aquasecurity · NDStrahilevitz · Dec 6, 2022 · Nov 29, 2022 · Nov 29, 2022 · Nov 30, 2022
diff --git a/docs/docs/tracing/output-formats.md b/docs/docs/tracing/output-formats.md
@@ -92,8 +92,8 @@ output and standard error:
 
 2. Error file
 
-    Redirect errors to your log files if needed:
+    Redirect logs to a file if needed:
 
     ```text
-    $ sudo TRACEE_BPF_FILE=do-not-exist ./dist/tracee-ebpf --output json --trace comm=bash --trace follow --trace event=openat --output out-file:/tmp/tracee.log --output err-file:/tmp/tracee.err
+    $ sudo TRACEE_BPF_FILE=do-not-exist ./dist/tracee-ebpf --output json --trace comm=bash --trace follow --trace event=openat --output out-file:/tmp/tracee.events --output log-file:/tmp/tracee.log
     ```
diff --git a/pkg/cmd/flags/flags_test.go b/pkg/cmd/flags/flags_test.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/aquasecurity/tracee/pkg/cmd/flags"
@@ -421,88 +422,114 @@ func TestPrepareCapture(t *testing.T) {
 }
 
 func TestPrepareOutput(t *testing.T) {
-
 	testCases := []struct {
 		testName       string
 		outputSlice    []string
-		expectedOutput tracee.OutputConfig
+		expectedOutput flags.OutputConfig
 		expectedError  error
 	}{
 		{
 			testName:    "invalid output option",
 			outputSlice: []string{"foo"},
 			// it's not the preparer job to validate input. in this case foo is considered an implicit output format.
-			expectedOutput: tracee.OutputConfig{},
-			expectedError:  errors.New("unrecognized output format: foo. Valid format values: 'table', 'table-verbose', 'json', 'gob' or 'gotemplate='. Use '--output help' for more info"),
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+			},
+			expectedError: errors.New("unrecognized output format: foo. Valid format values: 'table', 'table-verbose', 'json', 'gob' or 'gotemplate='. Use '--output help' for more info"),
 		},
 		{
-			testName:       "invalid output option",
-			outputSlice:    []string{"option:"},
-			expectedOutput: tracee.OutputConfig{},
-			expectedError:  errors.New("invalid output option: , use '--output help' for more info"),
+			testName:    "invalid output option",
+			outputSlice: []string{"option:"},
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+			},
+			expectedError: errors.New("invalid output option: , use '--output help' for more info"),
 		},
 		{
-			testName:       "invalid output option 2",
-			outputSlice:    []string{"option:foo"},
-			expectedOutput: tracee.OutputConfig{},
-			expectedError:  errors.New("invalid output option: foo, use '--output help' for more info"),
+			testName:    "invalid output option 2",
+			outputSlice: []string{"option:foo"},
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+			},
+			expectedError: errors.New("invalid output option: foo, use '--output help' for more info"),
 		},
 		{
-			testName:       "empty val",
-			outputSlice:    []string{"out-file"},
-			expectedOutput: tracee.OutputConfig{},
-			expectedError:  errors.New("unrecognized output format: out-file. Valid format values: 'table', 'table-verbose', 'json', 'gob' or 'gotemplate='. Use '--output help' for more info"),
+			testName:    "empty val",
+			outputSlice: []string{"out-file"},
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+			},
+			expectedError: errors.New("unrecognized output format: out-file. Valid format values: 'table', 'table-verbose', 'json', 'gob' or 'gotemplate='. Use '--output help' for more info"),
 		},
+
 		{
 			testName:    "option stack-addresses",
 			outputSlice: []string{"option:stack-addresses"},
-			expectedOutput: tracee.OutputConfig{
-				StackAddresses: true,
-				ParseArguments: true,
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+				OutputConfig: tracee.OutputConfig{
+					StackAddresses: true,
+					ParseArguments: true,
+				},
 			},
 		},
 		{
 			testName:    "option detect-syscall",
 			outputSlice: []string{"option:detect-syscall"},
-			expectedOutput: tracee.OutputConfig{
-				DetectSyscall:  true,
-				ParseArguments: true,
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+				OutputConfig: tracee.OutputConfig{
+					DetectSyscall:  true,
+					ParseArguments: true,
+				},
 			},
 		},
 		{
 			testName:    "option exec-env",
 			outputSlice: []string{"option:exec-env"},
-			expectedOutput: tracee.OutputConfig{
-				ExecEnv:        true,
-				ParseArguments: true,
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+				OutputConfig: tracee.OutputConfig{
+					ExecEnv:        true,
+					ParseArguments: true,
+				},
 			},
 		},
 		{
 			testName:    "option exec-hash",
 			outputSlice: []string{"option:exec-hash"},
-			expectedOutput: tracee.OutputConfig{
-				ExecHash:       true,
-				ParseArguments: true,
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+				OutputConfig: tracee.OutputConfig{
+					ExecHash:       true,
+					ParseArguments: true,
+				},
 			},
 		},
 		{
 			testName:    "option sort-events",
 			outputSlice: []string{"option:sort-events"},
-			expectedOutput: tracee.OutputConfig{
-				ParseArguments: true,
-				EventsSorting:  true,
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+				OutputConfig: tracee.OutputConfig{
+					ParseArguments: true,
+					EventsSorting:  true,
+				},
 			},
 		},
 		{
 			testName:    "all options",
 			outputSlice: []string{"option:stack-addresses", "option:detect-syscall", "option:exec-env", "option:exec-hash", "option:sort-events"},
-			expectedOutput: tracee.OutputConfig{
-				StackAddresses: true,
-				DetectSyscall:  true,
-				ExecEnv:        true,
-				ExecHash:       true,
-				ParseArguments: true,
-				EventsSorting:  true,
+			expectedOutput: flags.OutputConfig{
+				LogFile: os.Stderr,
+				OutputConfig: tracee.OutputConfig{
+					StackAddresses: true,
+					DetectSyscall:  true,
+					ExecEnv:        true,
+					ExecHash:       true,
+					ParseArguments: true,
+					EventsSorting:  true,
+				},
 			},
 		},
 	}

