Event logsource extraction for opt-in, conflict-based logsource pruning.
A LogSourceExtractor derives a LogSource from an event by reading
configurable field names (defaulting to the literals product, service,
and category), falling back to optional static defaults. The result feeds
the engine’s conflict-based pruning: an event tagged product: windows
skips product: linux rules without dropping Windows-category or
logsource-less rules.
Extraction is fail-open per dimension: a field that is absent, null, or blank leaves that dimension unset (after the static default is consulted), so a missing tag never prunes anything.
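The fail-open extraction and conflict check described above, as an added sketch that is not this crate's code: `Event`, `Dims`, `dims`, `extract` and `conflicts` are hypothetical names, and the event is modeled as a plain map where `None` stands for a null field.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for illustration; not the crate's LogSource types.
type Event = HashMap<&'static str, Option<&'static str>>; // None models a null field
type Dims = [Option<String>; 3]; // product, service, category

const FIELDS: [&str; 3] = ["product", "service", "category"];

fn dims(p: Option<&str>, s: Option<&str>, c: Option<&str>) -> Dims {
    [p, s, c].map(|v| v.map(str::to_string))
}

/// Fail-open per dimension: absent, null or blank falls back to the static
/// default, and stays unset when there is no default.
fn extract(event: &Event, defaults: &[Option<&str>; 3]) -> Dims {
    let mut out: Dims = [None, None, None];
    for (i, field) in FIELDS.iter().enumerate() {
        let tagged = event.get(field).copied().flatten()
            .map(str::trim)
            .filter(|v| !v.is_empty());
        out[i] = tagged.or(defaults[i]).map(str::to_string);
    }
    out
}

/// A rule conflicts only when both sides set a dimension to different values.
fn conflicts(event: &Dims, rule: &Dims) -> bool {
    event.iter().zip(rule).any(|(e, r)| matches!((e, r), (Some(a), Some(b)) if a != b))
}

fn main() {
    // Constructed sample event: product tagged, service blank, category null.
    let ev: Event = HashMap::from([("product", Some("windows")), ("service", Some(" ")), ("category", None)]);
    let src = extract(&ev, &[None, None, None]);
    let rules = [
        ("linux rule", dims(Some("linux"), None, None)),
        ("windows process_creation rule", dims(Some("windows"), None, Some("process_creation"))),
        ("logsource-less rule", dims(None, None, None)),
    ];
    for (name, rule) in &rules {
        println!("{name}: {}", if conflicts(&src, rule) { "pruned" } else { "evaluated" });
    }
}
```

Note that a static default counts as a set dimension in this sketch, so a default of product: linux prunes Windows rules for every untagged event.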
Structs§
- LogSourceExtractor - Derives an event LogSource from configurable fields plus static defaults, for conflict-based logsource pruning on the evaluation hot path.