build(deps): bump docker/login-action in the actions group

Bumps the actions group with 1 update: [docker/login-action](https://github.com/docker/login-action). Updates `docker/login-action` from 3.4.0 to 3.5.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](74a5d14239...184bdaa072) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
build(deps): bump github.com/aws/aws-sdk-go-v2/service/lambda
2025-08-05 15:21:57 +02:00 · 2025-08-05 15:20:57 +02:00 · 2025-07-29 09:29:08 +02:00 · 2025-07-28 20:03:07 +02:00 · 2025-07-22 10:34:28 +02:00 · 2025-07-21 18:53:28 +02:00
245 changed files with 22518 additions and 2088 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,9 @@
+.circleci
+.github
+.golangci.yml
+_config.yml
+config_example.yaml
+*.md
+hack
+imgs
+OWNERS
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -0,0 +1,59 @@
+<!--  Thanks for sending a pull request!  Here are some tips for you:
+
+1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/master/CONTRIBUTING.md) file and learn how to compile Falco from source [here](https://falco.org/docs/source).
+2. Please label this pull request according to what type of issue you are addressing.
+3. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"
+-->
+
+**What type of PR is this?**
+
+> Uncomment one (or more) `/kind <>` lines:
+
+> /kind bug
+
+> /kind cleanup
+
+> /kind design
+
+> /kind documentation
+
+> /kind failing-test
+
+> /kind feature
+
+<!--
+Please remove the leading whitespace before the `/kind <>` you uncommented.
+-->
+
+**Any specific area of the project related to this PR?**
+
+> Uncomment one (or more) `/area <>` lines:
+
+> /area build
+
+> /area config
+
+> /area outputs
+
+> /area tests
+
+
+<!--
+Please remove the leading whitespace before the `/area <>` you uncommented.
+-->
+
+**What this PR does / why we need it**:
+
+**Which issue(s) this PR fixes**:
+
+<!--
+Automatically closes linked issue when PR is merged.
+Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
+If PR is `kind/failing-tests` or `kind/flaky-test`, please post the related issues/tests in a comment and do not use `Fixes`.
+-->
+
+Fixes #
+
+**Special notes for your reviewer**:
+
+
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,21 @@
+---
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      gomod:
+        update-types:
+          - "patch"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@ -0,0 +1,39 @@
+name: build-ci-images
+
+on:
+  pull_request:
+
+jobs:
+  build-image:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: '1.23'
+          check-latest: true
+          cache: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
+
+      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        with:
+          install-only: true
+
+      - name: run goreleaser-snapshot
+        run: |
+          make goreleaser-snapshot
+          docker images
+          docker run falcosecurity/falcosidekick:latest-amd64 --version
+          docker run public.ecr.aws/falcosecurity/falcosidekick:latest-amd64 --version
+        env:
+          GOPATH: /home/runner/go
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -0,0 +1,27 @@
+name: lint
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+  pull_request:
+
+permissions: read-all
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: '1.23'
+          cache: false
+          check-latest: true
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        with:
+          version: v1.61
+          args: --timeout=5m
--- a/.github/workflows/push-main.yml
+++ b/.github/workflows/push-main.yml
@ -0,0 +1,83 @@
+name: push-ci-images
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+
+jobs:
+  build-push-image:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: '1.23'
+          check-latest: true
+          cache: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+
+      - uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
+
+      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        with:
+          install-only: true
+
+      - name: run goreleaser-snapshot
+        run: |
+          make goreleaser-snapshot
+          docker images
+          docker run falcosecurity/falcosidekick:latest-amd64 --version
+          docker run public.ecr.aws/falcosecurity/falcosidekick:latest-amd64 --version
+        env:
+          GOPATH: /home/runner/go
+
+      # Push images to DockerHUB
+      - name: Login to Docker Hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_SECRET }}
+
+      - name: Push images to Dockerhub
+        run: |
+          docker push falcosecurity/falcosidekick:latest-amd64
+          docker push falcosecurity/falcosidekick:latest-arm64
+          docker push falcosecurity/falcosidekick:latest-armv7
+          docker manifest create --amend falcosecurity/falcosidekick:latest falcosecurity/falcosidekick:latest-amd64 \
+            falcosecurity/falcosidekick:latest-arm64 falcosecurity/falcosidekick:latest-armv7
+          docker manifest push --purge falcosecurity/falcosidekick:latest
+
+      # Push images to AWS Public ECR
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+        with:
+          role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        with:
+          registry-type: public
+
+      - run: |
+          docker push public.ecr.aws/falcosecurity/falcosidekick:latest-amd64
+          docker push public.ecr.aws/falcosecurity/falcosidekick:latest-arm64
+          docker push public.ecr.aws/falcosecurity/falcosidekick:latest-armv7
+          docker manifest create --amend public.ecr.aws/falcosecurity/falcosidekick:latest public.ecr.aws/falcosecurity/falcosidekick:latest-amd64 \
+            public.ecr.aws/falcosecurity/falcosidekick:latest-arm64 public.ecr.aws/falcosecurity/falcosidekick:latest-armv7
+          docker manifest push --purge public.ecr.aws/falcosecurity/falcosidekick:latest
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,99 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+concurrency: release
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+
+jobs:
+  release:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+      tag_name: ${{ steps.tag.outputs.tag_name }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: '1.23'
+          check-latest: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+
+      - uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
+
+      # Push images to DockerHUB
+      - name: Login to Docker Hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_SECRET }}
+
+      # Push images to AWS Public ECR
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+        with:
+          role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        with:
+          registry-type: public
+
+      - name: Set LDFLAGS
+        id: ldflags
+        run: |
+           source ./release/ldflags.sh
+           goflags=$(ldflags)
+           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
+
+      - name: Set tag output
+        id: tag
+        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
+
+      - name: Run GoReleaser
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        with:
+          version: latest
+          args: release --clean --timeout 120m --parallelism 1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LDFLAGS: ${{ env.GO_FLAGS }}
+          GOPATH: /home/runner/go
+
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: [release]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
+      upload-tag-name: "${{ needs.release.outputs.tag_name }}"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -0,0 +1,24 @@
+name: tests
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  unit-tests:
+    name: Run unit tests
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: '1.23'
+          check-latest: true
+          cache: true
+      - name: Run Go tests
+        run: make test
--- a/.gitignore
+++ b/.gitignore
@ -10,3 +10,14 @@

 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
+
+falcosidekick
+/config.yaml
+.env
+.vscode
+.idea
+*.swp
+/hack/tools/bin/*
+
+tmp/
+dist/
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,20 @@
+run:
+  timeout: 5m
+issues:
+  exclude-files:
+    - "zz_generated.*\\.go$"
+linters:
+  disable-all: true
+  enable:
+    - goconst
+    - gofmt
+    - gosec
+    - govet
+    - ineffassign
+    - misspell
+    - nakedret
+    - prealloc
+    - unconvert
+    - unused
+  # Run with --fast=false for more extensive checks
+  fast: true
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -0,0 +1,158 @@
+version: 2
+
+project_name: falcosidekick
+
+env:
+  - GO111MODULE=on
+  - DOCKER_CLI_EXPERIMENTAL=enabled
+  - DOCKER_BUILDKIT=1
+  - BUILDX_PLATFORMS=linux/amd64,linux/arm64,linux/arm/v7
+  - COSIGN_YES=true
+
+snapshot:
+  version_template: 'latest'
+
+checksum:
+  name_template: 'checksums.txt'
+
+# Prevents parallel builds from stepping on each others toes downloading modules
+before:
+  hooks:
+    - go mod tidy
+    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+
+# gomod:
+#   proxy: true
+
+sboms:
+  - artifacts: archive
+
+builds:
+  - id: "falcosidekick"
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    goarm:
+      - '7'
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    ldflags:
+      - "{{ .Env.LDFLAGS }}"
+    binary: falcosidekick
+
+dockers:
+  - goos: linux
+    goarch: amd64
+    dockerfile: Dockerfile
+    use: buildx
+    image_templates:
+      - "falcosecurity/falcosidekick:stable-amd64"
+      - "falcosecurity/falcosidekick:{{ .Version }}-amd64"
+      - "public.ecr.aws/falcosecurity/falcosidekick:stable-amd64"
+      - "public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-amd64"
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.name={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--platform=linux/amd64"
+    extra_files:
+      - LICENSE
+
+  - goos: linux
+    goarch: arm64
+    dockerfile: Dockerfile
+    use: buildx
+    image_templates:
+      - "falcosecurity/falcosidekick:stable-arm64"
+      - "falcosecurity/falcosidekick:{{ .Version }}-arm64"
+      - "public.ecr.aws/falcosecurity/falcosidekick:stable-arm64"
+      - "public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-arm64"
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.name={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--platform=linux/arm64"
+    extra_files:
+      - LICENSE
+
+  - goos: linux
+    goarch: arm
+    goarm: '7'
+    dockerfile: Dockerfile
+    use: buildx
+    image_templates:
+      - "falcosecurity/falcosidekick:stable-armv7"
+      - "falcosecurity/falcosidekick:{{ .Version }}-armv7"
+      - "public.ecr.aws/falcosecurity/falcosidekick:stable-armv7"
+      - "public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-armv7"
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.name={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--platform=linux/arm/v7"
+    extra_files:
+      - LICENSE
+
+docker_manifests:
+  - name_template: 'falcosecurity/falcosidekick:stable'
+    image_templates:
+      - 'falcosecurity/falcosidekick:stable-amd64'
+      - 'falcosecurity/falcosidekick:stable-arm64'
+      - 'falcosecurity/falcosidekick:stable-armv7'
+  - name_template: 'falcosecurity/falcosidekick:{{ .Version }}'
+    image_templates:
+      - 'falcosecurity/falcosidekick:{{ .Version }}-amd64'
+      - 'falcosecurity/falcosidekick:{{ .Version }}-arm64'
+      - 'falcosecurity/falcosidekick:{{ .Version }}-armv7'
+  - name_template: 'public.ecr.aws/falcosecurity/falcosidekick:stable'
+    image_templates:
+      - 'public.ecr.aws/falcosecurity/falcosidekick:stable-amd64'
+      - 'public.ecr.aws/falcosecurity/falcosidekick:stable-arm64'
+      - 'public.ecr.aws/falcosecurity/falcosidekick:stable-armv7'
+  - name_template: 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}'
+    image_templates:
+      - 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-amd64'
+      - 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-arm64'
+      - 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-armv7'
+
+signs:
+  - id: falcosidekick
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
+    artifacts: archive
+  - id: checksum
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
+    artifacts: checksum
+
+docker_signs:
+  - id: falcosidekick
+    cmd: cosign
+    args: ["sign", "--recursive", "${artifact}"]
+    artifacts: manifests
+    output: true
+
+release:
+  github:
+    owner: falcosecurity
+    name: falcosidekick
+  prerelease: auto
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,8 +1,403 @@
 # Changelog

