
ERROR failed to parse execsnoop output: " print $1" #125

@Eeems

Description


Due to how execsnoop outputs arguments by default, if there is a newline in them, it'll output those newlines, which will cause parsing to fail as it's expecting each line to be in a specific format.

Some options I see from some initial investigation (based largely on publicly available manpages):

  • -q/--quote
    • Some execsnoop/execsnoop-bpfcc implementations provide -q or --quote flags to quote all arguments, replacing newlines with \n.
    • This will require updating the cmd parsing to deserialize these strings.
  • --max-args=1
    • All implementations of execsnoop/execsnoop-bpfcc that I've seen from a cursory glance provide a --max-args= flag that you can use to limit to 1 argument, which would just be the executable being run and no arguments.
    • For providing the cmd for a process it would probably make sense to just pull from procfs.
  • Handle parsing args with line continuations.
    • This seems complex and error prone.
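As an added example (not code from this project or from the issue author), the following Python sketch shows what the first two options above look like in practice: a parser for the `-q`/`--quote` style ARGS field that restores the escaped newlines, a helper that splits a `/proc/<pid>/cmdline` buffer for the `--max-args=1` plus procfs approach, and a check that reports the lines a strict line-based parser rejects when unquoted output contains a newline. It assumes the bcc-style column layout `PCOMM PID PPID RET ARGS` without a timestamp column, and that quoted arguments are wrapped in double quotes with embedded newlines written as `\n` and embedded quotes as `\"`; the exact escape set, the regex, the function names and the sample output lines are assumptions constructed for this example, not the tool's documented behaviour.

```python
import os
import re

# Column layout of execsnoop output without -T/-t (assumed for this example):
#   PCOMM            PID    PPID   RET ARGS
LINE_RE = re.compile(
    r"^(?P<pcomm>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<ret>-?\d+)(?:\s+(?P<args>.*))?$"
)

# Constructed sample of -q/--quote style output; the escape format is an assumption.
QUOTED_SAMPLE = "\n".join([
    "PCOMM            PID    PPID   RET ARGS",
    r'bash             4242   4200     0 "/bin/sh" "-c" "echo one\ntwo"',
    r'python3          4243   4242     0 "/usr/bin/python3" "-c" "print(\"hi\")"',
    r'ls               4244   4242    -2 "/nonexistent/ls"',
])

# Constructed sample of default (unquoted) output where an argument contained a newline.
PLAIN_SAMPLE = "\n".join([
    "PCOMM            PID    PPID   RET ARGS",
    "bash             4242   4200     0 /bin/sh -c echo one",
    "two",
])


def split_quoted_args(field):
    """Split an ARGS field written in the assumed quoted format.

    Each argument is wrapped in double quotes; \\n is an escaped newline and
    \\" an escaped quote.  Any other backslash is kept literally.
    """
    args, i, n = [], 0, len(field)
    while i < n:
        if field[i] == " ":
            i += 1
            continue
        if field[i] != '"':
            raise ValueError(f"expected opening quote at offset {i}: {field!r}")
        i += 1
        buf = []
        while True:
            if i >= n:
                raise ValueError(f"unterminated argument: {field!r}")
            c = field[i]
            if c == "\\" and i + 1 < n and field[i + 1] in 'n"\\':
                buf.append("\n" if field[i + 1] == "n" else field[i + 1])
                i += 2
            elif c == '"':
                i += 1
                break
            else:
                buf.append(c)
                i += 1
        args.append("".join(buf))
    return args


def parse_execsnoop(text, quoted=True):
    """Parse execsnoop output into event dicts; raises on a malformed line."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("PCOMM"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno} does not match execsnoop format: {line!r}")
        field = m.group("args") or ""
        # Unquoted output is split on whitespace; it cannot round-trip spaces or newlines.
        argv = split_quoted_args(field) if quoted else field.split()
        events.append({
            "pcomm": m.group("pcomm"),
            "pid": int(m.group("pid")),
            "ppid": int(m.group("ppid")),
            "ret": int(m.group("ret")),
            "argv": argv,
        })
    return events


def unparseable_lines(text):
    """Non-header lines a strict line-based parser rejects (the failure in this issue)."""
    return [l for l in text.splitlines()
            if l.strip() and not l.startswith("PCOMM") and LINE_RE.match(l) is None]


def cmdline_from_procfs_bytes(raw):
    """Split a /proc/<pid>/cmdline buffer: NUL separated, NUL terminated."""
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    if not raw:          # kernel threads and zombies expose an empty cmdline
        return []
    return [a.decode("utf-8", "surrogateescape") for a in raw.split(b"\0")]


def read_procfs_cmdline(pid):
    """Return argv for pid from procfs, or None if it is gone or unreadable (Linux only)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return cmdline_from_procfs_bytes(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for ev in parse_execsnoop(QUOTED_SAMPLE):
        print(ev["pid"], ev["ret"], ev["argv"])
    print("rejected:", unparseable_lines(PLAIN_SAMPLE))
    print("own cmdline:", read_procfs_cmdline(os.getpid()))
```

Note that with unquoted output the first line of `PLAIN_SAMPLE` parses silently with a truncated argv and only the continuation line is rejected, which is why reading argv from procfs (with `--max-args=1`) is the more robust of the two approaches; it does race against short-lived processes, so a `None` result still has to be handled.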
