update(userspace/engine): bump engine version and checksum.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.github/workflows/ci.yml

@@ -27,6 +27,7 @@ jobs:
       version: ${{ needs.fetch-version.outputs.version }}
       enable_debug: true
       enable_sanitizers: true
+      use_mimalloc: true
 
   build-dev-packages-arm64:
     needs: [fetch-version]
@@ -35,6 +36,7 @@ jobs:
       arch: aarch64
       version: ${{ needs.fetch-version.outputs.version }}
       enable_debug: true
+      use_mimalloc: true
 
   test-dev-packages:
     needs: [fetch-version, build-dev-packages-x86_64]

.github/workflows/release.yaml

@@ -56,6 +56,7 @@ jobs:
     with:
       arch: x86_64
       version: ${{ github.event.release.tag_name }}
+      use_jemalloc: true
     secrets: inherit
 
   build-packages-arm64:
@@ -64,6 +65,7 @@ jobs:
     with:
       arch: aarch64
       version: ${{ github.event.release.tag_name }}
+      use_jemalloc: true
     secrets: inherit
 
   test-packages:

.github/workflows/reusable_build_packages.yaml

@@ -20,6 +20,16 @@ on:
         required: false
         type: boolean
         default: false
+      use_jemalloc:
+        description: Use jemalloc memory allocator
+        required: false
+        type: boolean
+        default: false
+      use_mimalloc:
+        description: Use mimalloc memory allocator
+        required: false
+        type: boolean
+        default: false
 
 permissions:  
   contents: read
@@ -88,7 +98,8 @@ jobs:
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
-              -DUSE_JEMALLOC=ON \
+              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
+              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
               -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
@@ -160,7 +171,8 @@ jobs:
               -DMODERN_BPF_SKEL_DIR=/tmp \
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
-              -DUSE_JEMALLOC=On \
+              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
+              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
               -DFALCO_VERSION=${{ inputs.version }}
 
       - name: Build project
@@ -209,6 +221,7 @@ jobs:
               -DBUILD_DRIVER=Off \
               -DBUILD_BPF=Off \
               -DUSE_JEMALLOC=Off \
+              -DUSE_MIMALLOC=Off \
               -DUSE_ASAN=On \
               -DFALCO_VERSION=${{ inputs.version }}
 
@@ -253,7 +266,8 @@ jobs:
                 -DCMAKE_BUILD_TYPE=Release \
                 -DCPACK_GENERATOR=TGZ \
                 -DBUILD_BPF=Off -DBUILD_DRIVER=Off \
-                -DUSE_JEMALLOC=On \
+                -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
+                -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
                 -DUSE_BUNDLED_DEPS=On \
                 -DMUSL_OPTIMIZED_BUILD=On \
                 -DFALCO_ETC_DIR=/etc/falco \

CHANGELOG.md

@@ -1,5 +1,152 @@
 # Change Log
 
+## v0.41.3
+
+Released on 2025-07-01
+
+
+
+### Minor Changes
+
+* update: bump container plugin to v0.3.1 [[#3629](https://github.com/falcosecurity/falco/pull/3629)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      1 |
+| Total           |      1 |
+
+## v0.41.2
+
+Released on 2025-06-17
+
+
+
+### Minor Changes
+
+* update(build): update container plugin to 0.3.0 [[#3619](https://github.com/falcosecurity/falco/pull/3619)] - [@ekoops](https://github.com/ekoops)
+
+
+
+### Non user-facing changes
+
+* update(build): update container plugin to 0.2.6 [[#3611](https://github.com/falcosecurity/falco/pull/3611)] - [@leogr](https://github.com/leogr)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      1 |
+| Release note    |      1 |
+| Total           |      2 |
+
+## v0.41.1
+
+Released on 2025-06-05
+
+### Bug Fixes
+
+* fix(userspace/falco): when collecting metrics for stats_writer, create a `libs_metrics_collector` for each source [[#3585](https://github.com/falcosecurity/falco/pull/3585)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened [[#3588](https://github.com/falcosecurity/falco/pull/3588)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      2 |
+| Total           |      2 |
+
+## v0.41.0
+
+Released on 2025-05-29
+
+### Breaking Changes :warning:
+
+* cleanup(engine)!: only consider .yaml/.yml rule files [[#3551](https://github.com/falcosecurity/falco/pull/3551)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(userspace)!: deprecate print of `container.info` [[#3543](https://github.com/falcosecurity/falco/pull/3543)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(userspace/falco)!: drop deprecated in 0.40.0 CLI flags. [[#3496](https://github.com/falcosecurity/falco/pull/3496)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Major Changes
+
+* new(falco): add json_include_output_fields option [[#3527](https://github.com/falcosecurity/falco/pull/3527)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(build,userspace): switch to use container plugin [[#3482](https://github.com/falcosecurity/falco/pull/3482)] - [@FedeDP](https://github.com/FedeDP)
+* new(docker,scripts,ci): use an override config file to enable ISO 8601 output timeformat on docker images [[#3488](https://github.com/falcosecurity/falco/pull/3488)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* chore(build): update falcoctl to v0.11.2, rules for artifact follow to v4 [[#3580](https://github.com/falcosecurity/falco/pull/3580)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bumped falcoctl to 0.11.1 and rules to 4.0.0. [[#3577](https://github.com/falcosecurity/falco/pull/3577)] - [@FedeDP](https://github.com/FedeDP)
+* update(containers): update opencontainers labels [[#3575](https://github.com/falcosecurity/falco/pull/3575)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(metrics): improve restart/hot_reload conditions inspection [[#3562](https://github.com/falcosecurity/falco/pull/3562)] - [@incertum](https://github.com/incertum)
+* update: empty `values` in `exceptions` won't emit a warning anymore [[#3529](https://github.com/falcosecurity/falco/pull/3529)] - [@leogr](https://github.com/leogr)
+* chore(falco.yaml): enable libs_logger by default with info level [[#3507](https://github.com/falcosecurity/falco/pull/3507)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Bug Fixes
+
+* fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics [[#3563](https://github.com/falcosecurity/falco/pull/3563)] - [@incertum](https://github.com/incertum)
+* fix(ci): properly install rpm systemd-rpm-macro package on building packages pipeline [[#3521](https://github.com/falcosecurity/falco/pull/3521)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): init cmdline options after loading all config files [[#3493](https://github.com/falcosecurity/falco/pull/3493)] - [@FedeDP](https://github.com/FedeDP)
+* fix(cmake): add support for 16K kernel page to jemalloc [[#3490](https://github.com/falcosecurity/falco/pull/3490)] - [@Darkness4](https://github.com/Darkness4)
+* fix(userspace/falco): fix jemalloc enabled in minimal build. [[#3478](https://github.com/falcosecurity/falco/pull/3478)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* chore(deps): Bump submodules/falcosecurity-rules from `4ccf111` to `cb17833` [[#3572](https://github.com/falcosecurity/falco/pull/3572)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake/rules): bump to falco-rules-4.0.0-rc1 [[#3567](https://github.com/falcosecurity/falco/pull/3567)] - [@leogr](https://github.com/leogr)
+* cleanup(userspace/falco): drop unused `libs_metrics_collector` variable. [[#3566](https://github.com/falcosecurity/falco/pull/3566)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3564](https://github.com/falcosecurity/falco/pull/3564)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(build): fixed container custom_target `sed` command. [[#3556](https://github.com/falcosecurity/falco/pull/3556)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `ae6ed41` to `4ccf111` [[#3555](https://github.com/falcosecurity/falco/pull/3555)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): fix bundled c-ares cmake issue with e.g. SLES [[#3559](https://github.com/falcosecurity/falco/pull/3559)] - [@terror96](https://github.com/terror96)
+* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `ae6ed41` [[#3553](https://github.com/falcosecurity/falco/pull/3553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: revert "chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431`" [[#3552](https://github.com/falcosecurity/falco/pull/3552)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3550](https://github.com/falcosecurity/falco/pull/3550)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3549](https://github.com/falcosecurity/falco/pull/3549)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(adopters): added SafeDep as adopter [[#3548](https://github.com/falcosecurity/falco/pull/3548)] - [@KunalSin9h](https://github.com/KunalSin9h)
+* update(cmake): update libs and driver to latest master [[#3547](https://github.com/falcosecurity/falco/pull/3547)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3541](https://github.com/falcosecurity/falco/pull/3541)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(userspace): fixed engine `openssl` dep. [[#3535](https://github.com/falcosecurity/falco/pull/3535)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): fix outputs_http timeout [[#3523](https://github.com/falcosecurity/falco/pull/3523)] - [@benierc](https://github.com/benierc)
+* fix(ci): use clang-19 to build modern_ebpf skeleton. [[#3537](https://github.com/falcosecurity/falco/pull/3537)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3531](https://github.com/falcosecurity/falco/pull/3531)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3530](https://github.com/falcosecurity/falco/pull/3530)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3525](https://github.com/falcosecurity/falco/pull/3525)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3520](https://github.com/falcosecurity/falco/pull/3520)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3516](https://github.com/falcosecurity/falco/pull/3516)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* docs(README.md): cleanups and enhancements [[#3514](https://github.com/falcosecurity/falco/pull/3514)] - [@leogr](https://github.com/leogr)
+* update(cmake): update libs and driver to latest master [[#3511](https://github.com/falcosecurity/falco/pull/3511)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431` [[#3510](https://github.com/falcosecurity/falco/pull/3510)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): update libs and driver to latest master [[#3508](https://github.com/falcosecurity/falco/pull/3508)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3506](https://github.com/falcosecurity/falco/pull/3506)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(userspace/falco): when counting `-M` timeout, do not account for async events [[#3505](https://github.com/falcosecurity/falco/pull/3505)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `d8415c1` to `1d2c6b1` [[#3504](https://github.com/falcosecurity/falco/pull/3504)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(proposals): correct typo in example [[#3499](https://github.com/falcosecurity/falco/pull/3499)] - [@leogr](https://github.com/leogr)
+* fix(docker): fixed entrypoints paths with new docker context. [[#3492](https://github.com/falcosecurity/falco/pull/3492)] - [@FedeDP](https://github.com/FedeDP)
+* feat(falco/app): move actions not using config before `load_config` [[#3483](https://github.com/falcosecurity/falco/pull/3483)] - [@ekoops](https://github.com/ekoops)
+* refactor(falco/app): apply early return pattern in actions code [[#3484](https://github.com/falcosecurity/falco/pull/3484)] - [@ekoops](https://github.com/ekoops)
+* chore(deps): Bump submodules/falcosecurity-rules from `abf6637` to `d8415c1` [[#3489](https://github.com/falcosecurity/falco/pull/3489)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Add NETWAYS Web Services to ADOPTERS.md [[#3487](https://github.com/falcosecurity/falco/pull/3487)] - [@mocdaniel](https://github.com/mocdaniel)
+* chore: add back Falco static package to the release template. [[#3472](https://github.com/falcosecurity/falco/pull/3472)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |     36 |
+| Release note    |     17 |
+| Total           |     53 |
+
 ## v0.40.0
 