+## 2.31.1 - 2025-02-04
+#### Fix
+- Fix error while closing the writer for `GCPStorage` ([PR#1116](https://github.com/falcosecurity/falcosidekick/pull/1116) thanks to [@chanukya-yekollu-exa](https://github.com/chanukya-yekollu-exa))
+
+## 2.31.0 - 2025-02-03
+#### New
+- New output: **OTLP Logs** ([PR#1109](https://github.com/falcosecurity/falcosidekick/pull/1109))
+
+#### Enhancement
+- Add the namespace and the pod name as labels by default in `Loki` payload ([PR#1087](https://github.com/falcosecurity/falcosidekick/pull/1087) thanks to [@afreyermuth98](https://github.com/afreyermuth98))
+- Allow to set the format for the `Loki` payload to JSON ([PR#1091](https://github.com/falcosecurity/falcosidekick/pull/1091))
+- Allow to set a template for the subjets for `NATS`/`STAN` outputs ([PR#1099](https://github.com/falcosecurity/falcosidekick/pull/1099))
+- Improve the logger with a generic and extensible method ([PR#1102](https://github.com/falcosecurity/falcosidekick/pull/1102))
+
+#### Fix
+- Remove forgotten debug line ([PR#1088](https://github.com/falcosecurity/falcosidekick/pull/1088))
+- Fix missing templated fields as labls in `Loki` payload ([PR#1091](https://github.com/falcosecurity/falcosidekick/pull/1091))
+- Fix creation error of `ClusterPolicyReports` ([PR#1100](https://github.com/falcosecurity/falcosidekick/pull/100))
+- Fix missing custom headers for HTTP requests for `Loki` ([PR#1107](https://github.com/falcosecurity/falcosidekick/pull/1107) thanks to [@lsroe](https://github.com/lsroe))
+- Fix wrong key format for `Prometheus` format ([PR#1110](https://github.com/falcosecurity/falcosidekick/pull/1110) thanks to [@rubensf](https://github.com/rubensf))
+
+## 2.30.0 - 2024-11-28
+#### New
+- New output: **Webex** ([PR#979](https://github.com/falcosecurity/falcosidekick/pull/979) thanks to [@k0rventen](https://github.com/k0rventen))
+- New output: **OTLP Metrics** ([PR#1012](https://github.com/falcosecurity/falcosidekick/pull/1012) thanks to [@ekoops](https://github.com/ekoops))
+- New output: **Datadog Logs** ([PR#1052](https://github.com/falcosecurity/falcosidekick/pull/1052) thanks to [@yohboy](https://github.com/yohboy))
+
+#### Enhancement
+- Reuse of the http client for 3-4x increase of the throughput ([PR#962](https://github.com/falcosecurity/falcosidekick/pull/962) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Improve outputs throughput handling ([PR#966](https://github.com/falcosecurity/falcosidekick/pull/966) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Batching and gzip compression for the `Elastticsearch` output ([PR#967](https://github.com/falcosecurity/falcosidekick/pull/967) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Use the same convention for the Prometheus metrics than Falco ([PR#995](https://github.com/falcosecurity/falcosidekick/pull/995))
+- Add `APIKey` for `Elasticsearch` output ([PR#980](https://github.com/falcosecurity/falcosidekick/pull/980) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Add `Pipeline` configuration for `Elasticsearch` output ([PR#981](https://github.com/falcosecurity/falcosidekick/pull/981 ) thanks to [@alekmaus](https://github.com/aleksmaus))
+- Add `MessageThreadID` configuration in `Telegram` output ([PR#1008](https://github.com/falcosecurity/falcosidekick/pull/1008) thanks to [@vashian](https://github.com/vashian))
+- Support multi-architecture in build ([PR#1024](https://github.com/falcosecurity/falcosidekick/pull/1024) thanks to [@nickytd](https://github.com/nickytd))
+- Add `falco` as source for the `Datadog Events` ([PR#1043](https://github.com/falcosecurity/falcosidekick/pull/1043) thanks to [@maxd-wttj](https://github.com/maxd-wttj))
+- Support `AlertManager` output in HA mode ([PR#1051](https://github.com/falcosecurity/falcosidekick/pull/1051))
+
+#### Fix
+- Fix `PolicyReports` created in the same namespace than previous event ([PR#978](https://github.com/falcosecurity/falcosidekick/pull/978))
+- Fix missing `customFields/extraFields` in the `Elasticsearch` payload ([PR#1033](https://github.com/falcosecurity/falcosidekick/pull/1033))
+- Fix incorrect key name for `CloudEvent` spec attribute ([PR#1051](https://github.com/falcosecurity/falcosidekick/pull/1051))
+
+> [!WARNING]
+> Breaking change: The Prometheus metrics have different names from this release, it might break the queries for the dashboards and alerts.
+
+## 2.29.0 - 2024-07-01
+#### New
+- New output: **Dynatrace** ([PR#575](https://github.com/falcosecurity/falcosidekick/pull/575) thanks to [@blu3r4y](https://github.com/blu3r4y))
+- New output: **OTLP Traces** ([PR#613](https://github.com/falcosecurity/falcosidekick/pull/613) thanks to [@jjo](https://github.com/jjo))
+- New output: **Sumologic** ([PR#656](https://github.com/falcosecurity/falcosidekick/pull/656) thanks to [@mencarellic](https://github.com/mencarellic))
+- New output: **Quickwit** ([PR#736](https://github.com/falcosecurity/falcosidekick/pull/736) thanks to [@idrissneumann](https://github.com/idrissneumann))
+- New output: **Falco Talon** ([PR#929](https://github.com/falcosecurity/falcosidekick/pull/929))
+
+#### Enhancement
+- Add global TLS config ([PR#588](https://github.com/falcosecurity/falcosidekick/pull/588) thanks to [@ibice](https://github.com/ibice))
+- Add `source` as label for `Prometheus` metrics ([PR#665](https://github.com/falcosecurity/falcosidekick/pull/665))
+- Better logs when TLS is enabled ([PR#668](https://github.com/falcosecurity/falcosidekick/pull/668))
+- Add test for utils sorting function ([PR#694](https://github.com/falcosecurity/falcosidekick/pull/694) thanks to [@stevemcquaid](https://github.com/stevemcquaid))
+- Refactor of the `InitClient` ([PR#765](https://github.com/falcosecurity/falcosidekick/pull/765) thanks to [@idrissneumann](https://github.com/idrissneumann))
+- Allow to use alternative endpoints for the `AWS S3` output ([PR#791](https://github.com/falcosecurity/falcosidekick/pull/791) thanks to [@gysel](https://github.com/gysel))
+- Consistent order for the `output_fields` and `tags` ([PR#802](https://github.com/falcosecurity/falcosidekick/pull/802))
+- Allow to add custom headers for `AlertManager` output ([PR#827](https://github.com/falcosecurity/falcosidekick/pull/827) thanks to [@Umaaz](https://github.com/Umaaz))
+- Add more checks for the `GCP Storage` output ([PR#858](https://github.com/falcosecurity/falcosidekick/pull/858))
+- Possibility to create an index template for the `Elasticsearch` output ([PR#868](https://github.com/falcosecurity/falcosidekick/pull/868))
+- Possibility to "flatten" the `output_fields` (replace `.` by `_`) for the `Elasticsearch` output to avoid mapping conflicts ([PR#868](https://github.com/falcosecurity/falcosidekick/pull/868))
+- Truncate the fields with a length > 512 chars to avoid rejection from some outputs ([PR#871](https://github.com/falcosecurity/falcosidekick/pull/871))
+- Change the license to Apache 2.0 ([PR#882](https://github.com/falcosecurity/falcosidekick/pull/882) thanks to [@leogr](https://github.com/leogr))
+- Revamp the `PolicyReport` output ([PR#899](https://github.com/falcosecurity/falcosidekick/pull/899))
+- New parameter `outputFieldFormat` to modify on the fly the format of the `output` field ([PR#901](https://github.com/falcosecurity/falcosidekick/pull/901))
+
+#### Fix
+- Fix missing root CA for the `Kafka` output ([PR#581](https://github.com/falcosecurity/falcosidekick/pull/581) thanks to [@claviola](https://github.com/claviola))
+- Fix bug with the extension `source` in the `CloudEvent` output ([PR#587](https://github.com/falcosecurity/falcosidekick/pull/587))
+- Fix panics in the `Prometheus` output when `hostname` field is missing ([PR#628](https://github.com/falcosecurity/falcosidekick/pull/628))
+- Remove refs to deprecated `ioutil` modules ([PR#639](https://github.com/falcosecurity/falcosidekick/pull/639) thanks to [@testwill](https://github.com/testwill))
+- Fix locks in the `Loki` output ([PR#647](https://github.com/falcosecurity/falcosidekick/pull/647) thanks to [@bsod90](https://github.com/bsod90))
+- Split the docs for the outputs into multiple files ([PR#648](https://github.com/falcosecurity/falcosidekick/pull/648))
+- Fix mTLS client verification failures due to missing ClientCAs ([PR#666](https://github.com/falcosecurity/falcosidekick/pull/666) thanks to [@jgmartinez](https://github.com/jgmartinez))
+- Fix wrong env var for pagerduty output ([PR#682](https://github.com/falcosecurity/falcosidekick/pull/682))
+- Remove hard settings for usernames in `Mattermost` and `Rocketchat` ([PR#731](https://github.com/falcosecurity/falcosidekick/pull/731))
+- Fix multi lines json in the error lines ([PR#764](https://github.com/falcosecurity/falcosidekick/pull/764) thanks to [@idrissneumann](https://github.com/idrissneumann))
+- Fix duplicated custom headers in clients ([PR#801](https://github.com/falcosecurity/falcosidekick/pull/801), [PR#857](https://github.com/falcosecurity/falcosidekick/pull/857))
+- Fix the labels for the `AlertManager` output ([PR#870](https://github.com/falcosecurity/falcosidekick/pull/870) thanks to [@Umaaz](https://github.com/Umaaz))
+
+## 2.28.0 - 2023-07-18
+#### New
+- New output: **Redis** ([PR#396](https://github.com/falcosecurity/falcosidekick/pull/396) thanks to [@pandyamarut](https://github.com/pandyamarut))
+- New output: **Telegram** ([PR#431](https://github.com/falcosecurity/falcosidekick/pull/431) thanks to [@zufardhiyaulhaq](https://github.com/zufardhiyaulhaq))
+- New output: **N8N** ([PR#462](https://github.com/falcosecurity/falcosidekick/pull/462))
+- New output: **Grafana OnCall** ([PR#470](https://github.com/falcosecurity/falcosidekick/pull/470))
+- New output: **OpenObserve** ([PR#509](https://github.com/falcosecurity/falcosidekick/pull/509))
+
+#### Enhancement
+- Add `output` in the description annotation for `AlertManager` output ([PR#341](https://github.com/falcosecurity/falcosidekick/pull/478))
+- Allow to set the http method for `Webhook` output ([PR#399](https://github.com/falcosecurity/falcosidekick/pull/399))
+- Add `hostname` as prometheus label ([PR#420](https://github.com/falcosecurity/falcosidekick/pull/420) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Allow to replace the brackets ([PR#421](https://github.com/falcosecurity/falcosidekick/pull/421))
+- Allow to set custom http headers for `Loki`, `Elasticsearch` and `Grafana` outputs ([PR#428](https://github.com/falcosecurity/falcosidekick/pull/428))
+- Add `hostname`, `tags`, `custom` and `templated fields` for `TimescaleDB` output ([PR#438](https://github.com/falcosecurity/falcosidekick/pull/438) thanks to [@hileef](https://github.com/hileef))
+- Allow to set thresholds for the dropped events in `AlertManager` ouput ([PR#439](https://github.com/falcosecurity/falcosidekick/pull/439) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Match the `priority` with `AlertManager` severity label ([PR#440](https://github.com/falcosecurity/falcosidekick/pull/440) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Add `rolearn` and `externalid` for the assume role for `AWS` outputs ([PR#494](https://github.com/falcosecurity/falcosidekick/pull/494))
+- Allow to set the `region` for `PagerDuty` output ([PR#500](https://github.com/falcosecurity/falcosidekick/pull/500))
+- Add TLS option + rewrite send method for the `SMTP` output ([PR#502](https://github.com/falcosecurity/falcosidekick/pull/502))
+- Add attributes to `GCP PubSub` messages ([PR#505](https://github.com/falcosecurity/falcosidekick/pull/505) thanks to [@annadorottya](https://github.com/annadorottya))
+- Add option for TLS and mTLS for the server ([PR#508](https://github.com/falcosecurity/falcosidekick/pull/508) thanks to [@annadorottya](https://github.com/annadorottya))
+- Add setting to auto create the `Kafka` topic ([PR#554](https://github.com/falcosecurity/falcosidekick/pull/554))
+- Add option to deploy a HTTP only server for specific endpoints ([PR#565](https://github.com/falcosecurity/falcosidekick/pull/565) thanks to [@annadorottya](https://github.com/annadorottya))
+- Support multiple bootstrap servers for `Kafka` output ([PR#571](https://github.com/falcosecurity/falcosidekick/pull/571) thanks to [@ibice](https://github.com/ibice))
+- Add option for TLS for `Kafka` output ([PR#574](https://github.com/falcosecurity/falcosidekick/pull/574))
+
+#### Fix
+- Fix error handling in `AWS Security Lake` output ([PR#390](https://github.com/falcosecurity/falcosidekick/pull/390))
