From 7dcca4cac43ad58211d5d74de6f7b30cf314ce28 Mon Sep 17 00:00:00 2001 From: Lyonel Martinez Date: Tue, 15 Nov 2022 12:10:50 +0100 Subject: [PATCH] Update Pull Ruquest: "feat: Add hostname to payload" Signed-off-by: Lyonel Martinez --- outputs/alertmanager.go | 3 +++ outputs/alertmanager_test.go | 3 +-- outputs/aws.go | 7 ++++++- outputs/client_test.go | 2 +- outputs/cliq.go | 6 ++++++ outputs/cliq_test.go | 4 ++++ outputs/cloudevents.go | 4 ++++ outputs/constants.go | 1 + outputs/datadog.go | 3 +++ outputs/datadog_test.go | 3 +-- outputs/discord.go | 3 +++ outputs/discord_test.go | 5 +++++ outputs/googlechat.go | 4 ++++ outputs/googlechat_test.go | 6 ++++++ outputs/grafana.go | 4 ++++ outputs/influxdb.go | 4 ++++ outputs/influxdb_test.go | 3 +-- outputs/loki.go | 4 ++++ outputs/loki_test.go | 1 + outputs/mattermost.go | 6 ++++++ outputs/mattermost_test.go | 5 +++++ outputs/opsgenie.go | 3 +++ outputs/opsgenie_test.go | 1 + outputs/pagerduty.go | 3 +++ outputs/pagerduty_test.go | 4 ++-- outputs/rocketchat.go | 6 ++++++ outputs/rocketchat_test.go | 5 +++++ outputs/slack.go | 6 ++++++ outputs/slack_test.go | 5 +++++ outputs/smtp_templates.go | 5 +++++ outputs/teams.go | 5 +++++ outputs/teams_test.go | 4 ++++ outputs/wavefront.go | 4 ++++ types/types.go | 1 + 34 files changed, 123 insertions(+), 10 deletions(-) diff --git a/outputs/alertmanager.go b/outputs/alertmanager.go index 56c52b70c..df39da8aa 100644 --- a/outputs/alertmanager.go +++ b/outputs/alertmanager.go @@ -73,6 +73,9 @@ func newAlertmanagerPayload(falcopayload types.FalcoPayload, config *types.Confi amPayload.Labels["source"] = "falco" amPayload.Labels["rule"] = falcopayload.Rule amPayload.Labels["eventsource"] = falcopayload.Source + if falcopayload.Hostname != "" { + amPayload.Labels[Hostname] = falcopayload.Hostname + } if len(falcopayload.Tags) != 0 { amPayload.Labels["tags"] = strings.Join(falcopayload.Tags, ",") } 
diff --git a/outputs/alertmanager_test.go b/outputs/alertmanager_test.go index db13bee42..401bf181b 100644 --- a/outputs/alertmanager_test.go +++ b/outputs/alertmanager_test.go @@ -11,8 +11,7 @@ import ( ) func TestNewAlertmanagerPayloadO(t *testing.T) { - expectedOutput := `[{"labels":{"proc_name":"falcosidekick","priority":"Debug","proc_tty":"1234","eventsource":"syscalls","rule":"Test rule","source":"falco","tags":"test,example"},"annotations":{"info":"This is a test from falcosidekick","summary":"Test rule"}}]` - + expectedOutput := `[{"labels":{"proc_name":"falcosidekick","priority":"Debug","proc_tty":"1234","eventsource":"syscalls","hostname":"test-host","rule":"Test rule","source":"falco","tags":"test,example"},"annotations":{"info":"This is a test from falcosidekick","summary":"Test rule"}}]` var f types.FalcoPayload d := json.NewDecoder(strings.NewReader(falcoTestInput)) d.UseNumber() diff --git a/outputs/aws.go b/outputs/aws.go index 6ce8cc163..2078578d4 100644 --- a/outputs/aws.go +++ b/outputs/aws.go @@ -232,7 +232,12 @@ func (c *Client) PublishTopic(falcopayload types.FalcoPayload) { StringValue: aws.String(strings.Join(falcopayload.Tags, ",")), } } - + if falcopayload.Hostname != "" { + msg.MessageAttributes[Hostname] = &sns.MessageAttributeValue{ + DataType: aws.String("String"), + StringValue: aws.String(falcopayload.Hostname), + } + } for i, j := range falcopayload.OutputFields { switch v := j.(type) { case string: diff --git a/outputs/client_test.go b/outputs/client_test.go index 5ec4e37dd..0502640ae 100644 --- a/outputs/client_test.go +++ b/outputs/client_test.go 
@@ -25,7 +25,7 @@ import ( "github.com/falcosecurity/falcosidekick/types" ) -var falcoTestInput = `{"output":"This is a test from falcosidekick","priority":"Debug","rule":"Test rule", "time":"2001-01-01T01:10:00Z","source":"syscalls","output_fields": {"proc.name":"falcosidekick", "proc.tty": 1234}, "tags":["test","example"]}` +var falcoTestInput = `{"output":"This is a test from falcosidekick","priority":"Debug","rule":"Test rule", "time":"2001-01-01T01:10:00Z","source":"syscalls","output_fields": {"proc.name":"falcosidekick", "proc.tty": 1234}, "tags":["test","example"], "hostname":"test-host"}` func TestNewClient(t *testing.T) { u, _ := url.Parse("http://localhost") diff --git a/outputs/cliq.go b/outputs/cliq.go index b58647c58..97f007089 100644 --- a/outputs/cliq.go +++ b/outputs/cliq.go @@ -100,6 +100,12 @@ func newCliqPayload(falcopayload types.FalcoPayload, config *types.Configuration field.Value = falcopayload.Priority.String() table.Rows = append(table.Rows, field) + if falcopayload.Hostname != "" { + field.Field = Hostname + field.Value = falcopayload.Hostname + table.Rows = append(table.Rows, field) + } + for _, i := range getSortedStringKeys(falcopayload.OutputFields) { field.Field = i field.Value = falcopayload.OutputFields[i].(string) diff --git a/outputs/cliq_test.go b/outputs/cliq_test.go index 4d2812aad..91b091137 100644 --- a/outputs/cliq_test.go +++ b/outputs/cliq_test.go @@ -39,6 +39,10 @@ func TestNewCliqPayload(t *testing.T) { Field: "priority", Value: "Debug", }, + { + Field: "hostname", + Value: "test-host", + }, { Field: "proc.name", Value: "falcosidekick", diff --git a/outputs/cloudevents.go b/outputs/cloudevents.go index 67b673377..e6aac4e7d 100644 --- a/outputs/cloudevents.go +++ b/outputs/cloudevents.go 
@@ -33,6 +33,10 @@ func (c *Client) CloudEventsSend(falcopayload types.FalcoPayload) { event.SetExtension("rule", falcopayload.Rule) event.SetExtension("source", falcopayload.Source) + if falcopayload.Hostname != "" { + event.SetExtension(Hostname, falcopayload.Hostname) + } + // Set Extensions. for k, v := range c.Config.CloudEvents.Extensions { event.SetExtension(k, v) diff --git a/outputs/constants.go b/outputs/constants.go index b8f3ff01f..d05c4d1f7 100644 --- a/outputs/constants.go +++ b/outputs/constants.go @@ -29,6 +29,7 @@ const ( Plaintext string = "plaintext" JSON string = "json" Markdown string = "markdown" + Hostname string = "hostname" DefaultFooter string = "https://github.com/falcosecurity/falcosidekick" DefaultIconURL string = "https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick.png" diff --git a/outputs/datadog.go b/outputs/datadog.go index 058f59f9a..a05756098 100644 --- a/outputs/datadog.go +++ b/outputs/datadog.go @@ -32,6 +32,9 @@ func newDatadogPayload(falcopayload types.FalcoPayload) datadogPayload { } } tags = append(tags, "source:"+falcopayload.Source) + if falcopayload.Hostname != "" { + tags = append(tags, Hostname+":"+falcopayload.Hostname) + } if len(falcopayload.Tags) != 0 { tags = append(tags, falcopayload.Tags...) } diff --git a/outputs/datadog_test.go b/outputs/datadog_test.go index 86ea966f8..962ea0a70 100644 --- a/outputs/datadog_test.go +++ b/outputs/datadog_test.go 
@@ -10,8 +10,7 @@ import ( ) func TestNewDatadogPayload(t *testing.T) { - expectedOutput := `{"title":"Test rule","text":"This is a test from falcosidekick","alert_type":"info","source_type_name":"falco","tags":["proc.name:falcosidekick", "source:syscalls", "test", "example"]}` - + expectedOutput := `{"title":"Test rule","text":"This is a test from falcosidekick","alert_type":"info","source_type_name":"falco","tags":["proc.name:falcosidekick", "source:syscalls", "hostname:test-host", "test", "example"]}` var f types.FalcoPayload json.Unmarshal([]byte(falcoTestInput), &f) s, _ := json.Marshal(newDatadogPayload(f)) diff --git a/outputs/discord.go b/outputs/discord.go index c46abc5c3..3941a5458 100644 --- a/outputs/discord.go +++ b/outputs/discord.go @@ -74,6 +74,9 @@ func newDiscordPayload(falcopayload types.FalcoPayload, config *types.Configurat embedFields = append(embedFields, discordEmbedFieldPayload{Rule, falcopayload.Rule, true}) embedFields = append(embedFields, discordEmbedFieldPayload{Priority, falcopayload.Priority.String(), true}) embedFields = append(embedFields, discordEmbedFieldPayload{Source, falcopayload.Source, true}) + if falcopayload.Hostname != "" { + embedFields = append(embedFields, discordEmbedFieldPayload{Hostname, falcopayload.Hostname, true}) + } if len(falcopayload.Tags) != 0 { embedFields = append(embedFields, discordEmbedFieldPayload{Tags, strings.Join(falcopayload.Tags, ", "), true}) } diff --git a/outputs/discord_test.go b/outputs/discord_test.go index 226a3a212..425040a46 100644 --- a/outputs/discord_test.go +++ b/outputs/discord_test.go @@ -40,6 +40,11 @@ func TestNewDiscordPayload(t *testing.T) { Value: "syscalls", Inline: true, }, + { + Name: "hostname", + Value: "test-host", + Inline: true, + }, { Name: "tags", Value: "test, example", diff --git a/outputs/googlechat.go b/outputs/googlechat.go index d7caf433e..f39ffa15d 100644 --- a/outputs/googlechat.go +++ b/outputs/googlechat.go 
@@ -68,6 +68,10 @@ func newGooglechatPayload(falcopayload types.FalcoPayload, config *types.Configu widgets = append(widgets, widget{KeyValue: keyValue{"priority", falcopayload.Priority.String()}}) widgets = append(widgets, widget{KeyValue: keyValue{"source", falcopayload.Source}}) + if falcopayload.Hostname != "" { + widgets = append(widgets, widget{KeyValue: keyValue{Hostname, falcopayload.Hostname}}) + } + if len(falcopayload.Tags) != 0 { widgets = append(widgets, widget{ KeyValue: keyValue{ diff --git a/outputs/googlechat_test.go b/outputs/googlechat_test.go index a0d038806..69e8c5de6 100644 --- a/outputs/googlechat_test.go +++ b/outputs/googlechat_test.go @@ -42,6 +42,12 @@ func TestNewGoogleChatPayload(t *testing.T) { Content: "syscalls", }, }, + { + keyValue{ + TopLabel: "hostname", + Content: "test-host", + }, + }, { keyValue{ TopLabel: "tags", diff --git a/outputs/grafana.go b/outputs/grafana.go index 905b989e0..044fa92e5 100644 --- a/outputs/grafana.go +++ b/outputs/grafana.go @@ -26,6 +26,10 @@ func newGrafanaPayload(falcopayload types.FalcoPayload, config *types.Configurat falcopayload.Rule, falcopayload.Source, } + if falcopayload.Hostname != "" { + tags = append(tags, falcopayload.Hostname) + } + if config.Grafana.AllFieldsAsTags { for _, i := range falcopayload.OutputFields { tags = append(tags, fmt.Sprintf("%v", i)) diff --git a/outputs/influxdb.go b/outputs/influxdb.go index 1a09d56ef..5637d7903 100644 --- a/outputs/influxdb.go +++ b/outputs/influxdb.go @@ -21,6 +21,10 @@ func newInfluxdbPayload(falcopayload types.FalcoPayload, config *types.Configura } } + if falcopayload.Hostname != "" { + s += "," + Hostname + "=" + falcopayload.Hostname + } + if len(falcopayload.Tags) != 0 { s += ",tags=" + strings.Join(falcopayload.Tags, "_") } diff --git a/outputs/influxdb_test.go b/outputs/influxdb_test.go index 66e72c2da..bfbf4550b 100644 --- a/outputs/influxdb_test.go +++ b/outputs/influxdb_test.go 
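Review bot: In the outputs/influxdb.go hunk, `falcopayload.Hostname` is concatenated into the line-protocol string unescaped, so a hostname containing a space, comma or `=` would end the tag set early or add extra tags and fields to the written point. The value comes straight from the incoming JSON payload, and the expected string in influxdb_test.go shows the rule written as `Test_rule`, so other values appear to be normalised before they are appended. Escape the hostname as well, for example `s += "," + Hostname + "=" + strings.NewReplacer(",", "\\,", "=", "\\=", " ", "\\ ").Replace(falcopayload.Hostname)`. newInfluxdbPayload starts and ends outside the hunk, so how the earlier tags are escaped is inferred from the test only.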
@@ -10,8 +10,7 @@ import ( ) func TestNewInfluxdbPayload(t *testing.T) { - expectedOutput := `"events,rule=Test_rule,priority=Debug,source=syscalls,proc.name=falcosidekick,tags=test_example value=\"This is a test from falcosidekick\""` - + expectedOutput := `"events,rule=Test_rule,priority=Debug,source=syscalls,proc.name=falcosidekick,hostname=test-host,tags=test_example value=\"This is a test from falcosidekick\""` var f types.FalcoPayload require.Nil(t, json.Unmarshal([]byte(falcoTestInput), &f)) diff --git a/outputs/loki.go b/outputs/loki.go index ddb1f63d3..c4cb6dbae 100644 --- a/outputs/loki.go +++ b/outputs/loki.go @@ -46,6 +46,10 @@ func newLokiPayload(falcopayload types.FalcoPayload, config *types.Configuration } } + if falcopayload.Hostname != "" { + s[Hostname] = falcopayload.Hostname + } + if len(falcopayload.Tags) != 0 { s["tags"] = strings.Join(falcopayload.Tags, ",") } diff --git a/outputs/loki_test.go b/outputs/loki_test.go index 58d0a2568..3aa68f7eb 100644 --- a/outputs/loki_test.go +++ b/outputs/loki_test.go @@ -14,6 +14,7 @@ func TestNewLokiPayload(t *testing.T) { Streams: []lokiStream{ { Stream: map[string]string{ + "hostname": "test-host", "tags": "test,example", "rule": "Test rule", "source": "syscalls", diff --git a/outputs/mattermost.go b/outputs/mattermost.go index 75cfdbf90..ddc02b38f 100644 --- a/outputs/mattermost.go +++ b/outputs/mattermost.go @@ -22,6 +22,12 @@ func newMattermostPayload(falcopayload types.FalcoPayload, config *types.Configu field.Value = falcopayload.Rule field.Short = true fields = append(fields, field) + if falcopayload.Hostname != "" { + field.Title = Hostname + field.Value = falcopayload.Hostname + field.Short = true + fields = append(fields, field) + } field.Title = Priority field.Value = falcopayload.Priority.String() field.Short = true diff --git a/outputs/mattermost_test.go b/outputs/mattermost_test.go index 08bfc4dc8..b20170f30 100644 --- a/outputs/mattermost_test.go +++ b/outputs/mattermost_test.go 
@@ -27,6 +27,11 @@ func TestMattermostPayload(t *testing.T) { Value: "Test rule", Short: true, }, + { + Title: "hostname", + Value: "test-host", + Short: true, + }, { Title: "priority", Value: "Debug", diff --git a/outputs/opsgenie.go b/outputs/opsgenie.go index b8bb8d98f..21d386495 100644 --- a/outputs/opsgenie.go +++ b/outputs/opsgenie.go @@ -29,6 +29,9 @@ func newOpsgeniePayload(falcopayload types.FalcoPayload, config *types.Configura details["source"] = falcopayload.Source details["rule"] = falcopayload.Rule details["priority"] = falcopayload.Priority.String() + if falcopayload.Hostname != "" { + details[Hostname] = falcopayload.Hostname + } if len(falcopayload.Tags) != 0 { details["tags"] = strings.Join(falcopayload.Tags, ", ") } diff --git a/outputs/opsgenie_test.go b/outputs/opsgenie_test.go index fe9b8d81b..9debfb17f 100644 --- a/outputs/opsgenie_test.go +++ b/outputs/opsgenie_test.go @@ -15,6 +15,7 @@ func TestNewOpsgeniePayload(t *testing.T) { Entity: "Falcosidekick", Description: "Test rule", Details: map[string]string{ + "hostname": "test-host", "priority": "Debug", "tags": "test, example", "proc_name": "falcosidekick", diff --git a/outputs/pagerduty.go b/outputs/pagerduty.go index a0cf07ff0..e7f188966 100644 --- a/outputs/pagerduty.go +++ b/outputs/pagerduty.go @@ -35,6 +35,9 @@ func createPagerdutyEvent(falcopayload types.FalcoPayload, config types.Pagerdut details["rule"] = falcopayload.Rule details["priority"] = falcopayload.Priority.String() details["source"] = falcopayload.Source + if len(falcopayload.Hostname) != 0 { + falcopayload.OutputFields[Hostname] = falcopayload.Hostname + } if len(falcopayload.Tags) != 0 { details["tags"] = strings.Join(falcopayload.Tags, ", ") } diff --git a/outputs/pagerduty_test.go b/outputs/pagerduty_test.go index e03bed661..693992228 100644 --- a/outputs/pagerduty_test.go +++ b/outputs/pagerduty_test.go 
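Review bot: In the outputs/pagerduty.go hunk the hostname is assigned to `falcopayload.OutputFields[Hostname]`, while the three lines above it fill `details`. That write panics when the payload was decoded without `output_fields` (nil map), and it silently replaces any `hostname` key already present in the output fields. Because the map is shared by reference, it also changes the payload seen by every other holder of the same `FalcoPayload`; if outputs are dispatched concurrently, which is not visible here, that is a data race. Prefer `if falcopayload.Hostname != "" { details[Hostname] = falcopayload.Hostname }` as in opsgenie.go, or, if the event is built from OutputFields, copy the map before adding the key. createPagerdutyEvent continues outside the hunk, so which map ends up in the event should be confirmed.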
@@ -11,8 +11,7 @@ import ( ) func TestPagerdutyPayload(t *testing.T) { - var falcoTestInput = `{"output":"This is a test from falcosidekick","priority":"Debug","rule":"Test rule","time":"2001-01-01T01:10:00Z","output_fields": {"proc.name":"falcosidekick", "proc.tty": 1234}}` - + var falcoTestInput = `{"output":"This is a test from falcosidekick","priority":"Debug","rule":"Test rule","hostname":"test-host","time":"2001-01-01T01:10:00Z","output_fields": {"hostname": "test-host", "proc.name":"falcosidekick", "proc.tty": 1234}}` var excpectedOutput = pagerduty.V2Event{ RoutingKey: "", Action: "trigger", @@ -25,6 +24,7 @@ func TestPagerdutyPayload(t *testing.T) { Group: "", Class: "", Details: map[string]interface{}{ + "hostname": "test-host", "proc.name": "falcosidekick", "proc.tty": float64(1234), }, diff --git a/outputs/rocketchat.go b/outputs/rocketchat.go index 8f5c09c56..fe63fc612 100644 --- a/outputs/rocketchat.go +++ b/outputs/rocketchat.go @@ -52,6 +52,12 @@ func newRocketchatPayload(falcopayload types.FalcoPayload, config *types.Configu field.Short = false field.Value = falcopayload.Time.String() fields = append(fields, field) + if falcopayload.Hostname != "" { + field.Title = Hostname + field.Value = falcopayload.Hostname + field.Short = true + fields = append(fields, field) + } } attachment.Fallback = falcopayload.Output diff --git a/outputs/rocketchat_test.go b/outputs/rocketchat_test.go index 21d0cb259..3cbe2c643 100644 --- a/outputs/rocketchat_test.go +++ b/outputs/rocketchat_test.go @@ -52,6 +52,11 @@ func TestNewRocketchatPayload(t *testing.T) { Value: "2001-01-01 01:10:00 +0000 UTC", Short: false, }, + { + Title: "hostname", + Value: "test-host", + Short: true, + }, }, }, }, diff --git a/outputs/slack.go b/outputs/slack.go index e6adec11f..b9a88423a 100644 --- a/outputs/slack.go +++ b/outputs/slack.go 
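Review bot: The new fixture in TestPagerdutyPayload (outputs/pagerduty_test.go) puts `"hostname": "test-host"` inside `output_fields` as well as at the top level, so the expected `Details["hostname"]` entry would be present even if createPagerdutyEvent ignored `falcopayload.Hostname`. Remove the key from `output_fields` so the assertion exercises the new branch. A second case with a top-level hostname and no `output_fields` at all would also cover the path where the map is nil. The test body continues outside the hunk.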
@@ -55,6 +55,12 @@ func newSlackPayload(falcopayload types.FalcoPayload, config *types.Configuratio field.Value = falcopayload.Source field.Short = true fields = append(fields, field) + if falcopayload.Hostname != "" { + field.Title = Hostname + field.Value = falcopayload.Hostname + field.Short = true + fields = append(fields, field) + } if len(falcopayload.Tags) != 0 { field.Title = Tags field.Value = strings.Join(falcopayload.Tags, ", ") diff --git a/outputs/slack_test.go b/outputs/slack_test.go index 1f167672a..2ea8d4e0f 100644 --- a/outputs/slack_test.go +++ b/outputs/slack_test.go @@ -37,6 +37,11 @@ func TestNewSlackPayload(t *testing.T) { Value: "syscalls", Short: true, }, + { + Title: "hostname", + Value: "test-host", + Short: true, + }, { Title: "tags", Value: "test, example", diff --git a/outputs/smtp_templates.go b/outputs/smtp_templates.go index 083f93dd0..e28204542 100644 --- a/outputs/smtp_templates.go +++ b/outputs/smtp_templates.go @@ -4,6 +4,7 @@ var plaintextTmpl = `Priority: {{ .Priority }} Output: {{ .Output }} Rule: {{ .Rule }} Source: {{ .Source }} +Hostname: {{ .Hostname }} Tags: {{ range .Tags }}{{ . }} {{ end }} Time: {{ .Time }} @@ -59,6 +60,10 @@ var htmlTmpl = ` Source {{ .Source }} + + + Hostname + {{ .Hostname }} Tags diff --git a/outputs/teams.go b/outputs/teams.go index 92fb25855..ddaf2ea46 100644 --- a/outputs/teams.go +++ b/outputs/teams.go @@ -69,6 +69,11 @@ func newTeamsPayload(falcopayload types.FalcoPayload, config *types.Configuratio fact.Name = Source fact.Value = falcopayload.Source facts = append(facts, fact) + if falcopayload.Hostname != "" { + fact.Name = Hostname + fact.Value = falcopayload.Hostname + facts = append(facts, fact) + } if len(falcopayload.Tags) != 0 { fact.Name = Tags fact.Value = strings.Join(falcopayload.Tags, ", ") diff --git a/outputs/teams_test.go b/outputs/teams_test.go index a2034dea1..6b4852528 100644 --- a/outputs/teams_test.go +++ b/outputs/teams_test.go 
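Review bot: Both outputs/smtp_templates.go hunks emit the Hostname row unconditionally, whereas every other output in this commit skips the field when `falcopayload.Hostname` is empty, so mails for events without a hostname will carry a blank `Hostname:` entry. Guard it in the template, e.g. `{{ if .Hostname }}Hostname: {{ .Hostname }}{{ end }}`, and wrap the HTML row in the same way. Separately, the hostname is taken from the incoming payload and is now placed into `htmlTmpl`; the render call is outside this diff, so confirm that it uses html/template rather than text/template and the value is escaped.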
@@ -37,6 +37,10 @@ func TestNewTeamsPayload(t *testing.T) { Name: "source", Value: "syscalls", }, + { + Name: "hostname", + Value: "test-host", + }, { Name: "tags", Value: "test, example", diff --git a/outputs/wavefront.go b/outputs/wavefront.go index b50787f9e..a0749f8c5 100644 --- a/outputs/wavefront.go +++ b/outputs/wavefront.go @@ -71,6 +71,10 @@ func (c *Client) WavefrontPost(falcopayload types.FalcoPayload) { tags["rule"] = falcopayload.Rule tags["source"] = falcopayload.Source + if falcopayload.Hostname != "" { + tags[Hostname] = falcopayload.Hostname + } + for tag, value := range falcopayload.OutputFields { switch v := value.(type) { case string: diff --git a/types/types.go b/types/types.go index 4a79f59dd..896b82a9b 100644 --- a/types/types.go +++ b/types/types.go @@ -19,6 +19,7 @@ type FalcoPayload struct { OutputFields map[string]interface{} `json:"output_fields"` Source string `json:"source"` Tags []string `json:"tags,omitempty"` + Hostname string `json:"hostname,omitempty"` } func (f FalcoPayload) String() string {