chore(userspace/falco): add new suggested_output option to `append_…

…output` configuration.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

falco.yaml

@@ -571,12 +571,6 @@ buffered_outputs: false
 # deploying it in production.
 rule_matching: first
 
-# [Incubating] `suggested_formats`
-#
-# When enabled, Falco will honor requests by extractor plugins
-# that suggest certain fields to be part of outputs.
-suggested_formats: true
-
 # [Stable] `outputs_queue`
 #
 # Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter
@@ -624,6 +618,7 @@ outputs_queue:
 #             affect the regular Falco message in any way. These can be specified as a
 #             custom name with a custom format or as any supported field
 #             (see: https://falco.org/docs/reference/rules/supported-fields/)
+#   `suggested_output`: enable the use of extractor plugins suggested fields for the matching source output.
 #
 # Example:
 # 
@@ -640,6 +635,13 @@ outputs_queue:
 # property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
 # environment variable $HOME, and "evt.hostname" which will contain the hostname.
 
+# By default, we enable suggested_output for any source.
+# This means that any extractor plugin that indicates some of its fields
+# as suggested output formats, will see these fields in the output
+# in the form "foo_bar=$foo.bar"
+append_output:
+  - suggested_output: true
+
 
 ##########################
 # Falco outputs channels #

userspace/falco/app/actions/init_falco_engine.cpp

@@ -35,6 +35,27 @@ static inline std::string format_suggested_field(const filter_check_info* info)
 	return out.str();
 }
 
+static void add_suggested_output(const falco::app::state& s,
+                                 const std::string& src,
+                                 const falco_configuration::append_output_config& eo) {
+	auto src_info = s.source_infos.at(src);
+	if(!src_info) {
+		return;
+	}
+	auto& filterchecks = *src_info->filterchecks;
+	std::vector<const filter_check_info*> fields;
+	filterchecks.get_all_fields(fields);
+	for(const auto& fld : fields) {
+		if(fld->m_fields->is_format_suggested()) {
+			s.engine->add_extra_output_format(format_suggested_field(fld),
+			                                  src,
+			                                  eo.m_tags,
+			                                  eo.m_rule,
+			                                  false);
+		}
+	}
+}
+
 void configure_output_format(falco::app::state& s) {
 	for(auto& eo : s.config->m_append_output) {
 		if(eo.m_format != "") {
@@ -45,6 +66,17 @@ void configure_output_format(falco::app::state& s) {
 			                                  false);
 		}
 
+		// Add suggested filtercheck formats to each source output
+		if(eo.m_suggested_output) {
+			if(eo.m_source.empty()) {
+				for(auto& src : s.loaded_sources) {
+					add_suggested_output(s, src, eo);
+				}
+			} else {
+				add_suggested_output(s, eo.m_source, eo);
+			}
+		}
+
 		for(auto const& ff : eo.m_formatted_fields) {
 			s.engine->add_extra_output_formatted_field(ff.first,
 			                                           ff.second,
@@ -58,25 +90,6 @@ void configure_output_format(falco::app::state& s) {
 		}
 	}
 
-	// Add suggested filtercheck formats to each source output
-	if(s.config->m_suggested_formats) {
-		for(auto& src : s.loaded_sources) {
-			auto src_info = s.source_infos.at(src);
-			auto& filterchecks = *src_info->filterchecks;
-			std::vector<const filter_check_info*> fields;
-			filterchecks.get_all_fields(fields);
-			for(const auto& fld : fields) {
-				if(fld->m_flags & EPF_FORMAT_SUGGESTED) {
-					s.engine->add_extra_output_format(format_suggested_field(fld),
-					                                  src,
-					                                  {},
-					                                  "",
-					                                  false);
-				}
-			}
-		}
-	}
-
 	// See https://falco.org/docs/rules/style-guide/
 	const std::string container_info =
 	        "container_id=%container.id container_image=%container.image.repository "

userspace/falco/config_json_schema.h

@@ -101,9 +101,6 @@ const char config_schema_string[] = LONG_STRING_CONST(
                 "buffered_outputs": {
                     "type": "boolean"
                 },
-                "suggested_formats": {
-                    "type": "boolean"
-                },
                 "rule_matching": {
                     "type": "string"
                 },
@@ -276,6 +273,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                             }
                         ]
                     }
+                },
+                "suggested_output": {
+                    "type": "boolean"
                 }
             }
         },

userspace/falco/configuration.cpp

@@ -72,7 +72,6 @@ falco_configuration::falco_configuration():
         m_rule_matching(falco_common::rule_matching::FIRST),
         m_watch_config_files(true),
         m_buffered_outputs(false),
-        m_suggested_formats(true),
         m_outputs_queue_capacity(DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE),
         m_time_format_iso_8601(false),
         m_buffer_format_base64(false),
@@ -484,7 +483,6 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 	}
 
 	m_buffered_outputs = m_config.get_scalar<bool>("buffered_outputs", false);
-	m_suggested_formats = m_config.get_scalar<bool>("suggested_formats", true);
 	m_outputs_queue_capacity =
 	        m_config.get_scalar<size_t>("outputs_queue.capacity",
 	                                    DEFAULT_OUTPUTS_QUEUE_CAPACITY_UNBOUNDED_MAX_LONG_VALUE);

userspace/falco/configuration.h

@@ -100,6 +100,7 @@ class falco_configuration {
 		std::set<std::string> m_tags;
 		std::string m_rule;
 		std::string m_format;
+		bool m_suggested_output = false;
 		std::unordered_map<std::string, std::string> m_formatted_fields;
 		std::set<std::string> m_raw_fields;
 	};
@@ -155,7 +156,6 @@ class falco_configuration {
 	bool m_time_format_iso_8601;
 	bool m_buffer_format_base64;
 	uint32_t m_output_timeout;
-	bool m_suggested_formats;
 
 	bool m_grpc_enabled;
 	uint32_t m_grpc_threadiness;
@@ -291,6 +291,10 @@ struct convert<falco_configuration::append_output_config> {
 			}
 		}
 
+		if(node["suggested_output"]) {
+			rhs.m_suggested_output = node["suggested_output"].as<bool>();
+		}
+
 		return true;
 	}
 };