Status EventFactory::run(EventPublisherID& type_id) { // An interesting take on an event dispatched entrypoint. // There is little introspection into the event type. // Assume it can either make use of an entrypoint poller/selector or // take care of async callback registrations in setUp/configure/run // only once and handle event queueing/firing in callbacks. EventPublisherRef publisher; try { publisher = EventFactory::getInstance().getEventPublisher(type_id); } catch (std::out_of_range& e) { return Status(1, "No event type found"); } VLOG(1) << "Starting event publisher runloop: " + type_id; publisher->hasStarted(true); auto status = Status(0, "OK"); while (!publisher->isEnding() && status.ok()) { // Can optionally implement a global cooloff latency here. status = publisher->run(); osquery::publisherSleep(EVENTS_COOLOFF); } // The runloop status is not reflective of the event type's. publisher->tearDown(); VLOG(1) << "Event publisher " << publisher->type() << " runloop terminated for reason: " << status.getMessage(); return Status(0, "OK"); }
Status EventFactory::run(EventPublisherID& type_id) { if (FLAGS_disable_events) { return Status(0, "Events disabled"); } // An interesting take on an event dispatched entrypoint. // There is little introspection into the event type. // Assume it can either make use of an entrypoint poller/selector or // take care of async callback registrations in setUp/configure/run // only once and handle event queuing/firing in callbacks. EventPublisherRef publisher = nullptr; { auto& ef = EventFactory::getInstance(); WriteLock lock(getInstance().factory_lock_); publisher = ef.getEventPublisher(type_id); } if (publisher == nullptr) { return Status(1, "Event publisher is missing"); } else if (publisher->hasStarted()) { return Status(1, "Cannot restart an event publisher"); } VLOG(1) << "Starting event publisher run loop: " + type_id; publisher->hasStarted(true); auto status = Status(0, "OK"); while (!publisher->isEnding()) { // Can optionally implement a global cooloff latency here. status = publisher->run(); if (!status.ok()) { break; } publisher->restart_count_++; // This is a 'default' cool-off implemented in InterruptableRunnable. // If a publisher fails to perform some sort of interruption point, this // prevents the thread from thrashing through exiting checks. publisher->pause(); } if (!status.ok()) { // The runloop status is not reflective of the event type's. VLOG(1) << "Event publisher " << publisher->type() << " run loop terminated for reason: " << status.getMessage(); // Publishers auto tear down when their run loop stops. } publisher->tearDown(); // Do not remove the publisher from the event factory. // If the event factory's `end` method was called these publishers will be // cleaned up after their thread context is removed; otherwise, a removed // thread context and failed publisher will remain available for stats. return Status(0, "OK"); }
Status EventFactory::run(EventPublisherID& type_id) { auto& ef = EventFactory::getInstance(); if (FLAGS_disable_events) { return Status(0, "Events disabled"); } // An interesting take on an event dispatched entrypoint. // There is little introspection into the event type. // Assume it can either make use of an entrypoint poller/selector or // take care of async callback registrations in setUp/configure/run // only once and handle event queuing/firing in callbacks. EventPublisherRef publisher = ef.getEventPublisher(type_id); if (publisher == nullptr) { return Status(1, "Event publisher is missing"); } else if (publisher->hasStarted()) { return Status(1, "Cannot restart an event publisher"); } VLOG(1) << "Starting event publisher run loop: " + type_id; publisher->hasStarted(true); auto status = Status(0, "OK"); while (!publisher->isEnding() && status.ok()) { // Can optionally implement a global cooloff latency here. status = publisher->run(); publisher->restart_count_++; osquery::publisherSleep(EVENTS_COOLOFF); } // The runloop status is not reflective of the event type's. VLOG(1) << "Event publisher " << publisher->type() << " run loop terminated for reason: " << status.getMessage(); // Publishers auto tear down when their run loop stops. publisher->tearDown(); // Do not remove the publisher from the event factory. // If the event factory's `end` method was called these publishers will be // cleaned up after their thread context is removed; otherwise, a removed // thread context and failed publisher will remain available for stats. // ef.event_pubs_.erase(type_id); return Status(0, "OK"); }
Status EventFactory::deregisterEventPublisher(const EventPublisherRef& pub) { return EventFactory::deregisterEventPublisher(pub->type()); }