added new syslog output

Signed-off-by: bluca <bruno.luca@mercadolibre.com>

config.go

@@ -280,6 +280,11 @@ func getConfig() *types.Configuration {
 	v.SetDefault("Yandex.S3.Prefix", "falco")
 	v.SetDefault("Yamdex.S3.MinimumPriority", "")
 
+	v.SetDefault("Syslog.Host", "")
+	v.SetDefault("Syslog.Port", "")
+	v.SetDefault("Syslog.Mode", "")
+	v.SetDefault("Syslog.MinimumPriority", "")
+
 	v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 	v.AutomaticEnv()
 	if *configFile != "" {
@@ -374,6 +379,7 @@ func getConfig() *types.Configuration {
 	c.Rabbitmq.MinimumPriority = checkPriority(c.Rabbitmq.MinimumPriority)
 	c.Wavefront.MinimumPriority = checkPriority(c.Wavefront.MinimumPriority)
 	c.Yandex.S3.MinimumPriority = checkPriority(c.Yandex.S3.MinimumPriority)
+	c.Syslog.MinimumPriority = checkPriority(c.Syslog.MinimumPriority)
 
 	c.Slack.MessageFormatTemplate = getMessageFormatTemplate("Slack", c.Slack.MessageFormat)
 	c.Rocketchat.MessageFormatTemplate = getMessageFormatTemplate("Rocketchat", c.Rocketchat.MessageFormat)

handlers.go

@@ -268,4 +268,8 @@ func forwardEvent(falcopayload types.FalcoPayload) {
 	if config.Yandex.S3.Bucket != "" && (falcopayload.Priority >= types.Priority(config.Yandex.S3.MinimumPriority) || falcopayload.Rule == testRule) {
 		go yandexClient.UploadYandexS3(falcopayload)
 	}
+
+	if config.Syslog.Host != "" && (falcopayload.Priority >= types.Priority(config.Syslog.MinimumPriority) || falcopayload.Rule == testRule) {
+		go syslogClient.SyslogPost(falcopayload)
+	}
 }

main.go

@@ -49,6 +49,7 @@ var (
 	fissionClient       *outputs.Client
 	grafanaClient       *outputs.Client
 	yandexClient        *outputs.Client
+	syslogClient        *outputs.Client
 
 	statsdClient, dogstatsdClient *statsd.Client
 	config                        *types.Configuration
@@ -475,6 +476,18 @@ func init() {
 			}
 		}
 	}
+
+	if config.Syslog.Host != "" {
+		var err error
+		syslogClient, err = outputs.NewSyslogClient(config, stats, promStats, statsdClient, dogstatsdClient)
+		if err != nil {
+			config.Syslog.Host = ""
+			log.Printf("[ERROR] : Syslog - %v\n", err)
+		} else {
+			outputs.EnabledOutputs = append(outputs.EnabledOutputs, "Syslog")
+		}
+	}
+
 	log.Printf("[INFO]  : Enabled Outputs : %s\n", outputs.EnabledOutputs)
 
 }

outputs/constants.go

@@ -39,4 +39,5 @@ const (
 	Kubeless string = "Kubeless"
 	Openfaas string = "OpenFaas"
 	Fission  string = "Fission"
+	Falco    string = "Falco"
 )

outputs/syslog.go

@@ -0,0 +1,69 @@
+package outputs
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/DataDog/datadog-go/statsd"
+	"github.com/falcosecurity/falcosidekick/types"
+	"log"
+	"log/syslog"
+)
+
+func NewSyslogClient(config *types.Configuration, stats *types.Statistics, promStats *types.PromStatistics, statsdClient, dogstatsdClient *statsd.Client) (*Client, error) {
+	return &Client{
+		OutputType:      "Syslog",
+		Config:          config,
+		Stats:           stats,
+		PromStats:       promStats,
+		StatsdClient:    statsdClient,
+		DogstatsdClient: dogstatsdClient,
+	}, nil
+}
+
+func (c *Client) SyslogPost(falcopayload types.FalcoPayload) {
+	c.Stats.Syslog.Add(Total, 1)
+	endpoint := fmt.Sprintf("%s:%s", c.Config.Syslog.Host, c.Config.Syslog.Port)
+
+	var priority syslog.Priority
+	switch falcopayload.Priority {
+	case types.Emergency:
+		priority = syslog.LOG_EMERG
+	case types.Alert:
+		priority = syslog.LOG_ALERT
+	case types.Critical:
+		priority = syslog.LOG_CRIT
+	case types.Error:
+		priority = syslog.LOG_ERR
+	case types.Warning:
+		priority = syslog.LOG_WARNING
+	case types.Notice:
+		priority = syslog.LOG_NOTICE
+	case types.Informational:
+		priority = syslog.LOG_INFO
+	case types.Debug:
+		priority = syslog.LOG_DEBUG
+	}
+
+	sysLog, err := syslog.Dial(c.Config.Syslog.Mode, endpoint, priority, Falco)
+	if err != nil {
+		go c.CountMetric(Outputs, 1, []string{"output:syslog", "status:error"})
+		c.Stats.Syslog.Add(Error, 1)
+		c.PromStats.Outputs.With(map[string]string{"destination": "syslog", "status": Error}).Inc()
+		log.Printf("[ERROR] : Syslog - %v\n", err)
+		return
+	}
+
+	b, _ := json.Marshal(falcopayload)
+	_, err = sysLog.Write(b)
+	if err != nil {
+		go c.CountMetric(Outputs, 1, []string{"output:syslog", "status:error"})
+		c.Stats.Syslog.Add(Error, 1)
+		c.PromStats.Outputs.With(map[string]string{"destination": "syslog", "status": Error}).Inc()
+		log.Printf("[ERROR] : Syslog - %v\n", err)
+		return
+	}
+
+	go c.CountMetric(Outputs, 1, []string{"output:syslog", "status:ok"})
+	c.Stats.Syslog.Add(OK, 1)
+	c.PromStats.Outputs.With(map[string]string{"destination": "syslog", "status": OK}).Inc()
+}

stats.go

@@ -62,6 +62,7 @@ func getInitStats() *types.Statistics {
 		Fission:           getOutputNewMap("fission"),
 		Grafana:           getOutputNewMap("grafana"),
 		YandexS3:          getOutputNewMap("yandexs3"),
+		Syslog:            getOutputNewMap("Syslog"),
 	}
 	stats.Falco.Add(outputs.Emergency, 0)
 	stats.Falco.Add(outputs.Alert, 0)

types/types.go

@@ -58,6 +58,7 @@ type Configuration struct {
 	Fission            fissionConfig
 	Grafana            grafanaOutputConfig
 	Yandex             YandexOutputConfig
+	Syslog             SyslogConfig
 }
 
 // SlackOutputConfig represents parameters for Slack
@@ -409,6 +410,13 @@ type YandexS3Config struct {
 	MinimumPriority string
 }
 
+type SyslogConfig struct {
+	Host            string
+	Port            string
+	Mode            string
+	MinimumPriority string
+}
+
 // Statistics is a struct to store stastics
 type Statistics struct {
 	Requests          *expvar.Map
@@ -455,6 +463,7 @@ type Statistics struct {
 	Fission           *expvar.Map
 	Grafana           *expvar.Map
 	YandexS3          *expvar.Map
+	Syslog            *expvar.Map
 }
 
 // PromStatistics is a struct to store prometheus metrics