-
Notifications
You must be signed in to change notification settings - Fork 910
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
new(userspace): honor new plugins exposed suggested output formats #3388
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/milestone 0.40.0 |
/cc @jasondellaluce |
CI is failing because there is some problem with the install-zig action :/ |
e65e004
to
073c74b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm all in for this. From a consistency standpoint, since we have the similar append_output
in the config already, what do you think about being this part of it? I'm thinking something like:
append_output:
- match:
source: syscall
suggested_fields: true
This way we can also control it per-source. We can still enable this by default for all sources.
I really like the idea! Will implement it asap! |
# This means that any extractor plugin that indicates some of its fields | ||
# as suggested output formats, will see these fields in the output | ||
# in the form "foo_bar=$foo.bar" | ||
append_output: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By default, we enable suggested_output
for all rules, tags and sources.
e8f8312
to
7af2445
Compare
@@ -100,6 +100,7 @@ class falco_configuration { | |||
std::set<std::string> m_tags; | |||
std::string m_rule; | |||
std::string m_format; | |||
bool m_suggested_output = false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When missing, default value is false.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any particular reason why it is enabled by default in the config but disabled if missing?
Not saying this is wrong, I'm just wondering why.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's because i want it to be effective only when explicitly enabled; i don't want it to have any effect if you specify eg:
append_output:
- match:
source: syscall
extra_output: "on CPU %evt.cpu"
Ie: in this example, i only want on CPU %evt.cpu
to be appended to output, not the plugin suggested fields, unless suggested_output: true
is also set.
But i am also open for more opinions.
/cc @LucaGuerra |
7af2445
to
71dda9f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
71dda9f
to
4452195
Compare
…ats. Signed-off-by: Federico Di Pierro <[email protected]>
Signed-off-by: Federico Di Pierro <[email protected]>
…output` configuration. Signed-off-by: Federico Di Pierro <[email protected]>
4452195
to
95cab34
Compare
/cc @LucaGuerra that first worked on the new output configs. |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
Since falcosecurity/libs#2116, the plugin API now exposes a way for extractor plugins to declare that certain fields should be used as output formats.
Honor the request, and add a
suggested_formats
config option to eventually disable the suggested formats.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: