feat: support stdout in cscli support dump (#2939)

* feat: support stdout in cscli support dump

* fix: skip log.info if stdout

* fix: handle errors by returning to runE instead

.golangci.yml

@@ -3,7 +3,7 @@
 linters-settings:
   cyclop:
     # lower this after refactoring
-    max-complexity: 53
+    max-complexity: 48
 
   gci:
     sections:
@@ -22,7 +22,7 @@ linters-settings:
 
   gocyclo:
     # lower this after refactoring
-    min-complexity: 49
+    min-complexity: 48
 
   funlen:
     # Checks the number of lines in a function.
@@ -82,11 +82,6 @@ linters-settings:
           - "!**/pkg/apiserver/controllers/v1/errors.go"
       yaml:
         files:
-          - "!**/cmd/notification-dummy/main.go"
-          - "!**/cmd/notification-email/main.go"
-          - "!**/cmd/notification-http/main.go"
-          - "!**/cmd/notification-slack/main.go"
-          - "!**/cmd/notification-splunk/main.go"
           - "!**/pkg/acquisition/acquisition.go"
           - "!**/pkg/acquisition/acquisition_test.go"
           - "!**/pkg/acquisition/modules/appsec/appsec.go"

cmd/crowdsec-cli/support.go

@@ -319,7 +319,7 @@ cscli support dump -f /tmp/crowdsec-support.zip
 `,
 		Args:              cobra.NoArgs,
 		DisableAutoGenTag: true,
-		Run: func(_ *cobra.Command, _ []string) {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			var err error
 			var skipHub, skipDB, skipCAPI, skipLAPI, skipAgent bool
 			infos := map[string][]byte{
@@ -473,15 +473,19 @@ cscli support dump -f /tmp/crowdsec-support.zip
 
 			err = zipWriter.Close()
 			if err != nil {
-				log.Fatalf("could not finalize zip file: %s", err)
+				return fmt.Errorf("could not finalize zip file: %s", err)
 			}
 
+			if outFile == "-" {
+				_, err = os.Stdout.Write(w.Bytes())
+				return err
+			}
 			err = os.WriteFile(outFile, w.Bytes(), 0o600)
 			if err != nil {
-				log.Fatalf("could not write zip file to %s: %s", outFile, err)
+				return fmt.Errorf("could not write zip file to %s: %s", outFile, err)
 			}
-
 			log.Infof("Written zip file to %s", outFile)
+			return nil
 		},
 	}
 

cmd/notification-dummy/main.go

@@ -5,10 +5,11 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 	"github.com/hashicorp/go-hclog"
 	plugin "github.com/hashicorp/go-plugin"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
+
+	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 )
 
 type PluginConfig struct {
@@ -32,6 +33,7 @@ func (s *DummyPlugin) Notify(ctx context.Context, notification *protobufs.Notifi
 	if _, ok := s.PluginConfigByName[notification.Name]; !ok {
 		return nil, fmt.Errorf("invalid plugin config name %s", notification.Name)
 	}
+
 	cfg := s.PluginConfigByName[notification.Name]
 
 	if cfg.LogLevel != nil && *cfg.LogLevel != "" {
@@ -42,19 +44,22 @@ func (s *DummyPlugin) Notify(ctx context.Context, notification *protobufs.Notifi
 	logger.Debug(notification.Text)
 
 	if cfg.OutputFile != nil && *cfg.OutputFile != "" {
-		f, err := os.OpenFile(*cfg.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+		f, err := os.OpenFile(*cfg.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
 		if err != nil {
 			logger.Error(fmt.Sprintf("Cannot open notification file: %s", err))
 		}
+
 		if _, err := f.WriteString(notification.Text + "\n"); err != nil {
 			f.Close()
 			logger.Error(fmt.Sprintf("Cannot write notification to file: %s", err))
 		}
+
 		err = f.Close()
 		if err != nil {
 			logger.Error(fmt.Sprintf("Cannot close notification file: %s", err))
 		}
 	}
+
 	fmt.Println(notification.Text)
 