+- Fix breaking brackets in `AWS SNS` messages ([PR#419](https://github.com/falcosecurity/falcosidekick/pull/419))
+- Fix setting name for the table of `TimescaleDB` output ([PR#426](https://github.com/falcosecurity/falcosidekick/pull/426) thanks to [@alika](https://github.com/alika))
+- Fix cardinality issue with prometheus labels ([PR#427](https://github.com/falcosecurity/falcosidekick/pull/427))
+- Fix panic when assert output fields which are nil ([PR#429](https://github.com/falcosecurity/falcosidekick/pull/429))
+- Fix dependencies for `Wavefront` output ([PR#432](https://github.com/falcosecurity/falcosidekick/pull/432))
+- Fix key pattern for `AWS Security Lake` output ([PR#447](https://github.com/falcosecurity/falcosidekick/pull/447))
+- Fix default settings for `Telegram` output ([PR#495](https://github.com/falcosecurity/falcosidekick/pull/495) thanks to [@schfkt](https://github.com/schfkt))
+- Fix URL generation for `Spyderbat` output ([PR#506](https://github.com/falcosecurity/falcosidekick/pull/506) thanks to [@bc-sb](https://github.com/bc-sb))
+- Fix nil values in `Spyderbat` output ([PR#527](https://github.com/falcosecurity/falcosidekick/pull/527) thanks to [@spider-guy](https://github.com/spider-guy))
+- Fix duplicated headers in `SMTP` output ([PR#528](https://github.com/falcosecurity/falcosidekick/pull/528) thanks to [@apsega](https://github.com/apsega))
+- Fix missing trim for names and values of labels for `AlertManager` output ([PR#563](https://github.com/falcosecurity/falcosidekick/pull/563) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Fix missing returned errors for `Kafka` output ([PR#573](https://github.com/falcosecurity/falcosidekick/pull/573))
+
+## 2.27.0 - 2022-12-13
+#### New
+- New output: **Yandex Data Streams** ([PR#336](https://github.com/falcosecurity/falcosidekick/pull/336) thanks to [@preved911](https://github.com/preved911))
+- New output: **Node-Red** ([PR#337](https://github.com/falcosecurity/falcosidekick/pull/337))
+- New output: **MQTT** ([PR#338](https://github.com/falcosecurity/falcosidekick/pull/338))
+- Templated fields: custom fields generated with Go templates ([PR#350](https://github.com/falcosecurity/falcosidekick/pull/350))
+- New output: **Zincsearch** ([PR#360](https://github.com/falcosecurity/falcosidekick/pull/360))
+- New output: **Gotify** ([PR#362](https://github.com/falcosecurity/falcosidekick/pull/362))
+- New output: **Spyderbat** ([PR#368](https://github.com/falcosecurity/falcosidekick/pull/368) thanks to [@spyder-kyle](https://github.com/spyder-kyle))
+- New output: **Tekton** ([PR#371](https://github.com/falcosecurity/falcosidekick/pull/371))
+- New output: **TimescaleDB** ([PR#378](https://github.com/falcosecurity/falcosidekick/pull/378) thanks to [@jagretti](https://github.com/jagretti))
+- New output: **AWS Security Lake** ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387))
+
+#### Enhancement
+- `SMTP` output now uses any SASL auth mechanism ([PR#341](https://github.com/falcosecurity/falcosidekick/pull/341) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Bind `Policy Reports` to Namespace by `ownerReference` ([PR#346](https://github.com/falcosecurity/falcosidekick/pull/346))
+- Add extra labels and annotations for `AlertManager` payloads ([PR#347](https://github.com/falcosecurity/falcosidekick/pull/347) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Update default type for `Elasticsearch` documents ([PR#349](https://github.com/falcosecurity/falcosidekick/pull/349))
+- Support env vars in custom fields ([PR#353](https://github.com/falcosecurity/falcosidekick/pull/353))
+- Update format + default endpoint for `Loki` output ([PR#356](https://github.com/falcosecurity/falcosidekick/pull/356))
+- Determine resource names + owner ref for `Policy Reports` ([PR#358](https://github.com/falcosecurity/falcosidekick/pull/358))
+- Update `Influxdb` output to use API Token and /api/v2 endpoint ([PR#359](https://github.com/falcosecurity/falcosidekick/pull/359))
+- Allow to override the `Slack` channel ([PR#366](https://github.com/falcosecurity/falcosidekick/pull/366))
+- Add From, To and Date headers in `SMTP` payload ([PR#364](https://github.com/falcosecurity/falcosidekick/pull/364))
+- Improve the check of the payload from `Falco`, it allows now to have an empty output ([PR#372](https://github.com/falcosecurity/falcosidekick/pull/372))
+- Allow to set user and api key for `Loki` output for `Grafana Logs` ([PR#379](https://github.com/falcosecurity/falcosidekick/pull/379))
+- Add `hostname` in json payload for all outputs ([PR#383](https://github.com/falcosecurity/falcosidekick/pull/383) thanks to [@Lowaiz](https://github.com/Lowaiz))
+- Add SASL authentication for `Kafka` output ([PR#385](https://github.com/falcosecurity/falcosidekick/pull/385) thanks to [@Lowaiz](https://github.com/Lowaiz)) and [@lyoung-confluent](https://github.com/lyoung-confluent))
+- Support CEF format for `Syslog` output ([PR#386](https://github.com/falcosecurity/falcosidekick/pull/386))
+- Allow to disable STS check for `AWS` output ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387))
+
+#### Fix
+- Fix `priority` label was replaced by `source` in `AlertManager` payload ([PR#340](https://github.com/falcosecurity/falcosidekick/pull/340) thanks to [@tks98](https://github.com/tks98))
+- Fix missing cert checks + fix inverted logic to use them in codebase ([PR#345](https://github.com/falcosecurity/falcosidekick/pull/345))
+- Fix race condition when headers are added to POST requests ([PR#380](https://github.com/falcosecurity/falcosidekick/pull/380) thanks to [@bc-sb](https://github.com/bc-sb))
+
+## 2.26.0 - 2022-06-18
+#### Enhancement
+- Add `expiresafter` for *AlertManager* output ([PR#323](https://github.com/falcosecurity/falcosidekick/pull/323) thanks to [@anushkamittal20](https://github.com/anushkamittal20))
+- Add `extralabels` for *Loki* and *Prometheus* outputs which allow to set fields to use as labels additionally to `rule`, `source`, `priority`, `tags` and `customfields` ([PR#327](https://github.com/falcosecurity/falcosidekick/pull/327))
+#### Fix
+- Fix *Panic* for Prometheus metrics when `customfields` are set ([PR#333](https://github.com/falcosecurity/falcosidekick/pull/333))
+
+## 2.25.0 - 2022-05-12
+#### New
+- New output: **Policy Report** ([PR#256](https://github.com/falcosecurity/falcosidekick/pull/256) thanks to [@anushkamittal20](https://github.com/anushkamittal20))
+- New output: **Syslog** ([PR#272](https://github.com/falcosecurity/falcosidekick/pull/272) thanks to [@bdluca](https://github.com/bdluca))
+- New output: **AWS Kinesis** ([PR#277](https://github.com/falcosecurity/falcosidekick/pull/277) thanks to [@gauravgahlot](https://github.com/gauravgahlot))
+- New output: **Zoho Cliq** ([PR#301](https://github.com/falcosecurity/falcosidekick/pull/301) thanks to [@averni](https://github.com/averni))
+- Images and Binaries for *arm* and *arm64* ([PR#288](https://github.com/falcosecurity/falcosidekick/pull/288))
+- Sign artifacts with *cosign* ([PR#302](https://github.com/falcosecurity/falcosidekick/pull/302))
+#### Enhancement
+- Add CI steps to push images into AWS ECR ([PR#270](https://github.com/falcosecurity/falcosidekick/pull/270) thanks to [@maxgio92](https://github.com/maxgio92))
+- Allow to choose API endpoint for *AlertManager* ([PR#282](https://github.com/falcosecurity/falcosidekick/pull/282) thanks to [@mathildeHermet](https://github.com/maxgiomathildeHermet92))
+- Add label `priority` in *AlertManager* events ([PR#276](https://github.com/falcosecurity/falcosidekick/pull/276))
+- Update Golang + GolangCI-Lint ([PR#289](https://github.com/falcosecurity/falcosidekick/pull/289) [PR#292](https://github.com/falcosecurity/falcosidekick/pull/292))
+- Add version info ([PR#290](https://github.com/falcosecurity/falcosidekick/pull/290))
+- Update image base to alpine 3.15 ([PR#291](https://github.com/falcosecurity/falcosidekick/pull/291))
+- Increase CircleCI timeout ([PR#293](https://github.com/falcosecurity/falcosidekick/pull/293))
+- Support *IRSA* for AWS authentication ([PR#295](https://github.com/falcosecurity/falcosidekick/pull/295) thanks to [@VariableExp0rt](https://github.com/VariableExp0rt))
+- Add *tenant* for *Loki* output ([PR#308](https://github.com/falcosecurity/falcosidekick/pull/308) thanks to [@JGodin-C2C](https://github.com/JGodin-C2C))
+- Upgrade endpoint for *Loki* ([PR#309](https://github.com/falcosecurity/falcosidekick/pull/309) thanks to [@JGodin-C2C](https://github.com/JGodin-C2C))
+- Add `tags` and `source` in events for all outputs ([PR#310](https://github.com/falcosecurity/falcosidekick/pull/310))
+- Add `custom_fields` to *Prometheus* series ([PR#314](https://github.com/falcosecurity/falcosidekick/pull/314) thanks to [@LyvingInSync](https://github.com/LyvingInSync))
+- Update CircleCI jobs ([PR#316](https://github.com/falcosecurity/falcosidekick/pull/316))
+#### Fix
+- Fix *OpsGenie* output when keys have "." ([PR#287](https://github.com/falcosecurity/falcosidekick/pull/287))
+- Fix typo in README ([PR#299](https://github.com/falcosecurity/falcosidekick/pull/299) thanks to [@oleg-nenashev](https://github.com/oleg-nenashev))
+- Fix *GCS* writer not closed ([PR#312](https://github.com/falcosecurity/falcosidekick/pull/312) thanks to [@Milkshak3s](https://github.com/Milkshak3s))
+
+## 2.24.0 - 2021-08-13
+#### New
+- New output: **Grafana** ([PR#254](https://github.com/falcosecurity/falcosidekick/pull/254))
+- New output: **Fission** ([PR#255](https://github.com/falcosecurity/falcosidekick/pull/255) thanks to [@gauravgahlot](https://github.com/gauravgahlot))
+- New output: **Yandex Cloud S3** ([PR#261](https://github.com/falcosecurity/falcosidekick/pull/261) thanks to [@nar3k](https://github.com/nar3k))
+- New output: **Kafka REST** ([PR#263](https://github.com/falcosecurity/falcosidekick/pull/263) thanks to [@dirien](https://github.com/dirien))
+#### Enhancement
+- Set header `x-amz-acl` to `bucket-owner-full-control` for output `AWS S3` ([PR#264](https://github.com/falcosecurity/falcosidekick/pull/264) thanks to [@Kaizhe](https://github.com/Kaizhe))
+- Docker image is now available on [`AWS ECR Public Gallery`](https://gallery.ecr.aws/falcosecurity/falcosidekick) ([PR#265](https://github.com/falcosecurity/falcosidekick/pull/265) thanks to [@maxgio92](https://github.com/maxgio92))
+
+## 2.23.1 - 2021-06-23
+#### Fix
+- Fix memory leak with `AddHeaders` method ([PR#252](https://github.com/falcosecurity/falcosidekick/pull/252) thanks to [@distortedsignal](https://github.com/distortedsignal))
+
+## 2.23.0 - 2021-06-23
+#### New
+- New output: **Wavefront** ([PR#229](https://github.com/falcosecurity/falcosidekick/pull/229) thanks to [@rikatz](https://github.com/rikatz))
+- New output: **GCP Cloud Functions** ([PR#241](https://github.com/falcosecurity/falcosidekick/pull/241))
+- New output: **GCP Cloud Run** ([PR#243](https://github.com/falcosecurity/falcosidekick/pull/243))
+- Allow MutualTLS for some outputs ([PR#231](https://github.com/falcosecurity/falcosidekick/pull/231) thanks to [@jasiam](https://github.com/jasiam))
+- Allow *Workload identity* for *GCP* output ([PR#235](https://github.com/falcosecurity/falcosidekick/pull/235) thanks to [@cartyc](https://github.com/cartyc))
+- Add basic auth for *Elasticsearch* output ([PR#245](https://github.com/falcosecurity/falcosidekick/pull/245) thanks to [@distortedsignal](https://github.com/distortedsignal))
+#### Enhancement
+- Reorder fields in *Slack*t, *RocketChat* and *Mattermost* outputs + sort `customer_fields` alphabetically ([PR#226](https://github.com/falcosecurity/falcosidekick/pull/226))
+- Set default values for *OpenFaas* output ([PR#232](https://github.com/falcosecurity/falcosidekick/pull/232))
+- Re-use session for *AWS* output instead of deprecated `session.New()` ([PR#238](https://github.com/falcosecurity/falcosidekick/pull/238) thanks to [@dchoy](https://github.com/dchoy))
+- Reorganize management of headers for outputs ([PR#245](https://github.com/falcosecurity/falcosidekick/pull/245) thanks to [@distortedsignal](https://github.com/distortedsignal))
+#### Fix
+- Fix init of **DogstatsD** output ([PR#227](https://github.com/falcosecurity/falcosidekick/pull/227))
+- Remove duplicated logs + fix some of prefixes ([PR#228](https://github.com/falcosecurity/falcosidekick/pull/228))
+- Fif *S3* output when "Default encryption" setting is disabled ([PR#242](https://github.com/falcosecurity/falcosidekick/pull/242) thanks to [@Kaizhe](https://github.com/Kaizhe))
