
Module logsource


Event logsource extraction for opt-in, conflict-based logsource pruning.

A LogSourceExtractor derives a LogSource from an event by reading configurable field names (defaulting to the literals product, service, and category), falling back to optional static defaults. The result feeds the engine’s conflict-based pruning: an event tagged product: windows skips product: linux rules without dropping Windows-category or logsource-less rules.

Extraction is fail-open per dimension: a field that is absent, null, or blank leaves that dimension unset (after the static default is consulted), so a missing tag never prunes anything.
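The fail-open extraction and conflict check described above, as an added Rust sketch that is not the crate's own code. The LogSource, Event, extract and conflicts definitions here are hypothetical stand-ins, the event is a constructed map in which None models null, and exact string comparison between rule and event values is an assumption.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for this added example, not the crate's real types.
#[derive(Debug, Default, Clone, PartialEq)]
struct LogSource {
    product: Option<String>,
    service: Option<String>,
    category: Option<String>,
}

// Constructed event model: field name -> value, with None standing in for null.
type Event = HashMap<&'static str, Option<&'static str>>;
const DEFAULT_FIELDS: [&str; 3] = ["product", "service", "category"];

fn ls(p: Option<&str>, s: Option<&str>, c: Option<&str>) -> LogSource {
    LogSource { product: p.map(str::to_owned), service: s.map(str::to_owned), category: c.map(str::to_owned) }
}

// Fail-open per dimension: an absent, null, or blank field falls back to the
// static default; if that is unset too, the dimension stays None.
fn dimension(event: &Event, field: &str, default: &Option<String>) -> Option<String> {
    let tag = event.get(field).copied().flatten().map(str::trim).filter(|v| !v.is_empty());
    tag.map(str::to_owned).or_else(|| default.clone())
}

fn extract(event: &Event, fields: [&str; 3], defaults: &LogSource) -> LogSource {
    LogSource {
        product: dimension(event, fields[0], &defaults.product),
        service: dimension(event, fields[1], &defaults.service),
        category: dimension(event, fields[2], &defaults.category),
    }
}

// A dimension conflicts only when both sides set it and the values differ
// (exact match is an assumption of this sketch).
fn differ(rule: &Option<String>, event: &Option<String>) -> bool {
    matches!((rule, event), (Some(r), Some(e)) if r != e)
}

fn conflicts(rule: &LogSource, event: &LogSource) -> bool {
    differ(&rule.product, &event.product) || differ(&rule.service, &event.service) || differ(&rule.category, &event.category)
}

fn main() {
    // Constructed sample event: product set, service blank, category null.
    let event: Event = HashMap::from([("product", Some("windows")), ("service", Some("  ")), ("category", None)]);
    let src = extract(&event, DEFAULT_FIELDS, &LogSource::default());
    println!("{:?}", src);
    println!("linux rule pruned: {}", conflicts(&ls(Some("linux"), None, None), &src));
}
```

Because a rule is skipped only on a positive mismatch, an untagged event with no static defaults is evaluated against every rule.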

Structs

LogSourceExtractor
Derives an event LogSource from configurable fields plus static defaults, for conflict-based logsource pruning on the evaluation hot path.