Falco outputs refactoring

.gitignore

@@ -11,8 +11,6 @@ test/.phoronix-test-suite
 test/results*.json.*
 test/build
 
-userspace/falco/lua/re.lua
-userspace/falco/lua/lpeg.so
 userspace/engine/lua/lyaml
 userspace/engine/lua/lyaml.lua
 

.luacheckrc

@@ -1,7 +1,6 @@
 std = "min"
 cache = true
 include_files = {
-    "userspace/falco/lua/*.lua",
     "userspace/engine/lua/*.lua",
     "userspace/engine/lua/lyaml/*.lua",
     "*.luacheckrc"

test/falco_test.py

@@ -224,13 +224,14 @@ def setUp(self):
                     output['actual'] = key
                     output['expected'] = value
                     output_strictly_contains.append(output)
-                    # Clean up file from previous tests, if any
-                    if not output['actual'] == 'stdout' and os.path.exists(output['actual']):
-                        os.remove(output['actual'])
-                    filedir = os.path.dirname(output['expected'])
-                    # Create the parent directory for the file if it doesn't exist.
-                    if not os.path.isdir(filedir):
-                        os.makedirs(filedir)
+                    if not output['actual'] == 'stdout':
+                        # Clean up file from previous tests, if any
+                        if os.path.exists(output['actual']):
+                            os.remove(output['actual'])
+                        # Create the parent directory for the file if it doesn't exist.
+                        filedir = os.path.dirname(output['actual'])
+                        if not os.path.isdir(filedir):
+                            os.makedirs(filedir)
             self.output_strictly_contains = output_strictly_contains
 
         self.grpcurl_res = None

test/falco_tests.yaml

@@ -659,6 +659,7 @@ trace_files: !mux
       - rules/single_rule.yaml
     conf_file: confs/stdout_output.yaml
     trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
     output_strictly_contains:
       - stdout: output_files/single_rule_with_cat_write.txt
 
@@ -670,6 +671,7 @@ trace_files: !mux
       - rules/single_rule.yaml
     conf_file: confs/stdout_output.yaml
     trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
     output_strictly_contains:
       - stdout: output_files/single_rule_with_cat_write.json
 
@@ -680,6 +682,7 @@ trace_files: !mux
       - rules/single_rule.yaml
     conf_file: confs/file_output.yaml
     trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
     output_strictly_contains:
       - /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt
 
@@ -690,6 +693,7 @@ trace_files: !mux
       - rules/single_rule.yaml
     conf_file: confs/program_output.yaml
     trace_file: trace_files/cat_write.scap
+    time_iso_8601: true
     output_strictly_contains:
       - /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt
 
@@ -701,6 +705,7 @@ trace_files: !mux
     conf_file: confs/grpc_unix_socket.yaml
     trace_file: trace_files/cat_write.scap
     run_duration: 5
+    time_iso_8601: true
     grpc:
       address: unix:///tmp/falco/falco.sock
       proto: outputs.proto
@@ -711,10 +716,10 @@ trace_files: !mux
         - "seconds:1470327477 nanos:881781397"
         - "priority: WARNING"
         - "rule: \"open_from_cat\""
-        - "output: \"18:17:57.881781397: Warning An open was seen (command=cat /dev/null)\""
+        - "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\""
         # output fields
-        - "key: \"evt.time\""
-        - "value: \"18:17:57.881781397\""
+        - "key: \"evt.time.iso8601\""
+        - "value: \"2016-08-04T16:17:57.881781397+0000\""
         - "key: \"proc.cmdline\""
         - "value: \"cat /dev/null\""
         # For the hostname, since we don't know that beforehand,

test/output_files/single_rule_with_cat_write.json

@@ -1,8 +1,8 @@
-{"output":"18:17:57.881781397: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.881785348: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.881796705: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.881799840: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882003104: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882008208: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882045694: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
-{"output":"18:17:57.882054739: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time":1470327477882054739,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881781397Z", "output_fields": {"evt.time.iso8601":1470327477881781397,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881785348Z", "output_fields": {"evt.time.iso8601":1470327477881785348,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881796705Z", "output_fields": {"evt.time.iso8601":1470327477881796705,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.881799840Z", "output_fields": {"evt.time.iso8601":1470327477881799840,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882003104Z", "output_fields": {"evt.time.iso8601":1470327477882003104,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882008208Z", "output_fields": {"evt.time.iso8601":1470327477882008208,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882045694Z", "output_fields": {"evt.time.iso8601":1470327477882045694,"proc.cmdline":"cat /dev/null"}}
+{"output":"2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)","priority":"Warning","rule":"open_from_cat","time":"2016-08-04T16:17:57.882054739Z", "output_fields": {"evt.time.iso8601":1470327477882054739,"proc.cmdline":"cat /dev/null"}}

test/output_files/single_rule_with_cat_write.txt

@@ -1,8 +1,8 @@
-18:17:57.881781397: Warning An open was seen (command=cat /dev/null)
-18:17:57.881785348: Warning An open was seen (command=cat /dev/null)
-18:17:57.881796705: Warning An open was seen (command=cat /dev/null)
-18:17:57.881799840: Warning An open was seen (command=cat /dev/null)
-18:17:57.882003104: Warning An open was seen (command=cat /dev/null)
-18:17:57.882008208: Warning An open was seen (command=cat /dev/null)
-18:17:57.882045694: Warning An open was seen (command=cat /dev/null)
-18:17:57.882054739: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881785348+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881796705+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.881799840+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882003104+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882008208+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882045694+0000: Warning An open was seen (command=cat /dev/null)
+2016-08-04T16:17:57.882054739+0000: Warning An open was seen (command=cat /dev/null)

userspace/engine/falco_engine.cpp

@@ -171,9 +171,8 @@ void falco_engine::load_rules(const string &rules_content, bool verbose, bool al
 					  m_ls);
 	}
 
-	// Note that falco_formats is added to both the lua state used
-	// by the falco engine as well as the separate lua state used
-	// by falco outputs.  Within the engine, only
+	// Note that falco_formats is added to the lua state used
+	// by the falco engine only. Within the engine, only
 	// formats.formatter is used, so we can unconditionally set
 	// json_output to false.
 	bool json_output = false;