 	return &protobufs.Empty{}, nil
@@ -64,11 +69,12 @@ func (s *DummyPlugin) Configure(ctx context.Context, config *protobufs.Config) (
 	d := PluginConfig{}
 	err := yaml.Unmarshal(config.Config, &d)
 	s.PluginConfigByName[d.Name] = d
+
 	return &protobufs.Empty{}, err
 }
 
 func main() {
-	var handshake = plugin.HandshakeConfig{
+	handshake := plugin.HandshakeConfig{
 		ProtocolVersion:  1,
 		MagicCookieKey:   "CROWDSEC_PLUGIN_KEY",
 		MagicCookieValue: os.Getenv("CROWDSEC_PLUGIN_KEY"),

cmd/notification-email/main.go

@@ -2,15 +2,17 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"time"
 
-	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 	"github.com/hashicorp/go-hclog"
 	plugin "github.com/hashicorp/go-plugin"
 	mail "github.com/xhit/go-simple-mail/v2"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
+
+	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 )
 
 var baseLogger hclog.Logger = hclog.New(&hclog.LoggerOptions{
@@ -72,19 +74,20 @@ func (n *EmailPlugin) Configure(ctx context.Context, config *protobufs.Config) (
 	}
 
 	if d.Name == "" {
-		return nil, fmt.Errorf("name is required")
+		return nil, errors.New("name is required")
 	}
 
 	if d.SMTPHost == "" {
-		return nil, fmt.Errorf("SMTP host is not set")
+		return nil, errors.New("SMTP host is not set")
 	}
 
 	if d.ReceiverEmails == nil || len(d.ReceiverEmails) == 0 {
-		return nil, fmt.Errorf("receiver emails are not set")
+		return nil, errors.New("receiver emails are not set")
 	}
 
 	n.ConfigByName[d.Name] = d
 	baseLogger.Debug(fmt.Sprintf("Email plugin '%s' use SMTP host '%s:%d'", d.Name, d.SMTPHost, d.SMTPPort))
+
 	return &protobufs.Empty{}, nil
 }
 
@@ -92,6 +95,7 @@ func (n *EmailPlugin) Notify(ctx context.Context, notification *protobufs.Notifi
 	if _, ok := n.ConfigByName[notification.Name]; !ok {
 		return nil, fmt.Errorf("invalid plugin config name %s", notification.Name)
 	}
+
 	cfg := n.ConfigByName[notification.Name]
 
 	logger := baseLogger.Named(cfg.Name)
@@ -117,6 +121,7 @@ func (n *EmailPlugin) Notify(ctx context.Context, notification *protobufs.Notifi
 		server.ConnectTimeout, err = time.ParseDuration(cfg.ConnectTimeout)
 		if err != nil {
 			logger.Warn(fmt.Sprintf("invalid connect timeout '%s', using default '10s'", cfg.ConnectTimeout))
+
 			server.ConnectTimeout = 10 * time.Second
 		}
 	}
@@ -125,15 +130,18 @@ func (n *EmailPlugin) Notify(ctx context.Context, notification *protobufs.Notifi
 		server.SendTimeout, err = time.ParseDuration(cfg.SendTimeout)
 		if err != nil {
 			logger.Warn(fmt.Sprintf("invalid send timeout '%s', using default '10s'", cfg.SendTimeout))
+
 			server.SendTimeout = 10 * time.Second
 		}
 	}
 
 	logger.Debug("making smtp connection")
+
 	smtpClient, err := server.Connect()
 	if err != nil {
 		return &protobufs.Empty{}, err
 	}
+
 	logger.Debug("smtp connection done")
 
 	email := mail.NewMSG()
@@ -146,12 +154,14 @@ func (n *EmailPlugin) Notify(ctx context.Context, notification *protobufs.Notifi
 	if err != nil {
 		return &protobufs.Empty{}, err
 	}
+
 	logger.Info(fmt.Sprintf("sent email to %v", cfg.ReceiverEmails))
+
 	return &protobufs.Empty{}, nil
 }
 
 func main() {
-	var handshake = plugin.HandshakeConfig{
+	handshake := plugin.HandshakeConfig{
 		ProtocolVersion:  1,
 		MagicCookieKey:   "CROWDSEC_PLUGIN_KEY",
 		MagicCookieValue: os.Getenv("CROWDSEC_PLUGIN_KEY"),

cmd/notification-http/main.go

@@ -12,10 +12,11 @@ import (
 	"os"
 	"strings"
 
