ignore truncated lines to avoid parsing errors

Signed-off-by: Thomas Labarussias <[email protected]>

plugins/k8saudit-eks/CHANGELOG.md

@@ -1,19 +1,21 @@
 # Changelog
 
-## v0.2.1
+## v0.3.0
+
+* Ignore truncated log lines to avoid parsing errors
 
+## v0.2.1
 
 ## v0.2.0
 
+* Upgrade the `plugin-sdk-go` for the plugin framework >3.0.0
 
 ## v0.1.2
 
-
 ## v0.1.1
 
 * [`e9a1ef4`](https://github.com/falcosecurity/plugins/commit/e9a1ef4) docs(plugins/k8saudit-eks): document required aws iam permissions
 
-
 ## v0.1.0
 
 * [`fa60639`](https://github.com/falcosecurity/plugins/commit/fa60639) update(plugins/k8saudit-eks): point k8saudit dependency to latest stable tag

plugins/k8saudit-eks/README.md

@@ -258,3 +258,8 @@ serviceAccount:
  annotations:
  - eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/${ROLE} #if you use an OIDC provider, you can attach a role to the service account
 ```
+Note the three placeholders REGION, ACCOUNT_ID, and CLUSTER_NAME which must be replaced with fitting values.
+
+### Warning
+
+AWS Cloudwatch Logs truncates log lines with more than 10,000 characters, as these lines can't be parsed by the plugin they are ignored and some events may be missed.

plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go

@@ -23,6 +23,7 @@ import (
  "fmt"
  "log"
  "os"
+ "strings"
  "time"
 
  "github.com/falcosecurity/plugin-sdk-go/pkg/sdk"
@@ -58,7 +59,7 @@ func (k *Plugin) Info() *plugins.Info {
  Name: pluginName,
  Description: "Read Kubernetes Audit Events for EKS from Cloudwatch Logs",
  Contact: "github.com/falcosecurity/plugins",
- Version: "0.2.1",
+ Version: "0.3.0",
  EventSource: "k8s_audit",
  }
 }
@@ -138,6 +139,10 @@ func (p *Plugin) Open(clustername string) (source.Instance, error) {
  for {
  select {
  case i := <-eventsC:
+ message := *i.Message
+ if strings.Contains(message, "[Truncated...]") {
+ continue
+ }
  values, err := p.Plugin.ParseAuditEventsPayload([]byte(*i.Message))
  if err != nil {
  p.Logger.Println(err)