Export a source conversion/transformation method as part of the SDK #84

Open
sboschman opened this issue May 8, 2024 · 3 comments
Labels
kind/feature New feature or request

Comments

@sboschman

Motivation

Some plugins, for example the k8saudit-xxx plugins, require an additional step to ingest events. The event from the source is not in the format expected by the field extraction. E.g., in the case of the k8saudit-gke plugin, the raw source event is a Google-specific logging event. To be able to use the k8saudit plugin field extraction and rules, a conversion/transformation is required.

To guarantee some sort of method signature and documentation for an optional conversion/transformation method, this method should preferably be part of the SDK. This allows building on top of the plugin code and reusing the conversion/transformation logic and extraction method.

Feature

Introduce a convert/transform method as part of the SDK API, just like the Open and Extract methods. Ideally the framework takes care of wiring everything together. This convert/transform method should maybe be part of the event sourcing capability:

  • open stream
  • collect events
    • get raw event from source
    • optionally, convert/transform the raw event into the format supported by field extraction
  • close stream

Alternatives

Additional context

For reference, falcosecurity/plugins issue #490

@sboschman sboschman added the kind/feature New feature or request label May 8, 2024
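
A sketch of the conversion step requested in the issue above, added here as an example; it is not part of the issue, the plugin SDK, or the k8saudit-gke plugin. `Converter` and `GKEConverter` are hypothetical names, the field mapping is a simplified assumption covering only namespaced resources, and the sample event is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Converter is a hypothetical SDK hook, not an existing plugin-sdk-go API.
type Converter interface{ Convert(raw []byte) ([]byte, error) }

// gkeEntry is the subset of a Cloud Logging audit entry this sketch reads.
type gkeEntry struct {
	Timestamp    string `json:"timestamp"`
	ProtoPayload struct {
		MethodName   string `json:"methodName"`
		ResourceName string `json:"resourceName"`
		AuthInfo     struct {
			PrincipalEmail string `json:"principalEmail"`
		} `json:"authenticationInfo"`
	} `json:"protoPayload"`
}

// GKEConverter is a hypothetical implementation for a GKE log source.
type GKEConverter struct{}

func (GKEConverter) Convert(raw []byte) ([]byte, error) {
	var e gkeEntry
	if err := json.Unmarshal(raw, &e); err != nil {
		return nil, fmt.Errorf("decode source event: %w", err)
	}
	m := strings.Split(e.ProtoPayload.MethodName, ".")
	r := strings.Split(e.ProtoPayload.ResourceName, "/")
	// Only "core/v1/namespaces/<ns>/<resource>/<name>" is handled; anything
	// else is rejected so a half-filled event never reaches the rules.
	if len(r) != 6 || r[2] != "namespaces" || m[len(m)-1] == "" {
		return nil, fmt.Errorf("unsupported source event shape")
	}
	return json.Marshal(map[string]interface{}{
		"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": m[len(m)-1],
		"requestReceivedTimestamp": e.Timestamp,
		"user":      map[string]string{"username": e.ProtoPayload.AuthInfo.PrincipalEmail},
		"objectRef": map[string]string{"namespace": r[3], "resource": r[4], "name": r[5]},
	})
}

// Constructed sample input, not a captured GKE log line.
const sample = `{"timestamp":"2024-05-08T10:00:00Z","protoPayload":{"methodName":"io.k8s.core.v1.pods.create","resourceName":"core/v1/namespaces/default/pods/nginx","authenticationInfo":{"principalEmail":"dev@example.com"}}}`

func main() {
	var c Converter = GKEConverter{}
	out, err := c.Convert([]byte(sample))
	fmt.Println(string(out), err)
}
```

Returning an error for unrecognized shapes lets the caller count and log dropped events, which makes gaps in audit coverage visible instead of silent.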
@sboschman
Author

@jasondellaluce and @leogr, I opened this issue so as not to lose track of Jason's comment.

@poiana

poiana commented Aug 6, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Aug 20, 2024

/remove-lifecycle stale

3 participants