new(userspace): honor new plugins exposed suggested output formats #3388
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/milestone 0.40.0 |
|
/cc @jasondellaluce |
|
CI is failing because there is some problem with the install-zig action :/ |
FedeDP
force-pushed
the
new/suggested_formats
branch
from
e65e004 to
073c74b
Compare
FedeDP
changed the title
There was a problem hiding this comment.
I'm all in for this. From a consistency standpoint, since we have the similar append_output in the config already, what do you think about being this part of it? I'm thinking something like:
append_output:
- match:
source: syscall
suggested_fields: true
This way we can also control it per-source. We can still enable this by default for all sources.
I really like the idea! Will implement it asap! |
| # This means that any extractor plugin that indicates some of its fields | ||
| # as suggested output formats, will see these fields in the output | ||
| # in the form "foo_bar=$foo.bar" | ||
| append_output: |
There was a problem hiding this comment.
By default, we enable suggested_output for all rules, tags and sources.
FedeDP
force-pushed
the
new/suggested_formats
branch
from
e8f8312 to
7af2445
Compare
| @@ -100,6 +100,7 @@ class falco_configuration { | |||
| std::set<std::string> m_tags; | |||
| std::string m_rule; | |||
| std::string m_format; | |||
| bool m_suggested_output = false; | |||
There was a problem hiding this comment.
When missing, default value is false.
There was a problem hiding this comment.
Is there any particular reason why it is enabled by default in the config but disabled if missing?
Not saying this is wrong, I'm just wondering why.
There was a problem hiding this comment.
That's because i want it to be effective only when explicitly enabled; i don't want it to have any effect if you specify eg:
append_output:
- match:
source: syscall
extra_output: "on CPU %evt.cpu"
Ie: in this example, i only want on CPU %evt.cpu to be appended to output, not the plugin suggested fields, unless suggested_output: true is also set.
But i am also open for more opinions.
|
/cc @LucaGuerra |
FedeDP
force-pushed
the
new/suggested_formats
branch
from
7af2445 to
71dda9f
Compare
FedeDP
force-pushed
the
new/suggested_formats
branch
from
71dda9f to
4452195
Compare
…ats. Signed-off-by: Federico Di Pierro <[email protected]>
Signed-off-by: Federico Di Pierro <[email protected]>
…output` configuration. Signed-off-by: Federico Di Pierro <[email protected]>
FedeDP
force-pushed
the
new/suggested_formats
branch
from
4452195 to
95cab34
Compare
|
/cc @LucaGuerra that first worked on the new output configs. |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
Since falcosecurity/libs#2116, the plugin API now exposes a way for extractor plugins to declare that certain fields should be used as output formats.
Honor the request, and add a
suggested_formatsconfig option to eventually disable the suggested formats.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: