program_output does not work for any command other than "mail" #422

Closed
mirislam opened this issue Sep 22, 2018 · 4 comments
Comments

@mirislam

So here is an odd problem. Looks like the program_output does not work for any binary other than mail. I am suspecting that there is a whitelist of binaries which can be used in program_output but is not documented. To validate that theory, I replaced my "mail" binary and put a shell script called "mail" which calls the binary I want (in this case curl to post to elasticsearch). Sure enough, that worked.

Is this a bug or a feature? If it is a feature where is the documentation for the allowed programs?

# Possible additional things you might want to do with program output:
#   - send to a slack webhook:
#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
#   - logging (alternate method than syslog):
#         program: logger -t falco-test
#   - send over a network connection:
#         program: nc host.example.com 80

# If keep_alive is set to true, the program will be started once and
# continuously written to, with each output message on its own
# line. If keep_alive is set to false, the program will be re-spawned
# for each output message.
#
# Also, the program will be closed and reopened if falco is signaled with
# SIGUSR1.
program_output:
  enabled: false
  keep_alive: false
  program: mail -s "Falco Notification" root

program_output:
  enabled: true
  keep_alive: true
  program: mail "Nothing here"

# sent to elasticsearch
program_output:
  enabled: true
  keep_alive: false
  program: "jq '{text: .output}' | curl -d @- -X POST http://localhost:9200/falco"

program_output:
  enabled: true
  keep_alive: true
  program: "curl  -H 'Content-Type: application/json' -d @- -X POST http://localhost:9200/falco"

@mirislam
Author

BTW, forgot to mention this is similar to issue #127.

@mfdii
Member

mfdii commented Sep 22, 2018 via email

@mirislam
Author

Thanks. I tried, and when there is only one program_output, it worked. Having multiple program_output will be a very useful feature. I guess I can always wrap multiple commands in a bash script.
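The observation above (one `program_output` stanza works, several do not) points at the config file itself rather than at a whitelist: `program_output` is a single key in a YAML mapping, and a mapping may hold each key only once, so repeating the stanza leaves the loader with several definitions of which at most one can survive. The small linter below, an added example that is neither Falco's code nor the reporter's, flags duplicate top-level keys in a falco.yaml-style file before the file is handed to Falco. It is stdlib-only and understands only the subset of YAML that falco.yaml uses at the top level (unindented `key:` lines with indented bodies, `#` comments); the embedded sample is a constructed, abridged copy of the stanzas posted in the issue.

```python
"""Flag duplicate top-level keys in a falco.yaml-style file.

Deliberately small YAML subset (enough for the top level of falco.yaml):
  - a top-level key is an unindented line of the form `name:` or `name: value`
  - indented lines belong to the most recent top-level key
  - lines starting with '#' are comments
Anything else at column 0 (e.g. a top-level list item) is rejected.
"""
import re
from collections import defaultdict

TOP_LEVEL_KEY = re.compile(r'^([A-Za-z_][\w-]*)\s*:(.*)$')

# Constructed sample: the program_output stanzas from the issue, abridged,
# plus one unrelated key so the linter has something that is *not* a duplicate.
SAMPLE_CONFIG = """\
# comment
json_output: true

program_output:
  enabled: false
  keep_alive: false
  program: mail -s "Falco Notification" root

program_output:
  enabled: true
  keep_alive: true
  program: mail "Nothing here"

# sent to elasticsearch
program_output:
  enabled: true
  keep_alive: false
  program: "jq '{text: .output}' | curl -d @- -X POST http://localhost:9200/falco"
"""


def top_level_blocks(text):
    """Return a list of (key, line_number, body_lines) for every top-level key.

    body_lines holds the inline value (if any) followed by the stripped
    indented lines that belong to the key.
    """
    blocks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.rstrip()
        if not stripped or stripped.lstrip().startswith('#'):
            continue  # blank line or comment
        m = TOP_LEVEL_KEY.match(stripped)
        if m:
            inline_value = m.group(2).strip()
            blocks.append((m.group(1), lineno, [inline_value] if inline_value else []))
        elif blocks and line[0].isspace():
            blocks[-1][2].append(stripped.strip())  # indented body of current key
        else:
            raise ValueError(f'line {lineno}: not a top-level key or indented value: {line!r}')
    return blocks


def duplicate_keys(text):
    """Map each top-level key that appears more than once to its line numbers."""
    seen = defaultdict(list)
    for key, lineno, _ in top_level_blocks(text):
        seen[key].append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def report(text):
    """Human-readable findings, one line per duplicated key (empty list = clean)."""
    findings = []
    for key, lines in sorted(duplicate_keys(text).items()):
        findings.append(
            f'{key}: defined {len(lines)} times (lines {lines}); a YAML mapping holds '
            f'each key once, so at most one of these definitions can take effect and '
            f'which one depends on the loader. Merge them into a single stanza.'
        )
    return findings


if __name__ == '__main__':
    for finding in report(SAMPLE_CONFIG) or ['no duplicate top-level keys']:
        print(finding)
```

On the sample this reports `program_output` defined three times. The remedy the thread converged on is a single `program_output` whose `program` is one wrapper script that forwards each line it reads on stdin to every sink you need; that keeps the config a valid mapping regardless of how the loader resolves duplicates.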

@mstemm
Contributor

mstemm commented Nov 6, 2018

The docs have been updated. I filed a new issue #458 to track the feature request. Closing this issue.

@mstemm mstemm closed this as completed Nov 6, 2018