Module falco_plugin::parse


§Event parsing support

Plugins with event parsing capability can hook into an event stream and receive all of its events sequentially. The parsing phase is the stage in the event processing loop in which the Falcosecurity libraries inspect the content of the events’ payload and use it to apply internal state updates or implement additional logic. This phase happens before any field extraction for a given event. Each event in a given stream is guaranteed to be received at most once.

For your plugin to support event parsing, you will need to implement the `parse::ParsePlugin` trait and invoke the `parse_plugin!` macro, for example:

use std::ffi::{CStr, CString};
use std::sync::Arc;
use std::sync::atomic::{AtomicBool, Ordering};
use std::thread::JoinHandle;
use anyhow::Error;
use falco_event::{ };
use falco_event::events::types::EventType;
use falco_plugin::base::{InitInput, Plugin};
use falco_plugin::{EventInputExt, FailureReason, parse_plugin, plugin};
use falco_plugin::parse::{EventInput, ParseInput, ParsePlugin};
use falco_plugin_api::{ss_plugin_event_input, ss_plugin_event_parse_input};

/// Example plugin type. It is a unit struct, so it holds no state of its own.
struct MyParsePlugin;

// Base plugin implementation; this example elides its contents.
impl Plugin for MyParsePlugin {
    // ... (the items of the `Plugin` trait go here; they are omitted in this example)
}

/// Event parsing capability for `MyParsePlugin`.
///
/// Both filters below are empty, which in this example means the parser is offered every
/// event type from every event source. A plugin that only needs a few event types should
/// list them instead, so that `parse_event` runs on, and has to be robust against, as
/// little input as possible.
impl ParsePlugin for MyParsePlugin {
    // Empty list: no filtering by event type.
    const EVENT_TYPES: &'static [EventType] = &[];
    // Empty list: no filtering by event source.
    const EVENT_SOURCES: &'static [&'static str] = &[];

    /// Parses one event from the stream.
    ///
    /// # Errors
    ///
    /// Propagates the error returned by `event.event()` or by `load_any()` when either
    /// step fails.
    // NOTE(review): how the framework reacts to an `Err` returned from here is not shown
    // in this example; confirm before letting a catch-all parser propagate decode failures.
    fn parse_event(
        &mut self,
        event: &EventInput,
        parse_input: &ParseInput,
    ) -> anyhow::Result<()> {
        // Obtain the raw event first, then decode it without committing to one event type.
        let raw = event.event()?;
        let decoded = raw.load_any()?;

        // Any processing you want goes here, e.g. involving tables. The payload originates
        // outside this plugin, so treat decoded fields as untrusted when they drive state
        // updates: bound sizes and reject unexpected values rather than assuming
        // well-formed input.

        Ok(())
    }
}

// Register the plugin type (presumably this exports the base plugin API; confirm in the
// `plugin!` macro documentation).
plugin!(MyParsePlugin);
// Needed in addition to the `ParsePlugin` impl for the plugin to support event parsing.
parse_plugin!(MyParsePlugin);

Structs§

Traits§