build(deps): bump docker/login-action in the actions group

Bumps the actions group with 1 update: [docker/login-action](https://github.com/docker/login-action). Updates `docker/login-action` from 3.4.0 to 3.5.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](74a5d14239...184bdaa072) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
build(deps): bump github.com/aws/aws-sdk-go-v2/service/lambda
2025-08-05 15:21:57 +02:00 · 2025-08-05 15:20:57 +02:00 · 2025-07-29 09:29:08 +02:00 · 2025-07-28 20:03:07 +02:00 · 2025-07-22 10:34:28 +02:00 · 2025-07-21 18:53:28 +02:00
222 changed files with 11703 additions and 3896 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -5,15 +5,17 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
-    labels:
-      - "area/dependency"
-      - "release-note-none"
-      - "ok-to-test"
+    groups:
+      gomod:
+        update-types:
+          - "patch"
+
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
-    labels:
-      - "area/dependency"
-      - "release-note-none"
-      - "ok-to-test"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@ -9,23 +9,23 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: '1.20'
+          go-version: '1.23'
          check-latest: true
          cache: true

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+      - uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4

-      - uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
+      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          install-only: true

--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -14,13 +14,14 @@ jobs:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: '1.20'
+          go-version: '1.23'
+          cache: false
          check-latest: true
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
+        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
        with:
-          version: v1.53
+          version: v1.61
          args: --timeout=5m
--- a/.github/workflows/push-main.yml
+++ b/.github/workflows/push-main.yml
@ -14,25 +14,25 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: '1.20'
+          go-version: '1.23'
          check-latest: true
          cache: true

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

-      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+      - uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4

-      - uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
+      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          install-only: true

@ -47,7 +47,7 @@ jobs:

      # Push images to DockerHUB
      - name: Login to Docker Hub
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_SECRET }}
@ -63,14 +63,14 @@ jobs:

      # Push images to AWS Public ECR
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
        with:
          role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
          aws-region: us-east-1

      - name: Login to Amazon ECR
        id: login-ecr-public
-        uses: aws-actions/amazon-ecr-login@fc3959cb4cf5a821ab7a5a636ea4f1e855b05180 # v1.6.2
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
        with:
          registry-type: public

--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,40 +18,40 @@ jobs:
      tag_name: ${{ steps.tag.outputs.tag_name }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: '1.20'
+          go-version: '1.23'
          check-latest: true

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

-      - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

-      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+      - uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4

      # Push images to DockerHUB
      - name: Login to Docker Hub
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_SECRET }}

      # Push images to AWS Public ECR
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
        with:
          role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
          aws-region: us-east-1

      - name: Login to Amazon ECR
        id: login-ecr-public
-        uses: aws-actions/amazon-ecr-login@fc3959cb4cf5a821ab7a5a636ea4f1e855b05180 # v1.6.2
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
        with:
          registry-type: public

@ -68,10 +68,10 @@ jobs:

      - name: Run GoReleaser
        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          version: latest
-          args: release --clean --timeout 120m
+          args: release --clean --timeout 120m --parallelism 1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LDFLAGS: ${{ env.GO_FLAGS }}
@ -92,7 +92,7 @@ jobs:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"
      upload-assets: true
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -14,10 +14,10 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
-          go-version: '1.20'
+          go-version: '1.23'
          check-latest: true
          cache: true
      - name: Run Go tests
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,7 +1,8 @@
 run:
-  deadline: 5m
-  skip-files:
-  - "zz_generated.*\\.go$"
+  timeout: 5m
+issues:
+  exclude-files:
+    - "zz_generated.*\\.go$"
 linters:
  disable-all: true
  enable:
@ -17,7 +18,3 @@ linters:
    - unused
  # Run with --fast=false for more extensive checks
  fast: true
-  include:
-  - EXC0002 # include "missing comments" issues from golint
-  max-issues-per-linter: 0
-  max-same-issues: 0
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,3 +1,5 @@
+version: 2
+
 project_name: falcosidekick

 env:
@ -8,7 +10,7 @@ env:
  - COSIGN_YES=true

 snapshot:
-  name_template: 'latest'
+  version_template: 'latest'

 checksum:
  name_template: 'checksums.txt'
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,39 +1,167 @@
 # Changelog

+## 2.31.1 - 2025-02-04
+#### Fix
+- Fix error while closing the writer for `GCPStorage` ([PR#1116](https://github.com/falcosecurity/falcosidekick/pull/1116) thanks to [@chanukya-yekollu-exa](https://github.com/chanukya-yekollu-exa))
+
+## 2.31.0 - 2025-02-03
+#### New
+- New output: **OTLP Logs** ([PR#1109](https://github.com/falcosecurity/falcosidekick/pull/1109))
+
+#### Enhancement
+- Add the namespace and the pod name as labels by default in `Loki` payload ([PR#1087](https://github.com/falcosecurity/falcosidekick/pull/1087) thanks to [@afreyermuth98](https://github.com/afreyermuth98))
+- Allow to set the format for the `Loki` payload to JSON ([PR#1091](https://github.com/falcosecurity/falcosidekick/pull/1091))
+- Allow to set a template for the subjets for `NATS`/`STAN` outputs ([PR#1099](https://github.com/falcosecurity/falcosidekick/pull/1099))
+- Improve the logger with a generic and extensible method ([PR#1102](https://github.com/falcosecurity/falcosidekick/pull/1102))
+
+#### Fix
+- Remove forgotten debug line ([PR#1088](https://github.com/falcosecurity/falcosidekick/pull/1088))
+- Fix missing templated fields as labls in `Loki` payload ([PR#1091](https://github.com/falcosecurity/falcosidekick/pull/1091))
+- Fix creation error of `ClusterPolicyReports` ([PR#1100](https://github.com/falcosecurity/falcosidekick/pull/100))
+- Fix missing custom headers for HTTP requests for `Loki` ([PR#1107](https://github.com/falcosecurity/falcosidekick/pull/1107) thanks to [@lsroe](https://github.com/lsroe))
+- Fix wrong key format for `Prometheus` format ([PR#1110](https://github.com/falcosecurity/falcosidekick/pull/1110) thanks to [@rubensf](https://github.com/rubensf))
+
+## 2.30.0 - 2024-11-28
+#### New
+- New output: **Webex** ([PR#979](https://github.com/falcosecurity/falcosidekick/pull/979) thanks to [@k0rventen](https://github.com/k0rventen))
+- New output: **OTLP Metrics** ([PR#1012](https://github.com/falcosecurity/falcosidekick/pull/1012) thanks to [@ekoops](https://github.com/ekoops))
+- New output: **Datadog Logs** ([PR#1052](https://github.com/falcosecurity/falcosidekick/pull/1052) thanks to [@yohboy](https://github.com/yohboy))
+
+#### Enhancement
+- Reuse of the http client for 3-4x increase of the throughput ([PR#962](https://github.com/falcosecurity/falcosidekick/pull/962) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Improve outputs throughput handling ([PR#966](https://github.com/falcosecurity/falcosidekick/pull/966) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Batching and gzip compression for the `Elastticsearch` output ([PR#967](https://github.com/falcosecurity/falcosidekick/pull/967) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Use the same convention for the Prometheus metrics than Falco ([PR#995](https://github.com/falcosecurity/falcosidekick/pull/995))
+- Add `APIKey` for `Elasticsearch` output ([PR#980](https://github.com/falcosecurity/falcosidekick/pull/980) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Add `Pipeline` configuration for `Elasticsearch` output ([PR#981](https://github.com/falcosecurity/falcosidekick/pull/981 ) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Add `MessageThreadID` configuration in `Telegram` output ([PR#1008](https://github.com/falcosecurity/falcosidekick/pull/1008) thanks to [@vashian](https://github.com/vashian))
+- Support multi-architecture in build ([PR#1024](https://github.com/falcosecurity/falcosidekick/pull/1024) thanks to [@nickytd](https://github.com/nickytd))
+- Add `falco` as source for the `Datadog Events` ([PR#1043](https://github.com/falcosecurity/falcosidekick/pull/1043) thanks to [@maxd-wttj](https://github.com/maxd-wttj))
+- Support `AlertManager` output in HA mode ([PR#1051](https://github.com/falcosecurity/falcosidekick/pull/1051))
+
+#### Fix
+- Fix `PolicyReports` created in the same namespace than previous event ([PR#978](https://github.com/falcosecurity/falcosidekick/pull/978))
+- Fix missing `customFields/extraFields` in the `Elasticsearch` payload ([PR#1033](https://github.com/falcosecurity/falcosidekick/pull/1033))
+- Fix incorrect key name for `CloudEvent` spec attribute ([PR#1051](https://github.com/falcosecurity/falcosidekick/pull/1051))
+
+> [!WARNING]
+> Breaking change: The Prometheus metrics have different names from this release, it might break the queries for the dashboards and alerts.
+
+## 2.29.0 - 2024-07-01
+#### New
+- New output: **Dynatrace** ([PR#575](https://github.com/falcosecurity/falcosidekick/pull/575) thanks to [@blu3r4y](https://github.com/blu3r4y))
+- New output: **OTLP Traces** ([PR#613](https://github.com/falcosecurity/falcosidekick/pull/613) thanks to [@jjo](https://github.com/jjo))
+- New output: **Sumologic** ([PR#656](https://github.com/falcosecurity/falcosidekick/pull/656) thanks to [@mencarellic](https://github.com/mencarellic))
+- New output: **Quickwit** ([PR#736](https://github.com/falcosecurity/falcosidekick/pull/736) thanks to [@idrissneumann](https://github.com/idrissneumann))
+- New output: **Falco Talon** ([PR#929](https://github.com/falcosecurity/falcosidekick/pull/929))
+
+#### Enhancement
+- Add global TLS config ([PR#588](https://github.com/falcosecurity/falcosidekick/pull/588) thanks to [@ibice](https://github.com/ibice))
+- Add `source` as label for `Prometheus` metrics ([PR#665](https://github.com/falcosecurity/falcosidekick/pull/665))
+- Better logs when TLS is enabled ([PR#668](https://github.com/falcosecurity/falcosidekick/pull/668))
+- Add test for utils sorting function ([PR#694](https://github.com/falcosecurity/falcosidekick/pull/694) thanks to [@stevemcquaid](https://github.com/stevemcquaid))
+- Refactor of the `InitClient` ([PR#765](https://github.com/falcosecurity/falcosidekick/pull/765) thanks to [@idrissneumann](https://github.com/idrissneumann))
+- Allow to use alternative endpoints for the `AWS S3` output ([PR#791](https://github.com/falcosecurity/falcosidekick/pull/791) thanks to [@gysel](https://github.com/gysel))
+- Consistent order for the `output_fields` and `tags` ([PR#802](https://github.com/falcosecurity/falcosidekick/pull/802))
+- Allow to add custom headers for `AlertManager` output ([PR#827](https://github.com/falcosecurity/falcosidekick/pull/827) thanks to [@Umaaz](https://github.com/Umaaz))
+- Add more checks for the `GCP Storage` output ([PR#858](https://github.com/falcosecurity/falcosidekick/pull/858))
+- Possibility to create an index template for the `Elasticsearch` output ([PR#868](https://github.com/falcosecurity/falcosidekick/pull/868))
+- Possibility to "flatten" the `output_fields` (replace `.` by `_`) for the `Elasticsearch` output to avoid mapping conflicts ([PR#868](https://github.com/falcosecurity/falcosidekick/pull/868))
+- Truncate the fields with a length > 512 chars to avoid rejection from some outputs ([PR#871](https://github.com/falcosecurity/falcosidekick/pull/871))
+- Change the license to Apache 2.0 ([PR#882](https://github.com/falcosecurity/falcosidekick/pull/882) thanks to [@leogr](https://github.com/leogr))
+- Revamp the `PolicyReport` output ([PR#899](https://github.com/falcosecurity/falcosidekick/pull/899))
+- New parameter `outputFieldFormat` to modify on the fly the format of the `output` field ([PR#901](https://github.com/falcosecurity/falcosidekick/pull/901))
+
+#### Fix
+- Fix missing root CA for the `Kafka` output ([PR#581](https://github.com/falcosecurity/falcosidekick/pull/581) thanks to [@claviola](https://github.com/claviola))
+- Fix bug with the extension `source` in the `CloudEvent` output ([PR#587](https://github.com/falcosecurity/falcosidekick/pull/587))
+- Fix panics in the `Prometheus` output when `hostname` field is missing ([PR#628](https://github.com/falcosecurity/falcosidekick/pull/628))
+- Remove refs to deprecated `ioutil` modules ([PR#639](https://github.com/falcosecurity/falcosidekick/pull/639) thanks to [@testwill](https://github.com/testwill))
+- Fix locks in the `Loki` output ([PR#647](https://github.com/falcosecurity/falcosidekick/pull/647) thanks to [@bsod90](https://github.com/bsod90))
+- Split the docs for the outputs into multiple files ([PR#648](https://github.com/falcosecurity/falcosidekick/pull/648))
+- Fix mTLS client verification failures due to missing ClientCAs ([PR#666](https://github.com/falcosecurity/falcosidekick/pull/666) thanks to [@jgmartinez](https://github.com/jgmartinez))
+- Fix wrong env var for pagerduty output ([PR#682](https://github.com/falcosecurity/falcosidekick/pull/682))
+- Remove hard settings for usernames in `Mattermost` and `Rocketchat` ([PR#731](https://github.com/falcosecurity/falcosidekick/pull/731))
+- Fix multi lines json in the error lines ([PR#764](https://github.com/falcosecurity/falcosidekick/pull/764) thanks to [@idrissneumann](https://github.com/idrissneumann))
+- Fix duplicated custom headers in clients ([PR#801](https://github.com/falcosecurity/falcosidekick/pull/801), [PR#857](https://github.com/falcosecurity/falcosidekick/pull/857))
+- Fix the labels for the `AlertManager` output ([PR#870](https://github.com/falcosecurity/falcosidekick/pull/870) thanks to [@Umaaz](https://github.com/Umaaz))
+
+## 2.28.0 - 2023-07-18
+#### New
+- New output: **Redis** ([PR#396](https://github.com/falcosecurity/falcosidekick/pull/396) thanks to [@pandyamarut](https://github.com/pandyamarut))
+- New output: **Telegram** ([PR#431](https://github.com/falcosecurity/falcosidekick/pull/431) thanks to [@zufardhiyaulhaq](https://github.com/zufardhiyaulhaq))
+- New output: **N8N** ([PR#462](https://github.com/falcosecurity/falcosidekick/pull/462))
+- New output: **Grafana OnCall** ([PR#470](https://github.com/falcosecurity/falcosidekick/pull/470))
+- New output: **OpenObserve** ([PR#509](https://github.com/falcosecurity/falcosidekick/pull/509))
+
+#### Enhancement
+- Add `output` in the description annotation for `AlertManager` output ([PR#341](https://github.com/falcosecurity/falcosidekick/pull/478))
+- Allow to set the http method for `Webhook` output ([PR#399](https://github.com/falcosecurity/falcosidekick/pull/399))
+- Add `hostname` as prometheus label ([PR#420](https://github.com/falcosecurity/falcosidekick/pull/420) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Allow to replace the brackets ([PR#421](https://github.com/falcosecurity/falcosidekick/pull/421))
+- Allow to set custom http headers for `Loki`, `Elasticsearch` and `Grafana` outputs ([PR#428](https://github.com/falcosecurity/falcosidekick/pull/428))
+- Add `hostname`, `tags`, `custom` and `templated fields` for `TimescaleDB` output ([PR#438](https://github.com/falcosecurity/falcosidekick/pull/438) thanks to [@hileef](https://github.com/hileef))
+- Allow to set thresholds for the dropped events in `AlertManager` ouput ([PR#439](https://github.com/falcosecurity/falcosidekick/pull/439) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Match the `priority` with `AlertManager` severity label ([PR#440](https://github.com/falcosecurity/falcosidekick/pull/440) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Add `rolearn` and `externalid` for the assume role for `AWS` outputs ([PR#494](https://github.com/falcosecurity/falcosidekick/pull/494))
+- Allow to set the `region` for `PagerDuty` output ([PR#500](https://github.com/falcosecurity/falcosidekick/pull/500))
+- Add TLS option + rewrite send method for the `SMTP` output ([PR#502](https://github.com/falcosecurity/falcosidekick/pull/502))
+- Add attributes to `GCP PubSub` messages ([PR#505](https://github.com/falcosecurity/falcosidekick/pull/505) thanks to [@annadorottya](https://github.com/annadorottya))
+- Add option for TLS and mTLS for the server ([PR#508](https://github.com/falcosecurity/falcosidekick/pull/508) thanks to [@annadorottya](https://github.com/annadorottya))
+- Add setting to auto create the `Kafka` topic ([PR#554](https://github.com/falcosecurity/falcosidekick/pull/554))
+- Add option to deploy a HTTP only server for specific endpoints ([PR#565](https://github.com/falcosecurity/falcosidekick/pull/565) thanks to [@annadorottya](https://github.com/annadorottya))
+- Support multiple bootstrap servers for `Kafka` output ([PR#571](https://github.com/falcosecurity/falcosidekick/pull/571) thanks to [@ibice](https://github.com/ibice))
+- Add option for TLS for `Kafka` output ([PR#574](https://github.com/falcosecurity/falcosidekick/pull/574))
+
+#### Fix
+- Fix error handling in `AWS Security Lake` output ([PR#390](https://github.com/falcosecurity/falcosidekick/pull/390))
+- Fix breaking brackets in `AWS SNS` messages ([PR#419](https://github.com/falcosecurity/falcosidekick/pull/419))
+- Fix setting name for the table of `TimescaleDB` output ([PR#426](https://github.com/falcosecurity/falcosidekick/pull/426) thanks to [@alika](https://github.com/alika))
+- Fix cardinality issue with prometheus labels ([PR#427](https://github.com/falcosecurity/falcosidekick/pull/427))
+- Fix panic when assert output fields which are nil ([PR#429](https://github.com/falcosecurity/falcosidekick/pull/429))
+- Fix dependencies for `Wavefront` output ([PR#432](https://github.com/falcosecurity/falcosidekick/pull/432))
+- Fix key pattern for `AWS Security Lake` output ([PR#447](https://github.com/falcosecurity/falcosidekick/pull/447))
+- Fix default settings for `Telegram` output ([PR#495](https://github.com/falcosecurity/falcosidekick/pull/495) thanks to [@schfkt](https://github.com/schfkt))
+- Fix URL generation for `Spyderbat` output ([PR#506](https://github.com/falcosecurity/falcosidekick/pull/506) thanks to [@bc-sb](https://github.com/bc-sb))
+- Fix nil values in `Spyderbat` output ([PR#527](https://github.com/falcosecurity/falcosidekick/pull/527) thanks to [@spider-guy](https://github.com/spider-guy))
+- Fix duplicated headers in `SMTP` output ([PR#528](https://github.com/falcosecurity/falcosidekick/pull/528) thanks to [@apsega](https://github.com/apsega))
+- Fix missing trim for names and values of labels for `AlertManager` output ([PR#563](https://github.com/falcosecurity/falcosidekick/pull/563) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Fix missing returned errors for `Kafka` output ([PR#573](https://github.com/falcosecurity/falcosidekick/pull/573))
+
 ## 2.27.0 - 2022-12-13
 #### New
 - New output: **Yandex Data Streams** ([PR#336](https://github.com/falcosecurity/falcosidekick/pull/336) thanks to [@preved911](https://github.com/preved911))
- New output: **Node-Red** ([PR#337](https://github.com/falcosecurity/falcosidekick/pull/337)
- New output: **MQTT** ([PR#338](https://github.com/falcosecurity/falcosidekick/pull/338)
- Templated fields: custom fields generated with Go templates ([PR#350](https://github.com/falcosecurity/falcosidekick/pull/350)
- New output: **Zincsearch** ([PR#360](https://github.com/falcosecurity/falcosidekick/pull/360)
- New output: **Gotify** ([PR#362](https://github.com/falcosecurity/falcosidekick/pull/362)
+- New output: **Node-Red** ([PR#337](https://github.com/falcosecurity/falcosidekick/pull/337))
+- New output: **MQTT** ([PR#338](https://github.com/falcosecurity/falcosidekick/pull/338))
+- Templated fields: custom fields generated with Go templates ([PR#350](https://github.com/falcosecurity/falcosidekick/pull/350))
+- New output: **Zincsearch** ([PR#360](https://github.com/falcosecurity/falcosidekick/pull/360))
+- New output: **Gotify** ([PR#362](https://github.com/falcosecurity/falcosidekick/pull/362))
 - New output: **Spyderbat** ([PR#368](https://github.com/falcosecurity/falcosidekick/pull/368) thanks to [@spyder-kyle](https://github.com/spyder-kyle))
- New output: **Tekton** ([PR#371](https://github.com/falcosecurity/falcosidekick/pull/371)
+- New output: **Tekton** ([PR#371](https://github.com/falcosecurity/falcosidekick/pull/371))
 - New output: **TimescaleDB** ([PR#378](https://github.com/falcosecurity/falcosidekick/pull/378) thanks to [@jagretti](https://github.com/jagretti))
- New output: **AWS Security Lake** ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387)
+- New output: **AWS Security Lake** ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387))