-	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 	"github.com/hashicorp/go-hclog"
 	plugin "github.com/hashicorp/go-plugin"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
+
+	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 )
 
 type PluginConfig struct {
@@ -90,18 +91,23 @@ func getTLSClient(c *PluginConfig) error {
 
 		tlsConfig.Certificates = []tls.Certificate{cert}
 	}
+
 	transport := &http.Transport{
 		TLSClientConfig: tlsConfig,
 	}
+
 	if c.UnixSocket != "" {
 		logger.Info(fmt.Sprintf("Using socket '%s'", c.UnixSocket))
+
 		transport.DialContext = func(_ context.Context, _, _ string) (net.Conn, error) {
 			return net.Dial("unix", strings.TrimSuffix(c.UnixSocket, "/"))
 		}
 	}
+
 	c.Client = &http.Client{
 		Transport: transport,
 	}
+
 	return nil
 }
 
@@ -109,6 +115,7 @@ func (s *HTTPPlugin) Notify(ctx context.Context, notification *protobufs.Notific
 	if _, ok := s.PluginConfigByName[notification.Name]; !ok {
 		return nil, fmt.Errorf("invalid plugin config name %s", notification.Name)
 	}
+
 	cfg := s.PluginConfigByName[notification.Name]
 
 	if cfg.LogLevel != nil && *cfg.LogLevel != "" {
@@ -121,11 +128,14 @@ func (s *HTTPPlugin) Notify(ctx context.Context, notification *protobufs.Notific
 	if err != nil {
 		return nil, err
 	}
+
 	for headerName, headerValue := range cfg.Headers {
 		logger.Debug(fmt.Sprintf("adding header %s: %s", headerName, headerValue))
 		request.Header.Add(headerName, headerValue)
 	}
+
 	logger.Debug(fmt.Sprintf("making HTTP %s call to %s with body %s", cfg.Method, cfg.URL, notification.Text))
+
 	resp, err := cfg.Client.Do(request.WithContext(ctx))
 	if err != nil {
 		logger.Error(fmt.Sprintf("Failed to make HTTP request : %s", err))
@@ -135,7 +145,7 @@ func (s *HTTPPlugin) Notify(ctx context.Context, notification *protobufs.Notific
 
 	respData, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return nil, fmt.Errorf("failed to read response body got error %s", err)
+		return nil, fmt.Errorf("failed to read response body got error %w", err)
 	}
 
 	logger.Debug(fmt.Sprintf("got response %s", string(respData)))
@@ -143,6 +153,7 @@ func (s *HTTPPlugin) Notify(ctx context.Context, notification *protobufs.Notific
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 		logger.Warn(fmt.Sprintf("HTTP server returned non 200 status code: %d", resp.StatusCode))
 		logger.Debug(fmt.Sprintf("HTTP server returned body: %s", string(respData)))
+
 		return &protobufs.Empty{}, nil
 	}
 
@@ -151,21 +162,25 @@ func (s *HTTPPlugin) Notify(ctx context.Context, notification *protobufs.Notific
 
 func (s *HTTPPlugin) Configure(ctx context.Context, config *protobufs.Config) (*protobufs.Empty, error) {
 	d := PluginConfig{}
+
 	err := yaml.Unmarshal(config.Config, &d)
 	if err != nil {
 		return nil, err
 	}
+
 	err = getTLSClient(&d)
 	if err != nil {
 		return nil, err
 	}
+
 	s.PluginConfigByName[d.Name] = d
 	logger.Debug(fmt.Sprintf("HTTP plugin '%s' use URL '%s'", d.Name, d.URL))
+
 	return &protobufs.Empty{}, err
 }
 
