draios · therealbobo · Dec 10, 2025 · Dec 4, 2025 · Dec 3, 2025 · Dec 9, 2025
@@ -27,7 +27,7 @@
          fetch-depth: 0

      - name: Install deps
        run: |
          cp -v scripts/zig-cc  /usr/bin/
          cp -v scripts/zig-c++ /usr/bin/
          apt update && \
@@ -110,13 +110,13 @@
     name: build-sysdig-${{ matrix.os }}-${{ matrix.arch }}
     strategy:
       matrix:
-        os: [windows-latest, macos-13, macos-14]
+        os: [windows-latest, macos-15-intel, macos-14]
         include:
           - os: windows-latest
             artifact_name: win
             artifact_ext: exe
             arch: x86_64
-          - os: macos-13
+          - os: macos-15-intel
             artifact_name: osx
             artifact_ext: dmg
             arch: x86_64

@@ -37,7 +37,7 @@
          fetch-depth: 0

      - name: Install deps
        run: |
          cp -v scripts/zig-cc  /usr/bin/
          cp -v scripts/zig-c++ /usr/bin/
          apt update && \
@@ -105,13 +105,13 @@
     name: build-release-others
     strategy:
       matrix:
-        os: [windows-latest, macos-13, macos-14]
+        os: [windows-latest, macos-15-intel, macos-14]
         include:
           - os: windows-latest
             artifact_name: win
             artifact_ext: exe
             arch: x86_64
-          - os: macos-13
+          - os: macos-15-intel
             artifact_name: osx
             artifact_ext: dmg
             arch: x86_64
@@ -220,10 +220,10 @@
        run: printenv PRIVATE_KEY | gpg --import -

      - name: Sign DEBs
        run: debsigs --sign=origin --default-key="${{ env.KEY_ID }}" *.deb

      - name: Sign RPMs
        run: rpm --define "_gpg_name ${{ env.KEY_ID }}" --define "_binary_filedigest_algorithm 8" --addsign *.rpm

      - name: Upload Signed Packages
        uses: actions/upload-artifact@v4

@@ -17,17 +17,17 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} PLUGINS_SYSTEM_NAME)
 
-set(CONTAINER_VERSION "0.5.0")
+set(CONTAINER_VERSION "0.6.0")
 
 if(UNIX AND NOT APPLE)
 
 	set(CONTAINER_LIBRARY
 		"${CMAKE_BINARY_DIR}/container_plugin-prefix/src/container_plugin/libcontainer.so"
 	)
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-		set(CONTAINER_HASH "717020a51d2c0a58a777fef724be53cb802d687815e336f17d9cb0bbdb79fcb1")
+		set(CONTAINER_HASH "f9c322dc2aa4cbda492a5e6258532f771e960db45509a53bc1a528a01f4b6168")
 	else() # arm64
-		set(CONTAINER_HASH "2de25ef29eaadd719507441dbf1610bf094e9c41e9aa8cdb5f6a70c4ec8bba75")
+		set(CONTAINER_HASH "f2015a5c758b5eb79869ec1593352adf5c955990e58e08047b4c1344c6b07676")
 	endif()
 
 	if(NOT TARGET container_plugin)
@@ -75,7 +75,7 @@ else()
 		ExternalProject_Add(
 			container_plugin
 			URL "https://github.com/falcosecurity/plugins/archive/refs/tags/plugins/container/v${CONTAINER_VERSION}.tar.gz"
-			URL_HASH "SHA256=b3e3fc3f26bf405c3332a8d75377fbbdd298066d46c21813a4a2bbb0f352f7fb"
+			URL_HASH "SHA256=308354b7a92c8d4fb0240e22a62cf0ac35c4b5b2ecf73863365d60d4d0a1d58f"
 			SOURCE_SUBDIR plugins/container
 			BUILD_IN_SOURCE 1
 			BUILD_BYPRODUCTS "${CONTAINER_LIBRARY}"

@@ -251,7 +251,7 @@ void chiselinfo::set_callback_precise_interval(uint64_t interval)
 ///////////////////////////////////////////////////////////////////////////////
 // chisel implementation
 ///////////////////////////////////////////////////////////////////////////////
-sinsp_chisel::sinsp_chisel(sinsp* inspector, std::string filename, bool is_file)
+sinsp_chisel::sinsp_chisel(sinsp* inspector, std::string filename, std::shared_ptr<sinsp_filter_check_list> filter_list, bool is_file)
 {
 	m_inspector = inspector;
 	m_ls = NULL;
@@ -261,6 +261,7 @@ sinsp_chisel::sinsp_chisel(sinsp* inspector, std::string filename, bool is_file)
 	m_lua_last_interval_sample_time = 0;
 	m_lua_last_interval_ts = 0;
 	m_udp_socket = 0;
+	m_filter_check_list = std::move(filter_list);
 
 	load(filename, is_file);
 }

@@ -135,7 +135,7 @@ class chiselinfo
 class sinsp_chisel
 {
 public:
-	sinsp_chisel(sinsp* inspector, std::string filename, bool is_file = true);
+    sinsp_chisel(sinsp* inspector, std::string filename, std::shared_ptr<sinsp_filter_check_list> filter_list, bool is_file = true);
 	~sinsp_chisel();
 
 	static void add_lua_package_path(lua_State* ls, const std::string& path);

@@ -1152,7 +1152,7 @@ int lua_cbacks::get_container_table(lua_State *ls)
 	// Go through the list
 	//
 	if(ctable != nullptr) {
-		auto fld_id = ctable->get_field<std::string>("container_id");
+		auto fld_id = ctable->get_field<std::string>("id");
 		auto fld_name = ctable->get_field<std::string>("name");
 		auto fld_image = ctable->get_field<std::string>("image");
 		auto fld_type = ctable->get_field<int>("type");
@@ -1178,6 +1178,9 @@ int lua_cbacks::get_container_table(lua_State *ls)
 			lua_pushliteral(ls, "type");
 			switch (type)
 			{
+			case container_type::CT_HOST:
+				lua_pushstring(ls, "");
+				break;
 			case container_type::CT_DOCKER:
 				lua_pushstring(ls, "docker");
 				break;

@@ -129,7 +129,12 @@ const char* spy_text_renderer::process_event_spy(sinsp_evt* evt, int64_t* len)
 	//
 	// Get and validate the length
 	//
-	const sinsp_evt_param* parinfo = evt->get_param(0);
+	const sinsp_evt_param* parinfo;
+    try {
+        parinfo = evt->get_param(0);
+    } catch (...) {
+        return NULL;
+    }
 	ASSERT(parinfo->m_len == sizeof(int64_t));
 	*len = *(int64_t*)parinfo->m_val;
 	if(*len <= 0)

@@ -45,12 +45,16 @@ else()
 endif()
 
 list(APPEND SOURCE_FILES
+    filterchecks/sinsp_filtercheck_syslog.cpp
+    utils/sinsp_syslog.cpp
 	utils/sinsp_opener.cpp
 	utils/plugin_utils.cpp
 	utils/supported_events.cpp
 	utils/supported_fields.cpp)
 
 list(APPEND SOURCE_FILES_CSYSDIG
+    filterchecks/sinsp_filtercheck_syslog.cpp
+    utils/sinsp_syslog.cpp
 	utils/sinsp_opener.cpp
 	utils/plugin_utils.cpp
 	utils/supported_events.cpp

@@ -44,6 +44,7 @@ limitations under the License.
 #include "utils/plugin_utils.h"
 #include "utils/sinsp_opener.h"
 #include "utils/supported_fields.h"
+#include "filterchecks/sinsp_filtercheck_syslog.h"
 
 #ifdef _WIN32
 #include "win32/getopt.h"
@@ -258,7 +259,8 @@ static void print_views(chisel_view_manager* view_manager)
 captureinfo do_inspect(sinsp* inspector,
 					   uint64_t cnt,
 					   sinsp_cursesui* ui,
-					   const chisel_table::output_type& output_type)
+					   const chisel_table::output_type& output_type,
+                       std::shared_ptr<sinsp_syslog_decoder> syslog_decoder)
 {
 	captureinfo retval;
 	int32_t res;
@@ -279,7 +281,9 @@ captureinfo do_inspect(sinsp* inspector,
 			break;
 		}
 
+        syslog_decoder->reset();
 		res = inspector->next(&ev);
+        syslog_decoder->parse(ev);
 
 		if(res == SCAP_TIMEOUT || res == SCAP_FILTERED_EVENT)
 		{
@@ -352,6 +356,7 @@ sysdig_init_res csysdig_init(int argc, char **argv)
 	int32_t json_last_row = 0;
 	int32_t sorting_col = -1;
 	bool list_views = false;
+    std::shared_ptr<sinsp_syslog_decoder> syslog_decoder = std::make_shared<sinsp_syslog_decoder>();
 
 #ifndef _WIN32
 	chisel_table::output_type output_type = chisel_table::OT_CURSES;
@@ -643,6 +648,7 @@ sysdig_init_res csysdig_init(int argc, char **argv)
 
 		// TODO(therealbobo): add plugins filterchecks
 		filter_list = std::make_shared<sinsp_filter_check_list>();
+        filter_list->add_filter_check(std::make_unique<sinsp_filter_check_syslog>(syslog_decoder));
 		plugins.init_loaded_plugins(inspector, filter_list.get());
 
 		for (auto plugin : inspector->m_plugin_manager->plugins())
@@ -895,10 +901,7 @@ sysdig_init_res csysdig_init(int argc, char **argv)
 			//
 			// Start the capture loop
 			//
-			cinfo = do_inspect(inspector,
-				cnt,
-				&ui,
-				output_type);
+            cinfo = do_inspect(inspector, cnt, &ui, output_type, syslog_decoder);
 
