Trait falco_plugin::extract::ExtractPlugin
```rust
pub trait ExtractPlugin: Plugin + Sized
where
    Self: 'static,
{
    type ExtractContext: Default + 'static;

    const EVENT_TYPES: &'static [EventType];
    const EVENT_SOURCES: &'static [&'static str];
    const EXTRACT_FIELDS: &'static [ExtractFieldInfo<Self>];

    // Provided methods
    fn get_fields() -> &'static CStr { ... }
    fn extract_fields<'a>(
        &'a mut self,
        event_input: &EventInput,
        table_reader: TableReader,
        fields: &mut [ss_plugin_extract_field],
        storage: &'a mut FieldStorage,
    ) -> Result<(), Error> { ... }
}
```
Support for field extraction plugins
Required Associated Types

type ExtractContext: Default + 'static

The extraction context.

It might be useful if your plugin supports multiple fields and they all share some common preprocessing steps. Instead of redoing the preprocessing for each field, intermediate results can be stored in the context and reused by subsequent extractions from the same event. The context is created fresh for every extract_fields call, so it never carries state from one event over to the next.

If you do not need a context to share between extracting fields of the same event, use () as the type.
Required Associated Constants

const EVENT_TYPES: &'static [EventType]

The set of event types supported by this plugin.

If empty, the plugin will get invoked for all event types; otherwise it will only get invoked for event types from this list.

const EVENT_SOURCES: &'static [&'static str]

The set of event sources supported by this plugin.

If empty, the plugin will get invoked for events coming from all sources; otherwise it will only get invoked for events from sources named in this list.
Note: one notable event source is called syscall, the source of the kernel events collected by Falco's drivers.
const EXTRACT_FIELDS: &'static [ExtractFieldInfo<Self>]

The actual list of extractable fields.

The required signature corresponds to a method like:

```rust
use anyhow::Error;
use falco_plugin::extract::{EventInput, ExtractFieldRequestArg};
use falco_plugin::tables::TableReader;

fn extract_sample(
    &mut self,
    context: &mut (),
    arg: ExtractFieldRequestArg,
    event: &EventInput,
    tables: &TableReader,
) -> Result<R, Error> {
    // compute the field value from `event` (and `context`, `arg`, `tables` as needed)
}
```

where R is one of the following types or a Vec of them:

The parameters are:

- context may be shared between all extractions for a particular event (see ExtractContext).
- arg is the actual argument passed along with the field (see ExtractFieldRequestArg).
- event is the event being processed (see EventInputExt).
- tables is an interface to access tables exposed from Falco core and other plugins (see tables).

Note: while the returned field type is automatically determined based on the return type of the function, the argument type defaults to ExtractArgType::None and must be explicitly specified using ExtractFieldInfo::with_arg if the function expects an argument. A field registered without an argument type will never receive one, even if the rule author writes field[arg].
Provided Methods

fn get_fields() -> &'static CStr

Generate the field schema for the Falco plugin framework.

The default implementation inspects all fields from Self::EXTRACT_FIELDS and generates a JSON description in the format expected by the framework.
fn extract_fields<'a>(
    &'a mut self,
    event_input: &EventInput,
    table_reader: TableReader,
    fields: &mut [ss_plugin_extract_field],
    storage: &'a mut FieldStorage,
) -> Result<(), Error>

Perform the actual field extraction.

The default implementation creates an empty context and loops over all extraction requests, invoking the relevant function to actually generate the field value.