 Released on 2025-01-28

CMakeLists.txt

@@ -29,7 +29,18 @@ option(BUILD_FALCO_UNIT_TESTS "Build falco unit tests" OFF)
 option(USE_ASAN "Build with AddressSanitizer" OFF)
 option(USE_UBSAN "Build with UndefinedBehaviorSanitizer" OFF)
 option(UBSAN_HALT_ON_ERROR "Halt on error when building with UBSan" ON)
-option(USE_JEMALLOC "Use jemalloc allocator" OFF)
+
+# Mem allocators - linux only for now
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT MINIMAL_BUILD
+   AND NOT EMSCRIPTEN
+)
+	# If one enables multiple allocators, cmake will fail since all of the allocators cmake modules
+	# create a `malloc` target.
+	option(USE_JEMALLOC "Use jemalloc allocator, linux only" OFF)
+	option(USE_MIMALLOC "Use mimalloc (microsoft) allocator, linux only" OFF)
+endif()
 
 if(WIN32)
 	if(POLICY CMP0091)
@@ -142,19 +153,29 @@ set(CMD_MAKE make)
 
 include(ExternalProject)
 
-if(USE_JEMALLOC)
-	if(USE_ASAN)
-		message(WARNING "Jemalloc and ASAN are known to have issues when combined")
-	endif()
-	include(jemalloc)
-endif()
-
 # libs
 include(falcosecurity-libs)
 
 # compute FALCO_VERSION (depends on libs)
 include(falco-version)
 
+# Mem allocators - linux only for now
+if(NOT WIN32
+   AND NOT APPLE
+   AND NOT MINIMAL_BUILD
+   AND NOT EMSCRIPTEN
+)
+
+	if(USE_JEMALLOC)
+		include(jemalloc)
+	endif()
+	if(USE_MIMALLOC)
+		include(mimalloc)
+	endif()
+
+	message(STATUS "Will use mem allocator library: ${MALLOC_LIB}")
+endif()
+
 # nlohmann-json
 include(njson)
 

OWNERS

@@ -4,7 +4,6 @@ approvers:
   - jasondellaluce
   - fededp
   - andreagit97
-  - incertum
   - LucaGuerra
   - sgaist
 reviewers:
@@ -13,3 +12,4 @@ emeritus_approvers:
   - fntlnz
   - kris-nova
   - leodido
+  - incertum

RELEASE.md

@@ -66,7 +66,7 @@ Changes and new features are organized into [milestones](https://github.com/falc
 
 The release process is mostly automated, requiring only a few manual steps to initiate and complete.
 
-Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [weekly community call](https://github.com/falcosecurity/community).
+Moreover, we assign owners for each release (typically pairing a new person with an experienced one). Assignees and due dates for releases are proposed during the [community call](https://github.com/falcosecurity/community).
 
 At a high level each Falco release needs to follow a pre-determined sequencing of releases and build order:
 
@@ -84,11 +84,15 @@ Before proceeding with the release, make sure to complete the following preparat
 
 ### 1. Release notes
 - Find the previous release date (`YYYY-MM-DD`) by looking at the [Falco releases](https://github.com/falcosecurity/falco/releases)
+- Double-check, by using the following filters, if there is any closed issue/merge PR with no milestone assigned:
+  - `is:issue state:closed no:milestone closed:>YYYY-MM-DD`
+    [filter](https://github.com/falcosecurity/falco/issues?q=is%3Aissue%20state%3Aclosed%20no%3Amilestone%20closed%3A%3EYYYY-MM-DD)
+  - `is:pr state:closed no:milestone closed:>YYYY-MM-DD`
+    [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD)
+- Assign any issue/PR identified in the previous point to the milestone corresponding to the currently undergoing release
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
     - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
     - If the PR has no milestone, assign it to the milestone currently undergoing release
-- Check issues without a milestone (using `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD) ) and add them to the milestone currently undergoing release
-- Double-check that there are no more merged PRs without the target milestone assigned with the `is:pr is:merged no:milestone closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+no%3Amilestone+closed%3A%3EYYYY-MM-DD), if any, update those missing
 
 ### 2. Milestones
 
@@ -102,7 +106,7 @@ Its naming will be `release/M.m.x`; for example: `release/0.34.x`.
 The same branch will then be used for any eventual cherry pick for patch releases.  
 
 For patch releases, instead, the `release/M.m.x` branch should already be in place; no more steps are needed.  
-Double check that any PR that should be part of the tag has been cherry-picked from master!
+Double-check that any PR that should be part of the tag has been cherry-picked from master!
 
 ### 4. Release PR
 
@@ -112,7 +116,7 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
     - If any, manually correct it then open an issue to automate version number bumping later
     - Versions table in the `README.md` updates itself automatically
 - Generate the change log using [rn2md](https://github.com/leodido/rn2md):
-    - Execute `rn2md -o falcosecurity -m <version> -r falco`
+    - Execute `rn2md -r falcosecurity/falco -m M.m.p -b release/M.m.x`
     - In case `rn2md` emits error try to generate an GitHub OAuth access token and provide it with the `-t` flag
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
@@ -125,7 +129,7 @@ The release PR is meant to be made against the respective `release/M.m.x` branch
 Core maintainers and/or the release manager can decide to publish pre-releases at any time before the final release
 is live for development and testing purposes.
 
-The prerelease tag must be formatted as `M.m.p-r`where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
+The prerelease tag must be formatted as `M.m.p-r` where `r` is the prerelease version information (e.g. `0.35.0-rc1`.)
 
 To do so:
 
@@ -158,7 +162,7 @@ For each release we archive the meeting notes in git for historical purposes.
 
  - The notes from the Falco meetings can be [found here](https://hackmd.io/3qYPnZPUQLGKCzR14va_qg).
     - Note: There may be other notes from working groups that can optionally be added as well as needed.
- - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/master/meeting-notes](https://github.com/falcosecurity/community/tree/master/meeting-notes) as a new file labeled `release-M.m.p.md`
+ - Add the entire content of the document to a new file in [github.com/falcosecurity/community/tree/main/meeting-notes](https://github.com/falcosecurity/community/tree/main/meeting-notes) as a new file labeled `release-M.m.p.md`
  - Open up a pull request with the new change.
 
 
@@ -166,10 +170,10 @@ For each release we archive the meeting notes in git for historical purposes.
 
 Announce the new release to the world!
 
+- IFF the ongoing release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
 - Publish a blog on [Falco website](https://github.com/falcosecurity/falco-website) ([example](https://github.com/falcosecurity/falco-website/blob/master/content/en/blog/falco-0-28-1.md))
 - Send an announcement to cncf-falco-dev@lists.cncf.io (plain text, please)
 - Let folks in the slack #falco channel know about a new release came out
-- IFF the on going release introduces a **new minor version**, [archive a snapshot of the Falco website](https://github.com/falcosecurity/falco-website/blob/master/release.md#documentation-versioning)
 
 
 ## Falco Components Versioning
@@ -181,9 +185,7 @@ This section provides more details around the versioning of the components that
 - Falco version is a git tag (`x.y.z`), see [Procedures](#procedures) section. Note that the Falco version is a sem-ver-like schema, but not fully compatible with sem-ver.
 - [FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/userspace/engine/falco_engine_version.h) is not sem-ver and must be bumped either when a backward incompatible change has been introduced to the rules files syntax and loading logic, and/or when `FALCO_ENGINE_CHECKSUM` has changed. The checksum is computed by considering the available rules fields (see currently supported [Falco fields](https://falco.org/docs/reference/rules/supported-fields/)), the event types (see currently supported [Falco events](https://falco.org/docs/reference/rules/supported-events/)), and the supported driver schema version. A checksum indicates that something was not available in previous engine versions. See the [rules release guidelines](https://github.com/falcosecurity/rules/blob/main/RELEASE.md#versioning-a-ruleset) to understand how this affects the versioning of Falco rules. Breaking changes introduced in the Falco engine are not necessarily tied to the drivers or libs versions. The version number must be incremented every time and only when a single change or an atomic group of changes - which meet the criteria described above - is included in the `master` branch. Thus, a version bump can occur multiple times during the development and testing phases of a given release cycle. A given version bump must not group multiple changes that occurred sporadically during the release cycle.
 - During development and release preparation, libs and driver reference commits are often bumped in Falco's cmake setup ([falcosecurity-libs cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/falcosecurity-libs.cmake#L30) and [driver cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/driver.cmake#L29)) in order to merge new Falco features. In practice, they are mostly bumped at the same time referencing the same `libs` commit. However, for the official Falco build `FALCOSECURITY_LIBS_VERSION` flag that references the stable libs version is used (read below).
-- Similarly, Falco plugins versions are bumped in Falco's cmake setup ([plugins cmake](https://github.com/falcosecurity/falco/blob/master/cmake/modules/plugins.cmake)) and those versions are the ones used for the Falco release.
 - At release time Plugin, Libs and Driver versions are compatible with Falco.
-- If you use the standard Falco setup leveraging driver-loader, [driver-loader script](https://github.com/falcosecurity/falco/blob/master/scripts/falco-driver-loader) will fetch the kernel space artifact (object file) corresponding to the default `DRIVER_VERSION` Falco was shipped with (read more below under Libs).
 