+
+## 2.22.0 - 2021-04-06
+#### New
+- New output: **AWS S3** ([PR#195](https://github.com/falcosecurity/falcosidekick/pull/195) thanks to [@evalsocket](https://github.com/evalsocket))
+- New output: **GCP Storage** ([PR#202](https://github.com/falcosecurity/falcosidekick/pull/202) thanks to [@evalsocket](https://github.com/evalsocket))
+- New output: **RabbitMQ** ([PR#210](https://github.com/falcosecurity/falcosidekick/pull/210) thanks to [@evalsocket](https://github.com/evalsocket))
+- New output: **OpenFaas** ([PR#208](https://github.com/falcosecurity/falcosidekick/pull/208) thanks to [@developper-guy](https://github.com/developper-guy))
+#### Enhancement
+- Use higher level Writer api for **Kafka** ([PR#206](https://github.com/falcosecurity/falcosidekick/pull/206) thanks to [@zemek](https://github.com/zemek))
+- Reorder *imports* to follow good practices ([PR#205](https://github.com/falcosecurity/falcosidekick/pull/205))
+- Prevent misleading error message when *CUSTOMFIELDS* env var is set ([PR#201](https://github.com/falcosecurity/falcosidekick/pull/201) thanks to [@zemek](https://github.com/zemek))
+- Use *Events v2* API for **PagerDuty** output ([PR#200](https://github.com/falcosecurity/falcosidekick/pull/200) thanks to [@caWhite](https://github.com/caWhite))
+#### Fix
+- Fix *outputformat* when using fields or text in **Slack** output ([PR#204](https://github.com/falcosecurity/falcosidekick/pull/204))
+- Fix HTML template for **SMTP** output ([PR#199](https://github.com/falcosecurity/falcosidekick/pull/199))
+
+## 2.21.0 - 2021-02-12
+#### New
+- New output: **Cloud Events** ([PR#169](https://github.com/falcosecurity/falcosidekick/pull/169) thanks to [@n3wscott](https://github.com/n3wscott))
+- New output: **WebUI** ([PR#180](https://github.com/falcosecurity/falcosidekick/pull/180))
+#### Enhancement
+- Include numeric values for `Alertmanager` outputs ([PR#177](https://github.com/falcosecurity/falcosidekick/pull/177) thanks to to [@alsm](https://github.com/alsm))
+- Add `listenaddress` option ([PR#187](https://github.com/falcosecurity/falcosidekick/pull/187) thanks to to [@alsm](https://github.com/alsm))
+#### Fix
+- Fix spelling typos in README ([PR#175](https://github.com/falcosecurity/falcosidekick/pull/175) thanks to to [@princespaghetti](https://github.com/princespaghetti))
+- Fix several `gosec` issues ([PR#179](https://github.com/falcosecurity/falcosidekick/pull/179) thanks to to [@alsm](https://github.com/alsm))
+- Fix label values with quotes for `Loki` ([PR#182](https://github.com/falcosecurity/falcosidekick/pull/182))
+
+## 2.20.0 - 2021-01-12
+#### New
+- New output: **STAN (NATS Streaming)** ([PR#135](https://github.com/falcosecurity/falcosidekick/pull/135))
+- New output: **PagerDuty** ([PR#164](https://github.com/falcosecurity/falcosidekick/pull/164))
+- New output: **Kubeless** ([PR#170](https://github.com/falcosecurity/falcosidekick/pull/170))
+#### Enhancement
+- CI: clean filters ([PR#138](https://github.com/falcosecurity/falcosidekick/pull/138))
+- Replace library for `Kafka` ([PR#139](https://github.com/falcosecurity/falcosidekick/pull/139))
+- Re-align code for `NATS` output ([PR#159](https://github.com/falcosecurity/falcosidekick/pull/159))
+- Add new endpoint `/healthz` ([PR#167](https://github.com/falcosecurity/falcosidekick/pull/167))
+- Change the way to manage *Priority* ([PR#171](https://github.com/falcosecurity/falcosidekick/pull/171) thanks to [@n3wscott](https://github.com/n3wscott))
+#### Fix
+- Fix missing metrics for various outputs ([PR#145](https://github.com/falcosecurity/falcosidekick/pull/145), [PR#146](https://github.com/falcosecurity/falcosidekick/pull/146), [PR#147](https://github.com/falcosecurity/falcosidekick/pull/147), [PR#148](https://github.com/falcosecurity/falcosidekick/pull/148), [PR#149](https://github.com/falcosecurity/falcosidekick/pull/149), [PR#150](https://github.com/falcosecurity/falcosidekick/pull/150), [PR#151](https://github.com/falcosecurity/falcosidekick/pull/151), [PR#152](https://github.com/falcosecurity/falcosidekick/pull/152), [PR#153](https://github.com/falcosecurity/falcosidekick/pull/153), [PR#154](https://github.com/falcosecurity/falcosidekick/pull/154), [PR#155](https://github.com/falcosecurity/falcosidekick/pull/155), [PR#156](https://github.com/falcosecurity/falcosidekick/pull/156), [PR#157](https://github.com/falcosecurity/falcosidekick/pull/157), [PR#158](https://github.com/falcosecurity/falcosidekick/pull/158))
+
+## 2.19.1 - 2020-12-02
+#### Fix
+- Fix dockerfile to build the new kafka output ([PR#56](https://github.com/falcosecurity/falcosidekick/pull/132) thanks to [@cpanato](https://github.com/cpanato))
+
+## 2.19.0 - 2020-12-01
+#### New
+- New output: **Apache Kafka** ([PR#124](https://github.com/falcosecurity/falcosidekick/pull/124) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+- New output: **Cloudwatch Logs** ([PR#127](https://github.com/falcosecurity/falcosidekick/pull/127) thanks to [@cpanato](https://github.com/cpanato))
+#### Enhancement
+- Bump Golang version to `1.15` ([PR#128](https://github.com/falcosecurity/falcosidekick/pull/128) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+- Add a contributing document ([PR#123](https://github.com/falcosecurity/falcosidekick/pull/123) thanks to [@cpanato](https://github.com/cpanato))
+- Add a `.dockerignore` for small images ([PR#126](https://github.com/falcosecurity/falcosidekick/pull/126) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+- Refactor HTTP server handler ([PR#116](https://github.com/falcosecurity/falcosidekick/pull/116) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+- Add test for `Discord` ([PR#117](https://github.com/falcosecurity/falcosidekick/pull/117) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+#### Fix
+- Fix Discord output's Prometheus metrics ([PR#118](https://github.com/falcosecurity/falcosidekick/pull/118) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+- Fix `nil pointer` when `GCP` configuration is incorrect ([PR#130](https://github.com/falcosecurity/falcosidekick/pull/130))
+
+## 2.18.0 - 2020-11-20
+#### New
+- New output: **Google Chat** ([PR#107](https://github.com/falcosecurity/falcosidekick/pull/107) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+#### Enhancement
+- Add test for `Mattermost` ([PR#99](https://github.com/falcosecurity/falcosidekick/pull/99) thanks to [@cpanato](https://github.com/cpanato))
+- Add golangci lint ([PR#100](https://github.com/falcosecurity/falcosidekick/pull/100) thanks to [@cpanato](https://github.com/cpanato))
+- Dependecies: update several deps ([PR#103](https://github.com/falcosecurity/falcosidekick/pull/103) thanks to [@cpanato](https://github.com/cpanato))
+- clean a bit the `Circleci` config ([PR#106](https://github.com/falcosecurity/falcosidekick/pull/106) thanks to [@cpanato](https://github.com/cpanato))
+- Use `testify` to check the test results ([PR#108](https://github.com/falcosecurity/falcosidekick/pull/108) [PR#112](https://github.com/falcosecurity/falcosidekick/pull/112) thanks to [@cpanato](https://github.com/cpanato))
+- Refactor type assertion in output ([PR#110](https://github.com/falcosecurity/falcosidekick/pull/110) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
+- Add test for `Rocketchat` ([PR#113](https://github.com/falcosecurity/falcosidekick/pull/113) thanks to [@cpanato](https://github.com/cpanato))
+#### Fix
+- Fix stats for `Mattermost` ([PR#99](https://github.com/falcosecurity/falcosidekick/pull/99) thanks to [@cpanato](https://github.com/cpanato))
+
+## 2.17.0 - 2020-11-13
+#### New
+- New output: **GCP PubSub** ([PR#97](https://github.com/falcosecurity/falcosidekick/pull/97) thanks to [@IanRobertson-wpe](https://github.com/IanRobertson-wpe))
+#### Enhancement
+- Better instructions for install with `Helm` ([PR#95](https://github.com/falcosecurity/falcosidekick/pull/95) thanks to [@pyaillet](https://github.com/pyaillet))
+
+## 2.16.0 - 2020-10-29
+#### New
+- Custom Headers can be set for `Webhook` output ([PR#92](https://github.com/falcosecurity/falcosidekick/pull/92))
+#### Enhancement
+- Enable of `CircleCI` for unit tests
+
+## 2.15.0 - 2020-10-27
+#### New
+- New output: **AWS SNS** ([PR#84](https://github.com/falcosecurity/falcosidekick/pull/84))
+- A `prometheus` exporter is now available for all metrics
+#### Enhancement
+- Reduce cardinality of alerts by grouping them for `AlertManager` ([PR#79](https://github.com/falcosecurity/falcosidekick/pull/79) thanks to [@epcim](https://github.com/epcim))
+#### Fix
+- Fix unsupported chars in a label name for `AlertManager` ([PR#78](https://github.com/falcosecurity/falcosidekick/pull/78) thanks to [@epcim](https://github.com/epcim))
+#### Note
+The Helm chart has been migrated to [falcosecurity/charts](https://github.com/falcosecurity/charts/tree/master/falcosidekick), the official repository chart of `falco` organization. You can now install it from [artifacthub.io](https://artifacthub.io/packages/helm/falcosecurity/falcosidekick).
+
+## 2.14.0 - 2020-08-10
+#### New
+- New output: **Azure Event Hubs** ([PR#66](https://github.com/falcosecurity/falcosidekick/pull/66) thanks to [@arminc](https://github.com/arminc))
+- New output: **Discord** ([PR#61](https://github.com/falcosecurity/falcosidekick/pull/61) thanks to [@nibalizer](https://github.com/nibalizer))
+#### Enhancement
+- Cert validity of outputs can be disabled ([PR#74](https://github.com/falcosecurity/falcosidekick/pull/74))
+- Golang 1.14 is now used for building the Docker image
+- Displayed username can be override for **Slack**, **Mattermost** and **Rocketchat** ([PR#72](https://github.com/falcosecurity/falcosidekick/pull/72))
+#### Fix
+- Wrong port name was displayed as output of Helm chart
+#### Note
+This release is the last one with an Helm chart, the next ones will be in [Falco Charts repo](https://github.com/helm/charts)
+
+## 2.13.0 - 2020-06-15
+#### New
+- New output: **Rocketchat**
+- New output: **Mattermost**
+
+# 2.12.3 - 2020-04-21
+#### Enhancement
+- Allow using Datadog EU site by specifying new variable **datadog.host**/**DATADOG_HOST** ([PR#59](https://github.com/falcosecurity/falcosidekick/pull/59) thanks to [@DrPhil](https://github.com/DrPhil))
+- Docker Image is based now on last Golang and Alpine images
+
+## 2.12.2 - 2020-04-21
+#### Fix
+- Typo in query to Datadog ([PR#58](https://github.com/falcosecurity/falcosidekick/pull/58) thanks to [@DrPhil](https://github.com/DrPhil))
+
+## 2.12.1 - 2020-01-28
+#### Fix
+- Typo in SMTP output logs ([PR#56](https://github.com/falcosecurity/falcosidekick/pull/56) thanks to [@cartyc](https://github.com/cartyc))
+
+## 2.12.0 - 2020-01-16
+#### Enhancement
+- Add Pod Security Policy to helm chart ([PR#54](https://github.com/falcosecurity/falcosidekick/pull/54) thanks to [@czunker](https://github.com/czunker))
+
+## 2.11.1 - 2020-01-06
+#### Fix
+- Wrong value reference for Elasticsearch output in deployment.yaml
+
+## 2.11.0 - 2019-11-13
+#### New
+- New output: **Webhook**
+- New output: **DogStatsD**
+- New metrics : *running goroutines*, *number of used CPU*
+#### Enhancement
+- :boom: Standardization of metric names (to be consistent between *expar* and *(Dog)StatsD*)
+- :boom: New namespace for metrics (*inputs*), will be used for future *inputs* (*fifo*, *gRPC*)
+#### Fix
+- *StatsD* implementation worked only with *DogStatsD* ([issue #49](https://github.com/falcosecurity/falcosidekick/issues/49))
+- Fix *panic* when payload from *Falco* is empty
+
+## 2.10.0 - 2019-10-22
+#### New
+- New output: **StatsD** ([PR#43](https://github.com/falcosecurity/falcosidekick/pull/40) thanks to [@actgardner](https://github.com/actgardner))
+
+
+## 2.9.3 - 2019-10-18
+#### Fix
+- Fix typo in priority check ([PR#42](https://github.com/falcosecurity/falcosidekick/pull/42) thanks to [@palmerabollo](https://github.com/palmerabollo))
+
+## 2.9.2 - 2019-10-11
+#### Enhancement
+#### Fix
+- Fix Opgenie config in helm template ([PR#41](https://github.com/falcosecurity/falcosidekick/pull/41) thanks to [@kamirendawkins](https://github.com/kamirendawkins))
+
+## 2.9.1 - 2019-10-07
+#### Enhancement
+- Add formatted Text in Slack message ([PR#40](https://github.com/falcosecurity/falcosidekick/pull/40) thanks to [@actgardner](https://github.com/actgardner))
+
 ## 2.9.0 - 2019-10-04
 #### New
- New output : **Opsgenie**
+- New output: **Opsgenie**
 #### Enhancement
 - New avatar : with colors and squared
 #### Fix
@ -10,7 +405,7 @@