 func main() {
-	var handshake = plugin.HandshakeConfig{
+	handshake := plugin.HandshakeConfig{
 		ProtocolVersion:  1,
 		MagicCookieKey:   "CROWDSEC_PLUGIN_KEY",
 		MagicCookieValue: os.Getenv("CROWDSEC_PLUGIN_KEY"),

cmd/notification-slack/main.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 	"github.com/hashicorp/go-hclog"
 	plugin "github.com/hashicorp/go-plugin"
-
 	"github.com/slack-go/slack"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
+
+	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 )
 
 type PluginConfig struct {
@@ -33,13 +33,16 @@ func (n *Notify) Notify(ctx context.Context, notification *protobufs.Notificatio
 	if _, ok := n.ConfigByName[notification.Name]; !ok {
 		return nil, fmt.Errorf("invalid plugin config name %s", notification.Name)
 	}
+
 	cfg := n.ConfigByName[notification.Name]
 
 	if cfg.LogLevel != nil && *cfg.LogLevel != "" {
 		logger.SetLevel(hclog.LevelFromString(*cfg.LogLevel))
 	}
+
 	logger.Info(fmt.Sprintf("found notify signal for %s config", notification.Name))
 	logger.Debug(fmt.Sprintf("posting to %s webhook, message %s", cfg.Webhook, notification.Text))
+
 	err := slack.PostWebhookContext(ctx, n.ConfigByName[notification.Name].Webhook, &slack.WebhookMessage{
 		Text: notification.Text,
 	})
@@ -52,16 +55,19 @@ func (n *Notify) Notify(ctx context.Context, notification *protobufs.Notificatio
 
 func (n *Notify) Configure(ctx context.Context, config *protobufs.Config) (*protobufs.Empty, error) {
 	d := PluginConfig{}
+
 	if err := yaml.Unmarshal(config.Config, &d); err != nil {
 		return nil, err
 	}
+
 	n.ConfigByName[d.Name] = d
 	logger.Debug(fmt.Sprintf("Slack plugin '%s' use URL '%s'", d.Name, d.Webhook))
+
 	return &protobufs.Empty{}, nil
 }
 
 func main() {
-	var handshake = plugin.HandshakeConfig{
+	handshake := plugin.HandshakeConfig{
 		ProtocolVersion:  1,
 		MagicCookieKey:   "CROWDSEC_PLUGIN_KEY",
 		MagicCookieValue: os.Getenv("CROWDSEC_PLUGIN_KEY"),

cmd/notification-splunk/main.go

@@ -10,11 +10,11 @@ import (
 	"os"
 	"strings"
 
-	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 	"github.com/hashicorp/go-hclog"
 	plugin "github.com/hashicorp/go-plugin"
+	"gopkg.in/yaml.v3"
 
-	"gopkg.in/yaml.v2"
+	"github.com/crowdsecurity/crowdsec/pkg/protobufs"
 )
 
 var logger hclog.Logger = hclog.New(&hclog.LoggerOptions{
@@ -44,6 +44,7 @@ func (s *Splunk) Notify(ctx context.Context, notification *protobufs.Notificatio
 	if _, ok := s.PluginConfigByName[notification.Name]; !ok {
 		return &protobufs.Empty{}, fmt.Errorf("splunk invalid config name %s", notification.Name)
 	}
+
 	cfg := s.PluginConfigByName[notification.Name]
 
 	if cfg.LogLevel != nil && *cfg.LogLevel != "" {
@@ -53,6 +54,7 @@ func (s *Splunk) Notify(ctx context.Context, notification *protobufs.Notificatio
 	logger.Info(fmt.Sprintf("received notify signal for %s config", notification.Name))
 
 	p := Payload{Event: notification.Text}
+
 	data, err := json.Marshal(p)
 	if err != nil {
 		return &protobufs.Empty{}, err
@@ -65,6 +67,7 @@ func (s *Splunk) Notify(ctx context.Context, notification *protobufs.Notificatio
 