 
 ```

cmake/modules/cpp-httplib.cmake

@@ -20,11 +20,14 @@ if(USE_BUNDLED_CPPHTTPLIB)
 	set(HTTPLIB_REQUIRE_BROTLI OFF)
 	set(HTTPLIB_USE_ZLIB_IF_AVAILABLE OFF)
 	set(HTTPLIB_REQUIRE_ZLIB OFF)
+	set(HTTPLIB_USE_ZSTD_IF_AVAILABLE OFF)
+	set(HTTPLIB_REQUIRE_ZSTD OFF)
+	set(HTTPLIB_USE_NON_BLOCKING_GETADDRINFO OFF)
 	include(FetchContent)
 	FetchContent_Declare(
 		cpp-httplib
-		URL https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.15.3.tar.gz
-		URL_HASH SHA256=2121bbf38871bb2aafb5f7f2b9b94705366170909f434428352187cb0216124e
+		URL https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.23.1.tar.gz
+		URL_HASH SHA256=410a1347ed6bcbcc4a19af8ed8ad3873fe9fa97731d52db845c4c78f3f9c31e6
 	)
 	FetchContent_MakeAvailable(cpp-httplib)
 else()

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "9c2734a64338abff04c4a8274d3770e40c964e21")
+		set(DRIVER_VERSION "8cd5fbf687020039e115e1aadcffb510b993a67b")
 		set(DRIVER_CHECKSUM
-			"SHA256=8094cfb04c77b317a4e5a69cf8556dccb54067d1decf9ec920c7cc3fa1ea831a"
+			"SHA256=517f5a405540b16b175ff420b469dd324ad2e4ae874c91b912d4613036494a6f"
 		)
 	endif()
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.11.0")
+	set(FALCOCTL_VERSION "0.11.2")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "b9d0e0f50813e7172a945f36f70c5c3c16a677ab4c85b35b6f7a155bc92768fc")
+		set(FALCOCTL_HASH "8d55818987c90e54f7406e1c1441a18df1f485db858bb0b3efda5db217be3b48")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "689c625d1d414cbf53d39ef94083a53dda3ea4ac4908799fb85f4519e21442e0")
+		set(FALCOCTL_HASH "7c36404b5b7a515df25e7dc6d827a74ebc8526b1b49850954bbdd40860961bc2")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "9c2734a64338abff04c4a8274d3770e40c964e21")
+		set(FALCOSECURITY_LIBS_VERSION "8cd5fbf687020039e115e1aadcffb510b993a67b")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=8094cfb04c77b317a4e5a69cf8556dccb54067d1decf9ec920c7cc3fa1ea831a"
+			"SHA256=517f5a405540b16b175ff420b469dd324ad2e4ae874c91b912d4613036494a6f"
 		)
 	endif()
 

cmake/modules/grpc.cmake

@@ -181,6 +181,10 @@ else()
 			sh
 			-c
 			"sed -i '20s/^/#include <cstdint>/' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h"
+			&&
+			sh
+			-c
+			"sed -i 's|off64_t|off_t|g' ${GRPC_SRC}/third_party/abseil-cpp/absl/base/internal/direct_mmap.h"
 		)
 
 		# Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp

cmake/modules/jemalloc.cmake

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2024 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
@@ -25,9 +25,9 @@ elseif(NOT USE_BUNDLED_JEMALLOC)
 	else()
 		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
 	endif()
-	find_library(JEMALLOC_LIB NAMES libjemalloc${JEMALLOC_LIB_SUFFIX})
-	if(JEMALLOC_LIB)
-		message(STATUS "Found JEMALLOC: include: ${JEMALLOC_INCLUDE}, lib: ${JEMALLOC_LIB}")
+	find_library(MALLOC_LIB NAMES libjemalloc${JEMALLOC_LIB_SUFFIX})
+	if(MALLOC_LIB)
+		message(STATUS "Found system jemalloc: include: ${JEMALLOC_INCLUDE}, lib: ${MALLOC_LIB}")
 	else()
 		message(FATAL_ERROR "Couldn't find system jemalloc")
 	endif()
@@ -38,15 +38,15 @@ else()
 		set(JEMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
 	endif()
 	set(JEMALLOC_SRC "${PROJECT_BINARY_DIR}/jemalloc-prefix/src")
-	set(JEMALLOC_LIB "${JEMALLOC_SRC}/jemalloc/lib/libjemalloc${JEMALLOC_LIB_SUFFIX}")
-	set(JEMALLOC_INCLUDE "${JEMALLOC_SRC}/jemalloc/include/jemalloc")
+	set(MALLOC_LIB "${JEMALLOC_SRC}/malloc/lib/libjemalloc${JEMALLOC_LIB_SUFFIX}")
+	set(JEMALLOC_INCLUDE "${JEMALLOC_SRC}/malloc/include/jemalloc")
 	if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
 		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS --with-lg-page=14)
 	else()
 		set(JEMALLOC_ARCH_SPECIFIC_CONFIGURE_ARGS "")
 	endif()
 	ExternalProject_Add(
-		jemalloc
+		malloc
 		PREFIX "${PROJECT_BINARY_DIR}/jemalloc-prefix"
 		URL "https://github.com/jemalloc/jemalloc/archive/refs/tags/5.3.0.tar.gz"
 		URL_HASH "SHA256=ef6f74fd45e95ee4ef7f9e19ebe5b075ca6b7fbe0140612b2a161abafb7ee179"
@@ -56,11 +56,10 @@ else()
 		BUILD_COMMAND make build_lib_static
 		INSTALL_COMMAND ""
 		UPDATE_COMMAND ""
-		BUILD_BYPRODUCTS ${JEMALLOC_LIB}
+		BUILD_BYPRODUCTS ${MALLOC_LIB}
 	)
-	message(STATUS "Using bundled jemalloc: include: ${JEMALLOC_INCLUDE}, lib: ${JEMALLOC_LIB}")
 	install(
-		FILES "${JEMALLOC_LIB}"
+		FILES "${MALLOC_LIB}"
 		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
 		COMPONENT "libs-deps"
 	)
@@ -68,8 +67,8 @@ endif()
 
 # We add a custom target, in this way we can always depend on `jemalloc` without distinguishing
 # between "bundled" and "not-bundled" case
-if(NOT TARGET jemalloc)
-	add_custom_target(jemalloc)
+if(NOT TARGET malloc)
+	add_custom_target(malloc)
 endif()
 
 include_directories(${JEMALLOC_INCLUDE})

cmake/modules/mimalloc.cmake

@@ -0,0 +1,92 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2025 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License
+# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+# or implied. See the License for the specific language governing permissions and limitations under
+# the License.
+#
+
+option(USE_BUNDLED_MIMALLOC "Use bundled mimalloc (microsoft) allocator" ${USE_BUNDLED_DEPS})
+
+if(MIMALLOC_INCLUDE)
+	# we already have MIMALLOC
+elseif(NOT USE_BUNDLED_MIMALLOC)
+	find_path(MIMALLOC_INCLUDE mimalloc/mimalloc.h)
+	set(MIMALLOC_INCLUDE ${MIMALLOC_INCLUDE}/mimalloc)
+	if(BUILD_SHARED_LIBS)
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	find_library(MALLOC_LIB NAMES libmimalloc${MIMALLOC_LIB_SUFFIX})
+	if(MALLOC_LIB)
+		message(STATUS "Found system mimalloc: include: ${MIMALLOC_INCLUDE}, lib: ${MALLOC_LIB}")
+	else()
+		message(FATAL_ERROR "Couldn't find system mimalloc")
+	endif()
+else()
+	if(BUILD_SHARED_LIBS)
+		set(BUILD_STATIC Off)
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX})
+	else()
+		set(BUILD_STATIC On)
+		set(MIMALLOC_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX})
+	endif()
+	set(MIMALLOC_SRC "${PROJECT_BINARY_DIR}/mimalloc-prefix/src")
+	string(TOLOWER "${CMAKE_BUILD_TYPE}" _build_type)
+	if(_build_type STREQUAL "debug")
+		set(MIMALLOC_LIB_BASENAME "libmimalloc-debug")
+	else()
+		set(MIMALLOC_LIB_BASENAME "libmimalloc")
+	endif()
+	set(MALLOC_LIB "${MIMALLOC_SRC}/malloc-build/${MIMALLOC_LIB_BASENAME}${MIMALLOC_LIB_SUFFIX}")
+	set(MIMALLOC_INCLUDE ${MIMALLOC_SRC}/malloc/include/)
+
+	# To avoid recent clang versions complaining with "error: expansion of date or time macro is not
+	# reproducible" while building mimalloc, we force-set both variables.
+	string(TIMESTAMP DATE "%Y%m%d")
+	string(TIMESTAMP TIME "%H:%M")
+	set(MIMALLOC_EXTRA_CPPDEFS __DATE__="${DATE}",__TIME__="${TIME}")
+
+	# We disable arch specific optimization because of issues with building with zig. Optimizations
+	# would be only effective on arm64. See MI_NO_OPT_ARCH=On.
+	ExternalProject_Add(
+		malloc
+		PREFIX "${PROJECT_BINARY_DIR}/mimalloc-prefix"
+		URL "https://github.com/microsoft/mimalloc/archive/refs/tags/v3.1.5.tar.gz"
+		URL_HASH "SHA256=1c6949032069d5ebea438ec5cedd602d06f40a92ddf0f0d9dcff0993e5f6635c"
+		LIST_SEPARATOR "," # to pass MIMALLOC_EXTRA_CPPDEFS as list
+		CMAKE_ARGS -DBUILD_SHARED_LIBS=${BUILD_SHARED_LIBS}
+				   -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
+				   -DMI_BUILD_SHARED=${BUILD_SHARED_LIBS}
+				   -DMI_BUILD_STATIC=${BUILD_STATIC}
+				   -DMI_BUILD_TESTS=Off
+				   -DMI_BUILD_OBJECT=Off
+				   -DMI_NO_OPT_ARCH=On
+				   -DMI_EXTRA_CPPDEFS=${MIMALLOC_EXTRA_CPPDEFS}
+		INSTALL_COMMAND ""
+		UPDATE_COMMAND ""
+		BUILD_BYPRODUCTS ${MALLOC_LIB}
+	)
+	install(
+		FILES "${MALLOC_LIB}"
+		DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}"
+		COMPONENT "libs-deps"
+	)
+endif()
+
+# We add a custom target, in this way we can always depend on `mimalloc` without distinguishing
+# between "bundled" and "not-bundled" case
+if(NOT TARGET malloc)
+	add_custom_target(malloc)
+endif()
+
+include_directories(${MIMALLOC_INCLUDE})
+add_compile_definitions(HAS_MIMALLOC)

cmake/modules/rules.cmake

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2024 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
@@ -18,9 +18,9 @@ include(ExternalProject)
 
 if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
 	# falco_rules.yaml
-	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.2.0")
+	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-4.0.0")
 	set(FALCOSECURITY_RULES_FALCO_CHECKSUM
-		"SHA256=b3990bf0209cfbf6a903b361e458a1f5851a9a5aeee808ad26a5ddbe1377157d"
+		"SHA256=132320ddbfa1e2580981ed1bdd3ee3d0128a1e2306b2bee8978d1f0a930d6127"
 	)
 	set(FALCOSECURITY_RULES_FALCO_PATH
 		"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"

docker/driver-loader-buster/Dockerfile

@@ -1,7 +1,11 @@
 FROM debian:buster
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 
@@ -17,6 +21,13 @@ ENV HOME /root
 
 RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
 
+# Use 20250630T203427Z debian apt snapshot as it still contains support for buster.
+RUN cat <<EOF > /etc/apt/sources.list
+deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster main
+deb http://snapshot.debian.org/archive/debian-security/20250630T203427Z buster/updates main
+deb http://snapshot.debian.org/archive/debian/20250630T203427Z buster-updates main
+EOF
+
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	bash-completion \

docker/driver-loader/Dockerfile

@@ -1,8 +1,12 @@
 ARG FALCO_IMAGE_TAG=latest
 FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
 

docker/falco-debian/Dockerfile

@@ -1,7 +1,11 @@
 FROM debian:12-slim
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
 

docker/falco/Dockerfile

@@ -1,7 +1,11 @@
 FROM cgr.dev/chainguard/wolfi-base
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro  -v /etc:/host/etc:ro falcosecurity/falco:latest"
 # NOTE: for the "least privileged" use case, please refer to the official documentation

falco.yaml

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2023 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -494,31 +494,12 @@ load_plugins: []
 # option.
 plugins:
   - name: container
-    # For a summary of config option, see https://github.com/FedeDP/container_plugin?tab=readme-ov-file#configuration
+    # For a summary of config option, see https://github.com/falcosecurity/plugins/tree/main/plugins/container#configuration
     library_path: libcontainer.so
     init_config:
       label_max_len: 100
       with_size: false
-# We use default config values for engine key.
-#      engines:
-#        docker:
-#          enabled: true
-#          sockets: [ '/var/run/docker.sock' ]
-#        podman:
-#          enabled: true
-#          sockets: [ '/run/podman/podman.sock', '/run/user/1000/podman/podman.sock' ]
-#        containerd:
-#          enabled: true
-#          sockets: [ '/run/containerd/containerd.sock' ]
-#        cri:
-#          enabled: true
-#          sockets: [ '/run/crio/crio.sock' ]
-#        lxc:
-#          enabled: false
-#        libvirt_lxc:
-#          enabled: false
-#        bpm:
-#          enabled: false
+      # We use default config values for "engines" key.
   - name: k8saudit
     library_path: libk8saudit.so
     init_config: ""
@@ -526,10 +507,6 @@ plugins:
     #   webhookMaxBatchSize: 12582912
     #   sslCertificate: /etc/falco/falco.pem
     open_params: "http://:9765/k8s-audit"
-  - name: cloudtrail
-    library_path: libcloudtrail.so
-    # see docs for init_config and open_params:
-    # https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md
   - name: json
     library_path: libjson.so
 
@@ -691,7 +668,7 @@ outputs_queue:
 #             affect the regular Falco message in any way. These can be specified as a
 #             custom name with a custom format or as any supported field
 #             (see: https://falco.org/docs/reference/rules/supported-fields/)
-#   `suggested_output`: enable the use of extractor plugins suggested fields for the matching source output.
+#   `suggested_output`: automatically append fields that are suggested to rules output
 #
 # Example:
 # 
@@ -715,6 +692,17 @@ outputs_queue:
 append_output:
   - suggested_output: true
 
+# [Sandbox] `static_fields`
+#
+# Add statically defined fields to the Falco engine.
+# Then, they can be used as normal rule conditions, by prepending `static.` prefix,
+# eg: evt.type=open and static.foo=bar
+# Also, if `append_output.suggested_output` is true,
+# they'll be automatically appended to each rule output,
+# in the form "static_foo=bar"
+# static_fields:
+#  foo: bar
+#  foo2: ${env}
 
 ##########################
 # Falco outputs channels #

scripts/falcoctl/falcoctl.yaml.in

@@ -10,7 +10,7 @@ artifact:
     every: 6h0m0s
     falcoVersions: http://localhost:8765/versions
     refs:
-    - falco-rules:3
+    - falco-rules:4
 indexes:
 - name: falcosecurity
   url: https://falcosecurity.github.io/falcoctl/index.yaml

submodules/falcosecurity-rules

@@ -1 +1 @@
-Subproject commit 4ccf111c36ed910c7de6291db898bdb0225bcf18
+Subproject commit be3800132f0b9e4467d849c7b99e9b06f84211ad

userspace/engine/falco_engine_version.h

@@ -20,7 +20,7 @@ limitations under the License.
 
 // The version of this Falco engine
 #define FALCO_ENGINE_VERSION_MAJOR 0
-#define FALCO_ENGINE_VERSION_MINOR 50
+#define FALCO_ENGINE_VERSION_MINOR 55
 #define FALCO_ENGINE_VERSION_PATCH 0
 
 #define FALCO_ENGINE_VERSION                                                               \
@@ -36,4 +36,4 @@ limitations under the License.
 // It represents the fields supported by this version of Falco,
 // the event types, and the underlying driverevent schema. It's used to
 // detetect changes in engine version in our CI jobs.
-#define FALCO_ENGINE_CHECKSUM "c111251b08cfb00790515cd62fbe0b6c3d0b62035f7d9bbb1aea80f41d7986f9"
+#define FALCO_ENGINE_CHECKSUM "ed3df5b77b2909e51b90a4a8d06a88713dccee5ea29e06d2f8bf81d89c373e61"

userspace/falco/CMakeLists.txt

@@ -70,9 +70,9 @@ set(FALCO_INCLUDE_DIRECTORIES
 set(FALCO_DEPENDENCIES cxxopts)
 set(FALCO_LIBRARIES falco_engine)
 
-if(USE_JEMALLOC)
-	list(APPEND FALCO_DEPENDENCIES jemalloc)
-	list(APPEND FALCO_LIBRARIES ${JEMALLOC_LIB})
+if(USE_JEMALLOC OR USE_MIMALLOC)
+	list(APPEND FALCO_DEPENDENCIES malloc)
+	list(APPEND FALCO_LIBRARIES ${MALLOC_LIB})
 endif()
 
 if(NOT WIN32)

userspace/falco/app/actions/init_inspectors.cpp

@@ -21,6 +21,7 @@ limitations under the License.
 #include <unordered_set>
 
 #include <libsinsp/plugin_manager.h>
+#include <libsinsp/sinsp_filtercheck_static.h>
 
 using namespace falco::app;
 using namespace falco::app::actions;
@@ -53,7 +54,14 @@ static bool populate_filterchecks(const std::shared_ptr<sinsp>& inspector,
                                   const std::string& source,
                                   filter_check_list& filterchecks,
                                   std::unordered_set<std::string>& used_plugins,
+                                  std::map<std::string, std::string> static_fields,
                                   std::string& err) {
+	// Add static filterchecks loaded from config
+	if(!static_fields.empty()) {
+		filterchecks.add_filter_check(std::make_unique<sinsp_filter_check_static>(static_fields));
+	}
+
+	// Add plugin-defined filterchecks, checking that they do not overlap any internal filtercheck
 	std::vector<const filter_check_info*> infos;
 	for(const auto& plugin : inspector->get_plugin_manager()->plugins()) {
 		if(!(plugin->caps() & CAP_EXTRACTION)) {
@@ -82,6 +90,7 @@ static bool populate_filterchecks(const std::shared_ptr<sinsp>& inspector,
 		filterchecks.add_filter_check(sinsp_plugin::new_filtercheck(plugin));
 		used_plugins.insert(plugin->name());
 	}
+
 	return true;
 }
 
@@ -162,6 +171,7 @@ falco::app::run_result falco::app::actions::init_inspectors(falco::app::state& s
 		                          src,
 		                          *src_info->filterchecks,
 		                          used_plugins,
+		                          s.config->m_static_fields,
 		                          err)) {
 			return run_result::fatal(err);
 		}

userspace/falco/app/actions/load_config.cpp

@@ -66,6 +66,10 @@ falco::app::run_result falco::app::actions::load_config(const falco::app::state&
 		}
 	}
 
+	s.config->m_falco_reload_ts = (int64_t)std::chrono::duration_cast<std::chrono::nanoseconds>(
+	                                      std::chrono::system_clock::now().time_since_epoch())
+	                                      .count();
+
 	s.config->m_buffered_outputs = !s.options.unbuffered_outputs;
 
 	return apply_deprecated_options(s);

userspace/falco/app/actions/load_plugins.cpp

@@ -47,10 +47,12 @@ falco::app::run_result falco::app::actions::load_plugins(falco::app::state& s) {
 
 	// Load all the configured plugins
 	for(auto& p : s.config->m_plugins) {
-		falco_logger::log(falco_logger::level::INFO,
-		                  "Loading plugin '" + p.m_name + "' from file " + p.m_library_path + "\n");
 		auto plugin = s.offline_inspector->register_plugin(p.m_library_path);
 		s.plugin_configs.insert(p, plugin->name());
+		falco_logger::log(falco_logger::level::INFO,
+		                  "Loaded plugin '" + p.m_name + "@" +
+		                          plugin->plugin_version().as_string() + "' from file " +
+		                          p.m_library_path + "\n");
 		if((plugin->caps() & CAP_SOURCING) == 0 || plugin->id() == 0) {
 			continue;
 		}

userspace/falco/app/actions/process_events.cpp

@@ -226,7 +226,7 @@ static falco::app::run_result do_inspect(
 			if(source_engine_idx == sinsp_no_event_source_idx) {
 				std::string msg = "Unknown event source for inspector's event";
 				if(ev->get_type() == PPME_PLUGINEVENT_E || ev->get_type() == PPME_ASYNCEVENT_E) {
-					auto pluginID = *(uint32_t*)ev->get_param(0)->m_val;
+					auto pluginID = ev->get_param(0)->as<uint32_t>();
 					if(pluginID != 0) {
 						msg += " (plugin ID: " + std::to_string(pluginID) + ")";
 					}
@@ -485,6 +485,10 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 				}
 
 				if(s.enabled_sources.size() == 1) {
+					if(s.on_inspectors_opened != nullptr) {
+						s.on_inspectors_opened();
+					}
+
 					// optimization: with only one source we don't spawn additional threads
 					process_inspector_events(s,
 					                         src_info->inspector,
@@ -514,6 +518,9 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 				break;
 			}
 		}
+		if(s.enabled_sources.size() > 1 && s.on_inspectors_opened != nullptr) {
+			s.on_inspectors_opened();
+		}
 
 		// wait for event processing to terminate for all sources
 		// if a thread terminates with an error, we trigger the app termination

userspace/falco/app/actions/start_webserver.cpp

@@ -44,6 +44,7 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
 	                          std::to_string(webserver_config.m_listen_port) + ssl_option + "\n");
 
 	state.webserver.start(state, webserver_config);
+	state.on_inspectors_opened = [&state]() { state.webserver.enable_prometheus_metrics(state); };
 #endif
 	return run_result::ok();
 }

userspace/falco/app/restart_handler.cpp

@@ -38,7 +38,9 @@ limitations under the License.
 
 falco::app::restart_handler::~restart_handler() {
 	stop();
-	close(m_inotify_fd);
+	if(m_inotify_fd != -1) {
+		close(m_inotify_fd);
+	}
 	m_inotify_fd = -1;
 }
 
@@ -48,6 +50,12 @@ void falco::app::restart_handler::trigger() {
 
 bool falco::app::restart_handler::start(std::string& err) {
 #ifdef __linux__
+	if(m_watched_files.empty() && m_watched_dirs.empty()) {
+		falco_logger::log(falco_logger::level::DEBUG,
+		                  "Refusing to start restart handler due to nothing to watch\n");
+		return true;
+	}
+
 	m_inotify_fd = inotify_init();
 	if(m_inotify_fd < 0) {
 		err = "could not initialize inotify handler";

userspace/falco/app/restart_handler.h

@@ -61,7 +61,7 @@ public:
 private:
 	void watcher_loop() noexcept;
 
-	int m_inotify_fd;
+	int m_inotify_fd = -1;
 	std::thread m_watcher;
 	std::atomic<bool> m_stop;
 	std::atomic<bool> m_forced;

userspace/falco/app/state.h

@@ -116,6 +116,9 @@ struct state {
 
 	falco_webserver webserver;
 #endif
+	// Set by start_webserver to start prometheus metrics
+	// once all inspectors are opened.
+	std::function<void()> on_inspectors_opened = nullptr;
 
 	inline bool is_capture_mode() const { return config->m_engine_mode == engine_kind_t::REPLAY; }
 

userspace/falco/config_json_schema.h

@@ -35,6 +35,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                         "$ref": "#/definitions/AppendOutput"
                     }
                 },
+                "static_fields": {
+                    "type": "object"
+                },
                 "config_files": {
                     "type": "array",
                     "items": {

userspace/falco/configuration.cpp

@@ -663,6 +663,8 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 		}
 	}
 
+	m_static_fields = m_config.get_scalar<std::map<std::string, std::string>>("static_fields", {});
+
 	std::vector<std::string> load_plugins;
 
 	bool load_plugins_node_defined = m_config.is_defined("load_plugins");

