diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index a63a19ebbfb..97eeef16e26 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -333,8 +333,6 @@ std::shared_ptr falco_engine::create_formatter(const std::s
 
 unique_ptr falco_engine::process_event(std::size_t source_idx, gen_event *ev, uint16_t ruleset_id)
 {
- falco_rule rule;
-
 // note: there are no thread-safety guarantees on the filter_ruleset::run()
 // method, but the thread-safety assumptions of falco_engine::process_event()
 // imply that concurrent invokers use different and non-switchable values of
@@ -359,13 +357,13 @@ unique_ptr falco_engine::process_event(std::size_t so
 
 unique_ptr res(new rule_result());
 res->evt = ev;
- res->rule = rule.name;
- res->source = rule.source;
- res->format = rule.output;
- res->priority_num = rule.priority;
- res->tags = rule.tags;
- res->exception_fields = rule.exception_fields;
- m_rule_stats_manager.on_event(rule);
+ res->rule = source->m_rule.name;
+ res->source = source->m_rule.source;
+ res->format = source->m_rule.output;
+ res->priority_num = source->m_rule.priority;
+ res->tags = source->m_rule.tags;
+ res->exception_fields = source->m_rule.exception_fields;
+ m_rule_stats_manager.on_event(source->m_rule);
 
 return res;
 }
diff --git a/userspace/engine/falco_source.h b/userspace/engine/falco_source.h
index cff54cf8083..b068cb8ae7b 100644
--- a/userspace/engine/falco_source.h
+++ b/userspace/engine/falco_source.h
@@ -32,6 +32,10 @@ struct falco_source
 std::shared_ptr filter_factory;
 std::shared_ptr formatter_factory;
 
+ // Used by the filter_ruleset interface. Filled in when a rule
+ // matches an event.
+ mutable falco_rule m_rule;
+
 inline bool is_field_defined(std::string field) const
 {
 auto *chk = filter_factory->new_filtercheck(field.c_str());
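Review bot: In the second falco_engine.cpp hunk the fields copied into `res` are now read from `source->m_rule`, which stays on the source between calls, while the code that writes it for the current event sits between the two hunks and is not shown. With the removed local, a missed write would have produced an empty rule; with the cached member it would presumably attach the previous match's name, priority and tags to this event's alert. I would state that dependency where the copies start, e.g. `// source->m_rule was filled by the ruleset run above for this event; never read it on a no-match path`, and bind it once with `const falco_rule &rule = source->m_rule;` so the seven accesses cannot drift apart. process_event starts before this hunk and its middle is outside it.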
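Review bot: In falco_source.h, `mutable falco_rule m_rule;` turns a const `falco_source` into per-event scratch state, and the new comment says who fills it but not who may touch it concurrently. The thread-safety note in `falco_engine::process_event()` (first hunk) relies on concurrent invokers using different source indexes; as far as these hunks show, that assumption is now what keeps two threads from writing the same `m_rule`, so it should be repeated at the member, e.g. `// Not synchronized: overwritten on each match through a const falco_source, so only one thread may process a given source at a time.` It is also worth stating that the value is only meaningful right after a match, since copying a `falco_source` would copy whatever rule was cached last. The struct continues outside this hunk.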