From 8fbf49bbba9c80b16e0246e138df9303fbaafcae Mon Sep 17 00:00:00 2001
From: Leonardo Grasso <me@leonardograsso.com>
Date: Tue, 22 Aug 2023 18:13:20 +0200
Subject: [PATCH] update(userspace/falco): new defaults for `-p` presets

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
---
 userspace/falco/app/actions/init_falco_engine.cpp | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/userspace/falco/app/actions/init_falco_engine.cpp b/userspace/falco/app/actions/init_falco_engine.cpp
index 54b1019239f..a32e804fb63 100644
--- a/userspace/falco/app/actions/init_falco_engine.cpp
+++ b/userspace/falco/app/actions/init_falco_engine.cpp
@@ -22,27 +22,32 @@ using namespace falco::app::actions;
 
 void configure_output_format(falco::app::state& s)
 {
+	// See https://falco.org/docs/rules/style-guide/
+	const std::string container_info = "container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name";
+	const std::string k8s_info = "k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name";
+	const std::string gvisor_info = "vpid=%proc.vpid vtid=%thread.vtid";
+
 	std::string output_format;
 	bool replace_container_info = false;
 
 	if(s.options.print_additional == "c" || s.options.print_additional == "container")
 	{
-		output_format = "container=%container.name (id=%container.id)";
+		output_format = container_info;
 		replace_container_info = true;
 	}
 	else if(s.options.print_additional == "cg" || s.options.print_additional == "container-gvisor")
 	{
-		output_format = "container=%container.name (id=%container.id) vpid=%proc.vpid vtid=%thread.vtid";
+		output_format = gvisor_info + " " + container_info;
 		replace_container_info = true;
 	}
 	else if(s.options.print_additional == "k" || s.options.print_additional == "kubernetes")
 	{
-		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id";
+		output_format = container_info + " " + k8s_info;
 		replace_container_info = true;
 	}
 	else if(s.options.print_additional == "kg" || s.options.print_additional == "kubernetes-gvisor")
 	{
-		output_format = "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name container=%container.id vpid=%proc.vpid vtid=%thread.vtid";
+		output_format = gvisor_info + " " + container_info + " " + k8s_info;
 		replace_container_info = true;
 	}
 	else if(!s.options.print_additional.empty())