From be2abdea94a7ace873cc6c4e184cb2857a197ba0 Mon Sep 17 00:00:00 2001 From: Graham Gilbert Date: Thu, 20 Oct 2022 13:01:12 -0700 Subject: [PATCH] Allow passing a log level --- tables/unifiedlog/unified_log.go | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/tables/unifiedlog/unified_log.go b/tables/unifiedlog/unified_log.go index fcb548a..e5d07ef 100644 --- a/tables/unifiedlog/unified_log.go +++ b/tables/unifiedlog/unified_log.go @@ -65,12 +65,14 @@ func UnifiedLogColumns() []table.ColumnDefinition { table.TextColumn("time_zone_name"), table.TextColumn("predicate"), table.TextColumn("last"), + table.TextColumn("log_level"), } } func UnifiedLogGenerate(ctx context.Context, queryContext table.QueryContext) ([]map[string]string, error) { predicate := "" last := "" + logLevel := "" if constraintList, present := queryContext.Constraints["predicate"]; present { // 'predicate' is in the where clause @@ -90,6 +92,15 @@ func UnifiedLogGenerate(ctx context.Context, queryContext table.QueryContext) ([ } } + if constraintList, present := queryContext.Constraints["log_level"]; present { + // 'last' is in the where clause + for _, constraint := range constraintList.Constraints { + if constraint.Operator == table.OperatorEquals { + logLevel = constraint.Expression + } + } + } + // If there's no predicate, return empty results. This prevents crashing // osquery or the extension when the table attempts to load everything in // the unified log. This behavior is consistent with osquery tables like @@ -98,14 +109,14 @@ func UnifiedLogGenerate(ctx context.Context, queryContext table.QueryContext) ([ return []map[string]string{}, nil } - output, err := execute(predicate, last) + output, err := execute(predicate, last, logLevel) if err != nil { return nil, err } return output, nil } -func execute(predicate string, last string) ([]map[string]string, error) { +func execute(predicate string, last string, logLevel string) ([]map[string]string, error) { var output []map[string]string var unifiedlogs []UnifiedLog bin := "/usr/bin/log" @@ -120,6 +131,16 @@ func execute(predicate string, last string) ([]map[string]string, error) { args = append(args, "--last") args = append(args, last) } + + if logLevel == "debug" { + args = append(args, "--debug") + args = append(args, "--info") + } + + if logLevel == "info" { + args = append(args, "--info") + } + cmd := exec.Command(bin, args...) stdout, err := cmd.Output() if err != nil {