falco_plugin::parse

Trait ParsePlugin

Source 
pub trait ParsePlugin: Plugin + ParsePluginExported {
    const EVENT_TYPES: &'static [EventType];
    const EVENT_SOURCES: &'static [&'static str];

    // Required method
    fn parse_event(
        &mut self,
        event: &EventInput,
        parse_input: &ParseInput<'_>,
    ) -> Result<()>;
}
Expand description

§Support for event parse plugins

Required Associated Constants§

Source

const EVENT_TYPES: &'static [EventType]

§Supported event types

This list contains the event types that this plugin will receive for event parsing. Events that are not included in this list will not be received by the plugin.

This is a non-functional filter that should not influence the plugin’s functional behavior. Instead, this is a performance optimization with the goal of avoiding unnecessary communication between the framework and the plugin for events that are known to be not used for event parsing.

If this list is empty, then:

Note: some notable event types are:

Source

const EVENT_SOURCES: &'static [&'static str]

§Supported event sources

This list contains the event sources that this plugin is capable of parsing.

If this list is empty, then if plugin has sourcing capability, and implements a specific event source, it will only receive events matching its event source, otherwise it will receive events from all event sources.

Note: one notable event source is called syscall

Required Methods§

Source

fn parse_event( &mut self, event: &EventInput, parse_input: &ParseInput<'_>, ) -> Result<()>

§Parse an event

Receives an event from the current capture and parses its content. The plugin is guaranteed to receive an event at most once, after any operation related the event sourcing capability, and before any operation related to the field extraction capability.

Dyn Compatibility§

This trait is not dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety", so this trait is not object safe.

Implementors§