userspace/falco/configuration.h

@@ -147,6 +147,8 @@ public:
 	std::vector<rule_selection_config> m_rules_selection;
 	// Append output configuration passed by the user
 	std::vector<append_output_config> m_append_output;
+	// Static fields configuration passed by the user
+	std::map<std::string, std::string> m_static_fields;
 
 	bool m_json_output;
 	bool m_json_include_output_property;
@@ -214,7 +216,15 @@ public:
 	gvisor_config m_gvisor = {};
 
 	yaml_helper m_config;
+
+	//
+	// Runtime-Generated values (not user-configurable)
+	//
+
+	// JSON schema generated from a hardcoded string
 	nlohmann::json m_config_schema;
+	// Timestamp of most recent configuration reload
+	int64_t m_falco_reload_ts{0};
 
 private:
 	void merge_config_files(const std::string& config_name, config_loaded_res& res);

userspace/falco/falco_metrics.cpp

@@ -31,8 +31,36 @@ namespace fs = std::filesystem;
 
 /*!
     \class falco_metrics
-    \brief This class is used to convert the metrics provided by the application
-    and falco libs into a string to be return by the metrics endpoint.
+    \brief Converts metrics provided by the application and Falco libraries into a formatted string
+           for the metrics endpoint.
+
+    ## Metrics Overview
+    This section explains why looping over inspectors is necessary.
+    Falco utilizes multiple inspectors when loading plugins with an event source.
+    Most metrics should only be retrieved once, ideally by the syscalls inspector if applicable.
+    To maximize metrics retrieval and prevent duplicate data, the syscalls inspector is always
+    positioned at index 0 in the loop when it exists.
+
+    Wrapper fields: See https://falco.org/docs/concepts/metrics/
+    - `engine_name` and `event_source` are pushed for each inspector.
+    - All other wrapper fields are agnostic and should be retrieved once.
+
+    ## Metrics Collection Behavior
+    - `rules_counters_enabled` -> Agnostic; resides in falco; retrieved from the state, not an
+      inspector; only performed once.
+    - `resource_utilization_enabled` -> Agnostic; resides in libs; inspector is irrelevant;
+      only performed once.
+    - `state_counters_enabled` -> Semi-agnostic; resides in libs; must be retrieved by the syscalls
+      inspector if applicable.
+    - `kernel_event_counters_enabled` -> Resides in libs; must be retrieved by the syscalls
+   inspector; not available for other inspectors.
+    - `kernel_event_counters_per_cpu_enabled` -> Resides in libs; must be retrieved by the syscalls
+      inspector; not available for other inspectors.
+    - `libbpf_stats_enabled` -> Resides in libs; must be retrieved by the syscalls inspector;
+      not available for other inspectors.
+    - `plugins_metrics_enabled` -> Must be retrieved for each inspector.
+    - `jemalloc_stats_enabled` -> Agnostic; resides in falco; inspector is irrelevant;
+      only performed once.
 */
 
 /*!
@@ -42,108 +70,354 @@ namespace fs = std::filesystem;
 
     https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format
 */
-const std::string falco_metrics::content_type = "text/plain; version=0.0.4";
+const std::string falco_metrics::content_type_prometheus = "text/plain; version=0.0.4";
 
-/*!
-    \brief this method takes an application \c state and returns a textual representation of
-    its configured metrics.
+std::string falco_metrics::falco_to_text_prometheus(
+        const falco::app::state& state,
+        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
+        std::vector<metrics_v2>& additional_wrapper_metrics) {
+	std::string prometheus_text;
 
-    The current implementation returns a Prometheus exposition formatted string.
-*/
-std::string falco_metrics::to_text(const falco::app::state& state) {
+	// # HELP falcosecurity_falco_version_info https://falco.org/docs/metrics/
+	// # TYPE falcosecurity_falco_version_info gauge
+	// falcosecurity_falco_version_info{version="0.41.0-100+334ca42"} 1
+	prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+	        "version",
+	        "falcosecurity",
+	        "falco",
+	        {{"version", FALCO_VERSION}});
+
+#if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
+	// Note that the rule counter metrics are retrieved from the state, not from any inspector
+	// Distinguish between config and rules files using labels, following Prometheus best
+	// practices: https://prometheus.io/docs/practices/naming/#labels
+
+	// # HELP falcosecurity_falco_sha256_rules_files_info https://falco.org/docs/metrics/
+	// # TYPE falcosecurity_falco_sha256_rules_files_info gauge
+	// falcosecurity_falco_sha256_rules_files_info{file_name="falco_rules.yaml",sha256="6f0078862a26528cb50a860f9ebebbfbe3162e5009187089c73cb0cdf91d0b06"}
+	// 1
+	for(const auto& item : state.config.get()->m_loaded_rules_filenames_sha256sum) {
+		fs::path fs_path = item.first;
+		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+		        "sha256_rules_files",
+		        "falcosecurity",
+		        "falco",
+		        {{"file_name", fs_path.filename()}, {"sha256", item.second}});
+	}
+
+	// # HELP falcosecurity_falco_sha256_config_files_info https://falco.org/docs/metrics/
+	// # TYPE falcosecurity_falco_sha256_config_files_info gauge
+	// falcosecurity_falco_sha256_config_files_info{file_name="falco.yaml",sha256="f97de5fa6f513b5e07cd9f29ee9904ee4267cb120ef6501f8555543d5a98dd1c"}
+	// 1
+	for(const auto& item : state.config.get()->m_loaded_configs_filenames_sha256sum) {
+		fs::path fs_path = item.first;
+		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+		        "sha256_config_files",
+		        "falcosecurity",
+		        "falco",
+		        {{"file_name", fs_path.filename()}, {"sha256", item.second}});
+	}
+
+#endif
+	// # HELP falcosecurity_falco_outputs_queue_num_drops_total https://falco.org/docs/metrics/
+	// # TYPE falcosecurity_falco_outputs_queue_num_drops_total counter
+	// falcosecurity_falco_outputs_queue_num_drops_total 0
+	additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+	        "outputs_queue_num_drops",
+	        METRICS_V2_MISC,
+	        METRIC_VALUE_TYPE_U64,
+	        METRIC_VALUE_UNIT_COUNT,
+	        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+	        state.outputs->get_outputs_queue_num_drops()));
+
+	// # HELP falcosecurity_falco_reload_timestamp_nanoseconds https://falco.org/docs/metrics/
+	// # TYPE falcosecurity_falco_reload_timestamp_nanoseconds gauge
+	// falcosecurity_falco_reload_timestamp_nanoseconds 1748338536592811359
+	additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+	        "reload_ts",
+	        METRICS_V2_MISC,
+	        METRIC_VALUE_TYPE_S64,
+	        METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
+	        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+	        state.config->m_falco_reload_ts));
+
+	if(state.config->m_metrics_flags & METRICS_V2_RULE_COUNTERS) {
+		// rules_counters_enabled
+		const stats_manager& rule_stats_manager = state.engine->get_rule_stats_manager();
+		const indexed_vector<falco_rule>& rules = state.engine->get_rules();
+		const std::vector<std::unique_ptr<std::atomic<uint64_t>>>& rules_by_id =
+		        rule_stats_manager.get_by_rule_id();
+		// Distinguish between rules counters using labels, following Prometheus best
+		// practices: https://prometheus.io/docs/practices/naming/#labels
+		for(size_t i = 0; i < rules_by_id.size(); i++) {
+			auto rule = rules.at(i);
+			auto count = rules_by_id[i]->load();
+			if(count > 0) {
+				// # HELP falcosecurity_falco_rules_matches_total https://falco.org/docs/metrics/
+				// # TYPE falcosecurity_falco_rules_matches_total counter
+				// falcosecurity_falco_rules_matches_total{priority="4",rule_name="Read sensitive
+				// file
+				// untrusted",source="syscall",tag_T1555="true",tag_container="true",tag_filesystem="true",tag_host="true",tag_maturity_stable="true",tag_mitre_credential_access="true"}
+				// 32 # HELP falcosecurity_falco_rules_matches_total https://falco.org/docs/metrics/
+				// # TYPE falcosecurity_falco_rules_matches_total counter
+				// falcosecurity_falco_rules_matches_total{priority="5",rule_name="Terminal shell in
+				// container",source="syscall",tag_T1059="true",tag_container="true",tag_maturity_stable="true",tag_mitre_execution="true",tag_shell="true"}
+				// 1
+				auto metric = libs::metrics::libsinsp_metrics::new_metric(
+				        "rules_matches",
+				        METRICS_V2_RULE_COUNTERS,
+				        METRIC_VALUE_TYPE_U64,
+				        METRIC_VALUE_UNIT_COUNT,
+				        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+				        count);
+				prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+				std::map<std::string, std::string> const_labels = {
+				        {"rule_name", rule->name},
+				        {"priority", std::to_string(rule->priority)},
+				        {"source", rule->source},
+				};
+				std::for_each(rule->tags.cbegin(),
+				              rule->tags.cend(),
+				              [&const_labels](std::string const& tag) {
+					              const_labels.emplace(std::string{"tag_"} + tag, "true");
+				              });
+				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+				        metric,
+				        "falcosecurity",
+				        "falco",
+				        const_labels);
+			}
+		}
+	}
+#ifdef HAS_JEMALLOC
+	if(state.config->m_metrics_flags & METRICS_V2_JEMALLOC_STATS) {
+		// jemalloc_stats_enabled
+		nlohmann::json j;
+		malloc_stats_print(
+		        [](void* to, const char* from) {
+			        nlohmann::json* j = (nlohmann::json*)to;
+			        *j = nlohmann::json::parse(from);
+		        },
+		        &j,
+		        "Jmdablxeg");
+		const auto& j_stats = j["jemalloc"]["stats"];
+		for(auto it = j_stats.begin(); it != j_stats.end(); ++it) {
+			if(it.value().is_number_unsigned()) {
+				std::uint64_t val = it.value().template get<std::uint64_t>();
+				std::string key = "jemalloc." + it.key();
+				auto metric = libs::metrics::libsinsp_metrics::new_metric(
+				        key.c_str(),
+				        METRICS_V2_JEMALLOC_STATS,
+				        METRIC_VALUE_TYPE_U64,
+				        METRIC_VALUE_UNIT_MEMORY_BYTES,
+				        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+				        val);
+				prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+				        metric,
+				        "falcosecurity",
+				        "falco");
+			}
+		}
+	}
+#endif
+	return prometheus_text;
+}
+
+std::string falco_metrics::sources_to_text_prometheus(
+        const falco::app::state& state,
+        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