 #### Enhancement
 - `SMTP` output now uses any SASL auth mechanism ([PR#341](https://github.com/falcosecurity/falcosidekick/pull/341) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Bind `Policy Reports` to Namespace by `ownerReference` ([PR#346](https://github.com/falcosecurity/falcosidekick/pull/346)
+- Bind `Policy Reports` to Namespace by `ownerReference` ([PR#346](https://github.com/falcosecurity/falcosidekick/pull/346))
 - Add extra labels and annotations for `AlertManager` payloads ([PR#347](https://github.com/falcosecurity/falcosidekick/pull/347) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Update default type for `Elasticsearch` documents ([PR#349](https://github.com/falcosecurity/falcosidekick/pull/349)
- Support env vars in custom fields ([PR#353](https://github.com/falcosecurity/falcosidekick/pull/353)
- Update format + default endpoint for `Loki` output ([PR#356](https://github.com/falcosecurity/falcosidekick/pull/356)
- Determine resource names + owner ref for `Policy Reports` ([PR#358](https://github.com/falcosecurity/falcosidekick/pull/358)
- Update `Influxdb` output to use API Token and /api/v2 endpoint ([PR#359](https://github.com/falcosecurity/falcosidekick/pull/359)
- Allow to override the `Slack` channel ([PR#366](https://github.com/falcosecurity/falcosidekick/pull/366)
- Add From, To and Date headers in `SMTP` payload ([PR#364](https://github.com/falcosecurity/falcosidekick/pull/364)
- Improve the check of the payload from `Falco`, it allows now to have an empty output ([PR#372](https://github.com/falcosecurity/falcosidekick/pull/372)
- Allow to set user and api key for `Loki` output for `Grafana Logs` ([PR#379](https://github.com/falcosecurity/falcosidekick/pull/379)
+- Update default type for `Elasticsearch` documents ([PR#349](https://github.com/falcosecurity/falcosidekick/pull/349))
+- Support env vars in custom fields ([PR#353](https://github.com/falcosecurity/falcosidekick/pull/353))
+- Update format + default endpoint for `Loki` output ([PR#356](https://github.com/falcosecurity/falcosidekick/pull/356))
+- Determine resource names + owner ref for `Policy Reports` ([PR#358](https://github.com/falcosecurity/falcosidekick/pull/358))
+- Update `Influxdb` output to use API Token and /api/v2 endpoint ([PR#359](https://github.com/falcosecurity/falcosidekick/pull/359))
+- Allow to override the `Slack` channel ([PR#366](https://github.com/falcosecurity/falcosidekick/pull/366))
+- Add From, To and Date headers in `SMTP` payload ([PR#364](https://github.com/falcosecurity/falcosidekick/pull/364))
+- Improve the check of the payload from `Falco`, it allows now to have an empty output ([PR#372](https://github.com/falcosecurity/falcosidekick/pull/372))
+- Allow to set user and api key for `Loki` output for `Grafana Logs` ([PR#379](https://github.com/falcosecurity/falcosidekick/pull/379))
 - Add `hostname` in json payload for all outputs ([PR#383](https://github.com/falcosecurity/falcosidekick/pull/383) thanks to [@Lowaiz](https://github.com/Lowaiz))
 - Add SASL authentication for `Kafka` output ([PR#385](https://github.com/falcosecurity/falcosidekick/pull/385) thanks to [@Lowaiz](https://github.com/Lowaiz)) and [@lyoung-confluent](https://github.com/lyoung-confluent))
- Support CEF format for `Syslog` output ([PR#386](https://github.com/falcosecurity/falcosidekick/pull/386)
- Allow to disable STS check for `AWS` output ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387)
+- Support CEF format for `Syslog` output ([PR#386](https://github.com/falcosecurity/falcosidekick/pull/386))
+- Allow to disable STS check for `AWS` output ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387))

 #### Fix
 - Fix `priority` label was replaced by `source` in `AlertManager` payload ([PR#340](https://github.com/falcosecurity/falcosidekick/pull/340) thanks to [@tks98](https://github.com/tks98))
- Fix missing cert checks + fix inverted logic to use them in codebase ([PR#345](https://github.com/falcosecurity/falcosidekick/pull/345) 
+- Fix missing cert checks + fix inverted logic to use them in codebase ([PR#345](https://github.com/falcosecurity/falcosidekick/pull/345))
 - Fix race condition when headers are added to POST requests ([PR#380](https://github.com/falcosecurity/falcosidekick/pull/380) thanks to [@bc-sb](https://github.com/bc-sb))

 ## 2.26.0 - 2022-06-18
--- a/6
+++ b/6
@ -1,9 +1,9 @@
-ARG BASE_IMAGE=alpine:3.17
+ARG BASE_IMAGE=alpine:3.19
 # Final Docker image
 FROM ${BASE_IMAGE} AS final-stage
-LABEL MAINTAINER "Thomas Labarussias <issif+falcosidekick@gadz.org>"
+LABEL MAINTAINER="Thomas Labarussias <issif+falcosidekick@gadz.org>"

-RUN apk add --update --no-cache ca-certificates
+RUN apk add --update --no-cache ca-certificates gcompat

 # Create user falcosidekick
 RUN addgroup -S falcosidekick && adduser -u 1234 -S falcosidekick -G falcosidekick
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -1,5 +1,5 @@
-ARG BUILDER_IMAGE=golang:1.20-bullseye
-ARG BASE_IMAGE=alpine:3.17
+ARG BUILDER_IMAGE=golang:1.21-bullseye
+ARG BASE_IMAGE=alpine:3.19

 FROM ${BUILDER_IMAGE} AS build-stage

@ -12,7 +12,7 @@ RUN make falcosidekick

 # Final Docker image
 FROM ${BASE_IMAGE} AS final-stage
-LABEL MAINTAINER "Thomas Labarussias <issif+falcosidekick@gadz.org>"
+LABEL MAINTAINER="Thomas Labarussias <issif+falcosidekick@gadz.org>"

 RUN apk add --update --no-cache ca-certificates

--- a/206
+++ b/206
@ -1,6 +1,212 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2024 The Falco Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+-------------------------
+
 MIT License

 Copyright (c) 2018 Thomas Labarussias
+Copyright (C) 2024 The Falco Authors

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/24
+++ b/24
@ -2,7 +2,6 @@
 SHELL=/bin/bash -o pipefail

 .DEFAULT_GOAL:=help
-
 GOPATH  := $(shell go env GOPATH)
 GOARCH  := $(shell go env GOARCH)
 GOOS    := $(shell go env GOOS)
@ -41,10 +40,13 @@ TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
 GO_INSTALL = ./hack/go_install.sh

 # Binaries.
-GOLANGCI_LINT_VER := v1.52.2
+GOLANGCI_LINT_VER := v1.57.2
 GOLANGCI_LINT_BIN := golangci-lint
 GOLANGCI_LINT := $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)

+# Docker
+IMAGE_TAG := falcosecurity/falcosidekick:latest
+
 ## --------------------------------------
 ## Build
 ## --------------------------------------
@ -52,16 +54,20 @@ GOLANGCI_LINT := $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)
 .PHONY: falcosidekick
 falcosidekick:
 	$(GO) mod download
-	$(GO) build -trimpath -ldflags "$(LDFLAGS)" -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o $@ .
+	GOOS=$(GOOS) GOARCH=$(GOARCH) $(GO) build -trimpath -ldflags "$(LDFLAGS)" -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o $@ .

-.PHONY: falcosidekick-linux-amd64
-falcosidekick-linux-amd64:
+.PHONY: falcosidekick-linux
+falcosidekick-linux:
 	$(GO) mod download
-	GOOS=linux GOARCH=amd64 $(GO) build -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o falcosidekick .
+	GOOS=linux GOARCH=$(GOARCH) $(GO) build -ldflags "$(LDFLAGS)" -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o falcosidekick .

 .PHONY: build-image
-build-image: falcosidekick-linux-amd64
-	$(DOCKER) build -t falcosecurity/falcosidekick:latest .
+build-image: falcosidekick-linux
+	$(DOCKER) build -t $(IMAGE_TAG) .
+
+.PHONY: push-image
+push-image:
+	$(DOCKER) push $(IMAGE_TAG)

 ## --------------------------------------
 ## Test
@ -93,7 +99,7 @@ lint-full: $(GOLANGCI_LINT) ## Run slower linters to detect possible issues

 .PHONY: goreleaser-snapshot
 goreleaser-snapshot: ## Release snapshot using goreleaser
-	LDFLAGS="$(LDFLAGS)" goreleaser --snapshot --skip-sign --clean
+	LDFLAGS="$(LDFLAGS)" goreleaser --snapshot --skip=sign --clean

 ## --------------------------------------
 ## Tooling Binaries
--- a/README.md
+++ b/README.md
--- a/config.go
+++ b/config.go
--- a/config_example.yaml
+++ b/config_example.yaml
@ -8,18 +8,28 @@ customfields: # custom fields are added to falco events and metrics, if the valu
 templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values
  # Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}'
 # bracketreplacer: "_" # if not empty, the brackets in keys of Output Fields are replaced
+customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used
+  - tagA
+  - tagB
+outputFieldFormat: "<timestamp>: <priority> <output> <custom_fields> <templated_fields>" # if not empty, allow to change the format of the output field. (default: "<timestamp>: <priority> <output>")
 mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")
 mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy
  certfile: "/etc/certs/client/client.crt" # client certification file
  keyfile: "/etc/certs/client/client.key" # client key
  cacertfile: "/etc/certs/client/ca.crt" # for server certification
+tlsclient:
+  cacertfile: "/etc/certs/client/ca.crt" # CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty
 tlsserver:
  deploy: false # if true, TLS server will be deployed instead of HTTP
  certfile: "/etc/certs/server/server.crt" # server certification file
  keyfile: "/etc/certs/server/server.key" # server key
  mutualtls: false # if true, mTLS server will be deployed instead of TLS, deploy also has to be true
  cacertfile: "/etc/certs/server/ca.crt" # for client certification if mutualtls is true
-
+  notlsport: 2810 # port to serve http server serving selected endpoints (default: 2810)
+  notlspaths: # if not empty, and tlsserver.deploy is true, a separate http server will be deployed for the specified endpoints
+    - "/ping"
+    # - "/metrics"
+    # - "/healthz"

 slack:
  webhookurl: "" # Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
@ -53,18 +63,28 @@ mattermost:
  # checkcert: true # check if ssl certificate of the output is valid (default: true)

 teams:
-  webhookurl: "" # Teams WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Teams output is enabled
+  webhookurl: "" # Teams WebhookURL, if not empty, Teams output is enabled
  #activityimage: "" # Image for message section
  outputformat: "all" # all (default), text, facts
  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

+webex:
+  # webhookurl: "" # Webex WebhookURL, if not empty, Teams Webex is enabled
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
 datadog:
  # apikey: "" # Datadog API Key, if not empty, Datadog output is enabled
  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://api.datadoghq.com"
  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

+datadoglogs:
+  # apikey: "" # Datadog API Key, if not empty, Datadog Logs output is enabled
+  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/"
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # service: "" # The name of the application or service generating the log events.
+
 alertmanager:
-  # hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
+  # hostport: "" # Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is enabled
  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
  # checkcert: true # check if ssl certificate of the output is valid (default: true)
@ -75,19 +95,45 @@ alertmanager:
  # customseveritymap: "" # comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: "")
  # dropeventdefaultpriority: "" # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: "critical")
  # dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default: `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"`)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value

 elasticsearch:
  # hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
  # index: "falco" # index (default: falco)
  # type: "_doc"
+  # pipeline: "" # optional ingest pipeline name
  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # apikey: "" # use this APIKey to authenticate to Elasticsearch if the APIKey is not empty (default: "")
  # username: "" # use this username to authenticate to Elasticsearch if the username is not empty (default: "")
  # password: "" # use this password to authenticate to Elasticsearch if the password is not empty (default: "")
+  # flattenfields: false # replace . by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false)
+  # createindextemplate: false # create an index template (default: false)
+  # numberofshards: 3 # number of shards set by the index template (default: 3)
+  # numberofreplicas: 3 # number of replicas set by the index template (default: 3)
  # customHeaders: # Custom headers to add in POST, useful for Authentication
  #   key: value
+  # enablecompression: false # if true enables gzip compression for http requests (default: false)
+  # batching: # batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API
+  #   enabled: true # if true enables batching
+  #   batchsize: 5242880 # batch size in bytes (default: 5 MB)
+  #   flushinterval: 1s # batch fush interval (default: 1s)
+  # maxconcurrentrequests: 1 # max number of concurrent http requests (default: 1)
+
+quickwit:
+  # hostport: "" # http(s)://{domain or ip}:{port}, if not empty, Quickwit output is enabled
+  # apiendpoint: "/api/v1"
+  # index: "falco" # index (default: falco)
+  # version: "0.7"
+  # autocreateindex: false # create the index mapping if true and if the index doesn't already exists
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

 influxdb:
  # hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
@ -110,6 +156,7 @@ loki:
  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
  # checkcert: true # check if ssl certificate of the output is valid (default: true)
  # tenant: "" # Add the Tenant header
+  # format: "text" # Format for the log entry value: json, text (default)
  # endpoint: "/loki/api/v1/push" # The endpoint URL path, default is "/loki/api/v1/push" more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush
  # extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
  # customHeaders: # Custom headers to add in POST, useful for Authentication
@ -117,6 +164,7 @@ loki:

 nats:
  # hostport: "" # nats://{domain or ip}:{port}, if not empty, NATS output is enabled
+  # subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
  # checkcert: true # check if ssl certificate of the output is valid (default: true)
@ -125,6 +173,7 @@ stan:
  # hostport: "" # nats://{domain or ip}:{port}, if not empty, STAN output is enabled
  # clusterid: "" # Cluster name, if not empty, STAN output is enabled
  # clientid: "" # Client ID, if not empty, STAN output is enabled
+  # subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
  # checkcert: true # check if ssl certificate of the output is valid (default: true)
@ -152,8 +201,10 @@ aws:
    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
  s3:
    # bucket: "falcosidekick" # AWS S3, bucket name
-    # prefix : "" # name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    # prefix: "" # name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # endpoint: "" # endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs
+    # objectcannedacl: "bucket-owner-full-control" # Canned ACL (x-amz-acl) to use when creating the object
  securitylake.:
    # bucket: "" # Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled
    # region: "" # Bucket Region  (mandatory)
@ -194,7 +245,7 @@ dogstatsd:
  #   key: "value"

 opsgenie:
-  # apikey: "2c771471-e2af-4dc6-bd35-e7f6ff479b64" # Opsgenie API Key, if not empty, Opsgenie output is enabled
+  # apikey: "" # Opsgenie API Key, if not empty, Opsgenie output is enabled
  region: "eu" # (us|eu) region of your domain
  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

@ -270,10 +321,11 @@ cliq:
  messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Cliq Text above Table, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Table.

 kafka:
-  hostport: "" # Apache Kafka Host:Port (ex: localhost:9092). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
+  hostport: "" # comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
  topic: "" # Name of the topic, if not empty, Kafka output is enabled
  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
  sasl: "" # SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512)
+  tls: false # Use TLS for the connections (default: false)
  username: "" # use this username to authenticate to Kafka via SASL (default: "")
  password: "" # use this password to authenticate to Kafka via SASL (default: "")
  # async: false # produce messages without blocking (default: false)
@ -365,7 +417,7 @@ fission:
 policyreport:
  enabled: false # if true policyreport output is enabled
  kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
-  failthreshold: 4 # events with priority above this threshold are mapped to fail in PolicyReport Summary and lower that those are mapped to warn (default=4)
+  falconamespace: "" # Set the namespace where Falco is running (only if falcosidekick is running outside the cluster)
  maxevents: 1000 # the max number of events per report(default: 1000)
  prunebypriority: false # if true; the events with lowest severity are pruned first, in FIFO order (default: false)

@ -471,3 +523,69 @@ openobserve:
  # password: "" # use this password to authenticate to OpenObserve if the password is not empty (default: "")
  # customHeaders: # Custom headers to add in POST, useful for Authentication
  #   key: value
+
+dynatrace:
+  apitoken: "" # Dynatrace API token with the "logs.ingest" scope, more info : https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled
+  apiurl: "" # Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+sumologic:
+  receiverURL: "" # Sumologic HTTP Source URL, if not empty, Sumologic output is enabled
+  # sourceCategory: "" # Override the default Sumologic Source Category
+  # sourceHost: "" # Override the default Sumologic Source Host
+  # name: "" # Override the default Sumologic Source Name
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+otlp:
+  traces:
+    # endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/traces), if not empty, OTLP Traces output is enabled
+    # protocol: "" # OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json)
+    # timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # synced: false # Set to true if you want traces to be sent synchronously (default: false)
+    # duration: 1000 # Artificial span duration in milliseconds (default: 1000)
+    # extraenvvars: # Extra env vars (override the other settings)
+      # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # checkcert: true # Set if you want to skip TLS certificate validation (default: true)
+  logs:
+    # endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/logs), if not empty, OTLP Traces output is enabled
+    # protocol: "" # OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json)
+    # timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # extraenvvars: # Extra env vars (override the other settings)
+      # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # checkcert: true # Set if you want to skip TLS certificate validation (default: true)
+  metrics:
+    # endpoint: "" # OTLP endpoint, typically in the form http(s)://{domain or ip}:4318(/v1/metrics), if not empty, OTLP Metrics output is enabled
+    # protocol: "" # OTLP transport protocol to be used for metrics data; it can be "grpc" or "http/protobuf" (default: "grpc")
+    # timeout: "" # OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # extraenvvars: # Extra env vars (override the other settings) (default: "")
+      # OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "")
+    # checkcert: true # Set to false if you want to skip TLS certificate validation (only with https) (default: true)
+    # extraattributes: "" # Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields
+
+talon:
+  # address: "" # Falco talon address, if not empty, Falco Talon output is enabled
+  # checkcert: false # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+logstash:
+  # address: "" # Logstash address, if not empty, Logstash output is enabled
+  # port: 5044 # Logstash port number (default: 5044)
+  # tls: false # communicate over tls; requires Logstash version 8+ to work 
+  # mutualtls: false # or authenticate to the output with TLS; if true, checkcert flag will be ignored (server cert will always be checked) (default: false)
+  # checkcert: true # Check if ssl certificate of the output is valid (default: true)
+  # certfile: "" # Use this certificate file instead of the client certificate when using mutual TLS (default: "")
+  # keyfile: "" # Use this key file instead of the client certificate when using mutual TLS (default: "")
+  # cacertfile: "" # Use this CA certificate file instead of the client certificate when using mutual TLS (default: "")
+  # minimumpriority: minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "debug")
+  # tags: ["falco"] # An additional list of tags that will be added to those produced by Falco (default: [])
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -58,3 +58,15 @@ services:
    ports:
      - "9093:9093"
    profiles: [alertmanager]
+
+  minio:
+    image: quay.io/minio/minio
+    environment:
+      - MINIO_ROOT_USER=root
+      - MINIO_ROOT_PASSWORD=super-secret
+      - MINIO_DOMAIN=minio.localhost
+    command: server /data --console-address ":9001"
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    profiles: [minio]
--- a/docs/outputs/EXAMPLE.md
+++ b/docs/outputs/EXAMPLE.md
@ -0,0 +1,35 @@
+# Output Name
+
+- **Category**: Category of the output
+- **Website**: URL of the output
+
+## Table of content
+
+- [Output Name](#output-name)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting | Env var | Default value | Description |
+| ------- | ------- | ------------- | ----------- |
+|         |         |               |             |
+|         |         |               |             |
+|         |         |               |             |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+output:
+  setting: ""
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/alertmanager.md
+++ b/docs/outputs/alertmanager.md
@ -0,0 +1,55 @@
+# AlertManager
+
+- **Category**: Alerting
+- **Website**: https://github.com/prometheus/alertmanager
+
+## Table of content
+
+- [AlertManager](#alertmanager)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|                 Setting                 |                 Env var                 |                            Default value                             |                                                                                                               Description                                                                                                                |
+| --------------------------------------- | --------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `alertmanager.hostport`                 | `ALERTMANAGER_HOSTPORT`                 |                                                                      | Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is **enabled**                                                                                                 |
+| `alertmanager.mutualtls`                | `ALERTMANAGER_MUTUALTLS`                | `false`                                                              | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                                                                                                                        |
+| `alertmanager.checkcert`                | `ALERTMANAGER_CHECKCERT`                | `true`                                                               | check if ssl certificate of the output is valid                                                                                                                                                                                          |
+| `alertmanager.endpoint`                 | `ALERTMANAGER_ENDPOINT`                 | `/api/v1/alerts`                                                     | Alertmanager endpoint for posting alerts `/api/v1/alerts` or `/api/v2/alerts`                                                                                                                                                            |
+| `alertmanager.expiresafter`             | `ALERTMANAGER_EXPIRESAFTER`             | `0`                                                                  | If set to a non-zero value, alert expires after that time in seconds                                                                                                                                                                     |
+| `alertmanager.extralabels`              | `ALERTMANAGER_EXTRALABELS`              |                                                                      | Comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: `my_annotation_1:my_value_1, my_annotation_1:my_value_2`                                                                 |
+| `alertmanager.extraannotations`         | `ALERTMANAGER_EXTRAANNOTATIONS`         |                                                                      | Comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts Example: `debug:value_1,critical:value2`                                                                                      |
+| `alertmanager.customseveritymap`        | `ALERTMANAGER_CUSTOMSEVERITYMAP`        |                                                                      | Comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: `debug:value_1,critical:value2` |
+| `alertmanager.dropeventdefaultpriority` | `ALERTMANAGER_DROPEVENTDEFAULTPRIORITY` | `critical`                                                           | Default priority of dropped events, values are `emergency,alert,critical,error,warning,notice,informational,debug`                                                                                                                       |
+| `alertmanager.dropeventthresholds`      | `ALERTMANAGER_DROPEVENTTHRESHOLDS`      | `10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning` | Comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational`                                   |
+| `alertmanager.minimumpriority`          | `ALERTMANAGER_MINIMUMPRIORITY`          | `""` (= `debug`)                                                     | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                      |
+| `alertmanager.customheaders`            | `ALERTMANAGER_CUSTOMHEADERS`            |                                                                      | Custom headers for the POST request                                                                                                                                                                                                      |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+alertmanager:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # endpoint: "" # alertmanager endpoint for posting alerts: "/api/v1/alerts" or "/api/v2/alerts" (default: "/api/v1/alerts")
+  # expiresafter: "" if set to a non-zero value, alert expires after that time in seconds (default: 0)
+  # extralabels: "" # comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2
+  # extraannotations: "" # comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2
+  # customseveritymap: "" # comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: "")
+  # dropeventdefaultpriority: "" # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: "critical")
+  # dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default: `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"`)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+```
+
+## Screenshots
+
+![alertmanager example](images/alertmanager.png)
--- a/docs/outputs/aws_cloudwatch_logs.md
+++ b/docs/outputs/aws_cloudwatch_logs.md
@ -0,0 +1,76 @@
+# AWS Cloudwatch Logs
+
+- **Category**: Logs
+- **Website**: https://aws.amazon.com/cloudwatch/features/
+
+## Table of content
+
+- [AWS Cloudwatch Logs](#aws-cloudwatch-logs)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [CloudWatch Logs Sample IAM Policy](#cloudwatch-logs-sample-iam-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                              | Env var                              | Default value    | Description                                                                                                                         |
+| ------------------------------------ | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`                    | `AWS_ACCESSKEYID`                    |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`                | `AWS_SECRETACCESSKEY`                |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                         | `AWS_REGION`                         |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                        | `AWS_ROLEARN`                        |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`                     | `AWS_EXTERNALID`                     |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`                  | `AWS_CHECKIDENTITY`                  | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.cloudwatchlogs.loggroup`        | `AWS_CLOUDWATCHLOGS_LOGGROUP`        |                  | AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is **enabled**                                                 |
+| `aws.cloudwatchlogs.logstream`       | `AWS_CLOUDWATCHLOGS_LOGSTREAM`       |                  | AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream                                            |
+| `aws.cloudwatchlogs.minimumpriority` | `AWS_CLOUDWATCHLOGS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  cloudwatchlogs:
+    loggroup : "" #  AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is enabled
+    logstream : "" # AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### CloudWatch Logs Sample IAM Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "cloudwacthlogs",
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:DescribeLogStreams",
+        "logs:PutRetentionPolicy",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+## Screenshots
--- a/docs/outputs/aws_kinesis.md
+++ b/docs/outputs/aws_kinesis.md
@ -0,0 +1,51 @@
+# AWS Kinesis
+
+- **Category**: Message Queue / Streaming
+- **Website**: https://aws.amazon.com/kinesis/
+
+## Table of content
+
+- [AWS Kinesis](#aws-kinesis)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`             | `AWS_ACCESSKEYID`             |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`         | `AWS_SECRETACCESSKEY`         |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                  | `AWS_REGION`                  |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                 | `AWS_ROLEARN`                 |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`              | `AWS_EXTERNALID`              |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`           | `AWS_CHECKIDENTITY`           | `true`           | Check the identity credentials, set to false for locale developments                                                                |             
+| `aws.kinesis.streamname`      | `AWS_KINESIS_STREAMNAME`      |                  | AWS Kinesis Stream Name, if not empty, Kinesis output is **enabled**                                                                |
+| `aws.kinesis.minimumpriority` | `AWS_KINESIS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  kinesis:
+    streamname: "" # AWS Kinesis Stream Name, if not empty, Kinesis output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+## Screenshots
--- a/docs/outputs/aws_lambda.md
+++ b/docs/outputs/aws_lambda.md
@ -0,0 +1,70 @@
+# AWS Lambda
+
+- **Category**: FaaS / Serverless
+- **Website**: https://aws.amazon.com/lambda/features/
+
+## Table of content
+
+- [AWS Lambda](#aws-lambda)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Lambda Sample IAM Policy](#lambda-sample-iam-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                      | Env var                      | Default value    | Description                                                                                                                         |
+| ---------------------------- | ---------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`            | `AWS_ACCESSKEYID`            |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`        | `AWS_SECRETACCESSKEY`        |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                 | `AWS_REGION`                 |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                | `AWS_ROLEARN`                |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`             | `AWS_EXTERNALID`             |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`          | `AWS_CHECKIDENTITY`          | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.lambda.functionname`    | `AWS_LAMBDA_FUNCTIONNAME`    |                  | Lambda function name, if not empty, AWS Lambda output is **enabled**                                                                |
+| `aws.lambda.minimumpriority` | `AWS_LAMBDA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  lambda:
+    functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### Lambda Sample IAM Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Id": "lambda",
+  "Statement": [
+    {
+      "Sid": "invoke",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+## Screenshots
--- a/docs/outputs/aws_s3.md
+++ b/docs/outputs/aws_s3.md
@ -0,0 +1,57 @@
+# AWS S3
+
+- **Category**: Object storage
+- **Website**: https://aws.amazon.com/s3/features/
+
+## Table of content
+
+- [AWS S3](#aws-s3)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                  | Env var                  | Default value               | Description                                                                                                                         |
+|--------------------------|--------------------------|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| `aws.accesskeyid`        | `AWS_ACCESSKEYID`        |                             | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`    | `AWS_SECRETACCESSKEY`    |                             | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`             | `AWS_REGION`             |                             | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`            | `AWS_ROLEARN`            |                             | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`         | `AWS_EXTERNALID`         |                             | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`      | `AWS_CHECKIDENTITY`      | `true`                      | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.s3.bucket`          | `AWS_S3_BUCKET`          |                             | AWS S3 bucket name, if not empty, AWS S3 output is **enabled**                                                                      |
+| `aws.s3.prefix`          | `AWS_S3_PREFIX`          |                             | Prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json                                   |
+| `aws.s3.minimumpriority` | `AWS_S3_MINIMUMPRIORITY` | `""` (= `debug`)            | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `aws.s3.endpoint`        | `AWS_S3_ENDPOINT`        |                             | Endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs                                         |
+| `aws.s3.objectcannedacl` | `AWS_S3_OBJECTCANNEDACL` | `bucket-owner-full-control` | Canned ACL (`x-amz-acl`) to use when creating the object                                                                            |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  s3:
+    bucket: "falcosidekick" # AWS S3, bucket name
+    prefix : "" # Prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # endpoint: "" # endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs
+    # objectcannedacl: "bucket-owner-full-control" # Canned ACL (x-amz-acl) to use when creating the object
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+## Screenshots
--- a/docs/outputs/aws_security_lake.md
+++ b/docs/outputs/aws_security_lake.md
@ -0,0 +1,61 @@
+# AWS Security Lake
+
+- **Category**: SIEM
+- **Website**: https://aws.amazon.com/security-lake/
+
+## Table of content
+
+- [AWS Security Lake](#aws-security-lake)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                            | Env var                            | Default value    | Description                                                                                                                         |
+| ---------------------------------- | ---------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`                  | `AWS_ACCESSKEYID`                  |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`              | `AWS_SECRETACCESSKEY`              |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                       | `AWS_REGION`                       |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                      | `AWS_ROLEARN`                      |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`                   | `AWS_EXTERNALID`                   |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`                | `AWS_CHECKIDENTITY`                | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.securitylake.bucket`          | `AWS_SECURITYLAKE_BUCKET`          |                  | Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is **enabled**                                              |
+| `aws.securitylake.region`          | `AWS_SECURITYLAKE_REGION`          |                  | Bucket Region for AWS SecurityLake data                                                                                             |
+| `aws.securitylake.prefix`          | `AWS_SECURITYLAKE_PREFIX`          |                  | Prefix for keys                                                                                                                     |
+| `aws.securitylake.accountid`       | `AWS_SECURITYLAKE_ACCOUNTID`       |                  | Account ID                                                                                                                          |
+| `aws.securitylake.interval`        | `AWS_SECURITYLAKE_INTERVAL`        | `5`              | Time in minutes between two puts to S3 (must be between 5 and 60min)                                                                |
