This directory contains the dummy plugin, which is an example plugin written in Go. It's referenced in the Plugins Go SDK Walkthrough as an implementation example of a plugin with both event sourcing and field extraction capabilities.
It generates synthetic events and doesn't serve any purpose other than for documentation.
The event source for dummy events is `dummy`.
Here is the current set of supported fields:
| NAME | TYPE | ARG | DESCRIPTION |
|---|---|---|---|
| `dummy.divisible` | `uint64` | Index, Required | Return 1 if the value is divisible by the provided divisor, 0 otherwise |
| `dummy.value` | `uint64` | None | The sample value in the event |
| `dummy.strvalue` | `string` | None | The sample value in the event, as a string |

The format of the initialization string is a JSON object. Here's an example:

```json
{"jitter": 10}
```

The JSON object has the following properties:

- `jitter`: Controls the random value that is added to each event returned in `next()`.

The init string can be the empty string, which is treated identically to `{}`.

The format of the open params string is a JSON object. Here's an example:

```json
{"start": 1, "maxEvents": 20}
```

The JSON object has the following properties:

- `start`: denotes the initial value of the sample
- `maxEvents`: denotes the number of events to return before returning EOF.

The open params string can be the empty string, which is treated identically to `{}`.
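
The following added example (not the plugin's own source) sketches how the init string and the open params string described above drive event generation until EOF. The type and function names, the seeded RNG, and the exact jitter rule (a random amount in [0, jitter] added per event) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/rand"
)

// Keys match the JSON properties documented above; names are hypothetical.
type initConfig struct {
	Jitter uint32 `json:"jitter"` // negative or oversized values fail to decode
}
type openParams struct {
	Start     uint64 `json:"start"`
	MaxEvents uint64 `json:"maxEvents"`
}

// parse decodes s into out, treating the empty string identically to {}.
func parse(s string, out interface{}) error {
	if s == "" {
		s = "{}"
	}
	return json.Unmarshal([]byte(s), out)
}

// Samples returns the sample values emitted before EOF (maxEvents events).
// Assumption: each event adds a random amount in [0, jitter] to the running sample.
func Samples(initStr, openStr string, seed int64) ([]uint64, error) {
	var cfg initConfig
	var op openParams
	if err := parse(initStr, &cfg); err != nil {
		return nil, fmt.Errorf("init config: %w", err)
	}
	if err := parse(openStr, &op); err != nil {
		return nil, fmt.Errorf("open params: %w", err)
	}
	rng := rand.New(rand.NewSource(seed))
	var out []uint64
	for i, s := uint64(0), op.Start; i < op.MaxEvents; i++ {
		s += uint64(rng.Int63n(int64(cfg.Jitter) + 1))
		out = append(out, s)
	}
	return out, nil
}

func main() {
	vals, err := Samples(`{"jitter": 10}`, `{"start": 1, "maxEvents": 20}`, 42)
	fmt.Println(vals, err)
}
```

In this sketch an empty string leaves every property at its zero value, so no events are produced; the defaults the real plugin applies are not stated on this page.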

Here is a complete `falco.yaml` snippet showing valid configurations for the dummy plugin:

```yaml
plugins:
  - name: dummy
    library_path: libdummy.so
    init_config: '{"jitter": 10}'
    open_params: '{"start": 1, "maxEvents": 20}'

# Optional. If not specified the first entry in plugins is used.
load_plugins: [dummy]
```

Run Falco using `dummy_rules.yaml`:

```shell
sudo ./usr/bin/falco -c falco.yaml -r dummy_rules.yaml --disable-source=syscall
```