+        std::vector<metrics_v2>& additional_wrapper_metrics) {
 	static const char* all_driver_engines[] = {BPF_ENGINE,
 	                                           KMOD_ENGINE,
 	                                           MODERN_BPF_ENGINE,
 	                                           SOURCE_PLUGIN_ENGINE,
 	                                           NODRIVER_ENGINE,
 	                                           GVISOR_ENGINE};
+	static re2::RE2 drops_buffer_pattern("n_drops_buffer_([^_]+(?:_[^_]+)*)_(enter|exit)$");
+	static re2::RE2 cpu_pattern("(\\d+)");
 
-	std::vector<std::shared_ptr<sinsp>> inspectors;
-	std::vector<libs::metrics::libs_metrics_collector> metrics_collectors;
+	std::string prometheus_text;
+	bool agent_info_written = false;
+	bool machine_info_written = false;
 
+	// Then, source-bound metrics
 	for(const auto& source : state.enabled_sources) {
 		auto source_info = state.source_infos.at(source);
 		auto source_inspector = source_info->inspector;
-		inspectors.emplace_back(source_inspector);
-		metrics_collectors.emplace_back(
-		        libs::metrics::libs_metrics_collector(source_inspector.get(),
-		                                              state.config->m_metrics_flags));
-	}
-	libs::metrics::prometheus_metrics_converter prometheus_metrics_converter;
-	std::string prometheus_text;
 
-	for(auto inspector : inspectors) {
-		// Falco wrapper metrics
-		//
-		for(size_t i = 0; i < sizeof(all_driver_engines) / sizeof(const char*); i++) {
-			if(inspector->check_current_engine(all_driver_engines[i])) {
+		// First thing: list of enabled engine names
+
+		// Falco wrapper metrics Part A: Repeated for each inspector, accounting for plugins w/
+		// event sources
+
+		/* Examples ...
+		    # HELP falcosecurity_scap_engine_name_info https://falco.org/docs/metrics/
+		    # TYPE falcosecurity_scap_engine_name_info gauge
+		    falcosecurity_scap_engine_name_info{engine_name="source_plugin",evt_source="dummy"} 1
+		    # HELP falcosecurity_scap_engine_name_info https://falco.org/docs/metrics/
+		    # TYPE falcosecurity_scap_engine_name_info gauge
+		    falcosecurity_scap_engine_name_info{engine_name="bpf",evt_source="syscall"} 1
+		*/
+
+		for(size_t j = 0; j < sizeof(all_driver_engines) / sizeof(const char*); j++) {
+			if(source_inspector->check_current_engine(all_driver_engines[j])) {
 				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
 				        "engine_name",
 				        "falcosecurity",
 				        "scap",
-				        {{"engine_name", all_driver_engines[i]}});
+				        {{"engine_name", std::string(all_driver_engines[j])},
+				         {"evt_source", source}});
 				break;
 			}
 		}
 
-		const scap_agent_info* agent_info = inspector->get_agent_info();
-		const scap_machine_info* machine_info = inspector->get_machine_info();
-		libs::metrics::libs_metrics_collector libs_metrics_collector(inspector.get(), 0);
-		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-		        "version",
-		        "falcosecurity",
-		        "falco",
-		        {{"version", FALCO_VERSION}});
+		// Inspectors' metrics collectors
+		// Libs metrics categories
+		//
+		// resource_utilization_enabled
+		// state_counters_enabled
+		// kernel_event_counters_enabled
+		// kernel_event_counters_per_cpu_enabled
+		// libbpf_stats_enabled
+		auto metrics_collector =
+		        libs::metrics::libs_metrics_collector(source_inspector.get(),
+		                                              state.config->m_metrics_flags);
+		metrics_collector.snapshot();
+		auto metrics_snapshot = metrics_collector.get_metrics();
+
+		// Source plugin
+		if(source != falco_common::syscall_source) {
+			// Performed repeatedly for each inspectors' libs metrics collector
+			for(auto& metric : metrics_snapshot) {
+				if(metric.flags & METRICS_V2_PLUGINS) {
+					prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+					prometheus_text +=
+					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
+					                metric,
+					                "falcosecurity",
+					                "plugins");
+				}
+			}
+		} else {
+			// Source syscall
+			for(auto& metric : metrics_snapshot) {
+				prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+				std::string prometheus_subsystem = "scap";
+
+				if(metric.flags & METRICS_V2_RESOURCE_UTILIZATION) {
+					prometheus_subsystem = "falco";
+				}
+
+				if(metric.flags & METRICS_V2_PLUGINS) {
+					prometheus_subsystem = "plugins";
+				}
+
+				// raw incoming in form of for example n_evts_cpu_15 or n_drops_cpu_15
+				if(strncmp(metric.name, "n_evts_cpu", 10) == 0 ||
+				   strncmp(metric.name, "n_drops_cpu", 11) == 0)  // prefix match
+				{
+					std::string name_str(metric.name);
+					std::string cpu_number;
+					if(re2::RE2::PartialMatch(name_str, cpu_pattern, &cpu_number)) {
+						re2::RE2::GlobalReplace(&name_str, cpu_pattern, "");
+						// possible double __ will be sanitized within libs
+						auto metric_new = libs::metrics::libsinsp_metrics::new_metric(
+						        name_str.c_str(),
+						        METRICS_V2_KERNEL_COUNTERS_PER_CPU,
+						        METRIC_VALUE_TYPE_U64,
+						        METRIC_VALUE_UNIT_COUNT,
+						        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+						        metric.value.u64);
+						const std::map<std::string, std::string>& const_labels = {
+						        {"cpu", cpu_number}};
+						/* Examples ...
+						    # HELP falcosecurity_scap_n_evts_cpu_total
+						   https://falco.org/docs/metrics/ # TYPE
+						   falcosecurity_scap_n_evts_cpu_total counter
+						    falcosecurity_scap_n_evts_cpu_total{cpu="7"} 237
+						    # HELP falcosecurity_scap_n_drops_cpu_total
+						   https://falco.org/docs/metrics/ # TYPE
+						   falcosecurity_scap_n_drops_cpu_total counter
+						    falcosecurity_scap_n_drops_cpu_total{cpu="7"} 0
+						*/
+						prometheus_text +=
+						        prometheus_metrics_converter.convert_metric_to_text_prometheus(
+						                metric_new,
+						                "falcosecurity",
+						                prometheus_subsystem,
+						                const_labels);
+					}
+				} else if(strcmp(metric.name, "n_drops_buffer_total") == 0) {
+					// Skip the libs aggregate metric since we distinguish between buffer drops
+					// using labels similar to the rules_matches
+					continue;
+				} else if(strncmp(metric.name, "n_drops_buffer", 14) == 0)  // prefix match
+				{
+					std::string drop;
+					std::string dir;
+					std::string name_str(metric.name);
+					if(re2::RE2::FullMatch(name_str, drops_buffer_pattern, &drop, &dir)) {
+						auto metric_new = libs::metrics::libsinsp_metrics::new_metric(
+						        "n_drops_buffer",
+						        METRICS_V2_KERNEL_COUNTERS,
+						        METRIC_VALUE_TYPE_U64,
+						        METRIC_VALUE_UNIT_COUNT,
+						        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+						        metric.value.u64);
+						const std::map<std::string, std::string>& const_labels = {{"drop", drop},
+						                                                          {"dir", dir}};
+						/* Examples ...
+						    # HELP falcosecurity_scap_n_drops_buffer_total
+						   https://falco.org/docs/metrics/ # TYPE
+						   falcosecurity_scap_n_drops_buffer_total counter
+						    falcosecurity_scap_n_drops_buffer_total{dir="enter",drop="clone_fork"} 0
+						    # HELP falcosecurity_scap_n_drops_buffer_total
+						   https://falco.org/docs/metrics/ # TYPE
+						   falcosecurity_scap_n_drops_buffer_total counter
+						    falcosecurity_scap_n_drops_buffer_total{dir="exit",drop="clone_fork"} 0
+						*/
+						prometheus_text +=
+						        prometheus_metrics_converter.convert_metric_to_text_prometheus(
+						                metric_new,
+						                "falcosecurity",
+						                prometheus_subsystem,
+						                const_labels);
+					}
+				} else {
+					prometheus_text +=
+					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
+					                metric,
+					                "falcosecurity",
+					                prometheus_subsystem);
+				}
+			}
+		}
+
+		// Source wrapper metrics Part B: Agnostic, performed only once.
+		if(agent_info_written && machine_info_written) {
+			continue;
+		}
+
+		const scap_agent_info* agent_info = nullptr;
+		if(!agent_info_written) {
+			agent_info = source_inspector->get_agent_info();
+		}
+		const scap_machine_info* machine_info = nullptr;
+		if(!machine_info_written) {
+			machine_info = source_inspector->get_machine_info();
+		}
 
 		// Not all scap engines report agent and machine infos.
+		// However, recent lib refactors enable a linux lite platform, allowing non-syscall
+		// inspectors to retrieve these metrics if the syscall inspector is unavailable.
+		// We only push these info once.
 		if(agent_info) {
 			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
 			        "kernel_release",
 			        "falcosecurity",
 			        "falco",
 			        {{"kernel_release", agent_info->uname_r}});
-		}
-		if(machine_info) {
-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-			        "hostname",
-			        "falcosecurity",
-			        "evt",
-			        {{"hostname", machine_info->hostname}});
-		}
-
-#if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-		// Distinguish between config and rules files using labels, following Prometheus best
-		// practices: https://prometheus.io/docs/practices/naming/#labels
-		for(const auto& item : state.config.get()->m_loaded_rules_filenames_sha256sum) {
-			fs::path fs_path = item.first;
-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-			        "sha256_rules_files",
-			        "falcosecurity",
-			        "falco",
-			        {{"file_name", fs_path.filename()}, {"sha256", item.second}});
-		}
-
-		for(const auto& item : state.config.get()->m_loaded_configs_filenames_sha256sum) {
-			fs::path fs_path = item.first;
-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-			        "sha256_config_files",
-			        "falcosecurity",
-			        "falco",
-			        {{"file_name", fs_path.filename()}, {"sha256", item.second}});
-		}
-
-#endif
-
-		for(const std::string& source : inspector->event_sources()) {
-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-			        "evt_source",
-			        "falcosecurity",
-			        "falco",
-			        {{"evt_source", source}});
-		}
-		std::vector<metrics_v2> additional_wrapper_metrics;
-
-		if(agent_info) {
 			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