 ## 2.8.0 - 2019-09-11
 #### New
- New output : **NATS**
+- New output: **NATS**

 ## 2.7.2 - 2019-08-28
 #### Enhancement
@ -22,17 +417,17 @@

 ## 2.7.0 - 2019-08-27
 #### New
- New output : **Loki**
+- New output: **Loki**

 ## 2.6.0 - 2019-08-26
 #### New
- New output : **SMTP** (email)
+- New output: **SMTP** (email)

 ## 2.5.0 - 2019-08-12
 #### New
- New output : **AWS Lambda**
- New output : **AWS SQS** ([issue #5](https://github.com/falcosecurity/falcosidekick/issues/5))
- New output : **Teams** ([issue #30](https://github.com/falcosecurity/falcosidekick/issues/30))
+- New output: **AWS Lambda**
+- New output: **AWS SQS** ([issue #5](https://github.com/falcosecurity/falcosidekick/issues/5))
+- New output: **Teams** ([issue #30](https://github.com/falcosecurity/falcosidekick/issues/30))
 - A github page has been created : https://falcosecurity.github.io/falcosidekick/

 #### Enhancement
@ -48,21 +443,21 @@
 - Falcosidekick can now be deployed with Helm (see [README](https://github.com/falcosecurity/falcosidekick/blob/master/README.md)) ([PR#25](https://github.com/falcosecurity/falcosidekick/pull/25) thanks to [@SweetOps](https://github.com/SweetOps))

 ## 2.2.0 - 2019-06-13
-#### New 
+#### New
 - A minimum priority for each output can be set
- New output : **Influxdb** ([issue #4](https://github.com/falcosecurity/falcosidekick/issues/4))
+- New output: **Influxdb** ([issue #4](https://github.com/falcosecurity/falcosidekick/issues/4))
 #### Fix
 - Panic happened when trying to add `customfields` but falco event hadn't

 ## 2.1.0 - 2019-06-12
-#### New 
+#### New
 - Custom fields can be added to falco events (see [README](https://github.com/falcosecurity/falcosidekick/blob/master/README.md)) ([PR#26](https://github.com/falcosecurity/falcosidekick/pull/26) thanks to [@zetaab](https://github.com/zetaab))
 #### Fix
 - Fix `Slack.Output` in config.go ([PR#24](https://github.com/falcosecurity/falcosidekick/pull/24) thanks to [@SweetOps](https://github.com/SweetOps))

 ## 2.0.0 - 2019-05-23
-#### New 
- New output : **Elasticsearch** ([issue #14](https://github.com/falcosecurity/falcosidekick/issues/14))
+#### New
+- New output: **Elasticsearch** ([issue #14](https://github.com/falcosecurity/falcosidekick/issues/14))
 - **New configuration method : we can now use a config file in YAML and/or env vars** (see *README*) ([issue #17](https://github.com/falcosecurity/falcosidekick/issues/17))
 - New endpoint : `/debug/vars` gives access to Golang + Custom metrics (see *README*) ([issue #17](https://github.com/falcosecurity/falcosidekick/issues/17))
 #### Enhancement
@ -110,14 +505,14 @@

 ## 1.0.3 - 2019-01-30
 #### New
- New output  : **Alert Manager**
+- New output: **Alert Manager**
 #### Enhancement
 - Add status of posts to Outputs in logs (stdout)

 ## 1.0.2 - 2018-10-10
 #### Enhancement
 - Update changelog
- Update README with new Slack Options + more info 
+- Update README with new Slack Options + more info

 ## 1.0.1 - 2018-10-10
 #### New
@ -132,4 +527,4 @@
 - Fix cert errors in alpine ([PR#1](https://github.com/falcosecurity/falcosidekick/pull/1) thanks to [@palmerabollo](https://github.com/palmerabollo))

 ## 1.0.0 - 2018-10-10
- First tagged release
+- First tagged release
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,26 @@
+# Contributing
+
+First off, thanks for taking the time to contribute!
+
+## Steps to Contribute
+
+This project uses GitHub to manage reviews of pull requests.
+
+* If you have a trivial fix or improvement, go ahead and create a pull request
+
+* If you plan to do something more involved, first create an issue to discuss your ideas
+
+* Should you wish to work on an issue, please claim it first by commenting on the GitHub issue that you want to work on it. This is to prevent duplicated efforts from contributors on the same issue.
+
+## Pull Request Checklist
+
+* Start by forking the project, and then create a feature branch from the master branch for your feature.
+
+* If needed, rebase to the current master branch before submitting your pull request. If it doesn't merge cleanly with master you may be asked to rebase your changes.
+
+* Commits should be as small as possible, while ensuring that each commit is correct independently (i.e., each commit should compile and pass tests).
+
+* All commits must include a `Signed-off-by` line. This line must point to the author's Full Name and their valid email address.
+    * This can be accomplished by adding the `-s` flag in git.
+
+* Add tests relevant to the fixed bug or new feature.
--- a/31
+++ b/31
@ -1,29 +1,20 @@
-# Build image (Golang)
-FROM golang:1.12-alpine3.10 AS build-stage
-ENV GO111MODULE on
-ENV CGO_ENABLED 0
-
-RUN apk add --no-cache gcc git make
-
-WORKDIR /src
-ADD . .
-
-RUN go mod download
-RUN go build -o falcosidekick
-
+ARG BASE_IMAGE=alpine:3.19
 # Final Docker image
-FROM alpine:3.10 AS final-stage
-LABEL MAINTAINER "Thomas Labarussias <issif+falcosidekick@gadz.org>"
+FROM ${BASE_IMAGE} AS final-stage
+LABEL MAINTAINER="Thomas Labarussias <issif+falcosidekick@gadz.org>"

-RUN apk add --no-cache ca-certificates
+RUN apk add --update --no-cache ca-certificates gcompat

 # Create user falcosidekick
-RUN addgroup -S falcosidekick && adduser -S falcosidekick -G falcosidekick
-USER falcosidekick
+RUN addgroup -S falcosidekick && adduser -u 1234 -S falcosidekick -G falcosidekick
+# must be numeric to work with Pod Security Policies:
+# https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+USER 1234

 WORKDIR ${HOME}/app
-COPY --from=build-stage /src/falcosidekick .
+COPY LICENSE .
+COPY falcosidekick .

 EXPOSE 2801

-ENTRYPOINT ["./falcosidekick"]
+ENTRYPOINT ["./falcosidekick"]
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -0,0 +1,31 @@
+ARG BUILDER_IMAGE=golang:1.21-bullseye
+ARG BASE_IMAGE=alpine:3.19
+
+FROM ${BUILDER_IMAGE} AS build-stage
+
+ENV CGO_ENABLED=0
+
+WORKDIR /src/
+COPY . .
+
+RUN make falcosidekick
+
+# Final Docker image
+FROM ${BASE_IMAGE} AS final-stage
+LABEL MAINTAINER="Thomas Labarussias <issif+falcosidekick@gadz.org>"
+
+RUN apk add --update --no-cache ca-certificates
+
+# Create user falcosidekick
+RUN addgroup -S falcosidekick && adduser -u 1234 -S falcosidekick -G falcosidekick
+# must be numeric to work with Pod Security Policies:
+# https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
+USER 1234
+
+WORKDIR ${HOME}/app
+COPY LICENSE .
+COPY --from=build-stage /src/falcosidekick .
+
+EXPOSE 2801
+
+ENTRYPOINT ["./falcosidekick"]
--- a/206
+++ b/206
@ -1,6 +1,212 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2024 The Falco Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+-------------------------
+
 MIT License

 Copyright (c) 2018 Thomas Labarussias
+Copyright (C) 2024 The Falco Authors

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/118
+++ b/118
@ -0,0 +1,118 @@
+# Ensure Make is run with bash shell as some syntax below is bash-specific
+SHELL=/bin/bash -o pipefail
+
+.DEFAULT_GOAL:=help
+GOPATH  := $(shell go env GOPATH)
+GOARCH  := $(shell go env GOARCH)
+GOOS    := $(shell go env GOOS)
+GOPROXY := $(shell go env GOPROXY)
+ifeq ($(GOPROXY),)
+GOPROXY := https://proxy.golang.org
+endif
+export GOPROXY
+GO ?= go
+DOCKER ?= docker
+TEST_FLAGS ?= -v -race
+
+GIT_TAG ?= dirty-tag
+GIT_VERSION ?= $(shell git describe --tags --always --dirty)
+GIT_HASH ?= $(shell git rev-parse HEAD)
+DATE_FMT = +'%Y-%m-%dT%H:%M:%SZ'
+SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)")
+else
+    BUILD_DATE ?= $(shell date "$(DATE_FMT)")
+endif
+GIT_TREESTATE = "clean"
+DIFF = $(shell git diff --quiet >/dev/null 2>&1; if [ $$? -eq 1 ]; then echo "1"; fi)
+ifeq ($(DIFF), 1)
+    GIT_TREESTATE = "dirty"
+endif
+
+PKG=main
+LDFLAGS=-X $(PKG).GitVersion=$(GIT_VERSION) -X $(PKG).gitCommit=$(GIT_HASH) -X $(PKG).gitTreeState=$(GIT_TREESTATE) -X $(PKG).buildDate=$(BUILD_DATE)
+
+# Directories.
+ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+TOOLS_DIR := hack/tools
+TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
+GO_INSTALL = ./hack/go_install.sh
+
+# Binaries.
+GOLANGCI_LINT_VER := v1.57.2
+GOLANGCI_LINT_BIN := golangci-lint
+GOLANGCI_LINT := $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)
+
+# Docker
+IMAGE_TAG := falcosecurity/falcosidekick:latest
+
+## --------------------------------------
+## Build
+## --------------------------------------
+
+.PHONY: falcosidekick
+falcosidekick:
+	$(GO) mod download
+	GOOS=$(GOOS) GOARCH=$(GOARCH) $(GO) build -trimpath -ldflags "$(LDFLAGS)" -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o $@ .
+
+.PHONY: falcosidekick-linux
+falcosidekick-linux:
+	$(GO) mod download
+	GOOS=linux GOARCH=$(GOARCH) $(GO) build -ldflags "$(LDFLAGS)" -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o falcosidekick .
+
+.PHONY: build-image
+build-image: falcosidekick-linux
+	$(DOCKER) build -t $(IMAGE_TAG) .
+
+.PHONY: push-image
+push-image:
+	$(DOCKER) push $(IMAGE_TAG)
+
+## --------------------------------------
+## Test
+## --------------------------------------
+
+.PHONY: test
+test:
+	$(GO) vet ./...
+	$(GO) test ${TEST_FLAGS} ./...
+
+.PHONY: test-coverage
+test-coverage:
+	$(GO) test ./outputs -count=1 -cover -v ./...
+
+## --------------------------------------
+## Linting
+## --------------------------------------
+
+.PHONY: lint
+lint: $(GOLANGCI_LINT) ## Lint codebase
+	$(GOLANGCI_LINT) run -v
+
+lint-full: $(GOLANGCI_LINT) ## Run slower linters to detect possible issues
+	$(GOLANGCI_LINT) run -v --fast=false
+
+## --------------------------------------
+## Release
+## --------------------------------------
+
+.PHONY: goreleaser-snapshot
+goreleaser-snapshot: ## Release snapshot using goreleaser
+	LDFLAGS="$(LDFLAGS)" goreleaser --snapshot --skip=sign --clean
+
+## --------------------------------------
+## Tooling Binaries
+## --------------------------------------
+
+$(GOLANGCI_LINT): ## Build golangci-lint from tools folder.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) github.com/golangci/golangci-lint/cmd/golangci-lint $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
+
+## --------------------------------------
+## Cleanup / Verification
+## --------------------------------------
+
+.PHONY: clean
+clean:
+	rm -rf hack/tools/bin
+	rm -rf dist
--- a/10
+++ b/10
@ -0,0 +1,10 @@
+approvers:
+  - Issif
+  - leogr
+  - cpanato
+  - fjogeleit
+emeritus_approvers:
+  - leodido
+  - nibalizer
+  - KeisukeYamashita
+  - developer-guy
--- a/README.md
+++ b/README.md
@ -1,147 +1,367 @@
 # Falcosidekick

+[![Falco Ecosystem Repository](https://github.com/falcosecurity/evolution/blob/main/repos/badges/falco-ecosystem-blue.svg)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#ecosystem-scope) [![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#stable)
+
 ![falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falcosidekick_color.png)

-![release](https://flat.badgen.net/github/release/falcosecurity/falcosidekick/latest?color=green) ![last commit](https://flat.badgen.net/github/last-commit/falcosecurity/falcosidekick) ![licence](https://flat.badgen.net/badge/license/MIT/blue) ![docker pulls](https://flat.badgen.net/docker/pulls/falcosecurity/falcosidekick?icon=docker)
+![release](https://flat.badgen.net/github/release/falcosecurity/falcosidekick/latest?color=green)
+![last commit](https://flat.badgen.net/github/last-commit/falcosecurity/falcosidekick)
+![licence](https://flat.badgen.net/badge/license/MIT/blue)
+![docker pulls](https://flat.badgen.net/docker/pulls/falcosecurity/falcosidekick?icon=docker)

 ## Description

-A simple daemon to help you with falco's outputs (https://sysdig.com/opensource/falco/). It takes a falco's event and forwards it to different outputs.
+A simple daemon for connecting [`Falco`](https://github.com/falcosecurity/falco) to your ecosystem. It takes a `Falco` events and
+forward them to different outputs in a fan-out way.
+
+It works as a single endpoint for as many as you want `Falco` instances :
+
+![falco_with_falcosidekick](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/falco_with_falcosidekick.png)
+
+## Table of contents
+
+- [Falcosidekick](#falcosidekick)
+  - [Description](#description)
+  - [Table of contents](#table-of-contents)
+  - [Outputs](#outputs)
+    - [Chat](#chat)
+    - [Metrics / Observability](#metrics--observability)
+    - [Alerting](#alerting)
+    - [Logs](#logs)
+    - [Object Storage](#object-storage)
+    - [FaaS / Serverless](#faas--serverless)
+    - [Message queue / Streaming](#message-queue--streaming)
+    - [Email](#email)
+    - [Database](#database)
+    - [Web](#web)
+    - [SIEM](#siem)
+    - [Workflow](#workflow)
+    - [Traces](#traces)
+    - [Other](#other)
+    - [Response engine](#response-engine)
+  - [Installation](#installation)
+    - [Localhost](#localhost)
+      - [With docker](#with-docker)
+      - [With systemd](#with-systemd)
+    - [In Kubernetes](#in-kubernetes)
+      - [With Helm](#with-helm)
+    - [Connect Falco](#connect-falco)
+      - [with falco.yaml](#with-falcoyaml)
+      - [with Helm](#with-helm-1)
+    - [Configuration](#configuration)
+      - [YAML File](#yaml-file)
+  - [Usage](#usage)
+  - [Endpoints](#endpoints)
+  - [Logs](#logs-1)
+  - [Mutual TLS](#mutual-tls)
+  - [Metrics](#metrics)
+    - [Golang ExpVar](#golang-expvar)
+    - [Prometheus](#prometheus)
+    - [StatsD / DogStatsD](#statsd--dogstatsd)
+  - [Try](#try)
+  - [Development](#development)
+    - [Build](#build)
+    - [Quicktest](#quicktest)
+    - [Test \& Coverage](#test--coverage)
+  - [Author](#author)

 ## Outputs

-Currently available outputs are :
+`Falcosidekick` manages a large variety of outputs with different purposes.

