sample

Documentation

Overview

This plugin is an example of plugin that supports both the event sourcing and the field extraction capabilities.

Index

• Constants
• type Plugin
  • func (p *Plugin) Destroy()
  • func (p *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) error
  • func (p *Plugin) Fields() []sdk.FieldEntry
  • func (m *Plugin) Info() *plugins.Info
  • func (p *Plugin) Init(config string) error
  • func (p *Plugin) InitSchema() *sdk.SchemaInfo
  • func (m *Plugin) Open(params string) (source.Instance, error)
• type PluginConfig
  • func (p *PluginConfig) Reset()

Constants

const (
	// note: 999 is for development only. Once released, plugins need to
	// get assigned an ID in the public Falcosecurity registry.
	// See: https://github.com/falcosecurity/plugins#plugin-registry
	PluginID          uint32 = 999
	PluginName               = "sample"
	PluginDescription        = "Template Sample of a Falco Plugin"
	PluginContact            = "github.com/jasondellaluce/falco-plugin-template"
	PluginVersion            = "0.1.0"
	PluginEventSource        = "sample"
)

Types

type Plugin

type Plugin struct {
	plugins.BasePlugin
	Config PluginConfig
}

Defining a type for the plugin. Composing the struct with plugins.BasePlugin is the recommended practice as it provides the boilerplate code that satisfies most of the interface requirements of the SDK.

State variables to store in the plugin must be defined here.

func (*Plugin) Destroy

func (p *Plugin) Destroy()

Destroy is gets called by the SDK when the plugin gets deinitialized. This is useful to release any open resource used by the plugin. This method is optional.

func (*Plugin) Extract

func (p *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) error

This method is mandatory the field extraction capability. If the Extract method is defined, the framework expects an Fields method to be specified too.

func (*Plugin) Fields

func (p *Plugin) Fields() []sdk.FieldEntry

Fields return the list of extractor fields exported by this plugin. This method is mandatory the field extraction capability. If the Fields method is defined, the framework expects an Extract method to be specified too.

func (*Plugin) Info

func (m *Plugin) Info() *plugins.Info

Info returns a pointer to a plugin.Info struct, containing all the general information about this plugin. This method is mandatory.

func (*Plugin) Init

func (p *Plugin) Init(config string) error

Init initializes this plugin with a given config string. Since this plugin defines the InitSchema() method, we can assume that the configuration is pre-validated by the framework and always well-formed according to the provided schema. This method is mandatory.

func (*Plugin) InitSchema

func (p *Plugin) InitSchema() *sdk.SchemaInfo

InitSchema is gets called by the SDK before initializing the plugin. This returns a schema representing the configuration expected by the plugin to be passed to the Init() method. Defining InitSchema() allows the framework to automatically validate the configuration, so that the plugin can assume that it to be always be well-formed when passed to Init(). This is ignored if the return value is nil. The returned schema must follow the JSON Schema specific. See: https://json-schema.org/ This method is optional.

func (*Plugin) Open

func (m *Plugin) Open(params string) (source.Instance, error)

Open opens the plugin source and starts a new capture session (e.g. stream of events), creating a new plugin instance. The state of each instance can be initialized here. This method is mandatory for the event sourcing capability.

type PluginConfig

type PluginConfig struct {
}

Defining a type for the plugin configuration. In this simple example, users can define the starting value the event counter. the `jsonschema` tags is used to automatically generate a JSON Schema definition, so that the framework can perform automatic validations.

func (*PluginConfig) Reset

func (p *PluginConfig) Reset()

Resets sets the configuration to its default values