 			        "start_ts",
 			        METRICS_V2_MISC,
@@ -151,8 +425,25 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 			        METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
 			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
 			        agent_info->start_ts_epoch));
+			auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(
+			                   std::chrono::system_clock::now().time_since_epoch())
+			                   .count();
+			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+			        "duration_sec",
+			        METRICS_V2_MISC,
+			        METRIC_VALUE_TYPE_U64,
+			        METRIC_VALUE_UNIT_TIME_S_COUNT,
+			        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+			        (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
+			agent_info_written = true;
 		}
+
 		if(machine_info) {
+			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+			        "hostname",
+			        "falcosecurity",
+			        "evt",
+			        {{"hostname", machine_info->hostname}});
 			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
 			        "host_boot_ts",
 			        METRICS_V2_MISC,
@@ -167,225 +458,41 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 			        METRIC_VALUE_UNIT_COUNT,
 			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
 			        machine_info->num_cpus));
+			machine_info_written = true;
 		}
-		additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-		        "outputs_queue_num_drops",
-		        METRICS_V2_MISC,
-		        METRIC_VALUE_TYPE_U64,
-		        METRIC_VALUE_UNIT_COUNT,
-		        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-		        state.outputs->get_outputs_queue_num_drops()));
+	}  // End inspector loop
+
+	return prometheus_text;
+}
+
+/*!
+    \brief this method takes an application \c state and returns a textual representation of
+    its configured metrics.
+
+    The current implementation returns a Prometheus exposition formatted string.
+*/
+std::string falco_metrics::to_text_prometheus(const falco::app::state& state) {
+	libs::metrics::prometheus_metrics_converter prometheus_metrics_converter;
+	std::string prometheus_text;
+
+	std::vector<metrics_v2> additional_wrapper_metrics;
+
+	// Falco global metrics, once
+	prometheus_text += falco_to_text_prometheus(state,
+	                                            prometheus_metrics_converter,
+	                                            additional_wrapper_metrics);
+	// Metrics for each source
+	prometheus_text += sources_to_text_prometheus(state,
+	                                              prometheus_metrics_converter,
+	                                              additional_wrapper_metrics);
+
+	for(auto metric : additional_wrapper_metrics) {
+		prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+		prometheus_text +=
+		        prometheus_metrics_converter.convert_metric_to_text_prometheus(metric,
+		                                                                       "falcosecurity",
+		                                                                       "falco");
+	}
 
-		if(agent_info) {
-			auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(
-			                   std::chrono::system_clock::now().time_since_epoch())
-			                   .count();
-			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-			        "duration_sec",
-			        METRICS_V2_MISC,
-			        METRIC_VALUE_TYPE_U64,
-			        METRIC_VALUE_UNIT_TIME_S_COUNT,
-			        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-			        (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
-		}
-
-		for(auto metric : additional_wrapper_metrics) {
-			prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
-			prometheus_text +=
-			        prometheus_metrics_converter.convert_metric_to_text_prometheus(metric,
-			                                                                       "falcosecurity",
-			                                                                       "falco");
-		}
-
-		// Falco metrics categories
-		//
-		// rules_counters_enabled
-		if(state.config->m_metrics_flags & METRICS_V2_RULE_COUNTERS) {
-			const stats_manager& rule_stats_manager = state.engine->get_rule_stats_manager();
-			const indexed_vector<falco_rule>& rules = state.engine->get_rules();
-			const std::vector<std::unique_ptr<std::atomic<uint64_t>>>& rules_by_id =
-			        rule_stats_manager.get_by_rule_id();
-			// Distinguish between rules counters using labels, following Prometheus best practices:
-			// https://prometheus.io/docs/practices/naming/#labels
-			for(size_t i = 0; i < rules_by_id.size(); i++) {
-				auto rule = rules.at(i);
-				auto count = rules_by_id[i]->load();
-				if(count > 0) {
-					/* Examples ...
-					    # HELP falcosecurity_falco_rules_matches_total
-					   https://falco.org/docs/metrics/ # TYPE
-					   falcosecurity_falco_rules_matches_total counter
-					    falcosecurity_falco_rules_matches_total{priority="4",rule_name="Read
-					   sensitive file
-					   untrusted",source="syscall",tag_T1555="true",tag_container="true",tag_filesystem="true",tag_host="true",tag_maturity_stable="true",tag_mitre_credential_access="true"}
-					   10 # HELP falcosecurity_falco_rules_matches_total
-					   https://falco.org/docs/metrics/ # TYPE
-					   falcosecurity_falco_rules_matches_total counter
-					    falcosecurity_falco_rules_matches_total{priority="5",rule_name="Unexpected
-					   UDP
-					   Traffic",source="syscall",tag_TA0011="true",tag_container="true",tag_host="true",tag_maturity_incubating="true",tag_mitre_exfiltration="true",tag_network="true"}
-					   1
-					*/
-					auto metric = libs::metrics::libsinsp_metrics::new_metric(
-					        "rules_matches",
-					        METRICS_V2_RULE_COUNTERS,
-					        METRIC_VALUE_TYPE_U64,
-					        METRIC_VALUE_UNIT_COUNT,
-					        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-					        rules_by_id[i]->load());
-					prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
-					std::map<std::string, std::string> const_labels = {
-					        {"rule_name", rule->name},
-					        {"priority", std::to_string(rule->priority)},
-					        {"source", rule->source},
-					};
-					std::for_each(rule->tags.cbegin(),
-					              rule->tags.cend(),
-					              [&const_labels](std::string const& tag) {
-						              const_labels.emplace(std::string{"tag_"} + tag, "true");
-					              });
-					prometheus_text +=
-					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
-					                metric,
-					                "falcosecurity",
-					                "falco",
-					                const_labels);
-				}
-			}
-		}
-#ifdef HAS_JEMALLOC
-		if(state.config->m_metrics_flags & METRICS_V2_JEMALLOC_STATS) {
-			nlohmann::json j;
-			malloc_stats_print(
-			        [](void* to, const char* from) {
-				        nlohmann::json* j = (nlohmann::json*)to;
-				        *j = nlohmann::json::parse(from);
-			        },
-			        &j,
-			        "Jmdablxeg");
-			const auto& j_stats = j["jemalloc"]["stats"];
-			for(auto it = j_stats.begin(); it != j_stats.end(); ++it) {
-				if(it.value().is_number_unsigned()) {
-					std::uint64_t val = it.value().template get<std::uint64_t>();
-					std::string key = "jemalloc." + it.key();
-					auto metric = libs::metrics::libsinsp_metrics::new_metric(
-					        key.c_str(),
-					        METRICS_V2_JEMALLOC_STATS,
-					        METRIC_VALUE_TYPE_U64,
-					        METRIC_VALUE_UNIT_MEMORY_BYTES,
-					        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-					        val);
-					prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
-					prometheus_text +=
-					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
-					                metric,
-					                "falcosecurity",
-					                "falco");
-				}
-			}
-		}
-#endif
-	}
-
-	// Libs metrics categories
-	//
-	// resource_utilization_enabled
-	// state_counters_enabled
-	// kernel_event_counters_enabled
-	// libbpf_stats_enabled
-	for(auto metrics_collector : metrics_collectors) {
-		metrics_collector.snapshot();
-		auto metrics_snapshot = metrics_collector.get_metrics();
-
-		for(auto& metric : metrics_snapshot) {
-			prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
-			std::string prometheus_subsystem = "scap";
-
-			if(metric.flags & METRICS_V2_RESOURCE_UTILIZATION) {
-				prometheus_subsystem = "falco";
-			}
-
-			if(metric.flags & METRICS_V2_PLUGINS) {
-				prometheus_subsystem = "plugins";
-			}
-
-			// raw incoming in form of for example n_evts_cpu_15 or n_drops_cpu_15
-			if(strncmp(metric.name, "n_evts_cpu", 10) == 0 ||
-			   strncmp(metric.name, "n_drops_cpu", 11) == 0)  // prefix match
-			{
-				std::string name_str(metric.name);
-				re2::RE2 pattern("(\\d+)");
-				std::string cpu_number;
-				if(re2::RE2::PartialMatch(name_str, pattern, &cpu_number)) {
-					re2::RE2::GlobalReplace(&name_str, pattern, "");
-					// possible double __ will be sanitized within libs
-					auto metric_new = libs::metrics::libsinsp_metrics::new_metric(
-					        name_str.c_str(),
-					        METRICS_V2_KERNEL_COUNTERS_PER_CPU,
-					        METRIC_VALUE_TYPE_U64,
-					        METRIC_VALUE_UNIT_COUNT,
-					        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-					        metric.value.u64);
-					const std::map<std::string, std::string>& const_labels = {{"cpu", cpu_number}};
-					/* Examples ...
-					    # HELP falcosecurity_scap_n_evts_cpu_total https://falco.org/docs/metrics/
-					    # TYPE falcosecurity_scap_n_evts_cpu_total counter
-					    falcosecurity_scap_n_evts_cpu_total{cpu="7"} 237
-					    # HELP falcosecurity_scap_n_drops_cpu_total https://falco.org/docs/metrics/
-					    # TYPE falcosecurity_scap_n_drops_cpu_total counter
-					    falcosecurity_scap_n_drops_cpu_total{cpu="7"} 0
-					*/
-					prometheus_text +=
-					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
-					                metric_new,
-					                "falcosecurity",
-					                prometheus_subsystem,
-					                const_labels);
-				}
-			} else if(strcmp(metric.name, "n_drops_buffer_total") == 0) {
-				// Skip the libs aggregate metric since we distinguish between buffer drops using
-				// labels similar to the rules_matches
-				continue;
-			} else if(strncmp(metric.name, "n_drops_buffer", 14) == 0)  // prefix match
-			{
-				re2::RE2 pattern("n_drops_buffer_([^_]+(?:_[^_]+)*)_(enter|exit)$");