+| `aws.securitylake.batchsize`       | `AWS_SECURITYLAKE_BATCHSIZE`       | `1000`           | Max number of events by parquet file                                                                                                |
+| `aws.securitylake.minimumpriority` | `AWS_SECURITYLAKE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  securitylake.:
+    bucket: "" # Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled
+    region: "" # Bucket Region
+    prefix: "" # Prefix for keys
+    accountid: "" # Account ID
+    # interval: 5 # Time in minutes between two puts to S3 (must be between 5 and 60min) (default: 5min)
+    # batchsize: 1000 # Max number of events by parquet file (default: 1000)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+## Screenshots
--- a/docs/outputs/aws_sns.md
+++ b/docs/outputs/aws_sns.md
@ -0,0 +1,73 @@
+# AWS SNS
+
+- **Category**: Message queue / Streaming
+- **Website**: https://aws.amazon.com/sns/features/
+
+## Table of content
+
+- [AWS SNS](#aws-sns)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [SNS Sample Policy](#sns-sample-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`         | `AWS_ACCESSKEYID`         |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`     | `AWS_SECRETACCESSKEY`     |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`              | `AWS_REGION`              |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`             | `AWS_ROLEARN`             |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`          | `AWS_EXTERNALID`          |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`       | `AWS_CHECKIDENTITY`       | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.sns.topicarn`        | `AWS_SNS_TOPICARN`        |                  | SNS TopicArn, if not empty, AWS SNS output is **enabled**                                                                           |
+| `aws.sns.rawjson`         | `AWS_SNS_RAWJSON`         | `false`          | end Raw JSON or parse it                                                                                                            |
+| `aws.sns.minimumpriority` | `AWS_SNS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  sns:
+    # topicarn : "" # SNS TopicArn, if not empty, AWS SNS output is enabled
+    rawjson: false # Send Raw JSON or parse it (default: false)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### SNS Sample Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Id": "sns",
+  "Statement": [
+    {
+      "Sid": "publish",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "sns:Publish",
+      "Resource": "arn:aws:sqs:*:111122223333:queue1"
+    }
+  ]
+}
+```
+
+
+## Screenshots
--- a/docs/outputs/aws_sqs.md
+++ b/docs/outputs/aws_sqs.md
@ -0,0 +1,72 @@
+# AWS SQS
+
+- **Category**: Message queue / Streaming
+- **Website**: https://aws.amazon.com/sqs/features/
+
+## Table of content
+
+- [AWS SQS](#aws-sqs)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [SQS Sample IAM Policy](#sqs-sample-iam-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`         | `AWS_ACCESSKEYID`         |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`     | `AWS_SECRETACCESSKEY`     |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`              | `AWS_REGION`              |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`             | `AWS_ROLEARN`             |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`          | `AWS_EXTERNALID`          |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`       | `AWS_CHECKIDENTITY`       | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.sqs.url`             | `AWS_SQS_URL`             |                  | SQS Queue URL, if not empty, AWS SQS output is **enabled**                                                                          |
+| `aws.sqs.minimumpriority` | `AWS_SQS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  sqs:
+    # url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### SQS Sample IAM Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Id": "sqs",
+  "Statement": [
+    {
+      "Sid": "sendMessage",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "sqs:SendMessage",
+      "Resource": "arn:aws:sqs:*:111122223333:queue1"
+    }
+  ]
+}
+```
+
+## Screenshots
+
+![aws sqs example](images/aws_sqs.png)
--- a/docs/outputs/azure_event_hub.md
+++ b/docs/outputs/azure_event_hub.md
@ -0,0 +1,37 @@
+# Azure EventHub
+
+- **Category**: Message queue / Streaming
+- **Website**: https://azure.microsoft.com/en-in/services/event-hubs/²
+## Table of content
+
+- [Azure EventHub](#azure-eventhub)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                          | Env var                          | Default value    | Description                                                                                                                         |
+| -------------------------------- | -------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `azure.eventhub.name`            | `AZURE_EVENTHUB_NAME`            |                  | Name of the Hub, if not empty, EventHub is **enabled**                                                                              |
+| `azure.eventhub.namespace`       | `AZURE_EVENTHUB_NAMESPACE`       |                  | Name of the space the Hub is in                                                                                                     |
+| `azure.eventhub.minimumpriority` | `AZURE_EVENTHUB_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+azure:
+  eventhub:
+    name: "" # Name of the Hub, if not empty, EventHub is enabled
+    namespace: "" # Name of the space the Hub is in
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/cliq.md
+++ b/docs/outputs/cliq.md
@ -0,0 +1,59 @@
+# Zoho Cliq
+
+- **Category**: Chat
+- **Website**: https://www.zoho.com/cliq/
+
+## Table of content
+
+- [Zoho Cliq](#zoho-cliq)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Message Formatting](#message-formatting)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                | Env var                | Default value    | Description                                                                                                                                                                                                                                            |
+| ---------------------- | ---------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `cliq.webhookurl`      | `CLIQ_WEBHOOKURL`      |                  | WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is **enabled**                                                                                                                        |
+| `cliq.icon`            | `CLIQ_ICON`            |                  | Cliq icon (avatar)                                                                                                                                                                                                                                     |
+| `cliq.useemoji`        | `CLIQ_USEEMOJI`        | `true`           | Prefix message text with an emoji                                                                                                                                                                                                                      |
+| `cliq.outputformat`    | `CLIQ_OUTPUTFORMAT`    | `all`            | `all`, `text`, `fields`                                                                                                                                                                                                                                |
+| `cliq.messageformat`   | `CLIQ_MESSAGEFORMAT`   |                  | A Go template to format Cliq Text above Attachment, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
+| `cliq.minimumpriority` | `CLIQ_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                                    |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+cliq:
+  webhookurl: "" # WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is enabled
+  # icon: "" # Cliq icon (avatar)
+  # useemoji: true # Prefix message text with an emoji
+  # outputformat: "all" # all (default), text, fields
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index.OutputFields "user.name" }}*' # a Go template to format Cliq Text above Table, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Table.
+```
+
+## Additional info
+
+### Message Formatting
+
+The `CLIQ_MESSAGEFORMAT` environment variable and `cliq.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Cliq alert.
+These templates are evaluated on the JSON data from each Falco event. The following fields are available:
+
+| Template Syntax                              | Description                                                                                                                                                        |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `{{ .Output }}`                              | A formatted string from Falco describing the event.                                                                                                                |
+| `{{ .Priority }}`                            | The priority of the event, as a string.                                                                                                                            |
+| `{{ .Rule }}`                                | The name of the rule that generated the event.                                                                                                                     |
+| `{{ .Time }}`                                | The timestamp when the event occurred.                                                                                                                             |
+| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
+
+Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
+
+## Screenshots
--- a/docs/outputs/cloudevents.md
+++ b/docs/outputs/cloudevents.md
@ -0,0 +1,48 @@
+# Cloud Events
+
+- **Category**: FaaS / Serverless
+- **Website**: https://cloudevents.io/
+
+## Table of content
+
+- [Cloud Events](#cloud-events)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `cloudevents.address`         | `CLOUDEVENTS_ADDRESS`         |                  | CloudEvents consumer http address, if not empty, CloudEvents output is **enabled**                                                  |
+| `cloudevents.extensions`      | `CLOUDEVENTS_EXTENSIONS`      |                  | Extensions to add in the outbound Event, useful for routing                                                                         |
+| `cloudevents.mutualtls`       | `CLOUDEVENTS_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `cloudevents.checkcert`       | `CLOUDEVENTS_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `cloudevents.minimumpriority` | `CLOUDEVENTS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+cloudevents:
+  address: "" # CloudEvents consumer http address, if not empty, CloudEvents output is enabled
+  # extensions: # Extensions to add in the outbound Event, useful for routing
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+```
+
+## Additional info
+
+> [!NOTE]
+This output works with [`KNative`](https://knative.dev/).
+
+## Screenshots
+
+
--- a/docs/outputs/datadog.md
+++ b/docs/outputs/datadog.md
@ -0,0 +1,41 @@
+# Datadog
+
+- **Category**: Observability
+- **Website**: https://www.datadoghq.com/
+
+## Table of content
+
+- [Datadog](#datadog)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value               | Description                                                                                                                         |
+| ------------------------- | ------------------------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `datadog.apikey`          | `DATADOG_APIKEY`          |                             | Datadog API Key, if not empty, Datadog output is **enabled**                                                                        |
+| `datadog.host`            | `DATADOG_HOST`            | `https://api.datadoghq.com` | Datadog host. Override if you are on the Datadog EU site                                                                            |
+| `datadog.minimumpriority` | `DATADOG_MINIMUMPRIORITY` | `""` (= `debug`)            | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+datadog:
+  apikey: "" # Datadog API Key, if not empty, Datadog output is enabled
+  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://api.datadoghq.com"
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+Filter the events in the UI with `sources: falco`.
+
+## Screenshots
+
+![datadog example](images/datadog.png)
--- a/docs/outputs/datadog_logs.md
+++ b/docs/outputs/datadog_logs.md
@ -0,0 +1,43 @@
+# Datadog Logs
+
+- **Category**: Logs
+- **Website**: https://www.datadoghq.com/
+
+## Table of content
+
+- [Datadog Logs](#datadogLogs)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                     | Default value              | Description                                                                                                                       |
+|-------------------------------|-----------------------------| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| `datadoglogs.apikey`          | `DATADOGLOGS_APIKEY`        |                            | Datadog API Key, if not empty, Datadog Logs output is **enabled**                                                                      |
+| `datadoglogs.host`            | `DATADOGLOGS_HOST`          | `https://http-intake.logs.datadoghq.com/` | Datadog host. Override if you are on the Datadog EU site                                                                          |
+| `datadoglogs.minimumpriority` | `DATADOGLOGS_MINIMUMPRIORITY` | `""` (= `debug`)           | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `datadoglogs.service`         | `DATADOGLOGS_SERVICE`       | `""`            | The name of the application or service generating the log events. |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+datadoglogs:
+  apikey: "" # Datadog API Key, if not empty, Datadog Logs output is enabled
+  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/"
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # service: "" # The name of the application or service generating the log events.
+```
+
+## Additional info
+
+Filter the logs in the UI with `sources: falco`.
+
+## Screenshots
+
+![datadog example](images/datadog_logs.png)
--- a/docs/outputs/discord.md
+++ b/docs/outputs/discord.md
@ -0,0 +1,39 @@
+# Discord
+
+- **Category**: Chat
+- **Website**: https://www.discord.com/
+
+## Table of content
+
+- [Discord](#discord)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `discord.webhookurl`      | `DISCORD_WEBHOOKURL`      |                  | Discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is **enabled**                |
+| `discord.ICON`            | `DISCORD_ICON`            |                  | Discord icon (avatar)                                                                                                               |
+| `discord.minimumpriority` | `DISCORD_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+discord:
+  webhookurl: "" # discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is enabled
+  # icon: "" # Discord icon (avatar)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
+
+![discord example](images/discord.png)
--- a/docs/outputs/dogstatsd.md
+++ b/docs/outputs/dogstatsd.md
@ -0,0 +1,38 @@
+# Dogstatsd
+
+- **Category**: Metrics / Observability
+- **Website**: https://docs.datadoghq.com/developers/dogstatsd/?tab=go
+
+## Table of content
+
+- [Dogstatsd](#dogstatsd)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting               | Env var               | Default value    | Description                                                                                             |
+| --------------------- | --------------------- | ---------------- | ------------------------------------------------------------------------------------------------------- |
+| `dogstastd.forwarded` | `DOGSTASTD_FORWARDED` |                  | The address for the DogStatsD forwarder, in the form "host:port", if not empty DogStatsD is **enabled** |
+| `dogstastd.namespace` | `DOGSTASTD_NAMESPACE` | `falcosidekick.` | A prefix for all metrics                                                                                |
+| `dogstastd.tags`      | `DOGSTASTD_TAGS`      |                  | Comma separeted list of key:value to add as tags to the metrics                                         |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+dogstatsd:
+  forwarder: "" # The address for the DogStatsD forwarder, in the form "host:port", if not empty DogStatsD is enabled
+  namespace: "falcosidekick." # A prefix for all metrics (default: "falcosidekick.")
+  # tag : # Tags to add to the metrics
+  #   key: "value"
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/dynatrace.md
+++ b/docs/outputs/dynatrace.md
@ -0,0 +1,41 @@
+# Dynatrace
+
+- **Category**: Metrics / Observability
+- **Website**: https://www.dynatrace.com/
+
+## Table of content
+
+- [Dynatrace](#dynatrace)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|           Setting           |           Env var           |  Default value   |                                                                                           Description                                                                                           |
+| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `dynatrace.api_token`       | `DYNATRACE_APITOKEN`        |                  | Dynatrace API token with the "logs.ingest" scope, more info: https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled                                                              |
+| `dynatrace.apiurl`          | `DYNATRACE_APIURL`          |                  | Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge |
+| `dynatrace.minimumpriority` | `DYNATRACE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                             |
+| `dynatrace.checkcert`       | `DYNATRACE_CHECKCERT`       | `true`           | Check if ssl certificate of the output is valid                                                                                                                                                 |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+dynatrace:
+  apitoken: "" # Dynatrace API token with the "logs.ingest" scope, more info : https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled
+  apiurl: "" # Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Additional info
+
+## Screenshots
+
+![Dynatrace example](images/dynatrace.png)
--- a/docs/outputs/elasticsearch.md
+++ b/docs/outputs/elasticsearch.md
@ -0,0 +1,79 @@
+# Elasticsearch
+
+- **Category**: Logs
+- **Website**: https://www.elastic.co/elasticsearch/
+
+## Table of content
+
+- [Elasticsearch](#elasticsearch)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|               Setting                 |               Env var                  |  Default value   |                                                             Description                                                             |
+| ------------------------------------- | -------------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `elasticsearch.hostport`              | `ELASTICSEARCH_HOSTPORT`               |                  | http://{domain or ip}:{port}, if not empty, Elasticsearch output is **enabled**                                                     |
+| `elasticsearch.index`                 | `ELASTICSEARCH_INDEX`                  | `falco`          | Index                                                                                                                               |
+| `elasticsearch.type`                  | `ELASTICSEARCH_TYPE`                   | `_doc`           | Index                                                                                                                               |
+| `elasticsearch.pipeline`              | `ELASTICSEARCH_PIPELINE`               |                  | Optional ingest pipeline name. Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html           |
+| `elasticsearch.suffix`                | `ELASTICSEARCH_SUFFIX`                 | `daily`          | Date suffix for index rotation : `daily`, `monthly`, `annually`, `none`                                                             |
+| `elasticsearch.apikey`                | `ELASTICSEARCH_APIKEY`                 |                  | Use this APIKey to authenticate to Elasticsearch                                                                                    |
+| `elasticsearch.username`              | `ELASTICSEARCH_USERNAME`               |                  | Use this username to authenticate to Elasticsearch                                                                                  |
+| `elasticsearch.password`              | `ELASTICSEARCH_PASSWORD`               |                  | Use this password to authenticate to Elasticsearch                                                                                  |
+| `elasticsearch.flattenfields`         | `ELASTICSEARCH_FLATTENFIELDS`          | `false`          | Replace . by _ to avoid mapping conflicts, force to true if `createindextemplate=true`                                              |
+| `elasticsearch.createindextemplate`   | `ELASTICSEARCH_CREATEINDEXTEMPLATE`    | `false`          | Create an index template                                                                                                            |
+| `elasticsearch.numberofshards`        | `ELASTICSEARCH_NUMBEROFSHARDS`         | `3`              | Number of shards set by the index template                                                                                          |
+| `elasticsearch.numberofreplicas`      | `ELASTICSEARCH_NUMBEROFREPLICAS`       | `3`              | Number of replicas set by the index template                                                                                        |
+| `elasticsearch.customheaders`         | `ELASTICSEARCH_CUSTOMHEADERS`          |                  | Custom headers to add in POST, useful for Authentication                                                                            |
+| `elasticsearch.mutualtls`             | `ELASTICSEARCH_MUTUALTLS`              | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `elasticsearch.checkcert`             | `ELASTICSEARCH_CHECKCERT`              | `true`           | Check if ssl certificate of the output is valid                                                                                     |
+| `elasticsearch.minimumpriority`       | `ELASTICSEARCH_MINIMUMPRIORITY`        | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `elasticsearch.maxconcurrentrequests` | `ELASTICSEARCH_MAXCONCURRENTREQUESTS`  | `1`              | Max number of concurrent requests                                                                                                   |
+| `elasticsearch.enablecompression`     | `ELASTICSEARCH_ENABLECOMPRESSION`      | `false`          | Enables gzip compression                                                                                                            |
+| `elasticsearch.batching.enabled`      | `ELASTICSEARCH_BATCHING_ENABLED`       | `false`          | Enables batching (utilizing Elasticsearch bulk API)                                                                                 |
+| `elasticsearch.batching.batchsize`    | `ELASTICSEARCH_BATCHING_BATCHSIZE`     | `5242880`        | Batch size in bytes, default 5MB                                                                                                    |
+| `elasticsearch.batching.flushinterval`| `ELASTICSEARCH_BATCHING_FLUSHINTERVAL` | `1s`             | Batch flush interval, use valid Go duration string                                                                                  |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+> [!NOTE]
+Increasing the default number of concurrent requests is a good way to increase throughput of the http outputs. This also increases the potential number of open connections. Choose wisely.
+
+> [!NOTE]
+Enabling batching for Elasticsearch is invaluable when the expected number of falco alerts is in the hundreds or thousands per second. The batching of data can be fine-tuned for your specific use case. The batch request is sent to Elasticsearch when the pending data size reaches `batchsize` or upon the `flushinterval`.
+Enabling gzip compression increases throughput even further.
+
+> [!WARNING]
+By enabling the creation of the index template with `elasticsearch.createindextemplate=true`, the output fields of the Falco events will be flatten to avoid any mapping conflict.
+
+## Example of config.yaml
+
+```yaml
+elasticsearch:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
+  # index: "falco" # index (default: falco)
+  # type: "_doc"
+  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
+  # username: "" # use this username to authenticate to Elasticsearch if the username is not empty (default: "")
+  # password: "" # use this password to authenticate to Elasticsearch if the password is not empty (default: "")
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # enablecompression: # if true enables gzip compression for http requests (default: false)
+  # batching: # batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API
+  #   enabled: true # if true enables batching
+  #   batchsize: 5242880 # batch size in bytes (default: 5 MB)
+  #   flushinterval: 1s # batch fush interval (default: 1s)
+  # maxconcurrentrequests: # max number of concurrent http requests (default: 1)
+```
+
+## Screenshots
+
+With Kibana:
+![kibana example](images/kibana.png)
--- a/docs/outputs/falcosidekick-ui.md
+++ b/docs/outputs/falcosidekick-ui.md
@ -0,0 +1,36 @@
+# Falcosidekick-UI
+
+- **Category**: Metrics / Observability
+- **Website**: https://github.com/falcosecurity/falcosidekick-ui
+
+## Table of content
+
+- [Falcosidekick-UI](#falcosidekick-ui)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting     | Env var     | Default value | Description                                          |
+| ----------- | ----------- | ------------- | ---------------------------------------------------- |
+| `webui.url` | `WEBUI_URL` |               | WebUI URL, if not empty, WebUI output is **enabled** |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+webui:
+  url: "" # WebUI URL, if not empty, WebUI output is enabled
+```
+
+## Additional info
+
+## Screenshots
+
+![falcosidekick-ui dashboard](images/falcosidekick-ui_dashboard.png)
+![falcosidekick-ui events](images/falcosidekick-ui_events.png)
--- a/docs/outputs/fission.md
+++ b/docs/outputs/fission.md
@ -0,0 +1,46 @@
+# Fission
+
+- **Category**: FaaS / Serverless
+- **Website**: URL of the output
+
+## Table of content
+
+- [Fission](#fission)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `fission.function`        | `FISSION_FUNCTION`        |                  | Name of Fission function, if not empty, Fission is **enabled**                                                                      |
+| `fission.routernamespace` | `FISSION_ROUTERNAMESPACE` | `fission`        | Namespace of Fission Router                                                                                                         |
+| `fission.routerservice`   | `FISSION_ROUTERSERVICE`   | `router`         | Service of Fission Router                                                                                                           |
+| `fission.routerport`      | `FISSION_ROUTERPORT`      | `80`             | Port of service of Fission Router                                                                                                   |
+| `fission.mutualtls`       | `FISSION_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `fission.checkcert`       | `FISSION_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `fission.minimumpriority` | `FISSION_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+fission:
+  function: "" # Name of Fission function, if not empty, Fission is enabled
+  routernamespace: "fission" # Namespace of Fission Router, "fission" (default)
+  routerservice: "router" # Service of Fission Router, "router" (default)
+  routerport: 80 # Port of service of Fission Router
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_cloud_functions.md
+++ b/docs/outputs/gcp_cloud_functions.md
@ -0,0 +1,38 @@
+# GCP Cloud Functions
+
+- **Category**: FaaS / Serverless
+- **Website**: https://cloud.google.com/functions
+
+## Table of content
+
+- [GCP Cloud Functions](#gcp-cloud-functions)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                              | Env var                              | Default value    | Description                                                                                                                         |
+| ------------------------------------ | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`                    | `GCP_CREDENTIALS`                    |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.cloudfunctions.name`            | `GCP_CLOUDFUNCTIONS_NAME`            |                  | The name of the Cloud Function, if not empty, Google Cloud Functions is **enabled**                                                 |
+| `gcp.cloudfunctions.minimumpriority` | `GCP_CLOUDFUNCTIONS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  cloudfunctions:
+    name: "" # The name of the Cloud Function, if not empty, GCP Cloud Functions is enabled
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_cloud_run.md
+++ b/docs/outputs/gcp_cloud_run.md
@ -0,0 +1,40 @@
+# GCP Cloud Run
+
+- **Category**: Faas / Serverless
+- **Website**: https://cloud.google.com/run
+
+## Table of content
+
+- [GCP Cloud Run](#gcp-cloud-run)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                        | Env var                        | Default value    | Description                                                                                                                         |
+| ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`              | `GCP_CREDENTIALS`              |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.cloudrun.endpoint`        | `GCP_CLOUDRUN_ENDPOINT`        |                  | The URL of the Cloud Run, if not empty, Google Cloud Run is **enabled**                                                             |
+| `gcp.cloudrun.jwt`             | `GCP_CLOUDRUN_JWT`             |                  | Appropriate JWT to invoke the Cloud Function                                                                                        |
+| `gcp.cloudrun.minimumpriority` | `GCP_CLOUDRUN_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  cloudrun:
+    endpoint: "" # The URL of the Cloud Function
+    jwt: "" # Appropriate JWT to invoke the Cloud Function
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_pub_sub.md
+++ b/docs/outputs/gcp_pub_sub.md
@ -0,0 +1,43 @@
+# GCP PubSub
+
+- **Category**: Message queue / Streaming
+- **Website**: https://cloud.google.com/pubsub
+
+## Table of content
+
+- [GCP PubSub](#gcp-pubsub)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`             | `GCP_CREDENTIALS`             |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.pubsub.projectid`        | `GCP_PUBSUB_PROJECTID`        |                  | The GCP Project ID containing the Pub/Sub Topic, if not empty, GCP PubSub is **enabled**                                            |
+| `gcp.pubsub.topic`            | `GCP_PUBSUB_TOPIC`            |                  | The name of the Pub/Sub topic                                                                                                       |
+| `gcp.pubsub.customattributes` | `GCP_PUBSUB_CUSTOMATTRIBUTES` |                  | Custom attributes to add to the Pub/Sub messages                                                                                    |
+| `gcp.pubsub.minimumpriority`  | `GCP_PUBSUB_MINIMUMPRIORITY`  | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  pubsub:
+    projectid: "" # The GCP Project ID containing the Pub/Sub Topic, if not empty, GCP PubSub is enabled
+    topic: "" # The name of the Pub/Sub topic
+    # customattributes: # Custom attributes to add to the Pub/Sub messages
+    #   key: value
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_storage.md
+++ b/docs/outputs/gcp_storage.md
@ -0,0 +1,40 @@
+# GCP Storage
+
+- **Category**: Object storage
+- **Website**: https://cloud.google.com/storage
+
+## Table of content
+
+- [GCP Storage](#gcp-storage)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`             | `GCP_CREDENTIALS`             |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.storage.bucket`          | `GCP_STORAGE_BUCKET`          |                  | The name of the bucket, if not empty, GCP Storage is **enabled**                                                                    |
+| `gcp.storage.prefix`          | `GCP_STORAGE_PREFIX`          |                  | Prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json                                   |
+| `gcp.storage.minimumpriority` | `GCP_STORAGE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  storage:
+    bucket: "" # The name of the bucket, if not empty, GCP Storage is enabled
+    prefix : "" # Prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/googlechat.md
+++ b/docs/outputs/googlechat.md
@ -0,0 +1,63 @@
+# Google Chat
+
+- **Category**: Chat
+- **Website**: https://workspace.google.com/products/chat/
+
+## Table of content
+
+- [Google Chat](#google-chat)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Message Formatting](#message-formatting)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                      | Env var                      | Default value    | Description                                                                                                                                                                                                                                              |
+| ---------------------------- | ---------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `googlechat.webhookurl`      | `GOOGLECHAT_WEBHOOKURL`      |                  | Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is **enabled**                                                                                                                        |
+| `googlechat.outputformat`    | `GOOGLECHAT_OUTPUTFORMAT`    | `all`            | `all`, `text`                                                                                                                                                                                                                                            |
+| `googlechat.messageformat`   | `GOOGLECHAT_MESSAGEFORMAT`   |                  | A Go template to format Googlechat Text above Attachment, displayed in addition to the output from `GOOGLECHAT_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
+| `googlechat.minimumpriority` | `GOOGLECHAT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                                      |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+googlechat:
+  webhookurl: "" # Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is enabled
+  # outputformat: "" # all (default), text
+  # messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index.OutputFields "user.name" }}*' # a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `GOOGLECHAT_OUTPUTFORMAT`.
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+### Message Formatting
+
+The `GOOGLECHAT_MESSAGEFORMAT` environment variable and `googlechat.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Googlechat alert.
+These templates are evaluated on the JSON data from each Falco event. The following fields are available:
+
+| Template Syntax                              | Description                                                                                                                                                        |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `{{ .Output }}`                              | A formatted string from Falco describing the event.                                                                                                                |
+| `{{ .Priority }}`                            | The priority of the event, as a string.                                                                                                                            |
+| `{{ .Rule }}`                                | The name of the rule that generated the event.                                                                                                                     |
+| `{{ .Time }}`                                | The timestamp when the event occurred.                                                                                                                             |
+| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
+
+Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
+
+## Screenshots
+
+(GOOGLECHAT_OUTPUTFORMAT="**all**")
+
+![google chat example](images/google_chat_no_fields.png)
+
+(GOOGLECHAT_OUTPUTFORMAT="**text**")
+
+![google chat text example](images/google_chat_example.png)
--- a/docs/outputs/gotify.md
+++ b/docs/outputs/gotify.md
@ -0,0 +1,43 @@
+# Gotify
+
+- **Category**: Message queue / Streaming
+- **Website**: https://gotify.net/
+
+## Table of content
+
+- [Gotify](#gotify)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                  | Env var                  | Default value    | Description                                                                                                                         |
+| ------------------------ | ------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gotify.hostport`        | `GOTIFY_HOSTPORT`        |                  | http://{domain or ip}:{port}, if not empty, Gotify output is **enabled**                                                            |
+| `gotify.token`           | `GOTIFY_TOKEN`           |                  | API Token                                                                                                                           |
+| `gotify.format`          | `GOTIFY_FORMAT`          | `markdown`       | Format of the messages (`plaintext`, `markdown`, `json`)                                                                            |
+| `gotify.checkcert`       | `GOTIFY_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `gotify.minimumpriority` | `GOTIFY_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gotify:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, Gotify output is enabled
+  token: "" # API Token
+  # format: "markdown" # Format of the messages (plaintext, markdown, json) (default: markdown)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
+
+![gotify example](images/gotify.jpg)
--- a/docs/outputs/grafana.md
+++ b/docs/outputs/grafana.md
@ -0,0 +1,52 @@
+# Grafana
+
+- **Category**: Logs
+- **Website**: https://grafana.com/
+
+## Table of content
+
+- [Grafana](#grafana)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `grafana.hostport`        | `GRAFANA_HOSTPORT`        |                  | http://{domain or ip}:{port}, if not empty, Grafana output is **enabled**                                                           |
+| `grafana.apikey`          | `GRAFANA_HOSTPORT`        |                  | API Key to authenticate to Grafana                                                                                                  |
+| `grafana.dashboardid`     | `GRAFANA_DASHBOARDID`     |                  | Annotations are scoped to a specific dashboard. Optionnal.                                                                          |
+| `grafana.panelid`         | `GRAFANA_PANELID`         |                  | Annotations are scoped to a specific panel. Optionnal.                                                                              |
+| `grafana.allfieldsastags` | `GRAFANA_ALLFIELDSASTAGS` | `false`          | If true, all custom fields are added as tags                                                                                        |
+| `grafana.customheaders`   | `GRAFANA_CUSTOMHEADERS`   |                  | Custom headers for the POST request                                                                                                 |
+| `grafana.checkcert`       | `GRAFANA_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `grafana.minimumpriority` | `GRAFANA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+grafana:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, Grafana output is enabled
+  apikey: "" # API Key to authenticate to Grafana, if not empty, Grafana output is enabled
+  # dashboardid: "" # annotations are scoped to a specific dashboard. Optionnal.
+  # panelid: "" # annotations are scoped to a specific panel. Optionnal.
+  # allfieldsastags: false # if true, all custom fields are added as tags (default: false)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+This output creates annotations.
+
+## Screenshots
--- a/docs/outputs/grafana_oncall.md
+++ b/docs/outputs/grafana_oncall.md
@ -0,0 +1,44 @@
+# Grafana OnCall
+
+- **Category**: Alerting
+- **Website**: https://grafana.com/products/oncall/
+
+## Table of content
+
+- [Grafana OnCall](#grafana-oncall)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                         | Env var                         | Default value    | Description                                                                                                                         |
+| ------------------------------- | ------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `grafanaoncall.webhookurl`      | `GRAFANAONCALL_WEBHOOKURL`      |                  | If not empty, Grafana OnCall output is enabled                                                                                      |
+| `grafanaoncall.customheaders`   | `GRAFANAONCALL_CUSTOMHEADERS`   |                  | Custom headers for the POST request                                                                                                 |
+| `grafanaoncall.mutualtls`       | `GRAFANAONCALL_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `grafanaoncall.checkcert`       | `GRAFANAONCALL_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `grafanaoncall.minimumpriority` | `GRAFANAONCALL_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+grafanaoncall:
+  webhookurl: "" # if not empty, Grafana OnCall output is enabled
+  # customheaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
+
+![grafana oncall example](images/grafana-oncall.png)
--- a/docs/outputs/images/alertmanager.png
+++ b/docs/outputs/images/alertmanager.png
--- a/docs/outputs/images/aws_sqs.png
+++ b/docs/outputs/images/aws_sqs.png
--- a/docs/outputs/images/datadog.png
+++ b/docs/outputs/images/datadog.png
--- a/docs/outputs/images/datadog_logs.png
+++ b/docs/outputs/images/datadog_logs.png
--- a/docs/outputs/images/discord.png
+++ b/docs/outputs/images/discord.png
--- a/docs/outputs/images/dynatrace.png
+++ b/docs/outputs/images/dynatrace.png
--- a/docs/outputs/images/falcosidekick-ui_dashboard.png
+++ b/docs/outputs/images/falcosidekick-ui_dashboard.png
--- a/docs/outputs/images/falcosidekick-ui_events.png
+++ b/docs/outputs/images/falcosidekick-ui_events.png
--- a/docs/outputs/images/google_chat_example.png
+++ b/docs/outputs/images/google_chat_example.png
--- a/docs/outputs/images/google_chat_no_fields.png
+++ b/docs/outputs/images/google_chat_no_fields.png
--- a/docs/outputs/images/gotify.jpg
+++ b/docs/outputs/images/gotify.jpg
--- a/docs/outputs/images/grafana-oncall.png
+++ b/docs/outputs/images/grafana-oncall.png
--- a/docs/outputs/images/grafana_quickwit.png
+++ b/docs/outputs/images/grafana_quickwit.png
--- a/docs/outputs/images/kibana.png
+++ b/docs/outputs/images/kibana.png
--- a/docs/outputs/images/loki.png
+++ b/docs/outputs/images/loki.png
--- a/docs/outputs/images/mattermost.png
+++ b/docs/outputs/images/mattermost.png
--- a/docs/outputs/images/n8n.png
+++ b/docs/outputs/images/n8n.png
--- a/docs/outputs/images/node-red.png
+++ b/docs/outputs/images/node-red.png
--- a/docs/outputs/images/openobserve.png
+++ b/docs/outputs/images/openobserve.png
--- a/docs/outputs/images/opsgenie.png
+++ b/docs/outputs/images/opsgenie.png
--- a/docs/outputs/images/otlp_metrics-prom_view.png
+++ b/docs/outputs/images/otlp_metrics-prom_view.png
--- a/docs/outputs/images/otlp_traces-grafana_explore.png
+++ b/docs/outputs/images/otlp_traces-grafana_explore.png
--- a/docs/outputs/images/otlp_traces-traces_view.png
+++ b/docs/outputs/images/otlp_traces-traces_view.png
--- a/docs/outputs/images/slack.png
+++ b/docs/outputs/images/slack.png
--- a/docs/outputs/images/slack_fields_messageformat.png
+++ b/docs/outputs/images/slack_fields_messageformat.png
--- a/docs/outputs/images/slack_no_fields.png
+++ b/docs/outputs/images/slack_no_fields.png
--- a/docs/outputs/images/smtp_html.png
+++ b/docs/outputs/images/smtp_html.png
--- a/docs/outputs/images/smtp_plaintext.png
+++ b/docs/outputs/images/smtp_plaintext.png
--- a/docs/outputs/images/sumologic.png
+++ b/docs/outputs/images/sumologic.png
--- a/docs/outputs/images/teams.png
+++ b/docs/outputs/images/teams.png
--- a/docs/outputs/images/teams_facts_only.png
+++ b/docs/outputs/images/teams_facts_only.png
--- a/docs/outputs/images/teams_text.png
+++ b/docs/outputs/images/teams_text.png
--- a/docs/outputs/images/telegram.png
+++ b/docs/outputs/images/telegram.png
--- a/docs/outputs/images/webex.png
+++ b/docs/outputs/images/webex.png
--- a/docs/outputs/images/zincsearch.png
+++ b/docs/outputs/images/zincsearch.png
--- a/docs/outputs/influxdb.md
+++ b/docs/outputs/influxdb.md
@ -0,0 +1,67 @@
+# InfluxDB
+
+
+- **Category**: Metrics/Observability
+- **Website**: https://www.influxdata.com/products/influxdb/
+
+## Table of content
+
+- [InfluxDB](#influxdb)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Result](#result)
+
+## Configuration
+
+| Setting                    | Env var                    | Default value    | Description                                                                                                                         |
+| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `influxdb.hostport`        | `INFLUXDB_HOSTPORT`        |                  | http://{domain or ip}:{port}, if not empty, Influxdb output is **enabled**                                                          |
+| `influxdb.database`        | `INFLUXDB_DATABASE`        | `falco`          | Influxdb database (api v1 only)                                                                                                     |
+| `influxdb.organization`    | `INFLUXDB_ORGANISATION`    |                  | Influxdb organisation                                                                                                               |
+| `influxdb.bucket`          | `INFLUXDB_BUCKET`          | `falco`          | Metrics bucket                                                                                                                      |
+| `influxdb.precision`       | `INFLUXDB_PRECISION`       | `ns`             | Write precision                                                                                                                     |
+| `influxdb.user`            | `INFLUXDB_USER`            |                  | User to use if auth is enabled in Influxdb                                                                                          |
+| `influxdb.password`        | `INFLUXDB_PASSWORD`        |                  | Password to use if auth is enabled in Influxdb                                                                                      |
+| `influxdb.token`           | `INFLUXDB_TOKEN`           |                  | API token to use if auth in enabled in Influxdb (disables user and password)                                                        |
+| `influxdb.mutualtls`       | `INFLUXDB_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `influxdb.checkcert`       | `INFLUXDB_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     | `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`)                                                                                    | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`
+| `influxdb.minimumpriority` | `INFLUXDB_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+influxdb:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
+  # database: "falco" # Influxdb database (api v1 only) (default: falco)
+  # organization: "" # Influxdb organization
+  # bucket: "falco" # Metrics bucket (default: falco)
+  # precision: "ns" # Write precision
+  # user: "" # user to use if auth is enabled in Influxdb
+  # password: "" # pasword to use if auth is enabled in Influxdb
+  # token: "" # API token to use if auth in enabled in Influxdb (disables user and password)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Result
+
+```bash
+> use falco
+Using database falco
+> show series
+key
+---
+events,akey=AValue,bkey=BValue,ckey=CValue,priority=Debug,rule=Testrule
+events,akey=A_Value,bkey=B_Value,ckey=C_Value,priority=Debug,rule=Test_rule
+> select * from events
+name: events
+time                akey    bkey    ckey    priority rule      value
+----                ----    ----    ----    -------- ----      -----
+1560433816893368400 AValue  BValue  CValue  Debug    Testrule  This is a test from falcosidekick
+1560441359119741800 A_Value B_Value C_Value Debug    Test_rule This is a test from falcosidekick
+```
--- a/docs/outputs/kafka.md
+++ b/docs/outputs/kafka.md
@ -0,0 +1,57 @@
+# Kafka
+
+- **Category**: Message queue / Streaming
+- **Website**: https://kafka.apache.org/
+
+## Table of content
+
+- [Kafka](#kafka)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                 | Env var                 | Default value    | Description                                                                                                                                                                                                                                                |
+| ----------------------- | ----------------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `kafka.hostport`        | `KAFKA_HOSTPORT`        |                  | Comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is **enabled** |
+| `kafka.topic`           | `KAFKA_TOPIC`           |                  | Name of the topic                                                                                                                                                                                                                                          |
+| `kafka.topiccreation`   | `KAFKA_TOPICCREATION`   | `false`          | Auto create the topic if it doesn't exist                                                                                                                                                                                                                  |
+| `kafka.sasl`            | `KAFKA_SASL`            |                  | SASL authentication mechanism, if empty, no authentication (`PLAIN`, `SCRAM_SHA256`, `SCRAM_SHA512`)                                                                                                                                                       |
+| `kafka.tls`             | `KAFKA_TSL`             | `false`          | Use TLS for the connections                                                                                                                                                                                                                                |
+| `kafka.username`        | `KAFKA_USERNAME`        |                  | Use this username to authenticate to Kafka via SASL                                                                                                                                                                                                        |
+| `kafka.password`        | `KAFKA_PASSWORD`        |                  | Use this password to authenticate to Kafka via SASL                                                                                                                                                                                                        |
+| `kafka.async`           | `KAFKA_ASYNC`           | `false`          | Produce messages without blocking                                                                                                                                                                                                                          |
+| `kafka.requiredacks`    | `KAFKA_REQUIREDACKS`    | `NONE`           | Number of acknowledges from partition replicas required before receiving                                                                                                                                                                                   |
+| `kafka.compression`     | `KAFKA_COMPRESSION`     | `NONE`           | Enable message compression using this algorithm (`GZIP`, `SNAPPY`, `LZ4`, `ZSTD`, `NONE`)                                                                                                                                                                  |
+| `kafka.balancer`        | `KAFKA_BALANCER`        | `round_robin`    | Partition balancing strategy when producing                                                                                                                                                                                                                |
+| `kafka.clientid`        | `KAFKA_CLIENTID`        |                  | Specify a client.id when communicating with the broker for tracing                                                                                                                                                                                         |
+| `kafka.minimumpriority` | `KAFKA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                                        |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+kafka:
+  hostport: "" # Comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
+  topic: "" # Name of the topic
+  # topiccreation: false # auto create the topic if it doesn't exist (default: false)
+  # sasl: "" # SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512)
+  # tls: false # Use TLS for the connections (default: false)
+  # username: "" # use this username to authenticate to Kafka via SASL (default: "")
+  # password: "" # use this password to authenticate to Kafka via SASL (default: "")
+  # async: false # produce messages without blocking (default: false)
+  # requiredacks: NONE # number of acknowledges from partition replicas required before receiving (default: "NONE")
+  # compression: "" # enable message compression using this algorithm (GZIP|SNAPPY|LZ4|ZSTD|NONE) (default: "NONE")
+  # balancer: "" # partition balancing strategy when producing (default: "round_robin")
+  # clientid: "" # specify a client.id when communicating with the broker for tracing
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/kafkarest.md
+++ b/docs/outputs/kafkarest.md
@ -0,0 +1,41 @@
+# Kafka Rest
+
+- **Category**: Message queue / Streaming
+- **Website**: https://docs.confluent.io/platform/current/kafka-rest/index.html
+
+## Table of content
+
+- [Kafka Rest](#kafka-rest)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                     | Env var                     | Default value    | Description                                                                                                                         |
+| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `kafkarest.address`         | `KAFKAREST_ADDRESS`         |                  | The full URL to the topic (example "http://kafkarest:8082/topics/test"), if not empty, Kafka Rest is **enabled**                    |
+| `kafkarest.version`         | `KAFKAREST_VERSION`         | `2`              | Kafka Rest Proxy API version `2` or `1`                                                                                             |
+| `kafkarest.mutualtls`       | `KAFKAREST_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `kafkarest.checkcert`       | `KAFKAREST_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `kafkarest.minimumpriority` | `KAFKAREST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+kafkarest:
+  address: "" # The full URL to the topic (example "http://kafkarest:8082/topics/test")
+  # version: 2 # Kafka Rest Proxy API version 2|1 (default: 2)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/kubeless.md
+++ b/docs/outputs/kubeless.md
@ -0,0 +1,46 @@
+# Kubeless
+
+- **Category**: FaaS / Serverless
+- **Website**: https://kubeless.io/
+
+## Table of content
+
+- [Kubeless](#kubeless)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                    | Env var                    | Default value    | Description                                                                                                                         |
+| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `kubeless.function`        | `KUBELESS_FUNCTION`        |                  | Name of Kubeless function, if not empty, Kubeless is **enabled**                                                                    |
+| `kubeless.namespace`       | `KUBELESS_NAMESPACE`       |                  | Namespace of Kubeless function (mandatory)                                                                                          |
+| `kubeless.port`            | `KUBELESS_PORT`            | `8080`           | Port of service of Kubeless function                                                                                                |
+| `kubeless.port`            | `KUBELESS_PORT`            | `~/.kube/config` | Port of service of Kubeless function                                                                                                |
+| `kubeless.kubeconfig`      | `KUBELESS_KUBECONFIG`      | `true`           | Kubeconfig file to use (only if falcosidekick is running outside the cluster)                                                       |
+| `kubeless.minimumpriority` | `KUBELESS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+kubeless:
+  function: "" # Name of Kubeless function, if not empty, Kubeless is enabled
+  namespace: "" # Namespace of Kubeless function (mandatory)
+  port: 8080 # Port of service of Kubeless function
+  kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Additional info
+
+> [!WARNING]
+`Kubeless` is no more maintained, consider to use a different output.
+
+## Screenshots
--- a/docs/outputs/logstash.md
+++ b/docs/outputs/logstash.md
@ -0,0 +1,51 @@
+# Logstash
+
+- **Category**: Logs
+- **Website**: https://github.com/elastic/logstash
+
+## Table of content
+
+- [Logstash](#logstash)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                    | Env var                    | Default value    | Description                                                                                                                         |
+| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `logstash.address`         | `LOGSTASH_ADDRESS`         |                  | Logstash address, if not empty, Logstash output is **enabled**                                                                      |
+| `logstash.port`            | `LOGSTASH_PORT`            | 5044             | Logstash port number                                                                                                                |
+| `logstash.tls`             | `LOGSTASH_TLS`             | false            | Use TLS connection (true/false)                                                                                                     |
+| `logstash.mutualtls`       | `LOGSTASH_MUTUALTLS`       | false            | Authenticate to the output with TLS; if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `logstash.checkcert`       | `LOGSTASH_CHECKCERT`       | true             | Check if ssl certificate of the output is valid                                                                                     |
+| `logstash.certfile`        | `LOGSTASH_CERTFILE`        |                  | Use this certificate file instead of the client certificate when using mutual TLS                                                   |
+| `logstash.keyfile`         | `LOGSTASH_KEYFILE`         |                  | Use this key file instead of the client certificate when using mutual TLS                                                           |
+| `logstash.cacertfile`      | `LOGSTASH_CACERTFILE`      |                  | Use this CA certificate file instead of the client certificate when using mutual TLS                                                |
+| `logstash.minimumpriority` | `LOGSTASH_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `logstash.tags`            | `LOGSTASH_TAGS`            |                  | An additional list of tags that will be added to those produced by Falco; these tags may help in decision-making while routing logs |
+
+> [!NOTE]
+Values stored in environment variables will override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+logstash:
+  address: "" # Logstash address, if not empty, Logstash output is enabled
+  # port: 5044 # Logstash port number (default: 5044)
+  # tls: false # communicate over tls; requires Logstash version 8+ to work 
+  # mutualtls: false # or authenticate to the output with TLS; if true, checkcert flag will be ignored (server cert will always be checked) (default: false)
+  # checkcert: true # Check if ssl certificate of the output is valid (default: true)
+  # certfile: "" # Use this certificate file instead of the client certificate when using mutual TLS (default: "")
+  # keyfile: "" # Use this key file instead of the client certificate when using mutual TLS (default: "")
+  # cacertfile: "" # Use this CA certificate file instead of the client certificate when using mutual TLS (default: "")
+  # minimumpriority: minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "debug")
+  # tags: ["falco"] # An additional list of tags that will be added to those produced by Falco (default: [])
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/loki.md
+++ b/docs/outputs/loki.md
@ -0,0 +1,56 @@
+# Loki
+
+
+- **Category**: Logs
+- **Website**: https://grafana.com/oss/loki/
+
+## Table of content
+
+- [Loki](#loki)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|        Setting         |        Env var         |    Default value    |                                                             Description                                                             |                              |                              |                  |                                                                                                                                     |
+| ---------------------- | ---------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `loki.hostport`        | `LOKI_HOSTPORT`        |                     | http://{domain or ip}:{port}, if not empty, Loki output is **enabled**                                                              |                              |                              |                  |                                                                                                                                     |
+| `loki.user`            | `LOKI_USER`            |                     | User for Grafana Logs                                                                                                               |                              |                              |                  |                                                                                                                                     |
+| `loki.apikey`          | `LOKI_APIKEY`          |                     | API KEy for Grafana Logs                                                                                                            |                              |                              |                  |                                                                                                                                     |
+| `loki.tenant`          | `LOKI_TENANT`          |                     | Add the tenant header if needed                                                                                                     |                              |                              |                  |                                                                                                                                     |
+| `loki.format`          | `LOKI_FORMAT`          | `text`              | Format for the log entry value: json, text                                                                                          |                              |                              |                  |                                                                                                                                     |
+| `loki.endpoint`        | `LOKI_ENDPOINT`        | `/loki/api/v1/push` | The endpoint URL path, more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush                                       |                              |                              |                  |                                                                                                                                     |
+| `loki.extralabels`     | `LOKI_EXTRALABELS`     |                     | comma separated list of fields to use as labels additionally to `rule`, `source`, `priority`, `tags` and `custom_fields`            |                              |                              |                  |                                                                                                                                     |
+| `loki.customheaders`   | `LOKI_CUSTOMHEADERS`   |                     | Custom headers to add in POST, useful for Authentication                                                                            |                              |                              |                  |                                                                                                                                     |
+| `loki.mutualtls`       | `LOKI_MUTUALTLS`       | `false`             | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |                              |                              |                  |                                                                                                                                     |
+| `loki.checkcert`       | `LOKI_CHECKCERT`       | `/api/v1/alerts`    | Check if ssl certificate of the output is valid                                                                                     | `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `loki.minimumpriority` | `LOKI_MINIMUMPRIORITY` | `""` (= `debug`)    | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |                              |                              |                  |                                                                                                                                     |
+
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+loki:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, Loki output is enabled
+  # user: "" # user for Grafana Logs
+  # apikey: "" # API Key for Grafana Logs
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # tenant: "" # Add the tenant header if needed. Enabled if not empty
+  # format: "text" # Format for the log entry value: json, text (default)
+  # endpoint: "/loki/api/v1/push" # The endpoint URL path, default is "/loki/api/v1/push" more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush
+  # extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+```
+
+## Screenshots
+
+With Grafana
+
+![loki example](images/loki.png)
--- a/docs/outputs/mattermost.md
+++ b/docs/outputs/mattermost.md
@ -0,0 +1,68 @@
+# Mattermost
+
+
+- **Category**: Chat/Messaging
+- **Website**: https://github.com/mattermost/mattermost
+
+## Table of content
+
+- [Mattermost](#mattermost)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Message Formatting](#message-formatting)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+
+| Setting                      | Env var                      | Default value                                                                                       | Description                                                                                                                                                                                                                                                                    |
+| ---------------------------- | ---------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `mattermost.webhookurl`      | `MATTERMOST_WEBHOOKURL`      |                                                                                                     | Mattermost WebhookURL (ex: https://hooks.mattermost.com/services/XXXX/YYYY/ZZZZ), if not empty, Mattermost output is **enabled**                                                                                                                                               |
+| `mattermost.icon`            | `MATTERMOST_ICON`            | `https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png` | Mattermost icon (avatar)                                                                                                                                                                                                                                                       |
+| `mattermost.username`        | `MATTERMOST_USERNAME`        | `Falcosidekick`                                                                                     | Mattermost username                                                                                                                                                                                                                                                            |
+| `mattermost.outputformat`    | `MATTERMOST_OUTPUTFORMAT`    | `all`                                                                                               | Mattermost message format: `all`, `text`, `field`                                                                                                                                                                                                                              |
+| `mattermost.messageformat`   | `MATTERMOST_MESSAGEFORMAT`   |                                                                                                     | A Go template to format Mattermost Text above Attachment, displayed in addition to the output from `MATTERMOST_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
+| `mattermost.mutualtls`       | `MATTERMOST_MUTUALTLS`       | `false`                                                                                             | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                                                                                                                                                              |
+| `mattermost.checkcert`       | `MATTERMOST_CHECKCERT`       | `/api/v1/alerts`                                                                                    | Check if ssl certificate of the output is valid                                                                                                                                                                                                                                | `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`)                                                                                    | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`
+| `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`)                                                                                    | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                                                            |
+
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+mattermost:
+  webhookurl: "" # Mattermost WebhookURL (ex: http://XXXX/hooks/YYYY), if not empty, Mattermost output is enabled
+  # icon: "" # Mattermost icon (avatar)
+  # username: "" # Mattermost username (default: Falcosidekick)
+  # outputformat: "all" # all (default), text, fields
+  # messageformat: "Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields \"user.name\" }}*" # a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `MATTERMOST_OUTPUTFORMAT`. If empty, no Text is displayed before Attachment.
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+### Message Formatting
+
+The `MATTERMOST_MESSAGEFORMAT` environment variable and `mattermost.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Mattermost alert.
+These templates are evaluated on the JSON data from each Falco event. The following fields are available:
+
+| Template Syntax                              | Description                                                                                                                                                        |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `{{ .Output }}`                              | A formatted string from Falco describing the event.                                                                                                                |
+| `{{ .Priority }}`                            | The priority of the event, as a string.                                                                                                                            |
+| `{{ .Rule }}`                                | The name of the rule that generated the event.                                                                                                                     |
+| `{{ .Time }}`                                | The timestamp when the event occurred.                                                                                                                             |
+| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
+
+Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
+
+## Screenshots
+
+![mattermost example](images/mattermost.png)
--- a/docs/outputs/mqtt.md
+++ b/docs/outputs/mqtt.md
@ -0,0 +1,47 @@
+# MQTT
+
+- **Category**: Message queue / Streaming
+- **Website**: https://mqtt.org/
+
+## Table of content
+
+- [MQTT](#mqtt)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                | Env var                | Default value    | Description                                                                                                                         |
+| ---------------------- | ---------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `mqtt.broker`          | `MQTT_BROKER`          |                  | Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is **enabled**                                           |
+| `mqtt.topic`           | `MQTT_TOPIC`           | `falco/events`   | Topic for messages                                                                                                                  |
+| `mqtt.qos`             | `MQTT_QOS`             | `0`              | QOS for messages                                                                                                                    |
+| `mqtt.retained`        | `MQTT_RETAINED`        | `false`          | If true, messages are retained                                                                                                      |
+| `mqtt.user`            | `MQTT_USER`            |                  | User if the authentication is enabled in the broker                                                                                 |
+| `mqtt.password`        | `MQTT_PASSWORD`        |                  | Password if the authentication is enabled in the broker                                                                             |
+| `mqtt.checkcert`       | `MQTT_CHECKCERT`       | `true`           | Check if ssl certificate of the output is valid                                                                                     |
+| `mqtt.minimumpriority` | `MQTT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+mqtt:
+  broker: "" # Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is enabled
+  topic: "falco/events" # Topic for messages (default: falco/events)
+  # qos: 0 # QOS for messages (default: 0)
+  # retained: false # If true, messages are retained (default: false)
+  # user: "" # User if the authentication is enabled in the broker
+  # password: "" # Password if the authentication is enabled in the broker
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/n8n.md
+++ b/docs/outputs/n8n.md
@ -0,0 +1,48 @@
+# N8N
+
+- **Category**: Workflow
+- **Website**: https://n8n.io/
+
+## Table of content
+
+- [N8N](#n8n)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting               | Env var               | Default value    | Description                                                                                                                         |
+| --------------------- | --------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `n8n.address`         | `N8N_ADDRESS`         |                  | N8N address, if not empty, N8N output is **enabled**                                                                                |
+| `n8n.user`            | `N8N_USER`            |                  | Username to authenticate with N8N in basic auth                                                                                     |
+| `n8n.password`        | `N8N_PASSWORD`        |                  | Password to authenticate with N8N in basic auth                                                                                     |
+| `n8n.headerauthname`  | `N8N_HEADERAUTHNAME`  |                  | Header Auth Value to authenticate with N8N                                                                                          |
+| `n8n.headerauthvalue` | `N8N_HEADERAUTHVALUE` |                  | Check if ssl certificate of the output is valid                                                                                     |
+| `n8n.checkcert`       | `N8N_CHECKCERT`       | `true`           | Check if ssl certificate of the output is valid                                                                                     |
+| `n8n.minimumpriority` | `N8N_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+n8n:
+  address: "" # N8N address, if not empty, N8N output is enabled
+  # user: "" # Username to authenticate with N8N in basic auth
+  # password: "" # Password to authenticate with N8N in basic auth
+  # headerauthname: "" # Header Auth Key to authenticate with N8N
+  # headerauthvalue: "" # 
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+```
+
+## Additional info
+
+## Screenshots
+
+![n8n example](images/n8n.png)
--- a/docs/outputs/nats.md
+++ b/docs/outputs/nats.md
@ -0,0 +1,45 @@
+# NATS
+
+- **Category**: Message queue / Streaming
+- **Website**: https://nats.io/
+
+## Table of content
+
+- [NATS](#nats)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+- [subjecttemplate: "falco.." # template for the subject, tokens  and  will be automatically replaced (default: falco..)](#subjecttemplate-falco--template-for-the-subject-tokens--and--will-be-automatically-replaced-default-falco)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+  # subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
+
+
+|        Setting         |        Env var         |       Default value       |                                                             Description                                                             |
+| ---------------------- | ---------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `nats.hostport`        | `NATS_HOSTPORT`        |                           | nats://{domain or ip}:{port}, if not empty, NATS output is **enabled**                                                              |
+| `nats.subjecttemplate` | `NATS_SUBJECTTEMPLATE` | `falco.<priority>.<rule>` | Template for the subject, tokens <priority> and <rule> will be automatically replaced                                               |
+| `nats.mutualtls`       | `NATS_MUTUALTLS`       | `false`                   | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `nats.checkcert`       | `NATS_CHECKCERT`       | `true`                    | Check if ssl certificate of the output is valid                                                                                     |
+| `nats.minimumpriority` | `NATS_MINIMUMPRIORITY` | `""` (= `debug`)          | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+nats:
+  hostport: "" # nats://{domain or ip}:{port}, if not empty, NATS output is enabled
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/nodered.md
+++ b/docs/outputs/nodered.md
@ -0,0 +1,46 @@
+# Node-RED
+
+- **Category**: Workflow
+- **Website**: https://nodered.org/
+
+## Table of content
+
+- [Node-RED](#node-red)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `nodered.address`         | `NODERED_ADDRESS`         |                  | Node-RED address, if not empty, Node-RED output is **enabled**                                                                      |
+| `nodered.user`            | `NODERED_USER`            |                  | User if Basic Auth is enabled for 'http in' node in Node-RED                                                                        |
+| `nodered.password`        | `NODERED_PASSWORD`        |                  | Password if Basic Auth is enabled for 'http in' node in Node-RED                                                                    |
+| `nodered.customheaders`   | `NODERED_CUSTOMHEADERS`   |                  | Custom headers for the POST request                                                                                                 |
+| `nodered.checkcert`       | `NODERED_CHECKCERT`       | `true`           | Check if ssl certificate of the output is valid                                                                                     |
+| `nodered.minimumpriority` | `NODERED_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+nodered:
+  address: "" # Node-RED address, if not empty, Node-RFED output is enabled
+  # user: "" # User if Basic Auth is enabled for 'http in' node in Node-RED
+  # password: "" # Password if Basic Auth is enabled for 'http in' node in Node-RED
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Additional info
+
+## Screenshots
+
+![node-red example](images/node-red.png)
--- a/docs/outputs/openfaas.md
+++ b/docs/outputs/openfaas.md
@ -0,0 +1,47 @@
+# OpenFaaS
+
+- **Category**: FaaS / Serverlesss
+- **Website**: https://www.openfaas.com/
+
+## Table of content
+
+- [OpenFaaS](#openfaas)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                      | Env var                      | Default value    | Description                                                                                                                         |
+| ---------------------------- | ---------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `openfaas.functionname`      | `OPENFAAS_FUNCTIONNAME`      |                  | Name of OpenFaaS function, if not empty, OpenFaaS is **enabled**                                                                    |
+| `openfaas.functionnamespace` | `OPENFAAS_FUNCTIONNAMESPACE` | `openfaas-fn`    | Namespace of OpenFaaS function                                                                                                      |
+| `openfaas.gatewayservice`    | `OPENFAAS_GATEWAYSERVICE`    | `gateway`        | Service of OpenFaaS Gateway                                                                                                         |
+| `openfaas.gatewayport`       | `OPENFAAS_GATEWAYPORT`       | `8080`           | Port of service of OpenFaaS Gateway                                                                                                 |
+| `openfaas.gatewaynamespace`  | `OPENFAAS_GATEWAYNAMESPACE`  | `openfaas`       | Namespace of OpenFaaS Gateway                                                                                                       |
+| `openfaas.kubeconfig`        | `OPENFAAS_KUBECONFIG`        | `~/.kube/config` | Kubeconfig file to use (only if falcosidekick is running outside the cluster)                                                       |
+| `openfaas.checkcert`         | `OPENFAAS_CHECKCERT`         | `true`           | Check if ssl certificate of the output is valid                                                                                     |
+| `openfaas.minimumpriority`   | `OPENFAAS_MINIMUMPRIORITY`   | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+openfaas:
+  functionname: "" # Name of OpenFaaS function, if not empty, OpenFaaS is enabled
+  functionnamespace: "openfaas-fn" # Namespace of OpenFaaS function, "openfaas-fn" (default)
+  gatewayservice: "gateway" # Service of OpenFaaS Gateway, "gateway" (default)
+  gatewayport: 8080 # Port of service of OpenFaaS Gateway
+  gatewaynamespace: "openfaas" # Namespace of OpenFaaS Gateway, "openfaas" (default)
+  kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/openobserve.md
+++ b/docs/outputs/openobserve.md
@ -0,0 +1,52 @@
+# OpenObserve
+
+- **Category**: Logs
+- **Website**: https://openobserve.ai/
+
+## Table of content
+
+- [OpenObserve](#openobserve)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                        | Env var                        | Default value    | Description                                                                                                                         |
+| ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `openobserve.hostport`         | `OPENOBSERVE_HOSTPORT`         |                  | http://{domain or ip}:{port}, if not empty, OpenObserve output is **enabled**                                                       |
+| `openobserve.organizationname` | `OPENOBSERVE_ORGANIZATIONNAME` | `default`        | Organization name                                                                                                                   |
+| `openobserve.streamname`       | `OPENOBSERVE_STREAMNAME`       | `falco`          | Stream name                                                                                                                         |
+| `openobserve.username`         | `OPENOBSERVE_USERNAME`         |                  | Use this username to authenticate to OpenObserve                                                                                    |
+| `openobserve.password`         | `OPENOBSERVE_PASSWORD`         |                  | Use this password to authenticate to OpenObserve                                                                                    |
+| `openobserve.customheaders`    | `OPENOBSERVE_CUSTOMHEADERS`    |                  | Custom headers to add in POST, useful for Authentication                                                                            |
+| `openobserve.mutualtls`        | `OPENOBSERVE_MUTUALTLS`        | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `openobserve.checkcert`        | `OPENOBSERVE_CHECKCERT`        | `true`           | Check if ssl certificate of the output is valid                                                                                     |
+| `openobserve.minimumpriority`  | `OPENOBSERVE_MINIMUMPRIORITY`  | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+openobserve:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, OpenObserve output is enabled
+  # organizationname: "default" # Organization name (default: default)
+  # streamname: "falco" # Stream name (default: falco)
+  # username: "a" # use this username to authenticate to OpenObserve (default: "")
+  # password: "" # use this password to authenticate to OpenObserve (default: "")
+  # customheaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
+
+![openobserve example](images/openobserve.png)
--- a/docs/outputs/opsgenie.md
+++ b/docs/outputs/opsgenie.md
@ -0,0 +1,40 @@
+# Opsgenie
+
+- **Category**: Alerting
+- **Website**: https://www.opsgenie.com/
+
+## Table of content
+
+- [Opsgenie](#opsgenie)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                    | Env var                    | Default value    | Description                                                                                                                         |
+| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `opsgenie.apikey`          | `OPSGENIE_APIKEY`          |                  | Opsgenie API Key, if not empty, Opsgenie output is **enabled**                                                                      |
+| `opsgenie.region`          | `OPSGENIE_REGION`          | `us`             | Region of your domain (`us`, `eu`)                                                                                                  |
+| `opsgenie.minimumpriority` | `OPSGENIE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+opsgenie:
+  apikey: "" # Opsgenie API Key, if not empty, Opsgenie output is enabled
+  region: "eu" # Region of your domain (us|eu) (default: us)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+```
+
+## Additional info
+
+## Screenshots
+
+![opsgenie example](images/opsgenie.png)
--- a/docs/outputs/otlp_logs.md
+++ b/docs/outputs/otlp_logs.md
@ -0,0 +1,51 @@
+# OTEL Logs
+
+- **Category**: Logs
+- **Website**: <https://opentelemetry.io/docs/concepts/signals/logs/>
+
+## Table of content
+
+- [OTEL Logs](#otel-logs)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+
+## Configuration
+
+|           Setting           |           Env var           |       Default value        |                                                             Description                                                             |
+| --------------------------- | --------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `otlp.logs.endpoint`        | `OTLP_LOGS_ENDPOINT`        |                            | OTLP endpoint in the form of http://{domain or ip}:4318/v1/logs                                                                     |
+| `otlp.logs.protocol`        | `OTLP_LOGS_PROTOCOL`        | `http/protobuf` (from SDK) | OTLP Protocol: `http/protobuf`, `grpc`                                                                                              |
+| `otlp.logs.timeout`         | `OTLP_LOGS_TIMEOUT`         | `10000` (from SDK)         | Timeout value in milliseconds                                                                                                       |
+| `otlp.logs.headers`         | `OTLP_LOGS_HEADERS`         |                            | List of headers to apply to all outgoing logs in the form of "some-key=some-value,other-key=other-value"                            |
+| `otlp.logs.synced`          | `OTLP_LOGS_SYNCED`          | `false`                    | Set to `true` if you want logs to be sent synchronously                                                                             |
+| `otlp.logs.minimumpriority` | `OTLP_LOGS_MINIMUMPRIORITY` | `""` (=`debug`)            | minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `otlp.logs.checkcert`       | `OTLP_LOGS_CHECKCERT`       | `false`                    | Set if you want to skip TLS certificate validation                                                                                  |
+| `otlp.logs.duration`        | `OTLP_LOGS_DURATION`        | `1000`                     | Artificial span duration in milliseconds (as Falco doesn't provide an ending timestamp)                                             |