-* **Slack**
-* **Teams**
-* **Datadog**
-* **AlertManager**
-* **Elasticsearch**
-* **Loki**
-* **NATS**
-* **Influxdb**
-* **AWS Lambda**
-* **AWS SQS**
-* **SMTP** (email)
-* **Opsgenie**
+> [!NOTE]
+Follow the links to get the configuration of each output.

-## Usage
+### Chat

-Run the daemon as any other daemon in your architecture (systemd, k8s daemonset, swarm service, ...)
+- [**Slack**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/slack.md)
+- [**Rocketchat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rocketchat.md)
+- [**Mattermost**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mattermost.md)
+- [**Teams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/teams.md)
+- [**Webex**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webex.md)
+- [**Discord**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/discord.md)
+- [**Google Chat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/googlechat.md)
+- [**Zoho Cliq**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cliq.md)
+- [**Telegram**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/telegram.md)

-### With docker
+### Metrics / Observability

+- [**Datadog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/datadog.md)
+- [**Influxdb**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/influxdb.md)
+- [**StatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/statsd.md) (for monitoring of `falcosidekick`)
+- [**DogStatsD**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dogstatsd.md) (for monitoring of `falcosidekick`)
+- [**Prometheus**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/prometheus.md) (for both events and monitoring of `falcosidekick`)
+- [**Wavefront**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/wavefront.md)
+- [**Spyderbat**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/spyderbat.md)
+- [**TimescaleDB**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/timescaledb.md)
+- [**Dynatrace**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dynatrace.md)
+- [**OTEL Metrics**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/otlp_metrics.md) (for both events and monitoring of `falcosidekick`)
+
+### Alerting
+
+- [**AlertManager**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/alertmanager.md)
+- [**Opsgenie**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/opsgenie.md)
+- [**PagerDuty**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/pagerduty.md)
+- [**Grafana OnCall**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana_oncall.md)
+
+### Logs
+
+- [**Elasticsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md)
+- [**Loki**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/loki.md)
+- [**AWS CloudWatchLogs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_cloudwatch_logs.md)
+- [**Grafana**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana.md)
+- [**Syslog**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/syslog.md)
+- [**Zincsearch**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs//zincsearch.md)
+- [**OpenObserve**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openobserve.md)
+- [**SumoLogic**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/sumologic.md)
+- [**Quickwit**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/quickwit.md)
+- [**Datadog Logs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/datadog_logs.md)
+- [**Logstash**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/logstash.md)
+
+### Object Storage
+
+- [**AWS S3**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_s3.md)
+- [**GCP Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_storage.md)
+- [**Yandex S3 Storage**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_s3.md)
+
+### FaaS / Serverless
+
+- [**AWS Lambda**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_lambda.md)
+- [**GCP Cloud Run**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_run.md)
+- [**GCP Cloud Functions**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_functions.md)
+- [**Fission**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/fission.md)
+- [**KNative (CloudEvents)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cloudevents.md)
+- [**Kubeless**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kubeless.md)
+- [**OpenFaaS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openfaas.md)
+- [**Tekton**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/tekton.md)
+
+### Message queue / Streaming
+
+- [**NATS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nats.md)
+- [**STAN (NATS Streaming)**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/stan.md)
+- [**AWS SQS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sqs.md)
+- [**AWS SNS**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sns.md)
+- [**AWS Kinesis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_kinesis.md)
+- [**GCP PubSub**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_pub_sub.md)
+- [**Apache Kafka**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafka.md)
+- [**Kafka Rest Proxy**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafkarest.md)
+- [**RabbitMQ**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rabbitmq.md)
+- [**Azure Event Hubs**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/azure_event_hub.md)
+- [**Yandex Data Streams**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_datastreams.md)
+- [**MQTT**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mqtt.md)
+- [**Gotify**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gotify.md)
+
+### Email
+
+- [**SMTP**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/smtp.md)
+
+### Database
+
+- [**Redis**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/redis.md)
+
+### Web
+
+- [**Webhook**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md)
+- [**Node-RED**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nodered.md)
+- [**WebUI**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md)
+
+### SIEM
+
+- [**AWS Security Lake**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_security_lake.md)
+
+### Workflow
+
+- [**n8n**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/n8n.md)
+
+### Traces
+
+- [**OTEL Traces**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/otlp_traces.md)
+
+### Other
+- [**Policy Report**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/policy_report.md)
+
+### Response engine
+- [**Falco Talon**](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/talon.md)
+
+## Installation
+
+Run the daemon as any other daemon in your architecture (systemd, k8s deployment, swarm service, ...).
+
+### Localhost
+
+#### With docker
+
+Use the environment variables to set up the outputs:
 ```bash
 docker run -d -p 2801:2801 -e SLACK_WEBHOOKURL=XXXX -e DATADOG_APIKEY=XXXX falcosecurity/falcosidekick
 ```

-### With Helm
+#### With systemd
+
+* Download the latest release:
+  ```shell
+  VER=$(curl --silent -qI https://github.com/falcosecurity/falcosidekick/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}')
+  wget -c https://github.com/falcosecurity/falcosidekick/releases/download/${VER}/falcosidekick_${VER}_linux_arm64.tar.gz -O - | tar -xz
+  or
+  wget -c https://github.com/falcosecurity/falcosidekick/releases/download/${VER}/falcosidekick_${VER}_linux_amd64.tar.gz -O - | tar -xz
+  chmod +x falcosidekick
+  sudo mv falcosidekick /usr/local/bin/
+  ```
+
+* Create the `/etc/falcosidekick/config.yaml` file, see [Configuration](#configuration).
+
+* Create the systemd unit files `/etc/systemd/system/falcosidekick.service`:
+  ```shell
+  sudo touch /etc/systemd/system/falcosidekick.service
+  sudo chmod 664 /etc/systemd/system/falcosidekick.service
+  ```
+  ```toml
+  [Unit]
+  Description=Falcosidekick
+  After=network.target
+  StartLimitIntervalSec=0
+
+  [Service]
+  Type=simple
+  Restart=always
+  RestartSec=1
+  ExecStart=/usr/local/bin/falcosidekick -c /etc/falcosidekick/config.yaml
+
+  [Install]
+  WantedBy=default.target
+  ```
+
+* Reload `systemd` and start `Falcosidekick`:
+  ```shell
+  sudo systemctl daemon-reload
+  sudo systemctl enable falcosidekick
+  sudo systemctl start falcosidekick
+  ```
+
+* Check if `Falcosidekick` runs:
+  ```shell
+  curl localhost:2801/healthz
+  ```  
+
+### In Kubernetes
+
+#### With Helm
+
+See
+[https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/README.md](https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/README.md)

 ```bash
+helm repo add falcosecurity https://falcosecurity.github.io/charts
+helm repo update

-git clone https://github.com/falcosecurity/falcosidekick.git
-cd ./falcosidekick/deploy/helm/falcosidekick/
-helm install --name falcosidekick .
+helm install falcosidekick --set config.debug=true falcosecurity/falcosidekick
 ```

-### Falco's config
-
-Add this (adapted to your environment) in your *falco.yaml* :
-
+> [!NOTE]
+You can also deploy `falcosidekick` as a dependency of the `falco` chart, the settings for the communication between falco and `falcosidekick` are automatically set. Just prefix all `falcosidekick` settings with `falcosidekick.`:
 ```bash
+helm repo add falcosecurity https://falcosecurity.github.io/charts
+helm repo update
+
+helm install falco --set falcosidekick.enabled=true falcosecurity/falco
+```
+
+### Connect Falco
+
+To connect Falco with Falcosidekick, you need to change it configuration as following:
+
+#### with falco.yaml
+
+If managing _falco.yaml_ manually, set this:
+
+```yaml
 json_output: true
 json_include_output_property: true
-program_output:
+http_output:
  enabled: true
-  keep_alive: false
-  program: "curl -d @- localhost:2801/"
+  url: "http://localhost:2801/"
+```
+
+#### with Helm
+
+If installing `falco` with `Helm`, set this (adapted to your environment) in
+your _values.yaml_ :
+
+```yaml
+falcosidekick:
+  enabled: true
+```
+
+or
+
+```yaml
+jsonOutput: true
+jsonIncludeOutputProperty: true
+httpOutput:
+  enabled: true
+  url: "http://falcosidekick:2801/"
+```
+
+or
+
+```yaml
+jsonOutput: true
+jsonIncludeOutputProperty: true
+programOutput:
+  enabled: true
+  keepAlive: false
+  program: "curl -d @- falcosidekick:2801/"
 ```

 ### Configuration

-Configuration is made by *file (yaml)* and *env vars*, both can be used but *env vars* override values from *file*.
+Configuration is made by _file (yaml)_ and _env vars_, both can be used but _env
+vars_ override values from _file_.

 #### YAML File

 See **config_example.yaml** :

 ```yaml
+#listenaddress: "" # ip address to bind falcosidekick to (default: "" meaning all addresses)
 #listenport: 2801 # port to listen for daemon (default: 2801)
 debug: false # if true all outputs will print in stdout the payload they send (default: false)
-customfields: # custom fields are added to falco events
-  Akey: "AValue"
-  Bkey: "BValue"
-  Ckey: "CValue"
-
-slack:
-  webhookurl: "" # Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
-  #footer: "" # Slack footer
-  #icon: "" # Slack icon (avatar)
-  outputformat: "text" # all (default), text, fields
-  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-teams:
-  webhookurl: "" # Teams WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Teams output is enabled
-  #activityimage: "" # Image for message section
-  outputformat: "text" # all (default), text, facts
-  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-datadog:
-  #apikey: ""  # Datadog API Key, if not empty, Datadog output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-alertmanager:
-  # hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-elasticsearch:
-  # hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
-  # index: "falco" # index (default: falco)
-  # type: "event"
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
-
-influxdb:
-  # hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
-  # database: "falco" # Influxdb database (default: falco)
-  # user: "" # user to use if auth is enabled in Influxdb
-  # password: "" # pasword to use if auth is enabled in Influxdb
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-loki:
-  # hostport: "" # http://{domain or ip}:{port}, if not empty, Loki output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-nats:
-  # hostport: "" # nats://{domain or ip}:{port}, if not empty, NATS output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-aws:
-  # accesskeyid: "" # aws access key (optionnal if you use EC2 Instance Profile)
-  # secretaccesskey: "" # aws secret access key (optionnal if you use EC2 Instance Profile)
-  # region : "" # aws region (optionnal if you use EC2 Instance Profile)
-  lambda:
-    # functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
-    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-  sqs:
-    # url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
-    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-smtp:
-  # hostport: "" # host:port address of SMTP server, if not empty, SMTP output is enabled
-  # user: "" # user to access SMTP server
-  # password: "" # password to access SMTP server
-  # from: "" # Sender address (mandatory if SMTP output is enabled)
-  # to: "" # comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled)
-  # outputformat: "" # html (default), text
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-
-opsgenie:
-  # apikey: "" # Opsgenie API Key, if not empty, Opsgenie output is enabled
-  # region: "eu" # (us|eu) region of your domain (default is 'us')
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+customfields: # custom fields are added to falco events, if the value starts with % the relative env var is used
+  # Akey: "AValue"
+  # Bkey: "BValue"
+  # Ckey: "CValue"
+templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values
+  # Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}'
+customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used
+  # - tagA
+  # - tagB
+# bracketreplacer: "_" # if not empty, replace the brackets in keys of Output Fields
+outputFieldFormat: "<timestamp>: <priority> <output> <custom_fields> <templated_fields>" # if not empty, allow to change the format of the output field. (default: "<timestamp>: <priority> <output>")
+mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")
+mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy
+  certfile: "/etc/certs/client/client.crt" # client certification file
+  keyfile: "/etc/certs/client/client.key" # client key
+  cacertfile: "/etc/certs/client/ca.crt" # for server certification
+tlsclient:
+  cacertfile: "/etc/certs/client/ca.crt" # CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty
+tlsserver:
+  deploy: false # if true, TLS server will be deployed instead of HTTP
+  certfile: "/etc/certs/server/server.crt" # server certification file
+  keyfile: "/etc/certs/server/server.key" # server key
+  mutualtls: false # if true, mTLS server will be deployed instead of TLS, deploy also has to be true
+  cacertfile: "/etc/certs/server/ca.crt" # for client certification if mutualtls is true
+  notlsport: 2810 # port to serve http server serving selected endpoints (default: 2810)
+  notlspaths: # if not empty, and tlsserver.deploy is true, a separate http server will be deployed for the specified endpoints
+    - "/ping"
+    # - "/metrics"
+    # - "/healthz"
 ```

