new(outputs): expose rule tags and event source in gRPC and json outputs#1714
Conversation
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
|
Welcome @jasondellaluce! It looks like this is your first PR to falcosecurity/falco 🎉 |
|
/milestone 0.30.0 |
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
jasondellaluce
changed the title
There was a problem hiding this comment.
Just found a spacing issue (see the comment below), otherwise LGTM!
Btw, great improvements, thank you! 👍
Note for reviewers: since the Lua code has been changed, to avoid a headache, make sure your local Falco's built is pointing to the correct Lua files 😺
|
cc @Issif |
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
|
LGTM label has been added. DetailsGit tree hash: e81a8c7a4fb3ef9c28bf009a85e0f09c7f34c363 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jasondellaluce, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Late to the party... Have you folks considered making the output of the tags configurable? The reason they were not there was also that, as far as I remember, the Furthermore, a test covering such a scenario (no tags defined in the rule) would have been helpful to understand what's the resulting json in that case (empty array? other? valid json?). |
leodido
left a comment
leodido
left a comment
There was a problem hiding this comment.
Great job Jason!
Left two comments
|
|
||
| // tags | ||
| auto tags = grpc_res.mutable_tags(); | ||
| *tags = {msg->tags.begin(), msg->tags.end()}; |
There was a problem hiding this comment.
Let's check what we end up with when a Falco rule does not have tags defined.
Do we obtain ...,"tags":[],... or not? I'd prefer a clean JSON, but that's my personal preference only :)
There was a problem hiding this comment.
I don't have any preferences. Anyway, I agree with @leodido that a test covering such a scenario (especially for the JSON output format) would be really helpful to clarify the expected result.
There was a problem hiding this comment.
Thank you for your review! I opened a PR to address these concerns, so we can eventually move this conversation there: #1733
|
I'm really happy of this PR, when Falco 0.30.0 is out, I'll update the format of json in Falcosidekick either 👍 . |
6 participants
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
outputsservice.Which issue(s) this PR fixes:
Fixes #1647, #1713
Does this PR introduce a user-facing change?: