§Event parsing support
Plugins with event parsing capability can hook into an event stream and receive all of its events sequentially. The parsing phase is the stage in the event processing loop in which the Falcosecurity libraries inspect the content of the events’ payload and use it to apply internal state updates or implement additional logic. This phase happens before any field extraction for a given event. Each event in a given stream is guaranteed to be received at most once.
For your plugin to support event parsing, you will need to implement the parse::ParsePlugin trait and invoke the parse_plugin macro, for example:
    use falco_plugin::anyhow::Error;
    use falco_plugin::event::events::types::EventType;
    use falco_plugin::base::Plugin;
    use falco_plugin::{parse_plugin, plugin};
    use falco_plugin::parse::{EventInput, ParseInput, ParsePlugin};

    struct MyParsePlugin;

    impl Plugin for MyParsePlugin {
        // ...
    }

    impl ParsePlugin for MyParsePlugin {
        const EVENT_TYPES: &'static [EventType] = &[]; // inspect all events...
        const EVENT_SOURCES: &'static [&'static str] = &[]; // ... from all event sources

        fn parse_event(&mut self, event: &EventInput, parse_input: &ParseInput)
            -> Result<(), Error> {
            let event = event.event()?;
            let event = event.load_any()?;

            // any processing you want here, e.g. involving tables
            Ok(())
        }
    }

    plugin!(MyParsePlugin);
    parse_plugin!(MyParsePlugin);
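The ordering described above (state updates in the parse phase happen before field extraction for the same event) can be seen in a small stand-alone model. This is an added example, not code from the falco_plugin crate: `Event`, `ProcTable`, `extract_exe` and `run` are hypothetical names, and the events are constructed sample data.

```rust
use std::collections::HashMap;

// Constructed stand-in for an event stream; these are NOT falco_plugin types.
enum Event {
    Exec { pid: u32, path: String },
    Open { pid: u32 },
    Exit { pid: u32 },
}

/// State owned by the parse phase: pid -> most recently executed binary.
#[derive(Default)]
struct ProcTable {
    exe_by_pid: HashMap<u32, String>,
}

impl ProcTable {
    /// Parse hook (hypothetical): sees each event once, in stream order.
    fn parse_event(&mut self, ev: &Event) {
        match ev {
            Event::Exec { pid, path } => {
                self.exe_by_pid.insert(*pid, path.clone());
            }
            Event::Exit { pid } => {
                self.exe_by_pid.remove(pid);
            }
            Event::Open { .. } => {}
        }
    }

    /// Field extraction (hypothetical): read-only view of the parsed state.
    fn extract_exe(&self, ev: &Event) -> Option<String> {
        let pid = match ev {
            Event::Exec { pid, .. } | Event::Open { pid } | Event::Exit { pid } => pid,
        };
        self.exe_by_pid.get(pid).cloned()
    }
}

/// Model of the loop: for every event, parse first, then extract.
fn run(events: &[Event]) -> Vec<Option<String>> {
    let mut table = ProcTable::default();
    events.iter().map(|ev| { table.parse_event(ev); table.extract_exe(ev) }).collect()
}

fn main() {
    let events = [Event::Exec { pid: 7, path: "/bin/sh".into() }, Event::Open { pid: 7 }, Event::Exit { pid: 7 }];
    println!("{:?}", run(&events));
}
```

In this model the exit event itself already extracts `None`, because its parse step removed the entry first; a detection that needs the process name on exit has to defer that cleanup.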
Structs§
- EventInput - An event from which additional data may be extracted
- ParseInput - The input to a parse plugin
Traits§
- ParsePlugin - Support for event parse plugins