 	req.Header.Add("Authorization", fmt.Sprintf("Splunk %s", cfg.Token))
 	logger.Debug(fmt.Sprintf("posting event %s to %s", string(data), req.URL))
+
 	resp, err := s.Client.Do(req.WithContext(ctx))
 	if err != nil {
 		return &protobufs.Empty{}, err
@@ -73,15 +76,19 @@ func (s *Splunk) Notify(ctx context.Context, notification *protobufs.Notificatio
 	if resp.StatusCode != http.StatusOK {
 		content, err := io.ReadAll(resp.Body)
 		if err != nil {
-			return &protobufs.Empty{}, fmt.Errorf("got non 200 response and failed to read error %s", err)
+			return &protobufs.Empty{}, fmt.Errorf("got non 200 response and failed to read error %w", err)
 		}
+
 		return &protobufs.Empty{}, fmt.Errorf("got non 200 response %s", string(content))
 	}
+
 	respData, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return &protobufs.Empty{}, fmt.Errorf("failed to read response body got error %s", err)
+		return &protobufs.Empty{}, fmt.Errorf("failed to read response body got error %w", err)
 	}
+
 	logger.Debug(fmt.Sprintf("got response %s", string(respData)))
+
 	return &protobufs.Empty{}, nil
 }
 
@@ -90,11 +97,12 @@ func (s *Splunk) Configure(ctx context.Context, config *protobufs.Config) (*prot
 	err := yaml.Unmarshal(config.Config, &d)
 	s.PluginConfigByName[d.Name] = d
 	logger.Debug(fmt.Sprintf("Splunk plugin '%s' use URL '%s'", d.Name, d.URL))
+
 	return &protobufs.Empty{}, err
 }
 
 func main() {
-	var handshake = plugin.HandshakeConfig{
+	handshake := plugin.HandshakeConfig{
 		ProtocolVersion:  1,
 		MagicCookieKey:   "CROWDSEC_PLUGIN_KEY",
 		MagicCookieValue: os.Getenv("CROWDSEC_PLUGIN_KEY"),

pkg/parser/node.go

@@ -65,26 +65,27 @@ type Node struct {
 }
 
 func (n *Node) validate(pctx *UnixParserCtx, ectx EnricherCtx) error {
-
 	// stage is being set automagically
 	if n.Stage == "" {
-		return fmt.Errorf("stage needs to be an existing stage")
+		return errors.New("stage needs to be an existing stage")
 	}
 
 	/* "" behaves like continue */
 	if n.OnSuccess != "continue" && n.OnSuccess != "next_stage" && n.OnSuccess != "" {
 		return fmt.Errorf("onsuccess '%s' not continue,next_stage", n.OnSuccess)
 	}
+
 	if n.Filter != "" && n.RunTimeFilter == nil {
 		return fmt.Errorf("non-empty filter '%s' was not compiled", n.Filter)
 	}
 
 	if n.Grok.RunTimeRegexp != nil || n.Grok.TargetField != "" {
 		if n.Grok.TargetField == "" && n.Grok.ExpValue == "" {
-			return fmt.Errorf("grok requires 'expression' or 'apply_on'")
+			return errors.New("grok requires 'expression' or 'apply_on'")
 		}
+
 		if n.Grok.RegexpName == "" && n.Grok.RegexpValue == "" {
-			return fmt.Errorf("grok needs 'pattern' or 'name'")
+			return errors.New("grok needs 'pattern' or 'name'")
 		}
 	}
 
