wip: cleanup(config): new json_output_properties flags and output options consolidation

falco.yaml

@@ -240,7 +240,28 @@ priority: debug
 # programs to process and consume the data. By default, this option is disabled.
 json_output: false
 
-# [Stable] `json_include_output_property`
+# [Experimental] `json_output_properties`
+#
+# Customize the verbosity of JSON log lines.
+# The fields `rule` and `time` are not configurable. The fields `desc` and
+# `condition` cannot be included in the logs.
+# The `output` field represents the resolved output values as a string line,
+# while `output_fields` represents a formatted sub JSON containing fields
+# according to the rules' `output` definition.
+#
+# It is not recommended to include tags in order to save space and 
+# reduce logging volume. In addition, likely you only need either `output`
+# or `output_fields`. If you only have syscall rules, you can also skip
+# including the `source` field.
+json_output_properties:
+  output: true
+  priority: true
+  tags: true
+  hostname: true
+  source: true
+  output_fields: true
+
+# [Deprecation Notice for Falco 0.37] `json_include_output_property`
 #
 # When using JSON output in Falco, you have the option to include the "output"
 # property itself in the generated JSON output. The "output" property provides
@@ -249,7 +270,7 @@ json_output: false
 # case.
 json_include_output_property: true
 
-# [Stable] `json_include_tags_property`
+# [Deprecation Notice for Falco 0.37] `json_include_tags_property`
 #
 # When using JSON output in Falco, you have the option to include the "tags"
 # field of the rules in the generated JSON output. The "tags" field provides

userspace/engine/formats.cpp

@@ -16,16 +16,15 @@ limitations under the License.
 
 #include <json/json.h>
 
+#include "../falco/configuration_aux.h"
 #include "formats.h"
 #include "falco_engine.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 falco_formats::falco_formats(std::shared_ptr<const falco_engine> engine,
-			     bool json_include_output_property,
-			     bool json_include_tags_property)
+				 uint32_t json_output_flags)
 	: m_falco_engine(engine),
-	m_json_include_output_property(json_include_output_property),
-	m_json_include_tags_property(json_include_tags_property)
+	m_json_output_flags(json_output_flags)
 {
 }
 
@@ -82,17 +81,24 @@ std::string falco_formats::format_event(gen_event *evt, const std::string &rule,
 		iso8601evttime += time_ns;
 		event["time"] = iso8601evttime;
 		event["rule"] = rule;
-		event["priority"] = level;
-		event["source"] = source;
-		event["hostname"] = hostname;
 
-		if(m_json_include_output_property)
+		if(m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_PRIORITY)
+		{
+			event["priority"] = level;
+		}
+		if(m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_SOURCE)
+		{
+			event["source"] = source;
+		}
+		if(m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_HOSTNAME)
+		{
+			event["hostname"] = hostname;
+		}
+		if(m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT && m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_OLD_OPTION)
 		{
-			// This is the filled-in output line.
 			event["output"] = line;
 		}
-
-		if(m_json_include_tags_property)
+		if(m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_TAGS && m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_TAGS_OLD_OPTION)
 		{
 			if (tags.size() == 0)
 			{
@@ -122,8 +128,11 @@ std::string falco_formats::format_event(gen_event *evt, const std::string &rule,
 		// string. Avoids an unnecessary json parse just to
 		// merge the formatted fields at the object level.
 		full_line.pop_back();
-		full_line.append(", \"output_fields\": ");
-		full_line.append(json_line);
+		if(m_json_output_flags & CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_FIELDS)
+		{
+			full_line.append(", \"output_fields\": ");
+			full_line.append(json_line);
+		}
 		full_line.append("}");
 		line = full_line;
 	}

userspace/engine/formats.h

@@ -25,8 +25,7 @@ class falco_formats
 {
 public:
 	falco_formats(std::shared_ptr<const falco_engine> engine,
-		      bool json_include_output_property,
-		      bool json_include_tags_property);
+			  uint32_t json_output_flags);
 	virtual ~falco_formats();
 
 	std::string format_event(gen_event *evt, const std::string &rule, const std::string &source,
@@ -38,6 +37,5 @@ class falco_formats
 
 protected:
 	std::shared_ptr<const falco_engine> m_falco_engine;
-	bool m_json_include_output_property;
-	bool m_json_include_tags_property;
+	uint32_t m_json_output_flags;
 };

userspace/falco/app/actions/init_outputs.cpp

@@ -59,8 +59,7 @@ falco::app::run_result falco::app::actions::init_outputs(falco::app::state& s)
 		s.engine,
 		s.config->m_outputs,
 		s.config->m_json_output,
-		s.config->m_json_include_output_property,
-		s.config->m_json_include_tags_property,
+		s.config->m_json_output_flags,
 		s.config->m_output_timeout,
 		s.config->m_buffered_outputs,
 		s.config->m_time_format_iso_8601,

userspace/falco/configuration.cpp

@@ -28,13 +28,17 @@ limitations under the License.
 #include "falco_utils.h"
 
