Closed
Description
Motivation
I am attempting to ship falco events via http_output to logstash's http input. I am missing a field that would identify the incoming events as produced by falco. http_user_agent is also empty.
Feature
An ability to add an additional field to the http payload (or a fixed field) that would help identify the incoming data in logstash, e.g.
"source" => "falco"
Alternatives
Custom script that would wrap the log message with additional fields. But ideally http_output ought to be a little bit customizable.
Additional context
Example of data that comes into logstash's http input via falco's http_output, for reference (as seen in logstash):
{
"output_fields" => {
"fd.name" => "172.17.255.86:45264->10.117.196.70:22",
"proc.pname" => "sshd",
"proc.cmdline" => "sshd",
"user.name" => "root",
"fd.sip" => "10.117.196.70",
"evt.time.iso8601" => 1640956206668757005,
"container.id" => "confes02_prod",
"fd.num" => 0,
"user.loginuid" => 1000,
"container.name" => "confes02_prod",
"container.image.repository" => nil,
"fd.type" => "ipv4",
"proc.name" => "sshd",
"proc.tty" => 0
},
"output" => "2021-12-31T13:10:06.668757005+0000: Warning Redirect stdout/stdin to network connection (user=root user_loginuid=1000 confes02_prod (id=confes02_prod) process=sshd parent=sshd cmdline=sshd terminal=0 container_id=confes02_prod image=<NA> fd.name=172.17.255.86:45264->10.117.196.70:22 fd.num=0 fd.type=ipv4 fd.sip=10.117.196.70)",
"headers" => {
"http_accept" => "*/*",
"content_type" => "application/json",
"http_version" => "HTTP/1.1",
"request_path" => "/",
"request_method" => "POST",
"http_host" => "172.20.4.82:8080",
"content_length" => "870",
"http_user_agent" => nil
},
"@timestamp" => 2021-12-31T13:10:06.743Z,
"host" => "172.17.3.37",
"@version" => "1",
"rule" => "Redirect STDOUT/STDIN to Network Connection in Container",
"time" => "2021-12-31T13:10:06.668757005Z",
"source" => "syscall",
"priority" => "Warning",
"tags" => []
}
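The "custom script" alternative mentioned above, written out as an added example (this is not Falco's or Logstash's code, and not part of the original issue): a small relay that Falco's http_output points at, which stamps fixed fields and a User-Agent onto each event before forwarding it to the Logstash http input. One caveat visible in the sample payload itself: Falco already emits a "source" field ("source" => "syscall"), so a fixed field named "source" => "falco" would overwrite the event source. The relay therefore refuses to clobber existing keys unless told to, and the default tag uses a non-colliding name. The listen address, the relay's User-Agent string, the EXTRA_FIELDS name and the assumption that Falco sends one compact JSON object per POST (with newline-delimited objects also tolerated) are all assumptions of this example; the Logstash URL is taken from the http_host in the sample.

```python
#!/usr/bin/env python3
"""Added example, not Falco's code: relay Falco http_output events to a
Logstash http input, adding fixed identifying fields and a User-Agent.

Assumptions (not from the issue): Falco POSTs one compact JSON object per
request (newline-delimited objects are tolerated too), and the Logstash
http input listens at LOGSTASH_URL.
"""
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical addresses; adjust for your environment.
LISTEN_ADDR = ("127.0.0.1", 8765)           # falco.yaml http_output.url points here
LOGSTASH_URL = "http://172.20.4.82:8080/"   # Logstash http input (http_host from the sample)
USER_AGENT = "falco-relay/0.1"               # constructed value; Falco itself sent none

# Fields stamped onto every event. The sample already carries "source": "syscall"
# from Falco, so a non-colliding name is used by default.
EXTRA_FIELDS = {"producer": "falco"}


def enrich_event(body: bytes, extra_fields: dict, overwrite: bool = False) -> bytes:
    """Parse Falco JSON event(s), add extra_fields, return re-serialized bytes.

    Accepts a single JSON object or newline-delimited objects. Existing keys
    are preserved unless overwrite=True, so Falco's own "source" field is not
    silently replaced. Raises ValueError on anything that is not a JSON object.
    """
    text = body.decode("utf-8")
    try:
        events = [json.loads(text)]
    except json.JSONDecodeError:
        events = [json.loads(line) for line in text.splitlines() if line.strip()]
    out = []
    for event in events:
        if not isinstance(event, dict):
            raise ValueError("expected a JSON object per event")
        for key, value in extra_fields.items():
            if overwrite or key not in event:
                event[key] = value
        out.append(json.dumps(event, separators=(",", ":")))
    return ("\n".join(out) + "\n").encode("utf-8")


class RelayHandler(BaseHTTPRequestHandler):
    """Accept a Falco POST, enrich it, forward it to Logstash."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        try:
            payload = enrich_event(raw, EXTRA_FIELDS)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        req = urllib.request.Request(
            LOGSTASH_URL,
            data=payload,
            method="POST",
            headers={"Content-Type": "application/json", "User-Agent": USER_AGENT},
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                self.send_response(resp.status)
                self.end_headers()
        except OSError as exc:  # URLError/HTTPError are OSError subclasses
            self.log_error("forward to logstash failed: %s", exc)
            self.send_error(502, "upstream unavailable")


def main():
    HTTPServer(LISTEN_ADDR, RelayHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it next to Falco and set http_output.url in falco.yaml to the relay's address; Logstash then sees a "producer" => "falco" field and a populated http_user_agent header. If running a relay is unwelcome, the same identifying field can instead be added on the Logstash side with a mutate filter's add_field in the pipeline that owns the http input, which keeps Falco's configuration untouched.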