@@ -93,6 +94,7 @@ func (n *Node) validate(pctx *UnixParserCtx, ectx EnricherCtx) error {
 			if static.ExpValue == "" {
 				return fmt.Errorf("static %d : when method is set, expression must be present", idx)
 			}
+
 			if _, ok := ectx.Registered[static.Method]; !ok {
 				log.Warningf("the method '%s' doesn't exist or the plugin has not been initialized", static.Method)
 			}
@@ -100,6 +102,7 @@ func (n *Node) validate(pctx *UnixParserCtx, ectx EnricherCtx) error {
 			if static.Meta == "" && static.Parsed == "" && static.TargetByName == "" {
 				return fmt.Errorf("static %d : at least one of meta/event/target must be set", idx)
 			}
+
 			if static.Value == "" && static.RunTimeValue == nil {
 				return fmt.Errorf("static %d value or expression must be set", idx)
 			}
@@ -110,15 +113,19 @@ func (n *Node) validate(pctx *UnixParserCtx, ectx EnricherCtx) error {
 		if stash.Name == "" {
 			return fmt.Errorf("stash %d : name must be set", idx)
 		}
+
 		if stash.Value == "" {
 			return fmt.Errorf("stash %s : value expression must be set", stash.Name)
 		}
+
 		if stash.Key == "" {
 			return fmt.Errorf("stash %s : key expression must be set", stash.Name)
 		}
+
 		if stash.TTL == "" {
 			return fmt.Errorf("stash %s : ttl must be set", stash.Name)
 		}
+
 		if stash.Strategy == "" {
 			stash.Strategy = "LRU"
 		}
@@ -127,23 +134,23 @@ func (n *Node) validate(pctx *UnixParserCtx, ectx EnricherCtx) error {
 			stash.MaxMapSize = 100
 		}
 	}
+
 	return nil
 }
 
-func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[string]interface{}) (bool, error) {
+func (n *Node) processFilter(cachedExprEnv map[string]interface{}) (bool, error) {
-	var NodeState bool
-	var NodeHasOKGrok bool
 	clog := n.Logger
+	if n.RunTimeFilter == nil {
+		clog.Tracef("Node has not filter, enter")
+		return true, nil
+	}
 
-	cachedExprEnv := expressionEnv
-
-	clog.Tracef("Event entering node")
-	if n.RunTimeFilter != nil {
 	// Evaluate node's filter
 	output, err := exprhelpers.Run(n.RunTimeFilter, cachedExprEnv, clog, n.Debug)
 	if err != nil {
 		clog.Warningf("failed to run filter : %v", err)
 		clog.Debugf("Event leaving node : ko")
+
 		return false, nil
 	}
 
@@ -156,26 +163,26 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 	default:
 		clog.Warningf("Expr '%s' returned non-bool, abort : %T", n.Filter, output)
 		clog.Debugf("Event leaving node : ko")
+
 		return false, nil
 	}
-		NodeState = true
+
-	} else {
+	return true, nil
-		clog.Tracef("Node has not filter, enter")
-		NodeState = true
 }
 
-	if n.Name != "" {
+func (n *Node) processWhitelist(cachedExprEnv map[string]interface{}, p *types.Event) (bool, error) {
-		NodesHits.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name}).Inc()
+	var exprErr error
-	}
+
-	exprErr := error(nil)
 	isWhitelisted := n.CheckIPsWL(p)
 	if !isWhitelisted {
 		isWhitelisted, exprErr = n.CheckExprWL(cachedExprEnv, p)
 	}
+
 	if exprErr != nil {
 		// Previous code returned nil if there was an error, so we keep this behavior
 		return false, nil //nolint:nilerr
 	}
+
 	if isWhitelisted && !p.Whitelisted {
 		p.Whitelisted = true
 		p.WhitelistReason = n.Whitelist.Reason
@@ -185,13 +192,46 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 			for k := range p.Overflow.Sources {
 				ips = append(ips, k)
 			}
-			clog.Infof("Ban for %s whitelisted, reason [%s]", strings.Join(ips, ","), n.Whitelist.Reason)
+
+			n.Logger.Infof("Ban for %s whitelisted, reason [%s]", strings.Join(ips, ","), n.Whitelist.Reason)
+
 			p.Overflow.Whitelisted = true
 		}
 	}
 
+	return isWhitelisted, nil
+}
+
+func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[string]interface{}) (bool, error) {
+	var NodeHasOKGrok bool
+
+	clog := n.Logger
+
+	cachedExprEnv := expressionEnv
+
+	clog.Tracef("Event entering node")
+
+	NodeState, err := n.processFilter(cachedExprEnv)
+	if err != nil {
+		return false, err
+	}
+
+	if !NodeState {
+		return false, nil
+	}
+
+	if n.Name != "" {
+		NodesHits.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name}).Inc()
+	}
+
+	isWhitelisted, err := n.processWhitelist(cachedExprEnv, p)
+	if err != nil {
+		return false, err
+	}
+
 	// Process grok if present, should be exclusive with nodes :)
 	gstr := ""
+
 	if n.Grok.RunTimeRegexp != nil {
 		clog.Tracef("Processing grok pattern : %s : %p", n.Grok.RegexpName, n.Grok.RunTimeRegexp)
 		// for unparsed, parsed etc. set sensible defaults to reduce user hassle
@@ -211,6 +251,7 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 				clog.Warningf("failed to run RunTimeValue : %v", err)
 				NodeState = false
 			}
+
 			switch out := output.(type) {
 			case string:
 				gstr = out
@@ -229,10 +270,12 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 		} else {
 			groklabel = n.Grok.RegexpName
 		}
+
 		grok := n.Grok.RunTimeRegexp.Parse(gstr)
 		if len(grok) > 0 {
 			/*tag explicitly that the *current* node had a successful grok pattern. it's important to know success state*/
 			NodeHasOKGrok = true
+
 			clog.Debugf("+ Grok '%s' returned %d entries to merge in Parsed", groklabel, len(grok))
 			// We managed to grok stuff, merged into parse
 			for k, v := range grok {
@@ -250,7 +293,6 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 			clog.Debugf("+ Grok '%s' didn't return data on '%s'", groklabel, gstr)
 			NodeState = false
 		}
-
 	} else {
 		clog.Tracef("! No grok pattern : %p", n.Grok.RunTimeRegexp)
 	}
@@ -258,12 +300,16 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 	// Process the stash (data collection) if : a grok was present and succeeded, or if there is no grok
 	if NodeHasOKGrok || n.Grok.RunTimeRegexp == nil {
 		for idx, stash := range n.Stash {
-			var value string
+			var (
-			var key string
+				key   string
+				value string
+			)
+
 			if stash.ValueExpression == nil {
 				clog.Warningf("Stash %d has no value expression, skipping", idx)
 				continue
 			}
+
 			if stash.KeyExpression == nil {
 				clog.Warningf("Stash %d has no key expression, skipping", idx)
 				continue
@@ -307,7 +353,9 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 			clog.Debugf("Event leaving node : ko")
 			return false, err
 		}
+
 		clog.Tracef("\tsub-node (%s) ret : %v (strategy:%s)", leaf.rn, ret, n.OnSuccess)
+
 		if ret {
 			NodeState = true
 			/* if child is successful, stop processing */
@@ -333,7 +381,9 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 		if n.Name != "" {
 			NodesHitsKo.With(prometheus.Labels{"source": p.Line.Src, "type": p.Line.Module, "name": n.Name}).Inc()
 		}
+
 		clog.Debugf("Event leaving node : ko")
+
 		return NodeState, nil
 	}
 
@@ -360,6 +410,7 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 	if NodeState {
 		clog.Debugf("Event leaving node : ok")
 		log.Tracef("node is successful, check strategy")
+
 		if n.OnSuccess == "next_stage" {
 			idx := stageidx(p.Stage, ctx.Stages)
 			// we're at the last stage
@@ -375,15 +426,16 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 	} else {
 		clog.Debugf("Event leaving node : ko")
 	}
+
 	clog.Tracef("Node successful, continue")
+
 	return NodeState, nil
 }
 
 func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 	var err error
-	var valid bool
 
-	valid = false
+	valid := false
 
 	dumpr := spew.ConfigState{MaxDepth: 1, DisablePointerAddresses: true}
 	n.rn = seed.Generate()
@@ -393,10 +445,11 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 	/* if the node has debugging enabled, create a specific logger with debug
 	that will be used only for processing this node ;) */
 	if n.Debug {
-		var clog = log.New()
+		clog := log.New()
 		if err = types.ConfigureLogger(clog); err != nil {
 			log.Fatalf("While creating bucket-specific logger : %s", err)
 		}
+
 		clog.SetLevel(log.DebugLevel)
 		n.Logger = clog.WithFields(log.Fields{
 			"id": n.rn,
@@ -425,12 +478,15 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 	/* handle pattern_syntax and groks */
 	for _, pattern := range n.SubGroks {
 		n.Logger.Tracef("Adding subpattern '%s' : '%s'", pattern.Key, pattern.Value)
+
 		if err = pctx.Grok.Add(pattern.Key.(string), pattern.Value.(string)); err != nil {
 			if errors.Is(err, grokky.ErrAlreadyExist) {
 				n.Logger.Warningf("grok '%s' already registred", pattern.Key)
 				continue
 			}
+
 			n.Logger.Errorf("Unable to compile subpattern %s : %v", pattern.Key, err)
+
 			return err
 		}
 	}
@@ -438,28 +494,36 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 	/* load grok by name or compile in-place */
 	if n.Grok.RegexpName != "" {
 		n.Logger.Tracef("+ Regexp Compilation '%s'", n.Grok.RegexpName)
+
 		n.Grok.RunTimeRegexp, err = pctx.Grok.Get(n.Grok.RegexpName)
 		if err != nil {
 			return fmt.Errorf("unable to find grok '%s' : %v", n.Grok.RegexpName, err)
 		}
+
 		if n.Grok.RunTimeRegexp == nil {
 			return fmt.Errorf("empty grok '%s'", n.Grok.RegexpName)
 		}
+
 		n.Logger.Tracef("%s regexp: %s", n.Grok.RegexpName, n.Grok.RunTimeRegexp.String())
+
 		valid = true
 	} else if n.Grok.RegexpValue != "" {
 		if strings.HasSuffix(n.Grok.RegexpValue, "\n") {
 			n.Logger.Debugf("Beware, pattern ends with \\n : '%s'", n.Grok.RegexpValue)
 		}
+
 		n.Grok.RunTimeRegexp, err = pctx.Grok.Compile(n.Grok.RegexpValue)
 		if err != nil {
 			return fmt.Errorf("failed to compile grok '%s': %v", n.Grok.RegexpValue, err)
 		}
+
 		if n.Grok.RunTimeRegexp == nil {
 			// We shouldn't be here because compilation succeeded, so regexp shouldn't be nil
 			return fmt.Errorf("grok compilation failure: %s", n.Grok.RegexpValue)
 		}
+
 		n.Logger.Tracef("%s regexp : %s", n.Grok.RegexpValue, n.Grok.RunTimeRegexp.String())
+
 		valid = true
 	}
 
@@ -482,6 +546,7 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 				return err
 			}
 		}
+
 		valid = true
 	}
 
@@ -526,14 +591,18 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 		if !n.LeavesNodes[idx].Debug && n.Debug {
 			n.LeavesNodes[idx].Debug = true
 		}
+
 		if !n.LeavesNodes[idx].Profiling && n.Profiling {
 			n.LeavesNodes[idx].Profiling = true
 		}
+
 		n.LeavesNodes[idx].Stage = n.Stage
+
 		err = n.LeavesNodes[idx].compile(pctx, ectx)
 		if err != nil {
 			return err
 		}
+
 		valid = true
 	}
 
@@ -546,6 +615,7 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 				return err
 			}
 		}
+
 		valid = true
 	}
 
@@ -554,13 +624,15 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 	if err != nil {
 		return err
 	}
+
 	valid = valid || whitelistValid
 
 	if !valid {
 		/* node is empty, error force return */
 		n.Logger.Error("Node is empty or invalid, abort")
 		n.Stage = ""
-		return fmt.Errorf("Node is empty")
+
+		return errors.New("Node is empty")
 	}
 
 	if err := n.validate(pctx, ectx); err != nil {