Export a source conversion/transformation method as part of the SDK

[sboschman]

Motivation

Some plugins, for example the k8saudit-xxx plugins, require an additional step to ingest events. The event from the source is not in the format as expected by the field extraction. E.g. in case of the k8saudit-gke plugin, the raw source event is a Google specific logging event. To be able to use the k8saudit plugin field extraction and rules a conversion/transformation is required.

To guarantee some sort of method signature and documentation for an optional conversion/transformation method, this method should preferably be part of the SDK. This allows building on top of the plugin code and reuse the conversion/transformation logic and extraction method.

Feature

Introduce a convert/transform method as part of the SDK api, just like the Open and Extract methods. Ideally the framework takes care of wiring everything together. This convert/transform method should maybe be part of the event sourcing capability:

• open stream
• collect events
  • get raw event from source
  • optionally, convert/transform the raw event into the format supported by field extraction
• close stream

Alternatives

Additional context

For reference, falcosecurity/plugins issue #490

[sboschman]

@jasondellaluce and @leogr , I opened this issue as not to lose track of Jason' comment.