of function outputs far simpler than it would have been
in the current setup.
2016-02-28 21:06:29 -08:00
Henri DF
f71de57a90
fix unused vars warning in digwatch.cpp
2016-02-28 20:28:47 -08:00
Henri DF
2428231c7a
Remove unneeded code from digwatch main
2016-02-24 10:32:14 -08:00
Henri DF
1a70d12525
whitespace
2016-02-24 09:17:26 -08:00
Henri DF
a9d0268390
Move format handling into own class
2016-02-23 18:55:20 -08:00
Henri DF
636429c674
Move lua_State creation to digwatch main
2016-02-23 18:43:41 -08:00
Henri DF
3e73f01472
Always print events
...
Before this change, events were only printed if they had all the
fields (same behavior as with sysdig when the output format doesn't have
a leading "*"). With this change, all events are printed; those that
don't have all fields are prefixed with a notification.
2016-02-23 18:15:43 -08:00
Henri DF
87186df85a
digwatch: use appropriate formatter for each event
2016-02-23 10:21:25 -08:00
Henri DF
3d58c3c9ae
Compile and load digwatch rules!
2016-02-20 21:25:41 -08:00
Henri DF
9fef5a7b29
Rework loading of Lua and rules files
2016-02-20 16:21:56 -08:00
Henri DF
9899680064
Lua parser refactoring
...
Move compiler loading out of libsinsp/lua_parser.cpp and into a new
class in digwatch/rules.cpp.
This way the libsinsp support is strictly about providing a lua API for
scripts to setup filters. Loading the actual parser and rules is logic
that belongs in the app (digwatch in this case, maybe sysdig down the
line) rather than there.
2016-02-19 20:30:23 -08:00
Henri DF
208930fd55
Simplify error handling in digwatch main
2016-02-19 14:50:51 -08:00
Henri DF
32ad5673c6
Pass filter object into sinsp::set_filter()
2016-02-18 21:09:26 -08:00
Henri DF
0a294cd5e5
digwatch scaffolding
...
basic cmake setup and digwatch binary, mostly pulled from sysdig
2016-02-19 01:58:17 +00:00