Is your feature request related to a problem? Please describe.
Implement libsysflow, a library for creating SysFlow consumers. This library will define a concise API and export first-class SysFlow data types for consumers to transparently process SysFlow records and manage access to the underlying Falco libs and driver.
Describe the feature you'd like
libsysflow will be packaged and distributed by a CI workflow in sf-collector.
- The main interface will accept a config object where a callback function can be set to process SysFlow records.
- The config object will follow conventions and set optimal defaults that can be customized by the consumer.
- The library will be packaged as a static (.a) library and distributed as an rpm/deb artifact with sf-collector releases.
```cpp
// includes for sysflowlibscpp and the sysflow::* record types go here

// consumer-defined callback function, invoked once per SysFlow record
void process_sysflow(sysflow::SFHeader* header, sysflow::Container* cont,
                     sysflow::Process* proc, sysflow::File* f1,
                     sysflow::File* f2, sysflow::SysFlow* rec) {
  // your switch block here (dispatch on the record type carried by rec)
}

// example consumer
int main(int argc, char **argv) {
  // config comes pre-populated with defaults; only the callback must be set
  SysFlowConfig* config = sysflowlibscpp::InitializeSysFlowConfig();
  config->callback = process_sysflow;
  sysflowlibscpp::SysFlowDriver *driver = new sysflowlibscpp::SysFlowDriver(config);
  driver->run();   // blocks, delivering records to the callback
  delete driver;   // release the driver and its handle on the Falco libs before exiting
  return 0;
}
```
Additionally, libsysflow will perform the checks to verify that the Falco probe is loaded, and throw an exception otherwise. Consumers will load the Falco libs driver prior to running their main entrypoint, following the typical entrypoint recipe/script used by Falco and SysFlow.
Indicate project: Collector
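The consumer model sketched above (a config with defaults, a consumer-set callback, and a driver that refuses to run until the probe is loaded) as an added, self-contained illustration. This is not libsysflow's code: the `mock` namespace, the simplified four-argument callback, the `driverPath`/`dropMode` defaults and the injected `probeLoaded` check are all stand-ins so the example runs offline, and the sample records are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

namespace mock {  // hypothetical stand-ins, not the real libsysflow types

struct SFHeader { std::string exporter; };
struct Process  { std::string exe; };
struct File     { std::string path; };
enum class RecType { ProcessEvent, FileFlow, NetFlow };
struct SysFlow  { RecType type; int64_t ts; };

// Simplified callback: header, process, optional file, record.
using Callback = std::function<void(const SFHeader&, const Process&,
                                    const File*, const SysFlow&)>;

struct SysFlowConfig {
  // Convention-following defaults; the consumer overrides only what it needs.
  std::string driverPath = "/dev/falco0";  // hypothetical device node
  bool dropMode = true;                    // hypothetical default
  Callback callback;                       // consumer-supplied; required before run()
};

std::unique_ptr<SysFlowConfig> InitializeSysFlowConfig() {
  return std::make_unique<SysFlowConfig>();
}

class SysFlowDriver {
 public:
  // probeLoaded abstracts "is the Falco driver present?" so the check can be
  // exercised without a kernel module; a real driver would probe the system.
  SysFlowDriver(const SysFlowConfig& cfg, std::function<bool()> probeLoaded)
      : cfg_(cfg), probeLoaded_(std::move(probeLoaded)) {}

  // Delivers each record to the callback; returns the number delivered.
  // Throws when the consumer is misconfigured or the probe is absent.
  size_t run(const std::vector<SysFlow>& records) {
    if (!cfg_.callback)
      throw std::invalid_argument("SysFlowConfig.callback not set");
    if (!probeLoaded_())
      throw std::runtime_error(
          "Falco probe not loaded; load the driver before running the consumer");
    SFHeader hdr{"mock-exporter"};            // constructed sample values
    Process proc{"/usr/bin/curl"};
    File f{"/etc/passwd"};
    for (const auto& r : records) {
      const File* fp = (r.type == RecType::FileFlow) ? &f : nullptr;
      cfg_.callback(hdr, proc, fp, r);
    }
    return records.size();
  }

 private:
  SysFlowConfig cfg_;
  std::function<bool()> probeLoaded_;
};

}  // namespace mock

struct Counts { int procEvents = 0, fileFlows = 0, netFlows = 0, filesSeen = 0; };

// Consumer side: set the callback on the default config, run the driver over
// constructed records, and tally what the "switch block" saw.
Counts runConsumer(bool probeLoaded) {
  Counts c;
  auto cfg = mock::InitializeSysFlowConfig();
  cfg->callback = [&c](const mock::SFHeader&, const mock::Process&,
                       const mock::File* f, const mock::SysFlow& rec) {
    switch (rec.type) {
      case mock::RecType::ProcessEvent: ++c.procEvents; break;
      case mock::RecType::FileFlow:     ++c.fileFlows; if (f) ++c.filesSeen; break;
      case mock::RecType::NetFlow:      ++c.netFlows; break;
    }
  };
  mock::SysFlowDriver driver(*cfg, [probeLoaded] { return probeLoaded; });
  const std::vector<mock::SysFlow> sample = {  // constructed sample stream
      {mock::RecType::ProcessEvent, 1}, {mock::RecType::FileFlow, 2},
      {mock::RecType::FileFlow, 3},     {mock::RecType::NetFlow, 4}};
  driver.run(sample);
  return c;
}

// True when run() rejects a consumer started before the probe was loaded.
bool rejectsMissingProbe() {
  try { runConsumer(false); } catch (const std::runtime_error&) { return true; }
  return false;
}

int main() {
  Counts c = runConsumer(true);
  std::printf("proc=%d file=%d net=%d filesSeen=%d probeCheck=%s\n",
              c.procEvents, c.fileFlows, c.netFlows, c.filesSeen,
              rejectsMissingProbe() ? "enforced" : "missing");
  return 0;
}
```

The point of the injected probe check is the ordering the issue calls for: the consumer's entrypoint script loads the driver first, and a consumer that skips that step fails loudly at `run()` rather than silently receiving nothing.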
Additional context
libsysflow branch: https://github.com/sysflow-telemetry/sf-collector/tree/libsysflow