diff --git a/pkg/cmd/flags/output.go b/pkg/cmd/flags/output.go
@@ -19,7 +19,7 @@ Possible options:
 [format:]gob                                       output events in gob format
 [format:]gotemplate=/path/to/template              output events formatted using a given gotemplate file
 out-file:/path/to/file                             write the output to a specified file. create/trim the file if exists (default: stdout)
-err-file:/path/to/file                             write the errors to a specified file. create/trim the file if exists (default: stderr)
+log-file:/path/to/file                             write the logs to a specified file. create/trim the file if exists (default: stderr)
 none                                               ignore stream of events output, usually used with --capture
 option:{stack-addresses,detect-syscall,exec-env,relative-time,exec-hash,parse-arguments,sort-events}
                                                    augment output according to given options (default: none)
@@ -35,18 +35,23 @@ option:{stack-addresses,detect-syscall,exec-env,relative-time,exec-hash,parse-ar
 Examples:
   --output json                                            | output as json
   --output gotemplate=/path/to/my.tmpl                     | output as the provided go template
-  --output out-file:/my/out --output err-file:/my/err      | output to /my/out and errors to /my/err
+  --output out-file:/my/out --output log-file:/my/log      | output to /my/out and logs to /my/log
   --output none                                            | ignore events output
 Use this flag multiple times to choose multiple output options
 `
 }
 
-func PrepareOutput(outputSlice []string) (tracee.OutputConfig, printer.Config, error) {
-	outcfg := tracee.OutputConfig{}
+type OutputConfig struct {
+	tracee.OutputConfig
+	LogPath string
+	LogFile *os.File
+}
+
+func PrepareOutput(outputSlice []string) (OutputConfig, printer.Config, error) {
+	outcfg := OutputConfig{}
 	printcfg := printer.Config{}
 	printerKind := "table"
 	outPath := ""
-	errPath := ""
 	for _, o := range outputSlice {
 		outputParts := strings.SplitN(o, ":", 2)
 		numParts := len(outputParts)
@@ -69,8 +74,8 @@ func PrepareOutput(outputSlice []string) (tracee.OutputConfig, printer.Config, e
 			}
 		case "out-file":
 			outPath = outputParts[1]
-		case "err-file":
-			errPath = outputParts[1]
+		case "log-file":
+			outcfg.LogPath = outputParts[1]
 		case "option":
 			switch outputParts[1] {
 			case "stack-addresses":
@@ -121,17 +126,17 @@ func PrepareOutput(outputSlice []string) (tracee.OutputConfig, printer.Config, e
 		}
 	}
 
-	if errPath == "" {
-		printcfg.ErrFile = os.Stderr
+	if outcfg.LogPath == "" {
+		outcfg.LogFile = os.Stderr
 	} else {
-		printcfg.ErrPath = errPath
+		errPath := outcfg.LogPath
 		fileInfo, err := os.Stat(errPath)
 		if err == nil && fileInfo.IsDir() {
 			return outcfg, printcfg, fmt.Errorf("cannot use a path of existing directory %s", errPath)
 		}
 		dir := filepath.Dir(errPath)
 		os.MkdirAll(dir, 0755)
-		printcfg.ErrFile, err = os.Create(errPath)
+		outcfg.LogFile, err = os.Create(errPath)
 		if err != nil {
 			return outcfg, printcfg, fmt.Errorf("failed to create output path: %v", err)
 		}