-				std::string drop;
-				std::string dir;
-				std::string name_str(metric.name);
-				if(re2::RE2::FullMatch(name_str, pattern, &drop, &dir)) {
-					auto metric_new = libs::metrics::libsinsp_metrics::new_metric(
-					        "n_drops_buffer",
-					        METRICS_V2_KERNEL_COUNTERS,
-					        METRIC_VALUE_TYPE_U64,
-					        METRIC_VALUE_UNIT_COUNT,
-					        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-					        metric.value.u64);
-					const std::map<std::string, std::string>& const_labels = {{"drop", drop},
-					                                                          {"dir", dir}};
-					/* Examples ...
-					    # HELP falcosecurity_scap_n_drops_buffer_total
-					   https://falco.org/docs/metrics/ # TYPE
-					   falcosecurity_scap_n_drops_buffer_total counter
-					    falcosecurity_scap_n_drops_buffer_total{dir="enter",drop="clone_fork"} 0
-					    # HELP falcosecurity_scap_n_drops_buffer_total
-					   https://falco.org/docs/metrics/ # TYPE
-					   falcosecurity_scap_n_drops_buffer_total counter
-					    falcosecurity_scap_n_drops_buffer_total{dir="exit",drop="clone_fork"} 0
-					*/
-					prometheus_text +=
-					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
-					                metric_new,
-					                "falcosecurity",
-					                prometheus_subsystem,
-					                const_labels);
-				}
-			} else {
-				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-				        metric,
-				        "falcosecurity",
-				        prometheus_subsystem);
-			}
-		}
-	}
 	return prometheus_text;
 }

userspace/falco/falco_metrics.h

@@ -26,6 +26,16 @@ struct state;
 
 class falco_metrics {
 public:
-	static const std::string content_type;
-	static std::string to_text(const falco::app::state& state);
+	static const std::string content_type_prometheus;
+	static std::string to_text_prometheus(const falco::app::state& state);
+
+private:
+	static std::string falco_to_text_prometheus(
+	        const falco::app::state& state,
+	        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
+	        std::vector<metrics_v2>& additional_wrapper_metrics);
+	static std::string sources_to_text_prometheus(
+	        const falco::app::state& state,
+	        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
+	        std::vector<metrics_v2>& additional_wrapper_metrics);
 };

userspace/falco/stats_writer.cpp

@@ -233,7 +233,6 @@ void stats_writer::worker() noexcept {
 	bool use_file = !m_config->m_metrics_output_file.empty();
 	auto tick = stats_writer::get_ticker();
 	auto last_tick = tick;
-	auto first_tick = tick;
 
 	while(true) {
 // blocks until a message becomes availables
@@ -244,35 +243,33 @@ void stats_writer::worker() noexcept {
 			return;
 		}
 
-		// this helps waiting for the first tick
 		tick = stats_writer::get_ticker();
-		if(first_tick != tick) {
-			if(last_tick != tick) {
-				m_total_samples++;
-			}
-			last_tick = tick;
 
-			try {
-				if(use_outputs) {
-					std::string rule = "Falco internal: metrics snapshot";
-					std::string msg = "Falco metrics snapshot";
-					m_outputs->handle_msg(m.ts,
-					                      falco_common::PRIORITY_INFORMATIONAL,
-					                      msg,
-					                      rule,
-					                      m.output_fields);
-				}
+		if(last_tick != tick) {
+			m_total_samples++;
+		}
+		last_tick = tick;
 
-				if(use_file) {
-					nlohmann::json jmsg;
-					jmsg["sample"] = m_total_samples;
-					jmsg["output_fields"] = m.output_fields;
-					m_file_output << jmsg.dump() << std::endl;
-				}
-			} catch(const std::exception& e) {
-				falco_logger::log(falco_logger::level::ERR,
-				                  "stats_writer (worker): " + std::string(e.what()) + "\n");
+		try {
+			if(use_outputs) {
+				std::string rule = "Falco internal: metrics snapshot";
+				std::string msg = "Falco metrics snapshot";
+				m_outputs->handle_msg(m.ts,
+				                      falco_common::PRIORITY_INFORMATIONAL,
+				                      msg,
+				                      rule,
+				                      m.output_fields);
 			}
+
+			if(use_file) {
+				nlohmann::json jmsg;
+				jmsg["sample"] = m_total_samples;
+				jmsg["output_fields"] = m.output_fields;
+				m_file_output << jmsg.dump() << std::endl;
+			}
+		} catch(const std::exception& e) {
+			falco_logger::log(falco_logger::level::ERR,
+			                  "stats_writer (worker): " + std::string(e.what()) + "\n");
 		}
 	}
 }
@@ -353,6 +350,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	/* Wrapper fields useful for statistical analyses and attributions. Always enabled. */
 	output_fields["evt.time"] =
 	        now; /* Some ETLs may prefer a consistent timestamp within output_fields. */
+	output_fields["falco.reload_ts"] = m_writer->m_config->m_falco_reload_ts;
 	output_fields["falco.version"] = FALCO_VERSION;
 	if(agent_info) {
 		output_fields["falco.start_ts"] = agent_info->start_ts_epoch;
@@ -416,7 +414,8 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 
 void stats_writer::collector::get_metrics_output_fields_additional(
         nlohmann::json& output_fields,
-        double stats_snapshot_time_delta_sec) {
+        double stats_snapshot_time_delta_sec,
+        const std::string& src) {
 	// Falco metrics categories
 	//
 	// rules_counters_enabled
@@ -480,7 +479,8 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 #endif
 
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-	if(m_writer->m_libs_metrics_collector && m_writer->m_output_rule_metrics_converter) {
+	if(m_writer->m_libs_metrics_collectors.find(src) != m_writer->m_libs_metrics_collectors.end() &&
+	   m_writer->m_output_rule_metrics_converter) {
 		// Libs metrics categories
 		//
 		// resource_utilization_enabled
@@ -489,8 +489,9 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 		// libbpf_stats_enabled
 
 		// Refresh / New snapshot
-		m_writer->m_libs_metrics_collector->snapshot();
-		auto metrics_snapshot = m_writer->m_libs_metrics_collector->get_metrics();
+		auto& libs_metrics_collector = m_writer->m_libs_metrics_collectors[src];
+		libs_metrics_collector->snapshot();
+		auto metrics_snapshot = libs_metrics_collector->get_metrics();
 		// Cache n_evts and n_drops to derive n_drops_perc.
 		uint64_t n_evts = 0;
 		uint64_t n_drops = 0;
@@ -613,7 +614,8 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
                                       uint64_t num_evts) {
 	if(m_writer->has_output()) {
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-		if(!m_writer->m_libs_metrics_collector) {
+		if(m_writer->m_libs_metrics_collectors.find(src) ==
+		   m_writer->m_libs_metrics_collectors.end()) {
 			uint32_t flags = m_writer->m_config->m_metrics_flags;
 			// Note: ENGINE_FLAG_BPF_STATS_ENABLED check has been moved to libs, that is, when
 			// libbpf stats is not enabled in the kernel settings we won't collect them even if the
@@ -627,7 +629,7 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
 				flags &= ~(METRICS_V2_KERNEL_COUNTERS | METRICS_V2_KERNEL_COUNTERS_PER_CPU |
 				           METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS);
 			}
-			m_writer->m_libs_metrics_collector =
+			m_writer->m_libs_metrics_collectors[src] =
 			        std::make_unique<libs::metrics::libs_metrics_collector>(inspector.get(), flags);
 		}
 
@@ -659,7 +661,8 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
 			                                  num_evts,
 			                                  now,
 			                                  stats_snapshot_time_delta_sec);
-			get_metrics_output_fields_additional(output_fields, stats_snapshot_time_delta_sec);
+
+			get_metrics_output_fields_additional(output_fields, stats_snapshot_time_delta_sec, src);
 
 			/* Send message in the queue */
 			stats_writer::msg msg;

userspace/falco/stats_writer.h

@@ -79,10 +79,13 @@ public:
 		   fields.
 		*/
 		void get_metrics_output_fields_additional(nlohmann::json& output_fields,
-		                                          double stats_snapshot_time_delta_sec);
+		                                          double stats_snapshot_time_delta_sec,
+		                                          const std::string& src);
 
 		std::shared_ptr<stats_writer> m_writer;
-		stats_writer::ticker_t m_last_tick = 0;
+		// Init m_last_tick w/ invalid value to enable metrics logging immediately after
+		// startup/reload
+		stats_writer::ticker_t m_last_tick = std::numeric_limits<ticker_t>::max();
 		uint64_t m_last_now = 0;
 		uint64_t m_last_n_evts = 0;
 		uint64_t m_last_n_drops = 0;
@@ -151,7 +154,9 @@ private:
 	tbb::concurrent_bounded_queue<stats_writer::msg> m_queue;
 #endif
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-	std::unique_ptr<libs::metrics::libs_metrics_collector> m_libs_metrics_collector;
+	// Per source map of libs metrics collectors
+	std::unordered_map<std::string, std::unique_ptr<libs::metrics::libs_metrics_collector>>
+	        m_libs_metrics_collectors;
 	std::unique_ptr<libs::metrics::output_rule_metrics_converter> m_output_rule_metrics_converter;
 #endif
 	std::shared_ptr<falco_outputs> m_outputs;

userspace/falco/webserver.cpp

@@ -58,11 +58,6 @@ void falco_webserver::start(const falco::app::state &state,
 		              res.set_content(versions_json_str, "application/json");
 	              });
 
-	if(state.config->m_metrics_enabled && webserver_config.m_prometheus_metrics_enabled) {
-		m_server->Get("/metrics", [&state](const httplib::Request &, httplib::Response &res) {
-			res.set_content(falco_metrics::to_text(state), falco_metrics::content_type);
-		});
-	}
 	// run server in a separate thread
 	if(!m_server->is_valid()) {
 		m_server = nullptr;
@@ -105,3 +100,13 @@ void falco_webserver::stop() {
 		m_running = false;
 	}
 }
+
+void falco_webserver::enable_prometheus_metrics(const falco::app::state &state) {
+	if(state.config->m_metrics_enabled &&
+	   state.config->m_webserver_config.m_prometheus_metrics_enabled) {
+		m_server->Get("/metrics", [&state](const httplib::Request &, httplib::Response &res) {
+			res.set_content(falco_metrics::to_text_prometheus(state),
+			                falco_metrics::content_type_prometheus);
+		});
+	}
+}

userspace/falco/webserver.h

@@ -40,6 +40,7 @@ public:
 	virtual void start(const falco::app::state& state,
 	                   const falco_configuration::webserver_config& webserver_config);
 	virtual void stop();
+	virtual void enable_prometheus_metrics(const falco::app::state& state);
 
 private:
 	bool m_running = false;