+> [!NOTE]
+For the confiuration of the outputs, see the [docs](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/).
+
+## Usage
+
 Usage :

 ```bash
@ -152,68 +372,16 @@ Flags:
  -c, --config-file=CONFIG-FILE  config file
 ```

-#### Env vars
+## Endpoints

-Configuration of the daemon can be made also by *env vars*, these values override these from *yaml file*.
+Different endpoints (handlers) are available :

-The *env vars* "match" field names in *yaml file with this structure (**take care of lower/uppercases**) : `yaml: a.b --> envvar: A_B` :
-
-* **LISTENPORT** : port to listen for daemon (default: 2801)
-* **DEBUG** : if *true* all outputs will print in stdout the payload they send (default: false)
-* **CUSTOMFIELDS** : a list of comma separated custom fields to add to falco events, syntax is "key:value,key:value"
-* **SLACK_WEBHOOKURL** : Slack Webhook URL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not `empty`, Slack output is *enabled*
-* **SLACK_FOOTER** : Slack footer
-* **SLACK_ICON** : Slack icon (avatar)
-* **SLACK_OUTPUTFORMAT** : `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack)
-* **SLACK_MINIMUMPRIORITY** : minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **TEAMS_WEBHOOKURL** : Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY"), if not `empty`, Teams output is *enabled*
-* **TEAMS_ACTIVITYIMAGE** : Teams section image
-* **TEAMS_OUTPUTFORMAT** : `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams)
-* **TEAMS_MINIMUMPRIORITY** : minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **DATADOG_APIKEY** : Datadog API Key, if not `empty`, Datadog output is *enabled*
-* **DATADOG_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **ALERTMANAGER_HOSTPORT** : AlertManager http://host:port, if not `empty`, AlertManager is *enabled*
-* **ALERTMANAGER_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **ELASTICSEARCH_HOSTPORT** : Elasticsearch http://host:port, if not `empty`, Elasticsearch is *enabled*
-* **ELASTICSEARCH_INDEX** : Elasticsearch index (default: falco)
-* **ELASTICSEARCH_TYPE** : Elasticsearch document type (default: event)
-* **ELASTICSEARCH_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **ELASTICSEARCH_SUFFIX** : date suffix for index rotation : `daily` (default), `monthly`, `annually`, `none`
-* **INFLUXDB_HOSTPORT** : Influxdb http://host:port, if not `empty`, Influxdb is *enabled*
-* **INFLUXDB_DATABASE** : Influxdb database (default: falco)
-* **INFLUXDB_USER** : user to use if auth is enabled in Influxdb
-* **INFLUXDB_PASSWORD** : user to use if auth is enabled in Influxdb
-* **INFLUXDB_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **LOKI_HOSTPORT** : Loki http://host:port, if not `empty`, Loki is *enabled*
-* **LOKI_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **NATS_HOSTPORT** : NATS nats://host:port, if not `empty`, NATS is *enabled*
-* **NATS_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **AWS_ACCESSKEYID** : AWS Access Key Id (optionnal if you use EC2 Instance Profile)
-* **AWS_SECRETACCESSKEY** : AWS Secret Access Key (optionnal if you use EC2 Instance Profile)
-* **AWS_REGION** : AWS Region (optionnal if you use EC2 Instance Profile)
-* **AWS_LAMBDA_FUNCTIONNAME** : AWS Lambda Function Name, if not empty, AWS Lambda output is enabled
-* **AWS_LAMBDA_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **AWS_SQS_URL** : AWS SQS Queue URL, if not empty, AWS SQS output is enabled
-* **AWS_SQS_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **SMTP_HOSTPORT** :  host:port address of SMTP server, if not empty, SMTP output is enabled
-* **SMTP_USER** : user to access SMTP server
-* **SMTP_PASSWORD** : password to access SMTP server
-* **SMTP_FROM** : Sender address (mandatory if SMTP output is enabled)
-* **SMTP_TO** : comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled)
-* **SMTP_OUTPUTFORMAT** : "" # html (default), text
-* **SMTP_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-* **OPSGENIE_APIKEY** : Opsgenie API Key, if not empty, Opsgenie output is enabled
-* **OPSGENIE_REGION** : "" # (us|eu) region of your domain (default is 'us')
-* **OPSGENIE_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
-
-## Handlers
-
-Different URI (handlers) are available :
-
-* `/` : main and default handler, your falco config must be configured to use it
-* `/ping` : you will get a  `pong` as answer, useful to test if falcosidekick is running and its port is opened (for healthcheck purpose for example)
-* `/test` : (for debug only) send a test event to all enabled outputs.
-* `/debug/vars` : get statistics from daemon (in JSON format), it uses classic `expvar` package and some custom values are added
+- `/` : main and default handler, your falco config must be configured to use it
+- `/ping` : you will get a `pong` as answer, useful to test if falcosidekick is running and its port is opened (for healthcheck purpose for example). This endpoint is deprecated and it will be removed in `3.0.0`.
+- `/healthz`: you will get a HTTP status code `200` response as answer, useful to test if falcosidekick is running and its port is opened (for healthcheck or purpose for example)
+- `/test` : (for debug only) send a test event to all enabled outputs.
+- `/debug/vars` : get statistics from daemon (in JSON format), it uses classic `expvar` package and some custom values are added
+- `/metrics` : prometheus endpoint, for scraping metrics about events and `falcosidekick`

 ## Logs

@ -223,99 +391,80 @@ All logs are sent to `stdout`.
 2019/05/10 14:32:06 [INFO] : Enabled Outputs : Slack Datadog
 ```

+## Mutual TLS ##
+
+Outputs with `mutualtls` enabled in their configuration require the *client.crt*, *client.key* and *ca.crt* filepaths to be configured in the **mutualtlsclient_certfile**, **mutualtlsclient_keyfile** and  **mutualtlsclient_cacertfile** global parameter.
+
+```bash
+docker run -d -p 2801:2801 -e MUTUALTLSCLIENT_CERTFILE=/etc/certs/client/client.crt -e MUTUALTLSCLIENT_KEYFILE=/etc/certs/client/client.key -e MUTUALTLSCLIENT_CACERTFILE=/etc/certs/client/ca.crt -e ALERTMANAGER_HOSTPORT=https://XXXX -e ALERTMANAGER_MUTUALTLS=true -e INFLUXDB_HOSTPORT=https://XXXX -e INFLUXDB_MUTUALTLS=true -e WEBHOOK_ADDRESS=XXXX -v /localpath/myclientcert.crt:/etc/certs/client/client.crt -v /localpath/myclientkey.key:/etc/certs/client/client.key -v /localpath/ca.crt:/etc/certs/client/ca.crt falcosecurity/falcosidekick
+```
+
+Alternately the path where the *client.crt*, *client.key* and *ca.crt* files are stored can be configured in **mutualtlsfilespath** global parameter. (**Important**: file names must be preserved)
+
+```bash
+docker run -d -p 2801:2801 -e MUTUALTLSFILESPATH=/etc/certs -e ALERTMANAGER_HOSTPORT=https://XXXX -e ALERTMANAGER_MUTUALTLS=true -e INFLUXDB_HOSTPORT=https://XXXX -e INFLUXDB_MUTUALTLS=true -e WEBHOOK_ADDRESS=XXXX -v /localpath/myclientcert.crt:/etc/certs/client.crt -v /localpath/myclientkey.key:/etc/certs/client.key -v /localpath/ca.crt:/etc/certs/ca.crt falcosecurity/falcosidekick
+```
+
+In above example, the same client certificate will be used for both Alertmanager & InfluxDB outputs which have mutualtls flag set to true.
+
 ## Metrics

-The daemon exposes the common *Golang* metrics and some custom values in JSON format. It's useful for monitoring purpose.
+### Golang ExpVar
+
+The daemon exposes the common _Golang_ metrics and some custom values in JSON
+format. It's useful for monitoring purpose.

 ![expvar json](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/expvar_json.png)
 ![expvarmon](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/expvarmon.png)

-## Examples
+### Prometheus

-Run you daemon and try (from falco's documentation) :
+The daemon exposes a `prometheus` endpoint on URI `/metrics`.
+
+See the [docs](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/prometheus.md) for more info.
+
+### StatsD / DogStatsD
+
+The daemon is able to push its metrics to a StatsD/DogstatsD server. See
+[Configuration](https://github.com/falcosecurity/falcosidekick#configuration)
+section for how-to.
+
+See the [statsd docs](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/statsd.md) and [dogstastd docs](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dogstatsd.md)  for more info.
+
+## Try
+
+Run you daemon and try (from Falco's documentation):

 ```bash
-curl "http://localhost:2801/" -d'{"output":"16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)","priority":"Error","rule":"Write below binary dir","time":"2019-05-17T15:31:56.746609046Z", "output_fields": {"evt.time":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}}'
+curl -XPOST "http://localhost:2801/" -d'{"output":"16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)","hostname": "localhost", "priority":"Error","rule":"Write below binary dir","time":"2019-05-17T15:31:56.746609046Z", "output_fields": {"evt.time":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}}'
 ```

-You should get :
-
-### Slack
-
-(SLACK_OUTPUTFORMAT="**all**")
-![slack example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/slack.png)
-(SLACK_OUTPUTFORMAT="**text**")
-![slack no fields example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/slack_no_fields.png)
-
-### Teams
-
-(TEAMS_OUTPUTFORMAT="**all**")
-![teams example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/teams.png)
-(TEAMS_OUTPUTFORMAT="**text**")
-![teams facts only](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/teams_facts_only.png)
-
-### Datadog
-
-*(Tip: filter on `sources: falco`)*
-![datadog example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/datadog.png)
-
-### AlertManager
-
-![alertmanager example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/alertmanager.png)
-
-### Elasticsearch (with Kibana)
-
-![kibana example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/kibana.png)
-
-### Influxdb
-
-```bash
-> use falco
-Using database falco
-> show series
-key
---
-events,akey=AValue,bkey=BValue,ckey=CValue,priority=Debug,rule=Testrule
-events,akey=A_Value,bkey=B_Value,ckey=C_Value,priority=Debug,rule=Test_rule
-> select * from events
-name: events
-time                akey    bkey    ckey    priority rule      value
----                ----    ----    ----    -------- ----      -----
-1560433816893368400 AValue  BValue  CValue  Debug    Testrule  This is a test from falcosidekick
-1560441359119741800 A_Value B_Value C_Value Debug    Test_rule This is a test from falcosidekick
-```
-
-### Loki (with Grafana)
-
-![loki example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/loki.png)
-
-### AWS SQS
-
-![aws sqs example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/aws_sqs.png)
-
-### SMTP
-
-(SMTP_OUTPUTFORMAT="**html**")
-![smtp html example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/smtp_html.png)
-(SMTP_OUTPUTFORMAT="**text**")
-![smtp plaintext example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/smtp_plaintext.png)
-
-### Opsgenie
-
-![opsgenie example](https://github.com/falcosecurity/falcosidekick/raw/master/imgs/opsgenie.png)
-
 ## Development

 ### Build

 ```bash
-go build
+make falcosidekick
+```
+
+### Quicktest
+
+Create a debug event
+
+```bash
+curl -X POST -H "Content-Type: application/json" -H "Accept: application/json" localhost:2801/test
 ```

 ### Test & Coverage

