Change the format of the 'output' field in the JSON payload #2985
Comments
Someone else brought that up a while ago and had started something here https://github.com/falcosecurity/falco/pull/2670/files, maybe let's discuss? I can see a bit of a better cleanup even under the hood than that wip PR. @falcosecurity/falco-maintainers
The proposed changes make sense! There is no reason to duplicate the timestamp information in the output, or at least nothing I can think of at the moment!
Hey @Issif @incertum @Andreagit97, I would like to work on this issue. Please guide me on how I can start on this. Thanks!!
/assign
👍
@h4l0gen thank you for tackling this! (see falco/userspace/engine/formats.cpp, line 47 at f4aef00)
there is no need to change the
diff --git a/userspace/engine/formats.cpp b/userspace/engine/formats.cpp
index 106a58b7..c6bd07c5 100644
--- a/userspace/engine/formats.cpp
+++ b/userspace/engine/formats.cpp
@@ -43,9 +43,6 @@ std::string falco_formats::format_event(gen_event *evt, const std::string &rule,
formatter = m_falco_engine->create_formatter(source, format);
- // Format the original output string, regardless of output format
- formatter->tostring_withformat(evt, line, gen_event_formatter::OF_NORMAL);
-
if(formatter->get_output_format() == gen_event_formatter::OF_JSON)
{
std::string json_line;
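Review bot: removing the unconditional `OF_NORMAL` call here leaves `line` unset on entry to the `if`, so the text path now depends entirely on the new `else` added further down; if this hunk landed on its own, `format_event` would return `line` without ever formatting it for non-JSON output. The removal itself is right, since the JSON branch overwrites `line` with `full_line` anyway and the old call was wasted work in that case, but the two hunks must ship together and the commit message should state that text output is unchanged.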
@@ -89,6 +86,7 @@ std::string falco_formats::format_event(gen_event *evt, const std::string &rule,
if(m_json_include_output_property)
{
// This is the filled-in output line.
+ formatter->tostring_withformat(evt, line, gen_event_formatter::OF_JSON);
event["output"] = line;
}
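Review bot: the comment directly above still says "This is the filled-in output line", but the added call now formats `line` with `gen_event_formatter::OF_JSON`; please confirm that `tostring_withformat` under `OF_JSON` yields the rendered output text without the `<timestamp>: <Priority>` prefix rather than a JSON object of the resolved fields, and update the comment to say which it is. Making the call only when `m_json_include_output_property` is set is correct, since `line` is otherwise overwritten with `full_line` below.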
@@ -127,6 +125,11 @@ std::string falco_formats::format_event(gen_event *evt, const std::string &rule,
full_line.append("}");
line = full_line;
}
+ else
+ {
+ // Obtain `line` in the normal format
+ formatter->tostring_withformat(evt, line, gen_event_formatter::OF_NORMAL);
+ }
return line.c_str();
}
BTW just to answer your question on slack:
The function
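Review bot: `return line.c_str();` on the last line of the hunk converts a `std::string` to a C string only so that the declared `std::string` return type constructs a fresh copy; `return line;` is equivalent, avoids the extra copy and does not truncate at an embedded NUL byte. The new `else` branch restores the `OF_NORMAL` formatting for the text path, so text output is byte-for-byte unchanged by this diff; the commit message should say so, and the comment "Obtain `line` in the normal format" could name the prefix-free JSON case it contrasts with.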
BTW I propose to switch from

  {
    "output": "14:37:27.505989596: Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)",
    "priority": "WARNING",
    "rule": "PTRACE attached to process",
    "time": "2023-12-20T14:37:27.505989596Z",
    "output_fields": {
      "container.info": "container.info",
      "evt.arg.flags": "evt.arg.flags",
      "evt.type": "evt.type",
      "proc.cmdline": "proc.cmdline",
      "proc.exepath": "proc.exepath",
      "proc.name": "proc.name",
      "proc.pcmdline": "proc.pcmdline",
      "proc.pname": "proc.pname",
      "proc.tty": "proc.tty",
      "user.loginuid": "user.loginuid",
      "user.name": "user.name",
      "user.uid": "user.uid"
    },
    "hostname": "host-7.local",
    "source": "syscalls",
    "tags": [
      "maturity_stable",
      "host",
      "container",
      "process",
      "mitre_privilege_escalation",
      "T1055.008"
    ]
  }

to

  {
    "output": "(proc_pcmdline=%proc.pcmdline evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)",
    "priority": "WARNING",
    "rule": "PTRACE attached to process",
    "time": "2023-12-20T14:37:27.505989596Z",
    "output_fields": {
      "container.info": "container.info",
      "evt.arg.flags": "evt.arg.flags",
      "evt.type": "evt.type",
      "proc.cmdline": "proc.cmdline",
      "proc.exepath": "proc.exepath",
      "proc.name": "proc.name",
      "proc.pcmdline": "proc.pcmdline",
      "proc.pname": "proc.pname",
      "proc.tty": "proc.tty",
      "user.loginuid": "user.loginuid",
      "user.name": "user.name",
      "user.uid": "user.uid"
    },
    "hostname": "host-7.local",
    "source": "syscalls",
    "tags": [
      "maturity_stable",
      "host",
      "container",
      "process",
      "mitre_privilege_escalation",
      "T1055.008"
    ]
  }

@Issif @falcosecurity/falco-maintainers If we agree on this, the proposed patch #2985 (comment) should be enough
It's good to me. FYI, our example is not 100% accurate, the
See: https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml#L1105,L1117
Oh you are right
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
/remove-lifecycle stale
Any updates on this? Is there any blocker? 🤔
The blocker is this #3037 (comment), we need to decide what to do:
I vote for option 2. This was my initial proposal after all. Correct me if I'm wrong, by the
Yep we don't have the exact content of the
  "output": "14:37:27.505989596: Warning Detected ptrace PTRACE_ATTACH attempt ...",
  "rule": "PTRACE attached to process",
So
This is a particular case, the
Hi @Andreagit97, @Issif, and @leogr. Since we've encountered such a significant change in Falco, I'll wait for your decision on this PR before making any further changes. I don't have a strong opinion on this at the moment, though as @Issif mentioned, the second option looks good to me for now.
I still have to double-check, but I believe the 2nd option is ok. cc @falcosecurity/falco-maintainers wdyt?
Motivation
Right now, the default output for Falco is stdout with basic text as format. The generated log lines follow this pattern: <timestamp> <Priority> <output>
By choosing the JSON format we get the same content in the output field, with the same elements timestamp and Priority, but these elements are also contained in specific fields of the JSON. It implies we have a duplication of the information between the fields, and it creates a mess for systems trying to deduplicate alerts. See this issue for Falcosidekick.
Feature
I propose to allow an opt-in to remove the timestamp and/or the priority from the output when the JSON format is used.
Alternatives
I created a PR for Falcosidekick that allows reformatting the output field. See PR#729
Additional context
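As an added example (not code from the Falco project or from anyone in this thread), here is the consumer-side normalisation that the Motivation above and the proposed payload change in the comments both point at: a small Python module that strips the `<timestamp>: <Priority> ` prefix from the `output` field when it is present, so that a payload in today's format and one in the proposed prefix-free format yield the same deduplication key, while `time` and `priority` stay as delivered. The prefix regex, the capitalised priority names, the function names `strip_legacy_prefix`, `normalize_alert` and `dedup_key`, and the two sample payloads are assumptions made for this example; the ISO-8601 timestamp variant is accepted on the assumption that the `time_format_iso_8601` setting changes the prefix of the JSON `output` the same way it changes the text line.

```python
"""Normalise Falco JSON alerts so that the 'output' text is identical whether
Falco prefixed it with '<timestamp>: <Priority> ' (current behaviour) or not
(the opt-in proposed in this issue). Added example, not Falco project code."""
import hashlib
import json
import re
from typing import Dict, Optional, Tuple

# Falco priority names as they appear, capitalised, in the text output line.
PRIORITIES = ("Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug")

# Assumption: the legacy prefix is '<timestamp>: <Priority> ' where the
# timestamp is HH:MM:SS.nnnnnnnnn by default, or a full ISO-8601 date-time
# when time_format_iso_8601 is enabled; both forms are accepted here.
_PREFIX = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}T)?\d{2}:\d{2}:\d{2}\.\d+(?:Z|[+-]\d{2}:?\d{2})?: "
    r"(?P<prio>" + "|".join(PRIORITIES) + r") "
)


def strip_legacy_prefix(output: str) -> Tuple[str, Optional[str]]:
    """Return (output text without the prefix, priority found in the prefix).

    The priority is None when no prefix was present, i.e. the payload is
    already in the proposed prefix-free format.
    """
    m = _PREFIX.match(output)
    if m is None:
        return output, None
    return output[m.end():], m.group("prio")


def normalize_alert(alert: Dict) -> Dict:
    """Return a copy of the alert whose 'output' carries no timestamp/priority.

    'time' and 'priority' stay as delivered in the payload (they are the
    authoritative copies); the prefix, when present, is only cross-checked
    against the 'priority' field so a mangled line is not silently accepted.
    """
    text, prio = strip_legacy_prefix(alert.get("output", ""))
    field_prio = str(alert.get("priority", ""))
    if prio is not None and prio.upper() != field_prio.upper():
        raise ValueError(f"prefix priority {prio!r} != priority field {field_prio!r}")
    out = dict(alert)
    out["output"] = text
    return out


def dedup_key(alert: Dict) -> str:
    """Stable key for de-duplicating alerts: rule + hostname + output text.

    The timestamp is deliberately left out, so repeated alerts for the same
    rule, host and rendered fields collapse to one key regardless of format.
    """
    a = normalize_alert(alert)
    material = json.dumps([a.get("rule", ""), a.get("hostname", ""), a["output"]])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


# Constructed sample payloads (not captured from a real Falco run): the same
# event once with today's prefixed 'output' and once in the proposed format.
LEGACY_ALERT = json.loads("""{
  "output": "14:37:27.505989596: Warning Detected ptrace PTRACE_ATTACH attempt (proc_name=strace evt_type=ptrace)",
  "priority": "Warning",
  "rule": "PTRACE attached to process",
  "time": "2023-12-20T14:37:27.505989596Z",
  "hostname": "host-7.local",
  "source": "syscalls"
}""")
PROPOSED_ALERT = dict(
    LEGACY_ALERT,
    output="Detected ptrace PTRACE_ATTACH attempt (proc_name=strace evt_type=ptrace)",
)

if __name__ == "__main__":
    print(normalize_alert(LEGACY_ALERT)["output"])
    print("same dedup key:", dedup_key(LEGACY_ALERT) == dedup_key(PROPOSED_ALERT))
```

Running the module prints the prefix-free output text and `same dedup key: True`. The cross-check in `normalize_alert` is the defensive part: if a prefix is found but its priority disagrees with the `priority` field, the alert is rejected rather than quietly re-keyed, which is the failure a deduplicating consumer most wants to notice while both formats are in circulation.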