Use 'syscall' source in extractor plugin #85
Comments
|
Hi @Snailll, this is not supported yet but is in high demand in the community. This will be on the project roadmap, but I think no progress has been made so far. |
|
Hi @jasondellaluce ,thanks for your reply. How about the feasibility of writing a custom ebpf driver , a source plugin and a extractor plugin. |
|
From a feasibility perspective, you can make something like this work even right now. However, the events coming from your source plugin will only be of "plugin type" from the standpoint of libsinsp and libscap, and so existing fields ( I hope we will able to change this in the future. An OK solution will be to let plugins generate events of any type (not just "plugin type"). Note that the event type is a very meaningful information used by both libscap and libsinsp to implement things like capture reproduction ( On the bright side, if you plan to built a plugin on top of other non syscall-related features of eBPF, than that would make sense even now and would be a cool project/contribution to attempt! 😄 |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten |
|
Rotten issues close after 30d of inactivity. Reopen the issue with Mark the issue as fresh with Provide feedback via https://github.com/falcosecurity/community. |
|
@poiana: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/remove-lifecycle rotten |
|
@jasondellaluce: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
Motivation
I want to make a custom extractor plugin to extend some field in the syscall events, just like some file stats .
So can I use 'syscall' source in my custom extractor plugin?
Feature
Alternatives
Additional context
The text was updated successfully, but these errors were encountered: