Add notion of generic formatters/formatter factories #77
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mstemm
force-pushed
the
general-purpose-formatters
branch
from
9e173ce to
c301856
Compare
mstemm
added a commit
to falcosecurity/falco
that referenced
this pull request
Aug 26, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <[email protected]>
gnosek
reviewed
Sep 9, 2021
mstemm
force-pushed
the
general-purpose-formatters
branch
from
2e19f82 to
d7b7fb3
Compare
|
/test build-libs |
|
/test build-libs-with-chisels |
leogr
previously approved these changes
Sep 17, 2021
|
LGTM label has been added. Git tree hash: e197fd830089ad2fa969a2fb4657bbf6b2326d2c
|
mstemm
force-pushed
the
general-purpose-formatters
branch
from
27e0ecb to
3f1123e
Compare
gnosek
previously approved these changes
Oct 1, 2021
|
LGTM label has been added. Git tree hash: 95ea41f503d52f247f1be655f357d469e0cee0e1
|
mstemm
force-pushed
the
general-purpose-formatters
branch
from
3f1123e to
6ae437b
Compare
gnosek
previously approved these changes
Oct 1, 2021
|
LGTM label has been added. Git tree hash: b9c0994277c309231bae5d30f2b9df166dfa7c01
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: leogr, mstemm The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add the notion of "generic" event formatters and formatter factories
that can create a formatter for a given format string:
- gen_filter.h defines two new classes: gen_event_formatter provides
the interface to format events:
- set_format(): set the output format and format string
- tostring(): resolve the format with info from a gen_event,
populating a resolved string.
- tostring_withformat(): like tostring() but with a one-off output
format.
- get_field_values(): return all templated field names and values
from the configured format string.
- get_output_format(): get the current output format.
- gen_event_formatter_factory performs a similar role as the existing
sinsp_evt_formatter_cache, in that it maintains a cache of previously
used format strings/formatters, to avoid the overhead of creating
formatters. It simply returns a formatter, though, rather than
duplicating the format methods like sinsp_evt_formatter_cache does.
This can be used in programs like falco to format general purpose
events without having a direct connection to an
inspector/filterchecks/etc.
- The eventformatter changes simply add gen_event_formatter as a
parent class and implements the interfaces. To aid in backwards
compatibility with other parts of libsinsp, this only adds new
methods as needed to conform to the gen_event_formatter
interface. In some cases, the new methods just call existing methods
that did the same thing.
Signed-off-by: Mark Stemm <[email protected]>
mstemm
force-pushed
the
general-purpose-formatters
branch
from
6ae437b to
805e466
Compare
gnosek
approved these changes
Oct 4, 2021
|
LGTM label has been added. Git tree hash: 5b20a78ca3875e164fcb5faeed84e1163579dbdf
|
leogr
approved these changes
Oct 4, 2021
mstemm
added a commit
to leogr/falco
that referenced
this pull request
Oct 4, 2021
Pinned to a commit that contains PRs falcosecurity/libs#74, falcosecurity/libs#75, falcosecurity/libs#76, falcosecurity/libs#77 Signed-off-by: Mark Stemm <[email protected]>
mstemm
added a commit
to falcosecurity/falco
that referenced
this pull request
Oct 4, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <[email protected]>
mstemm
added a commit
to falcosecurity/falco
that referenced
this pull request
Oct 4, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <[email protected]>
mstemm
added a commit
to falcosecurity/falco
that referenced
this pull request
Oct 5, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <[email protected]>
mstemm
added a commit
to falcosecurity/falco
that referenced
this pull request
Oct 5, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <[email protected]>
mstemm
added a commit
to falcosecurity/falco
that referenced
this pull request
Oct 5, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <[email protected]>
poiana
pushed a commit
to falcosecurity/falco
that referenced
this pull request
Oct 12, 2021
Modify falco_formats to only be responsible for resolving a rule's output string or coming up with a map of field name->field values from a given output string. It relies on the changes in falcosecurity/libs#77 to use generic formatters for a given source. Remove lua bindings to create a formatter/free a formatter. Those were unused as of the changes in #1451, so finally remove them now. Signed-off-by: Mark Stemm <[email protected]>
mstemm
added a commit
that referenced
this pull request
Jan 26, 2022
In #74 we pushed down some code from falco that determines the sinsp event types that are applicable for a given filter. The set of event types starts with "all events", and as the filter condition is parsed, including logical operators like "and", "or", "not", etc, the set of event types is changed, honoring the logical operators. For example, for a condition proc.name=nginx, the filter is applicable for all event types, as the condition does not include any evt.type field. For a more complicated condition like evt.type=openat and proc.name=nginx, the first field restricts the event types to openat, which is logical anded against all event types from proc.name, resulting in only the event type openat. With the introduction of plugins, there's also a need to segregate plugin-related filterchecks from non-plugin-related filterchecks by event source, but that's handled at a higher level, using a notion of filter factories and formatter factories (#77). The bug is that plugin filtercheck fields like ct.name, json.value were mistakenly being restricted to only the plugin event PPME_PLUGINEVENT_E. This was being mistakenly inverted when conditions had a "not" operator, with the result being that they did not run on any event types at all. The fix is to treat plugin fields as working with all event types, just like almost all other fields like proc.name, etc. are. This allows the logical operators to combine event type sets properly. This, along with other small changes in falco + plugins, fixes falcosecurity/plugins#56. Signed-off-by: Mark Stemm <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add the notion of "generic" event formatters and formatter factories
that can create a formatter for a given format string:
the interface to format events:
populating a resolved string.
format.
from the configured format string.
sinsp_evt_formatter_cache, in that it maintains a cache of previously
used format strings/formatters, to avoid the overhead of creating
formatters. It simply returns a formatter, though, rather than
duplicating the format methods like sinsp_evt_formatter_cache does.
This can be used in programs like falco to format general purpose
events without having a direct connection to an
inspector/filterchecks/etc.
parent class and implements the interfaces. To aid in backwards
compatibility with other parts of libsinsp, this only adds new
methods as needed to conform to the gen_event_formatter
interface. In some cases, the new methods just call existing methods
that did the same thing.
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area libsinsp
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: