From 05017db267560ef2a43ed0f11ae05b5886f22c78 Mon Sep 17 00:00:00 2001
From: Hilko Bengen
Date: Mon, 20 Nov 2023 20:53:28 +0100
Subject: [PATCH] Drop SYSCALL.{syscall,arch} if drop-raw is set.
See #157
---
 etc/laurel/config.toml | 2 +-
 man/laurel.8.md | 4 ++--
 src/coalesce.rs | 12 ++++++++++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/etc/laurel/config.toml b/etc/laurel/config.toml
index 0e78acd..e350838 100644
--- a/etc/laurel/config.toml
+++ b/etc/laurel/config.toml
@@ -79,7 +79,7 @@ execve-argv = [ "array" ] universal = false # UID, GID values user-db = false
-# Drop raw (numeric) UID, GID values if they are translated
+# Drop raw (numeric) syscall, arch, UID, GID values if they are translated
 drop-raw = false [enrich]
diff --git a/man/laurel.8.md b/man/laurel.8.md
index 0404ee5..1f7353e 100644
--- a/man/laurel.8.md
+++ b/man/laurel.8.md
@@ -118,8 +118,8 @@ does when configured with `log_format=ENRICHED`.
 - `userdb`: Add translations for `uid` and `gid` fields. Default: false
 - `universal`: Add translations for everything else: `SYSCALL.arch`, `SYSCALL.syscall`, `SOCKADDR.saddr`
-- `drop-raw`: Drop raw (numeric) UID, GID values if they are
- translated. Default: false
+- `drop-raw`: Drop raw (numeric) syscall, arch, UID, GID values if
+ they are translated. Default: false
 ## `[enrich]` section
diff --git a/src/coalesce.rs b/src/coalesce.rs
index ca27ec8..6f497e6 100644
--- a/src/coalesce.rs
+++ b/src/coalesce.rs
@@ -509,9 +509,17 @@ impl<'a> Coalesce<'a> {
 }
 (Key::ArgLen(_), _) => continue,
 (Key::Common(c), Value::Number(n)) => match (c, n) {
- (Common::Arch, Number::Hex(n)) if arch.is_none() => arch = Some(*n as u32),
+ (Common::Arch, Number::Hex(n)) if arch.is_none() => {
+ arch = Some(*n as u32);
+ if self.settings.translate_universal && self.settings.drop_translated {
+ continue;
+ }
+ }
 (Common::Syscall, Number::Dec(n)) if syscall.is_none() => {
- syscall = Some(*n as u32)
+ syscall = Some(*n as u32);
+ if self.settings.translate_universal && self.settings.drop_translated {
+ continue;
+ }
 }
 (Common::Pid, Number::Dec(n)) => proc.pid = *n as u32,
 (Common::PPid, Number::Dec(n)) => proc.ppid = *n as u32,
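Review bot: The raw arch and syscall values are dropped (`continue`) as soon as translate_universal and drop_translated are both set, before any translation lookup has run, so a syscall or arch number the translation table does not know would leave the audit record with neither the numeric nor the symbolic form — while the config.toml and man-page wording in this same commit promises the raw value is dropped only "if they are translated". The code that applies the translation lies outside this hunk, so I cannot confirm whether it re-emits the raw value on a failed lookup; if it does not, the drop should be made conditional on the lookup succeeding, or the translation site should fall back to the numeric value. As a point of style, the identical condition is now repeated in both arms; a `let drop_raw = self.settings.translate_universal && self.settings.drop_translated;` above the match keeps the two in step. The enclosing loop and method begin before this hunk.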