This directory contains the json extractor plugin, which can extract values from any JSON payload. It is used to extract information from JSON payloads such as k8s_audit events, or from event payloads generated by source plugins such as cloudtrail, which represent their event payload as JSON.
The json plugin is an extractor plugin and therefore does not have an event source.
Here is the current set of supported fields:
| NAME | TYPE | ARG | DESCRIPTION |
|---|---|---|---|
| `json.value` | string | Key, Required | Extracts a value from a JSON-encoded input. Syntax is `json.value[<json pointer>]`, where `<json pointer>` is a json pointer (see https://datatracker.ietf.org/doc/html/rfc6901) |
| `json.obj` | string | None | The full json message as a text string. |
| `json.rawtime` | string | None | The time of the event, identical to evt.rawtime. |
| `jevt.value` | string | Key, Required | Alias for json.value, provided for backwards compatibility. |
| `jevt.obj` | string | None | Alias for json.obj, provided for backwards compatibility. |
| `jevt.rawtime` | string | None | Alias for json.rawtime, provided for backwards compatibility. |
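
The following is an added example, not the plugin's own code: a small Go resolver for RFC 6901 pointers, run against a constructed k8s_audit-style payload, showing how the key given to `json.value` selects a value and why a `/` inside a key name (common in Kubernetes annotation keys) must be written as `~1`. `resolvePointer` and `sampleEvent` are hypothetical names, and the plugin's own handling of missing keys or non-string values may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample event shaped like a k8s_audit payload (not real data).
const sampleEvent = `{"verb":"create","user":{"username":"alice","groups":["dev","system:authenticated"]},"annotations":{"authorization.k8s.io/decision":"allow"}}`

// resolvePointer (hypothetical helper) evaluates an RFC 6901 pointer and returns the value as text.
func resolvePointer(doc, pointer string) (string, error) {
	var cur interface{}
	if err := json.Unmarshal([]byte(doc), &cur); err != nil {
		return "", err
	}
	if pointer != "" && !strings.HasPrefix(pointer, "/") {
		return "", fmt.Errorf("pointer %q must be empty or start with '/'", pointer)
	}
	for _, tok := range strings.Split(pointer, "/")[1:] {
		// RFC 6901 unescaping: "~1" becomes "/" first, then "~0" becomes "~".
		tok = strings.ReplaceAll(strings.ReplaceAll(tok, "~1", "/"), "~0", "~")
		switch node := cur.(type) {
		case map[string]interface{}:
			var ok bool
			if cur, ok = node[tok]; !ok {
				return "", fmt.Errorf("key %q not found", tok)
			}
		case []interface{}:
			i, err := strconv.Atoi(tok)
			if err != nil || i < 0 || i >= len(node) || strconv.Itoa(i) != tok {
				return "", fmt.Errorf("invalid array index %q", tok)
			}
			cur = node[i]
		default:
			return "", fmt.Errorf("cannot descend into scalar at %q", tok)
		}
	}
	if s, ok := cur.(string); ok {
		return s, nil // strings are returned without surrounding quotes
	}
	out, err := json.Marshal(cur) // objects, arrays, numbers: JSON text
	return string(out), err
}

func main() {
	fmt.Println(resolvePointer(sampleEvent, "/annotations/authorization.k8s.io~1decision"))
}
```

Writing the annotation key with an unescaped `/` makes the resolver look for a key named `authorization.k8s.io` and fail, which in a rule condition would mean the comparison never matches.
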
This plugin does not have any configuration. Any initialization value passed to plugin_init() is ignored.
Here is a complete falco.yaml snippet showing valid configurations for the json plugin:
```yaml
plugins:
  - name: json
    library_path: libjson.so
    init_config: ""
    open_params: ""

# Optional. If not specified the first entry in plugins is used.
load_plugins: [json]
```