 #include "configuration.h"
+#include "configuration_aux.h"
 #include "logger.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 
 falco_configuration::falco_configuration():
 	m_json_output(false),
-	m_json_include_output_property(true),
-	m_json_include_tags_property(true),
+	m_json_output_flags(CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT \
+			| CONFIG_JSON_OUTPUT_PROPERTIES_PRIORITY | CONFIG_JSON_OUTPUT_PROPERTIES_TAGS \
+			| CONFIG_JSON_OUTPUT_PROPERTIES_HOSTNAME | CONFIG_JSON_OUTPUT_PROPERTIES_SOURCE \
+			| CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_FIELDS | CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_OLD_OPTION \
+			| CONFIG_JSON_OUTPUT_PROPERTIES_TAGS_OLD_OPTION),
 	m_notifications_rate(0),
 	m_notifications_max_burst(1000),
 	m_watch_config_files(true),
@@ -119,8 +123,43 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 	}
 
 	m_json_output = config.get_scalar<bool>("json_output", false);
-	m_json_include_output_property = config.get_scalar<bool>("json_include_output_property", true);
-	m_json_include_tags_property = config.get_scalar<bool>("json_include_tags_property", true);
+	m_json_output_flags = 0;
+	if(m_json_output)
+	{
+		if(config.get_scalar<bool>("json_output_properties.output", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT;
+		}
+		if(config.get_scalar<bool>("json_output_properties.priority", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_PRIORITY;
+		}
+		if(config.get_scalar<bool>("json_output_properties.tags", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_TAGS;
+		}
+		if(config.get_scalar<bool>("json_output_properties.hostname", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_HOSTNAME;
+		}
+		if(config.get_scalar<bool>("json_output_properties.source", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_SOURCE;
+		}
+		if(config.get_scalar<bool>("json_output_properties.output_fields", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_FIELDS;
+		}
+		// todo: deprecate `json_include_output_property` and `json_include_tags_property` for Falco 0.37
+		if(config.get_scalar<bool>("json_include_output_property", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_OLD_OPTION;
+		}
+		if(config.get_scalar<bool>("json_include_tags_property", true))
+		{
+			m_json_output_flags |= CONFIG_JSON_OUTPUT_PROPERTIES_TAGS_OLD_OPTION;
+		}
+	}
 
 	m_outputs.clear();
 	falco::outputs::config file_output;

userspace/falco/configuration.h

@@ -59,8 +59,7 @@ class falco_configuration
 	// List of loaded rule folders
 	std::list<std::string> m_loaded_rules_folders;
 	bool m_json_output;
-	bool m_json_include_output_property;
-	bool m_json_include_tags_property;
+	uint32_t m_json_output_flags;
 	std::string m_log_level;
 	std::vector<falco::outputs::config> m_outputs;
 	uint32_t m_notifications_rate;

userspace/falco/configuration_aux.h

@@ -0,0 +1,29 @@
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+//
+// json_output_properties flags
+//
+#define CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT (1 << 0)
+#define CONFIG_JSON_OUTPUT_PROPERTIES_PRIORITY (1 << 1)
+#define CONFIG_JSON_OUTPUT_PROPERTIES_TAGS (1 << 2)
+#define CONFIG_JSON_OUTPUT_PROPERTIES_HOSTNAME (1 << 3)
+#define CONFIG_JSON_OUTPUT_PROPERTIES_SOURCE (1 << 4)
+#define CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_FIELDS (1 << 5)
+#define CONFIG_JSON_OUTPUT_PROPERTIES_OUTPUT_OLD_OPTION (1 << 6) // todo: deprecate for Falco 0.37
+#define CONFIG_JSON_OUTPUT_PROPERTIES_TAGS_OLD_OPTION (1 << 7) // todo: deprecate for Falco 0.37

userspace/falco/falco_outputs.cpp

@@ -43,14 +43,13 @@ falco_outputs::falco_outputs(
 	std::shared_ptr<falco_engine> engine,
 	const std::vector<falco::outputs::config>& outputs,
 	bool json_output,
-	bool json_include_output_property,
-	bool json_include_tags_property,
+	uint32_t json_output_flags,
 	uint32_t timeout,
 	bool buffered,
 	bool time_format_iso_8601,
 	const std::string& hostname)
 {
-	m_formats.reset(new falco_formats(engine, json_include_output_property, json_include_tags_property));
+	m_formats.reset(new falco_formats(engine, json_output_flags));
 
 	m_json_output = json_output;
 

userspace/falco/falco_outputs.h

@@ -42,8 +42,7 @@ class falco_outputs
 		std::shared_ptr<falco_engine> engine,
 		const std::vector<falco::outputs::config>& outputs,
 		bool json_output,
-		bool json_include_output_property,
-		bool json_include_tags_property,
+		uint32_t json_output_flags,
 		uint32_t timeout,
 		bool buffered,
 		bool time_format_iso_8601,