Skip to content

Commit

Permalink
update(falco): deprecated -S --snaplen option
Browse files Browse the repository at this point in the history
Signed-off-by: Luca Guerra <luca@guerra.sh>
  • Loading branch information
LucaGuerra committed Oct 2, 2024
1 parent e24c028 commit 19f8795
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 1 deletion.
1 change: 1 addition & 0 deletions userspace/falco/app/actions/init_inspectors.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ static void init_syscall_inspector(falco::app::state& s, std::shared_ptr<sinsp>
}
if(s.options.snaplen != 0) {
inspector->set_snaplen(s.options.snaplen);
falco_logger::log(falco_logger::level::WARNING, "The -S/--snaplen option is deprecated and will be removed. Use -o falco_libs.snaplen=<len> instead.");
}

if(s.is_driver_drop_failed_exit_enabled()) {
Expand Down
2 changes: 1 addition & 1 deletion userspace/falco/app/options.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ void options::define(cxxopts::Options& opts)
("p,print", "Print (or replace) additional information in the rule's output.\nUse -pc or -pcontainer to append container details to syscall events.\nUse -pk or -pkubernetes to add both container and Kubernetes details to syscall events.\nIf using gVisor, choose -pcg or -pkg variants (or -pcontainer-gvisor and -pkubernetes-gvisor, respectively).\nIf a syscall rule's output contains %container.info, it will be replaced with the corresponding details. Otherwise, these details will be directly appended to the rule's output.\nAlternatively, use -p <output_format> for a custom format. In this case, the given <output_format> will be appended to the rule's output without any replacement to all events, including plugin events.", cxxopts::value(print_additional), "<output_format>")
("P,pidfile", "Write PID to specified <pid_file> path. By default, no PID file is created.", cxxopts::value(pidfilename)->default_value(""), "<pid_file>")
("r", "Rules file or directory to be loaded. This option can be passed multiple times. Falco defaults to the values in the configuration file when this option is not specified.", cxxopts::value<std::vector<std::string>>(), "<rules_file>")
("S,snaplen", "Collect only the first <len> bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
("S,snaplen", "DEPRECATED: use -o falco_libs.snaplen=<len> instead. Collect only the first <len> bytes of each I/O buffer for 'syscall' events. By default, the first 80 bytes are collected by the driver and sent to the user space for processing. Use this option with caution since it can have a strong performance impact.", cxxopts::value(snaplen)->default_value("0"), "<len>")
("support", "Print support information, including version, rules files used, loaded configuration, etc., and exit. The output is in JSON format.", cxxopts::value(print_support)->default_value("false"))
("U,unbuffered", "Turn off output buffering for configured outputs. This causes every single line emitted by Falco to be flushed, which generates higher CPU usage but is useful when piping those outputs into another process or a script.", cxxopts::value(unbuffered_outputs)->default_value("false"))
("V,validate", "Read the contents of the specified <rules_file> file(s), validate the loaded rules, and exit. This option can be passed multiple times to validate multiple files.", cxxopts::value(validate_rules_filenames), "<rules_file>")
Expand Down

0 comments on commit 19f8795

Please sign in to comment.