new(userspace): honor new plugins exposed suggested output formats

falco.yaml

@@ -618,6 +618,7 @@ outputs_queue:
 #             affect the regular Falco message in any way. These can be specified as a
 #             custom name with a custom format or as any supported field
 #             (see: https://falco.org/docs/reference/rules/supported-fields/)
+#   `suggested_output`: enable the use of extractor plugins suggested fields for the matching source output.
 #
 # Example:
 # 
@@ -634,6 +635,13 @@ outputs_queue:
 # property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
 # environment variable $HOME, and "evt.hostname" which will contain the hostname.
 
+# By default, we enable suggested_output for any source.
+# This means that any extractor plugin that indicates some of its fields
+# as suggested output formats, will see these fields in the output
+# in the form "foo_bar=$foo.bar"
+append_output:
+  - suggested_output: true
+
 
 ##########################
 # Falco outputs channels #

userspace/falco/app/actions/init_falco_engine.cpp

@@ -18,10 +18,44 @@ limitations under the License.
 #include "actions.h"
 #include <libsinsp/plugin_manager.h>
 #include <falco_common.h>
+#include <algorithm>
 
 using namespace falco::app;
 using namespace falco::app::actions;
 
+static inline std::string format_suggested_field(const filter_check_info* info) {
+	std::ostringstream out;
+
+	// Replace "foo.bar" with "foo_bar"
+	auto name = info->m_name;
+	std::replace(name.begin(), name.end(), '.', '_');
+
+	// foo_bar=%foo.bar
+	out << name << "=%" << info->m_name;
+	return out.str();
+}
+
+static void add_suggested_output(const falco::app::state& s,
+                                 const std::string& src,
+                                 const falco_configuration::append_output_config& eo) {
+	auto src_info = s.source_infos.at(src);
+	if(!src_info) {
+		return;
+	}
+	auto& filterchecks = *src_info->filterchecks;
+	std::vector<const filter_check_info*> fields;
+	filterchecks.get_all_fields(fields);
+	for(const auto& fld : fields) {
+		if(fld->m_fields->is_format_suggested()) {
+			s.engine->add_extra_output_format(format_suggested_field(fld),
+			                                  src,
+			                                  eo.m_tags,
+			                                  eo.m_rule,
+			                                  false);
+		}
+	}
+}
+
 void configure_output_format(falco::app::state& s) {
 	for(auto& eo : s.config->m_append_output) {
 		if(eo.m_format != "") {
@@ -32,6 +66,17 @@ void configure_output_format(falco::app::state& s) {
 			                                  false);
 		}
 
+		// Add suggested filtercheck formats to each source output
+		if(eo.m_suggested_output) {
+			if(eo.m_source.empty()) {
+				for(auto& src : s.loaded_sources) {
+					add_suggested_output(s, src, eo);
+				}
+			} else {
+				add_suggested_output(s, eo.m_source, eo);
+			}
+		}
+
 		for(auto const& ff : eo.m_formatted_fields) {
 			s.engine->add_extra_output_formatted_field(ff.first,
 			                                           ff.second,

userspace/falco/config_json_schema.h

@@ -273,6 +273,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                             }
                         ]
                     }
+                },
+                "suggested_output": {
+                    "type": "boolean"
                 }
             }
         },

userspace/falco/configuration.h

@@ -100,6 +100,7 @@ class falco_configuration {
 		std::set<std::string> m_tags;
 		std::string m_rule;
 		std::string m_format;
+		bool m_suggested_output = false;
 		std::unordered_map<std::string, std::string> m_formatted_fields;
 		std::set<std::string> m_raw_fields;
 	};
@@ -290,6 +291,10 @@ struct convert<falco_configuration::append_output_config> {
 			}
 		}
 
+		if(node["suggested_output"]) {
+			rhs.m_suggested_output = node["suggested_output"].as<bool>();
+		}
+
 		return true;
 	}
 };