Null output_fields object in falco output for k8s audit events

[tspearconquest]

Describe the bug
The output_fields object in falco output for k8s audit log events in an AKS cluster is null, but should either be an empty hash or have the output fields properly parsed and dropped into the object for log analysis tools.

Currently fluentd cannot process these log entries and throws a parsing error

How to reproduce it

• Configure the sysdig aks audit log forwarder in an azure kubernetes cluster as per https://github.com/sysdiglabs/aks-audit-log/blob/master/docs/readme-dev.md
• Configure Falco to receive the events from the forwarder.
  • This requires a docker image to be created from a dev binary build of falco due to Forwarding audit logs to falco from an AKS cluster using sysdiglabs/aks-audit-log #1702 so we used https://download.falco.org/packages/bin-dev/x86_64/falco-0.30.0-97%2Bbb8b75a2-x86_64.tar.gz

Expected behaviour
output_fields has a value, even if it is just an empty hash

Environment

• Falco version: 0.30.0-bb8b75a2

• System info:

• Cloud provider or hardware configuration: Azure
• OS: Ubuntu 18.04

• Kernel:

• Installation method: Kubernetes

Additional context
After successfully configuring falco and the sysdig audit log forwarder to work together in an AKS cluster, we observed that the k8s audit events have a null value for the output_fields object.

Because of this, fluentd's json parser cannot parse these events without first mutating the output to include an empty hash for the output_fields object. If we leave it null, the fluent throws a parser error for every log entry with a null value.

All of our k8s audit log events in falco have this issue, it is not limited to a specific rule or set of rules in falco.

The output in question looks like below:

{"output":"15:17:01.590452992: Notice Attach/Exec to pod (user=system:serviceaccount:glab:gitlab-runner pod=runner-mxnwd6zb-project-17542877-concurrent-0l2p7t ns=glab action=exec command=gitlab-runner-helper)","priority":"Notice","rule":"Attach/Exec Pod","source":"k8s_audit","tags":["k8s"],"time":"2022-01-07T15:17:01.590452992Z", "output_fields": }

It should look like below:

{"output":"15:17:01.590452992: Notice Attach/Exec to pod (user=system:serviceaccount:glab:gitlab-runner pod=runner-mxnwd6zb-project-17542877-concurrent-0l2p7t ns=glab action=exec command=gitlab-runner-helper)","priority":"Notice","rule":"Attach/Exec Pod","source":"k8s_audit","tags":["k8s"],"time":"2022-01-07T15:17:01.590452992Z","output_fields":{}}

Please check and correct this issue.