+| `otlp.logs.extraenvvars`    | `OTLP_LOGS_EXTRAENVVARS`    |                            | Extra env vars (override the other settings)                                                                                        |
+
+> [!NOTE]
+For the extra Env Vars values see [standard `OTEL_*` environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/)
+
+## Example of config.yaml
+
+```yaml
+otlp:
+  logs:
+    # endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/logs), if not empty, OTLP Traces output is enabled
+    protocol: "" # OTLP protocol: http/protobuf, grpc (default: "" which uses SDK default: "http/protobuf")
+    # timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # extraenvvars: # Extra env vars (override the other settings)
+      # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # checkcert: true # Set if you want to skip TLS certificate validation (default: true)
+```
+
+## Additional info
+
+> [!WARNING]
+Because of the way the OTEL SDK is structured, the OTLP outputs don't appear in the metrics (Prometheus, Statsd, ...) 
+and the error logs just specify `OTEL` as output.
--- a/docs/outputs/otlp_metrics.md
+++ b/docs/outputs/otlp_metrics.md
@ -0,0 +1,208 @@
+# OTEL Metrics
+
+- **Category**: Metrics/Observability
+- **Website**: <https://opentelemetry.io/docs/concepts/signals/metrics/>
+
+## Table of content
+
+- [OTEL Metrics](#otel-metrics)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Running a whole stack with docker-compose](#running-a-whole-stack-with-docker-compose)
+    - [Requirements](#requirements)
+    - [Configuration files](#configuration-files)
+    - [Run it](#run-it)
+
+## Configuration
+
+|            Setting             |            Env var             |       Default value        |                                                                     Description                                                                     |
+| ------------------------------ | ------------------------------ | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `otlp.metrics.endpoint`        | `OTLP_METRICS_ENDPOINT`        |                            | OTLP endpoint, typically in the form http(s)://{domain or ip}:4318(/v1/metrics)                                                                     |
+| `otlp.metrics.protocol`        | `OTLP_METRICS_PROTOCOL`        | `http/protobuf` (from SDK) | OTLP Protocol: `http/protobuf`, `grpc`                                                                                                              |
+| `otlp.metrics.timeout`         | `OTLP_METRICS_TIMEOUT`         | `10000` (from SDK)         | OTLP timeout for outgoing metrics in milliseconds                                                                                                   |
+| `otlp.metrics.headers`         | `OTLP_METRICS_HEADERS`         | `""`                       | List of headers to apply to all outgoing metrics in the form of `some-key=some-value,other-key=other-value`                                         |
+| `otlp.metrics.extraenvvars`    | `OTLP_METRICS_EXTRAENVVARS`    | `""`                       | Extra env vars (override the other settings)                                                                                                        |
+| `otlp.metrics.minimumpriority` | `OTLP_METRICS_MINIMUMPRIORITY` | `""` (=`debug`)            | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                 |
+| `otlp.metrics.checkcert`       | `OTLP_METRICS_CHECKCERT`       | `true`                     | Set to false if you want to skip TLS certificate validation (only with https)                                                                       |
+| `otlp.metrics.extraattributes` | `OTLP_METRICS_EXTRAATTRIBUTES` | `""`                       | Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields |
+
+> [!NOTE]
+For the extra Env Vars values see [standard `OTEL_*` environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/)
+
+> [!WARNING]
+If you use `grpc`, the endpoint format must be `http(s)://{domain or ip}:4318`
+If you use `http/protobuf`, the endpoint format must be `http(s)://{domain or ip}:4318/v1/traces`
+
+## Example of config.yaml
+
+```yaml
+otlp:
+  metrics:
+    # endpoint: "" # OTLP endpoint, typically in the form http(s)://{domain or ip}:4318(/v1/metrics), if not empty, OTLP Metrics output is enabled
+    # protocol: "" # OTLP protocol: http/protobuf, grpc (default: "" which uses SDK default: "http/protobuf")
+    # timeout: "" # OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # extraenvvars: # Extra env vars (override the other settings) (default: "")
+      # OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "")
+    # checkcert: true # Set to false if you want to skip TLS certificate validation (only with https) (default: true)
+    # extraattributes: "" # Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields
+```
+
+## Additional info
+
+> [!NOTE]
+This output is used to collect metrics about Falco events and Falcosidekick inputs and outputs in OTLP metrics format.
+
+> [!WARNING]
+Because of the way the OTEL SDK is structured, the OTLP outputs don't appear in the metrics (Prometheus, Statsd, ...) 
+and the error logs just specify `OTEL` as output.
+
+## Running a whole stack with docker-compose
+
+Below `docker-compose` file runs a stack of:
+
+- `falco`
+- `falcosidekick`
+- `prometheus` as metrics backend
+- OTEL collector to collect OTEL metrics from `falcosidekick` and let prometheus scrape them
+- `events-generator` to generate arbitrary Falco events
+
+### Requirements
+
+A local Linux kernel capable of running `falco`--modern-bpf`, see <https://falco.org/blog/falco-modern-bpf/>.
+
+### Configuration files
+
+You need to create these files:
+
+- `./docker-compose.yaml`: minimal docker-compose configuration
+
+```yaml
+---
+services:
+  falco:
+    image: falcosecurity/falco:0.39.0
+    privileged: true
+    volumes:
+      - /var/run/docker.sock:/host/var/run/docker.sock
+      - /dev:/host/dev
+      - /proc:/host/proc:ro
+      - /boot:/host/boot:ro
+      - /lib/modules:/host/lib/modules:ro
+      - /usr:/host/usr:ro
+      - /etc/falco:/host/etc:ro
+    command: [
+      "/usr/bin/falco" ,
+      "-o", "json_output=true",
+      "-o", "http_output.enabled=true",
+      "-o", "http_output.url=http://sidekick:2801", # Set the HTTP output url to Falcosidekick endpoint
+      "-o", "http_output.insecure=true"
+    ]
+
+  sidekick:
+    image: falcosidekick:latest
+    ports:
+      - "2801:2801" # Expose default port towards Falco instance
+    environment:
+      - OTLP_METRICS_ENDPOINT=http://otel-collector:4317
+      - OTLP_METRICS_CHECKCERT=false
+
+  otel-collector:
+    image: otel/opentelemetry-collector-contrib
+    volumes:
+      - ./config.yaml:/etc/otelcol-contrib/config.yaml
+    ports:
+      - "4317:4317" # Expose OTLP gRPC port
+
+  prometheus:
+    image: prom/prometheus:latest
+    volumes:
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml
+    ports:
+      - "9090:9090" # Expose port to access Prometheus expression browser
+
+  event-generator:
+    image: falcosecurity/event-generator
+    command: run
+    restart: always
+  trigger:
+    image: alpine
+    command: [ # Alternate reads to /etc/shadow with creations of symlinks from it
+      "sh",
+      "-c",
+      "while true; do cat /etc/shadow > /dev/null; sleep 5; ln -s /etc/shadow shadow; rm shadow; sleep 5; done"
+    ]
+```
+
+> `./docker-compose.yaml` mentions the `falcosidekick:latest` docker image, that must be locally available before
+> bringing up the stack. You can build it from source by cloning the repository and issuing the building commands:
+> ```shell
+> git clone https://github.com/falcosecurity/falcosidekick.git
+> cd falcosidekick
+> go build . && docker build . -t falcosidekick:latest
+> ```
+
+- `./config.yaml`: minimal OTEL collector configuration
+
+```yaml
+---
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: "0.0.0.0:4317"
+
+exporters:
+  prometheus:
+    endpoint: "0.0.0.0:9090"
+
+service:
+  pipelines:
+    metrics:
+      receivers: [otlp]
+      processors: []
+      exporters: [prometheus]
+```
+
+- `./prometheus.yml`: minimal prometheus configuration
+
+```yaml
+global:
+  scrape_interval: 5s
+
+scrape_configs:
+  - job_name: 'otel-collector'
+    static_configs:
+      - targets: ['otel-collector:9090']
+```
+
+### Run it
+
+To bring up the stack, and see the results on prometheus expression browser:
+
+1. Bring up the stack
+
+  ```shell
+  docker compose up
+  ```
+
+2. Navigate to <http://localhost:9090/graph> to start browsing the local prometheus expression browser
+
+3. Navigate to the `Graph` tab and adjust the time interval to be comparable to the stack uptime (e.g.: 15 minutes)
+
+5. To get information regarding the `falcosecurity_falco_rules_matches_total` metric, you can enter a simple query like
+`falcosecurity_falco_rules_matches_total` or `sum by (rule) (falcosecurity_falco_rules_matches_total)` and press
+`Execute`
+
+6. Explore the obtained results
+   ![Falco metrics view](images/otlp_metrics-prom_view.png)
+
+1. Bring down the stack
+
+  ```shell
+  docker compose down
+  ```
--- a/docs/outputs/otlp_traces.md
+++ b/docs/outputs/otlp_traces.md
@ -0,0 +1,253 @@
+# OTEL Traces
+
+- **Category**: Traces
+- **Website**: <https://opentelemetry.io/docs/concepts/signals/traces/>
+
+## Table of content
+
+- [OTEL Traces](#otel-traces)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Running a whole stack with docker-compose](#running-a-whole-stack-with-docker-compose)
+    - [Requirements](#requirements)
+    - [Configuration files](#configuration-files)
+    - [Run it](#run-it)
+
+## Configuration
+
+|            Setting            |            Env var            |       Default value        |                                                             Description                                                             |
+| ----------------------------- | ----------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `otlp.traces.endpoint`        | `OTLP_TRACES_ENDPOINT`        |                            | OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/traces)                                                              |
+| `otlp.traces.protocol`        | `OTLP_TRACES_PROTOCOL`        | `http/protobuf` (from SDK) | OTLP Protocol: `http/protobuf`, `grpc`                                                                                              |
+| `otlp.traces.timeout`         | `OTLP_TRACES_TIMEOUT`         | `10000` (from SDK)         | Timeout value in milliseconds                                                                                                       |
+| `otlp.traces.headers`         | `OTLP_TRACES_HEADERS`         |                            | List of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value"                          |
+| `otlp.traces.synced`          | `OTLP_TRACES_SYNCED`          | `false`                    | Set to `true` if you want traces to be sent synchronously                                                                           |
+| `otlp.traces.minimumpriority` | `OTLP_TRACES_MINIMUMPRIORITY` | `""` (=`debug`)            | minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `otlp.traces.checkcert`       | `OTLP_TRACES_CHECKCERT`       | `false`                    | Set if you want to skip TLS certificate validation                                                                                  |
+| `otlp.traces.duration`        | `OTLP_TRACES_DURATION`        | `1000`                     | Artificial span duration in milliseconds (as Falco doesn't provide an ending timestamp)                                             |
+| `otlp.traces.extraenvvars`    | `OTLP_TRACES_EXTRAENVVARS`    |                            | Extra env vars (override the other settings)                                                                                        |
+
+> [!NOTE]
+For the extra Env Vars values see [standard `OTEL_*` environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/)
+
+> [!WARNING]
+If you use `grpc`, the endpoint format must be `http(s)://{domain or ip}:4318`
+If you use `http/protobuf`, the endpoint format must be `http(s)://{domain or ip}:4318/v1/traces`
+
+## Example of config.yaml
+
+```yaml
+otlp:
+  traces:
+    # endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/traces), if not empty, OTLP Traces output is enabled
+    # protocol: "" # OTLP protocol: http/protobuf, grpc (default: "" which uses SDK default: "http/protobuf")
+    # timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # synced: false # Set to true if you want traces to be sent synchronously (default: false)
+    # duration: 1000 # Artificial span duration in milliseconds (default: 1000)
+    # extraenvvars: # Extra env vars (override the other settings)
+      # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # checkcert: true # Set if you want to skip TLS certificate validation (default: true)
+```
+
+## Additional info
+
+> [!NOTE]
+The OTLP Traces are only available for the source: `syscalls`.
+
+> [!WARNING]
+Because of the way the OTEL SDK is structured, the OTLP outputs don't appear in the metrics (Prometheus, Statsd, ...) 
+and the error logs just specify `OTEL` as output.
+
+## Running a whole stack with docker-compose
+
+Below `docker-compose` file runs a stack of:
+
+- `falco`
+- `falcosidekick`
+- `events-generator` to generate arbitrary falco events
+- [Tempo](https://grafana.com/oss/tempo/) as OTLP traces backend
+- [Grafana](https://grafana.com/oss/grafana/) for visualization
+
+### Requirements
+
+A local Linux kernel capable of running `falco`--modern-bpf`, see
+<https://falco.org/blog/falco-modern-bpf/>.
+
+### Configuration files
+
+You need to create these files:
+
+- `./docker-compose.yaml`: minimal docker-compose configuration
+
+```yaml
+---
+version: "3.9"
+services:
+  falco:
+    image: falcosecurity/falco-no-driver:latest
+    privileged: true
+    command: "falco --modern-bpf -r /etc/falco/rules"
+    volumes:
+      - /var/run/docker.sock:/host/var/run/docker.sock
+      - /dev:/host/dev
+      - /proc:/host/proc:ro
+      - /boot:/host/boot:ro
+      - /lib/modules:/host/lib/modules:ro
+      - ./etc/falco:/etc/falco:ro
+
+  falcosidekick:
+    # Build from locally cloned repository
+    build: ../../../
+    volumes:
+      - ./etc/falco:/etc/falco:ro
+    command: -c /etc/falco/falcosidekick.yaml
+    ports:
+      - 2801:2801
+    environment:
+      - OTLP_TRACES_ENDPOINT=http://traces-backend:4318/v1/traces
+      - OTLP_HEADERS=X-Scope-OrgID=1
+      - OTLP_TRACES_SYNCED=true
+  traces-backend:
+    image: grafana/tempo:latest
+    ports:
+      - 4317
+      - 4318
+      - 3200
+    volumes:
+      - ./etc/tempo:/etc/tempo:ro
+    command: "-config.file /etc/tempo/config.yaml"
+    restart: always
+
+  grafana:
+    image: grafana/grafana:10.0.3
+    volumes:
+      - ./etc/grafana/provisioning:/etc/grafana/provisioning:ro
+    environment:
+      - GF_AUTH_ANONYMOUS_ENABLED=true
+      - GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
+      - GF_AUTH_DISABLE_LOGIN_FORM=true
+      - GF_FEATURE_TOGGLES_ENABLE=traceqlEditor
+    ports:
+      - "3000:3000"
+  event-generator:
+    image: falcosecurity/event-generator
+    command: run
+    restart: always
+  trigger:
+    image: alpine
+    command: ["sh", "-c", "while true; do cat /etc/shadow > /dev/null; sleep 5; done"]
+```
+
+- `./etc/falco/falco.yaml`: minimal falco configuration
+
+```yaml
+---
+debug: true
+outputs:
+  rate: 1
+  max_burst: 1000
+json_output: true
+http_output:
+  enabled: true
+  url: http://falcosidekick:2801
+  #url: http://172.17.0.1:2801
+  user_agent: "falcosecurity/falco"
+  # Tell Falco to not verify the remote server.
+  insecure: true
+
+plugins:
+  - name: json
+    library_path: libjson.so
+
+stdout_output:
+  enabled: true
+log_stderr: true
+
+syscall_buf_size_preset: 4
+```
+
+- `./etc/falco/rules/` folder: from upstream
+  <https://github.com/falcosecurity/rules.git>
+
+```shell
+mkdir -p ./etc/falco/upstream-rules
+git clone --depth 1 https://github.com/falcosecurity/rules/ ./etc/falco/upstream-rules
+ln -s upstream-rules/rules ./etc/falco/rules
+```
+
+- `./etc/grafana/provisioning/datasources/datasources.yaml`: provisioning Tempo
+  backend as Grafana datasource
+
+```yaml
+apiVersion: 1
+
+datasources:
+- name: Tempo
+  type: tempo
+  access: proxy
+  orgId: 1
+  url: http://traces-backend:3200
+  basicAuth: false
+  isDefault: true
+  version: 1
+  editable: false
+  apiVersion: 1
+  uid: tempo
+  jsonData:
+    httpMethod: GET
+    serviceMap:
+      datasourceUid: prometheus
+```
+
+- `./etc/tempo/config.yaml`: minimal tempo configuration
+
+```yaml
+---
+server:
+  http_listen_port: 3200
+
+distributor:
+  receivers:
+    otlp:
+      protocols:
+        http:
+        grpc:
+  log_received_spans:
+    enabled: true
+
+storage:
+  trace:
+    backend: local
+    local:
+      path: /tmp/tempo/blocks
+```
+
+### Run it
+
+To bring up the stack, and peek at how Grafana shows it:
+
+1. Bring up the stack
+
+  ```shell
+  docker-compose up
+  ```
+
+1. Navigate to <http://localhost:3000/> to start browsing the local Grafana UI
+
+1. Navigate to [/explore](http://localhost:3000/explore/), choose `Tempo` datasource, and query `{}`, or just click [here](http://localhost:3000/explore?orgId=1&left=%7B%22datasource%22:%22tempo%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22datasource%22:%7B%22type%22:%22tempo%22,%22uid%22:%22tempo%22%7D,%22queryType%22:%22traceql%22,%22limit%22:20,%22query%22:%22%7B%7D%22%7D%5D) for such already crafted query.
+   ![Grafana explore](images/otlp_traces-grafana_explore.png)
+
+1. Click on any of the shown traces on the left panel, you should see something
+   similar to the below attached screenshot.
+   ![Falco traces view](images/otlp_traces-traces_view.png)
+
+1. Bring down the stack
+
+  ```shell
+  docker-compose down
+  ```
--- a/docs/outputs/pagerduty.md
+++ b/docs/outputs/pagerduty.md
@ -0,0 +1,37 @@
+# PagerDuty
+
+- **Category**: Alerting
+- **Website**: https://pagerduty.com/
+
+## Table of content
+
+- [PagerDuty](#pagerduty)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                     | Env var                     | Default value    | Description                                                                                                                         |
+| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `pagerduty.routingkey`      | `PAGERDUTY_ROUTINGKEY`          |                  | Pagerduty Routing Key, if not empty, Pagerduty output is **enabled**                                                                |
+| `pagerduty.region`          | `PAGERDUTY_REGION`          | `us`             | Pagerduty Region (`us`, `eu`)                                                                                                       |
+| `pagerduty.minimumpriority` | `PAGERDUTY_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+pagerduty:
+  routingkey: "" # Pagerduty Routing Key, if not empty, Pagerduty output is enabled
+  region: "us" # Pagerduty Region, can be 'us' or 'eu' (default: us)
+  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/policy_report.md
+++ b/docs/outputs/policy_report.md
@ -0,0 +1,52 @@
+# Policy Report
+
+- **Category**: Other
+- **Website**: https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report/falco-adapter
+
+## Table of content
+
+- [Policy Report](#policy-report)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Installing Policy Report Custom Resource Definition (CRD)](#installing-policy-report-custom-resource-definition-crd)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|            Setting             |            Env var             |  Default value   |                                                             Description                                                             |
+| ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `policyreport.enabled`         | `POLICYREPORT_ENABLED`         |                  | If true; policyreport output is **enabled**                                                                                         |
+| `policyreport.kubeconfig`      | `POLICYREPORT_KUBECONFIG`      | `~/.kube/config` | Kubeconfig file to use (only if falcosidekick is running outside the cluster)                                                       |
+| `policyreport.falconamespace`  | `POLICYREPORT_FALCONAMESPACE`  |                  | Set the namespace where Falco is running (only if falcosidekick is running outside the cluster)                                     |
+| `policyreport.maxevents`       | `POLICYREPORT_MAXEVENTS`       | `1000`           | The max number of events that can be in a policyreport                                                                              |
+| `policyreport.minimumpriority` | `POLICYREPORT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+policyreport:
+  enabled: false  # if true; policyreport output is enabled
+  kubeconfig: "~/.kube/config"  # kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  falconamespace: ""  # set the namespace where Falco is running (only if falcosidekick is running outside the cluster)
+  maxevents: 1000 # the max number of events that can be in a policyreport (default: 1000)
+  minimumpriority: "debug" # events with a priority above this are mapped to fail in PolicyReport Summary and lower that those are mapped to warn (default="")
+```
+
+## Additional info
+
+### Installing Policy Report Custom Resource Definition (CRD)
+
+> [!WARNING]
+This output works only for the sources `syscalls` and `k8saudit`.
+
+> [!WARNING]
+Installation of the Policy Report Custom Resource Definition (CRD) is a prerequisite for using the Policy Report output.
+
+Information about how to find and install the CRD for the reports can be found [here](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report#installing). 
+
+## Screenshots
--- a/docs/outputs/prometheus.md
+++ b/docs/outputs/prometheus.md
@ -0,0 +1,36 @@
+# Prometheus
+
+- **Category**: Metrics / Observability
+- **Website**: https://prometheus.io/
+
+## Table of content
+
+- [Prometheus](#prometheus)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                  | Env var                  | Default value | Description                                                                                                    |
+| ------------------------ | ------------------------ | ------------- | -------------------------------------------------------------------------------------------------------------- |
+| `prometheus.extralabels` | `PROMETHEUS_EXTRALABELS` |               | Comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+prometheus:
+  # extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
+```
+
+## Additional info
+
+> [!NOTE]
+This output is used to collect metrics about Falco events and Falcosidekick outputs in prometheus format, scrape the endpoint `/metrics` to collect them.
+
+## Screenshots
--- a/Show More
+++ b/Show More