 			if(output_type == chisel_table::OT_JSON)
 			{

@@ -0,0 +1,96 @@
+#include "sinsp_filtercheck_syslog.h"
+#include <libsinsp/sinsp.h>
+#include <libsinsp/sinsp_int.h>
+
+using namespace std;
+
+#define RETURN_EXTRACT_VAR(x)  \
+	do {                       \
+		*len = sizeof((x));    \
+		return (uint8_t*)&(x); \
+	} while(0)
+
+#define RETURN_EXTRACT_STRING(x)      \
+	do {                              \
+		*len = (x).size();            \
+		return (uint8_t*)(x).c_str(); \
+	} while(0)
+
+#define RETURN_EXTRACT_CSTR(x)           \
+	do {                                 \
+		if((x)) {                        \
+			*len = strlen((char*)((x))); \
+		}                                \
+		return (uint8_t*)((x));          \
+	} while(0)
+
+static const filtercheck_field_info sinsp_filter_check_syslog_fields[] = {
+        {PT_CHARBUF, EPF_NONE, PF_NA, "syslog.facility.str", "Facility", "facility as a string."},
+        {PT_UINT32,
+         EPF_NONE,
+         PF_DEC,
+         "syslog.facility",
+         "Numeric Facility",
+         "facility as a number (0-23)."},
+        {PT_CHARBUF,
+         EPF_NONE,
+         PF_NA,
+         "syslog.severity.str",
+         "Severity",
+         "severity as a string. Can have one of these values: emerg, alert, crit, err, warn, "
+         "notice, info, debug"},
+        {PT_UINT32,
+         EPF_NONE,
+         PF_DEC,
+         "syslog.severity",
+         "Numeric Severity",
+         "severity as a number (0-7)."},
+        {PT_CHARBUF, EPF_NONE, PF_NA, "syslog.message", "Message", "message sent to syslog."},
+};
+
+sinsp_filter_check_syslog::sinsp_filter_check_syslog(std::shared_ptr<sinsp_syslog_decoder> syslog_decoder) {
+	static const filter_check_info s_field_infos = {
+	        "syslog",
+	        "",
+	        "Content of Syslog messages.",
+	        sizeof(sinsp_filter_check_syslog_fields) / sizeof(sinsp_filter_check_syslog_fields[0]),
+	        sinsp_filter_check_syslog_fields,
+	        filter_check_info::FL_NONE,
+	};
+	m_info = &s_field_infos;
+    m_syslog_decoder = syslog_decoder;
+}
+
+std::unique_ptr<sinsp_filter_check> sinsp_filter_check_syslog::allocate_new() {
+	return std::make_unique<sinsp_filter_check_syslog>(m_syslog_decoder);
+}
+
+uint8_t* sinsp_filter_check_syslog::extract_single(sinsp_evt* evt,
+                                                   uint32_t* len,
+                                                   bool sanitize_strings) {
+	*len = 0;
+	if(!m_syslog_decoder->is_data_valid()) {
+		return NULL;
+	}
+
+	switch(m_field_id) {
+	case TYPE_FACILITY:
+		m_storageu32 = m_syslog_decoder->get_facility();
+		RETURN_EXTRACT_VAR(m_storageu32);
+	case TYPE_FACILITY_STR:
+		mstrstorage = m_syslog_decoder->get_facility_str();
+		RETURN_EXTRACT_STRING(mstrstorage);
+	case TYPE_SEVERITY:
+		m_storageu32 = m_syslog_decoder->get_severity();
+		RETURN_EXTRACT_VAR(m_storageu32);
+	case TYPE_SEVERITY_STR:
+		mstrstorage = m_syslog_decoder->get_severity_str();
+		RETURN_EXTRACT_STRING(mstrstorage);
+	case TYPE_MESSAGE:
+		mstrstorage = m_syslog_decoder->get_msg();
+		RETURN_EXTRACT_STRING(mstrstorage);
+	default:
+		ASSERT(false);
+		return NULL;
+	}
+}
@@ -0,0 +1,28 @@
+#pragma once
+
+#include <libsinsp/sinsp_filtercheck.h>
+#include "../utils/sinsp_syslog.h"
+
+class sinsp_filter_check_syslog : public sinsp_filter_check {
+public:
+	enum check_type {
+		TYPE_FACILITY_STR = 0,
+		TYPE_FACILITY,
+		TYPE_SEVERITY_STR,
+		TYPE_SEVERITY,
+		TYPE_MESSAGE,
+	};
+
+	sinsp_filter_check_syslog(std::shared_ptr<sinsp_syslog_decoder> syslog_decoder);
+	virtual ~sinsp_filter_check_syslog() = default;
+
+	std::unique_ptr<sinsp_filter_check> allocate_new() override;
+
+protected:
+	uint8_t* extract_single(sinsp_evt*, uint32_t* len, bool sanitize_strings = true) override;
+
+private:
+	uint32_t m_storageu32;
+	std::string mstrstorage;
+	std::shared_ptr<sinsp_syslog_decoder> m_syslog_decoder;
+};