Trait falco_plugin::source::SourcePlugin

source · 
pub trait SourcePlugin: Plugin {
    type Instance: SourcePluginInstance<Plugin = Self>;

    const EVENT_SOURCE: &'static CStr;
    const PLUGIN_ID: u32;

    // Required methods
    fn open(&mut self, params: Option<&str>) -> Result<Self::Instance, Error>;
    fn event_to_string(&mut self, event: &EventInput) -> Result<CString, Error>;

    // Provided methods
    fn list_open_params(&mut self) -> Result<&CStr, Error> { ... }
    fn close(&mut self, _instance: &mut Self::Instance) { ... }
}
Expand description

§Support for event sourcing plugins

Required Associated Types§

source

type Instance: SourcePluginInstance<Plugin = Self>

§Instance type

Each source plugin defines an instance type. The instance is the object responsible for actual generation of events. The plugin type mostly serves as a way to create and destroy instances.

Note: while there may be multiple instances for a particular plugin, there will be at most one at any given time.

Required Associated Constants§

source

const EVENT_SOURCE: &'static CStr

§Event source name

This string describes the event source. One notable event source name is syscall, for plugins collecting syscall information.

If the plugin defines both EVENT_SOURCE and PLUGIN_ID, it will only be allowed to emit events of type PluginEvent with the plugin_id field matching PLUGIN_ID in the definition of this trait.

This constant must be a non-empty string if PLUGIN_ID is set.

source

const PLUGIN_ID: u32

§Plugin ID

This is the unique ID of the plugin.

If the plugin defines both EVENT_SOURCE and PLUGIN_ID, it will only be allowed to emit events of type PluginEvent with the plugin_id field matching PLUGIN_ID in the definition of this trait.

EVERY PLUGIN WITH EVENT SOURCING CAPABILITY IMPLEMENTING A SPECIFIC EVENT SOURCE MUST OBTAIN AN OFFICIAL ID FROM THE FALCOSECURITY ORGANIZATION, OTHERWISE IT WON’T PROPERLY COEXIST WITH OTHER PLUGINS.

Required Methods§

source

fn open(&mut self, params: Option<&str>) -> Result<Self::Instance, Error>

§Open a capture instance

This method receives the open parameter from Falco configuration and returns a new instance of the source plugin.

source

fn event_to_string(&mut self, event: &EventInput) -> Result<CString, Error>

§Render an event to string

This string will be available as %evt.plugininfo in Falco rules.

Provided Methods§

source

fn list_open_params(&mut self) -> Result<&CStr, Error>

§List sample open parameters

Return a list of suggested open parameters supported by this plugin. Any of the values in the returned list are valid parameters for open().

The default implementation returns an empty string, but you can use crate::source::serialize_open_params and crate::source::OpenParam to build a description of what the SourcePlugin::open method expects.

Note: as of API version 3.4.0, this appears unused.

source

fn close(&mut self, _instance: &mut Self::Instance)

§Close a capture instance

The default implementation does nothing, leaving all cleanup to the instance type’s Drop implementation, if any.

Object Safety§

This trait is not object safe.

Implementors§