 ```bash
-go test ./outputs -count=1 -cover -v
+make test
+```
+
+With Coverage
+
+```bash
+make test-coverage
 ```

 ## Author
--- a/config.go
+++ b/config.go
--- a/config_example.yaml
+++ b/config_example.yaml
@ -1,74 +1,591 @@
+#listenaddress: "" # ip address to bind falcosidekick to (default: "" meaning all addresses)
 #listenport: 2801 # port to listen for daemon (default: 2801)
 debug: false # if true all outputs will print in stdout the payload they send (default: false)
-customfields: # custom fields are added to falco events
+customfields: # custom fields are added to falco events and metrics, if the value starts with % the relative env var is used
  Akey: "AValue"
  Bkey: "BValue"
  Ckey: "CValue"
+templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values
+  # Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}'
+# bracketreplacer: "_" # if not empty, the brackets in keys of Output Fields are replaced
+customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used
+  - tagA
+  - tagB
+outputFieldFormat: "<timestamp>: <priority> <output> <custom_fields> <templated_fields>" # if not empty, allow to change the format of the output field. (default: "<timestamp>: <priority> <output>")
+mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")
+mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy
+  certfile: "/etc/certs/client/client.crt" # client certification file
+  keyfile: "/etc/certs/client/client.key" # client key
+  cacertfile: "/etc/certs/client/ca.crt" # for server certification
+tlsclient:
+  cacertfile: "/etc/certs/client/ca.crt" # CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty
+tlsserver:
+  deploy: false # if true, TLS server will be deployed instead of HTTP
+  certfile: "/etc/certs/server/server.crt" # server certification file
+  keyfile: "/etc/certs/server/server.key" # server key
+  mutualtls: false # if true, mTLS server will be deployed instead of TLS, deploy also has to be true
+  cacertfile: "/etc/certs/server/ca.crt" # for client certification if mutualtls is true
+  notlsport: 2810 # port to serve http server serving selected endpoints (default: 2810)
+  notlspaths: # if not empty, and tlsserver.deploy is true, a separate http server will be deployed for the specified endpoints
+    - "/ping"
+    # - "/metrics"
+    # - "/healthz"

 slack:
  webhookurl: "" # Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
+  #channel: "" # Slack channel (optionnal)
  #footer: "" # Slack footer
  #icon: "" # Slack icon (avatar)
-  outputformat: "text" # all (default), text, fields
-  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  #username: "" # Slack username (default: Falcosidekick)
+  outputformat: "all" # all (default), text, fields
+  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  #messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
+
+rocketchat:
+  webhookurl: "" # Rocketchat WebhookURL (ex: http://XXXX/hooks/YYYY), if not empty, Rocketchat output is enabled
+  #icon: "" # Rocketchat icon (avatar)
+  #username: "" # Rocketchat username (default: Falcosidekick)
+  outputformat: "all" # all (default), text, fields
+  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # messageformat: "Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields \"user.name\" }}*" # a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from `ROCKETCHAT_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+mattermost:
+  webhookurl: "" # Mattermost WebhookURL (ex: http://XXXX/hooks/YYYY), if not empty, Mattermosst output is enabled
+  #footer: "" # Mattermost footer
+  #icon: "" # Mattermost icon (avatar)
+  #username: "" # Mattermost username (default: Falcosidekick)
+  outputformat: "all" # all (default), text, fields
+  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # messageformat: "Alert : rule **{{ .Rule }}** triggered by user **{{ index .OutputFields \"user.name\" }}**" # a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `MATTERMOST_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)

 teams:
-  webhookurl: "" # Teams WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Teams output is enabled
+  webhookurl: "" # Teams WebhookURL, if not empty, Teams output is enabled
  #activityimage: "" # Image for message section
-  outputformat: "text" # all (default), text, facts
-  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  outputformat: "all" # all (default), text, facts
+  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+webex:
+  # webhookurl: "" # Webex WebhookURL, if not empty, Teams Webex is enabled
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

 datadog:
-  #apikey: ""  # Datadog API Key, if not empty, Datadog output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # apikey: "" # Datadog API Key, if not empty, Datadog output is enabled
+  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://api.datadoghq.com"
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+datadoglogs:
+  # apikey: "" # Datadog API Key, if not empty, Datadog Logs output is enabled
+  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/"
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # service: "" # The name of the application or service generating the log events.

 alertmanager:
-  # hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # hostport: "" # Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is enabled
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # endpoint: "" # alertmanager endpoint for posting alerts: "/api/v1/alerts" or "/api/v2/alerts" (default: "/api/v1/alerts")
+  # expiresafter: "" if set to a non-zero value, alert expires after that time in seconds (default: 0)
+  # extralabels: "" # comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2
+  # extraannotations: "" # comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2
+  # customseveritymap: "" # comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: "")
+  # dropeventdefaultpriority: "" # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: "critical")
+  # dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default: `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"`)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value

 elasticsearch:
  # hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
  # index: "falco" # index (default: falco)
-  # type: "event"
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none 
+  # type: "_doc"
+  # pipeline: "" # optional ingest pipeline name
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # apikey: "" # use this APIKey to authenticate to Elasticsearch if the APIKey is not empty (default: "")
+  # username: "" # use this username to authenticate to Elasticsearch if the username is not empty (default: "")
+  # password: "" # use this password to authenticate to Elasticsearch if the password is not empty (default: "")
+  # flattenfields: false # replace . by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false)
+  # createindextemplate: false # create an index template (default: false)
+  # numberofshards: 3 # number of shards set by the index template (default: 3)
+  # numberofreplicas: 3 # number of replicas set by the index template (default: 3)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # enablecompression: false # if true enables gzip compression for http requests (default: false)
+  # batching: # batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API
+  #   enabled: true # if true enables batching
+  #   batchsize: 5242880 # batch size in bytes (default: 5 MB)
+  #   flushinterval: 1s # batch fush interval (default: 1s)
+  # maxconcurrentrequests: 1 # max number of concurrent http requests (default: 1)
+
+quickwit:
+  # hostport: "" # http(s)://{domain or ip}:{port}, if not empty, Quickwit output is enabled
+  # apiendpoint: "/api/v1"
+  # index: "falco" # index (default: falco)
+  # version: "0.7"
+  # autocreateindex: false # create the index mapping if true and if the index doesn't already exists
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

 influxdb:
  # hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
-  # database: "falco" # Influxdb database (default: falco)
+  # database: "falco" # Influxdb database (api v1 only) (default: falco)
+  # organization: "" # Influxdb organization
+  # bucket: "falco" # bucket (default: falco)
+  # precision: "ns" # write precision
  # user: "" # user to use if auth is enabled in Influxdb
  # password: "" # pasword to use if auth is enabled in Influxdb
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # token: "" # API token to use if auth in enabled in Influxdb (disables user and password)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)

 loki:
  # hostport: "" # http://{domain or ip}:{port}, if not empty, Loki output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # user: "" # user for Grafana Logs
+  # apikey: "" # API Key for Grafana Logs
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # tenant: "" # Add the Tenant header
+  # format: "text" # Format for the log entry value: json, text (default)
+  # endpoint: "/loki/api/v1/push" # The endpoint URL path, default is "/loki/api/v1/push" more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush
+  # extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value

 nats:
  # hostport: "" # nats://{domain or ip}:{port}, if not empty, NATS output is enabled
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+stan:
+  # hostport: "" # nats://{domain or ip}:{port}, if not empty, STAN output is enabled
+  # clusterid: "" # Cluster name, if not empty, STAN output is enabled
+  # clientid: "" # Client ID, if not empty, STAN output is enabled
+  # subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)

 aws:
-  # accesskeyid: "" # aws access key (optionnal if you use EC2 Instance Profile)
-  # secretaccesskey: "" # aws secret access key (optionnal if you use EC2 Instance Profile)
-  # region : "" # aws region (optionnal if you use EC2 Instance Profile)
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
  lambda:
    # functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
-    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
  sqs:
    # url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
-    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  sns:
+    # topicarn : "" # SNS TopicArn, if not empty, AWS SNS output is enabled
+    rawjson: false # Send Raw JSON or parse it (default: false)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  cloudwatchlogs:
+    # loggroup : "" #  AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is enabled
+    # logstream : "" # AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  s3:
+    # bucket: "falcosidekick" # AWS S3, bucket name
+    # prefix: "" # name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # endpoint: "" # endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs
+    # objectcannedacl: "bucket-owner-full-control" # Canned ACL (x-amz-acl) to use when creating the object
+  securitylake.:
+    # bucket: "" # Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled
+    # region: "" # Bucket Region  (mandatory)
+    # prefix: "" # Prefix for keys  (mandatory)
+    # accountid: "" # Account ID  (mandatory)
+    interval: 5 # Time in minutes between two puts to S3 (must be between 5 and 60min) (default: 5min)
+    batchsize: 1000 # Max number of events by parquet file (default: 1000)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  kinesis:
+    # streamname: "" # AWS Kinesis Stream Name, if not empty, Kinesis output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)

 smtp:
  # hostport: "" # host:port address of SMTP server, if not empty, SMTP output is enabled
-  # user: "" # user to access SMTP server
-  # password: "" # password to access SMTP server
+  # tls: false # Use TLS connection (true/false). Default: true
+  # authmechanism: "plain" # SASL Mechanisms : plain, oauthbearer, external, anonymous or none (disable SASL). Default: plain
+  # user: "" # user for Plain Mechanism
+  # password: "" # password for Plain Mechanism
+  # token: "" # OAuthBearer token for OAuthBearer Mechanism
+  # identity: "" # identity string for Plain and External Mechanisms
+  # trace: "" trace string for Anonymous Mechanism
  # from: "" # Sender address (mandatory if SMTP output is enabled)
  # to: "" # comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled)
  # outputformat: "" # html (default), text
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+prometheus:
+  # extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
+
+statsd:
+  forwarder: "" # The address for the StatsD forwarder, in the form "host:port", if not empty StatsD is enabled
+  namespace: "falcosidekick." # A prefix for all metrics (default: "falcosidekick.")
+
+dogstatsd:
+  forwarder: "" # The address for the DogStatsD forwarder, in the form "host:port", if not empty DogStatsD is enabled
+  namespace: "falcosidekick." # A prefix for all metrics (default: "falcosidekick.")
+  # tag :
+  #   key: "value"

 opsgenie:
  # apikey: "" # Opsgenie API Key, if not empty, Opsgenie output is enabled
-  # region: "eu" # (us|eu) region of your domain
-  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  region: "eu" # (us|eu) region of your domain
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+webhook:
+  # address: "" # Webhook address, if not empty, Webhook output is enabled
+  # method: "POST" # HTTP method: POST or PUT (default: POST)
+  # customHeaders: # Custom headers to add in the request, useful for Authentication
+  #   key: value
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+nodered:
+  # address: "" # Node-RED address, if not empty, Node-RED output is enabled
+  # user: "" # User if Basic Auth is enabled for 'http in' node in Node-RED
+  # password: "" # Password if Basic Auth is enabled for 'http in' node in Node-RED
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+cloudevents:
+  # address: "" # CloudEvents consumer http address, if not empty, CloudEvents output is enabled
+  # extensions: # Extensions to add in the outbound Event, useful for routing
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+azure:
+  eventHub:
+    name: "" # Name of the Hub, if not empty, EventHub is enabled
+    namespace: "" # Name of the space the Hub is in
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+discord:
+  webhookurl: "" # Discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is enabled
+  # icon: "" # Discord icon (avatar)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  pubsub:
+    projectid: "" # The GCP Project ID containing the Pub/Sub Topic
+    topic: "" # The name of the Pub/Sub topic
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # customAttributes: # Custom attributes to add to the Pub/Sub messages
+  #   key: value
+  storage:
+    # prefix : "" # name of prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    bucket: "" # The name of the bucket
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  cloudfunctions:
+    name: "" # The name of the Cloud Function
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  cloudrun:
+    endpoint: "" # The URL of the Cloud Function
+    jwt: "" # Appropriate JWT to invoke the Cloud Function
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+googlechat:
+  webhookurl: "" # Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is enabled
+  # outputformat: "" # all (default), text
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
+
+cliq:
+  webhookurl: "" # WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is enabled
+  # icon: "" # Cliq icon (avatar)
+  # useemoji: true # Prefix message with an emoji
+  # outputformat: "all" # all (default), text, fields
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Cliq Text above Table, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Table.
+
+kafka:
+  hostport: "" # comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
+  topic: "" # Name of the topic, if not empty, Kafka output is enabled
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  sasl: "" # SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512)
+  tls: false # Use TLS for the connections (default: false)
+  username: "" # use this username to authenticate to Kafka via SASL (default: "")
+  password: "" # use this password to authenticate to Kafka via SASL (default: "")
+  # async: false # produce messages without blocking (default: false)
+  # requiredacks: NONE # number of acknowledges from partition replicas required before receiving (default: "NONE")
+  # compression: "" # enable message compression using this algorithm, no compression (GZIP|SNAPPY|LZ4|ZSTD|NONE) (default: "NONE")
+  # balancer: "" # partition balancing strategy when producing, (default: "round_robin")
+  # clientid: "" # specify a client.id when communicating with the broker for tracing
+  # topiccreation: false # auto create the topic if it doesn't exist (default: false)
+
+kafkarest:
+  address: "" # The full URL to the topic (example "http://kafkarest:8082/topics/test")
+  #version: 2 # Kafka Rest Proxy API version 2|1 (default: 2)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+pagerduty:
+  routingKey: "" # Pagerduty Routing Key, if not empty, Pagerduty output is enabled
+  region: "us" # Pagerduty Region, can be 'us' or 'eu' (default: us)
+  minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+kubeless:
+  function: "" # Name of Kubeless function, if not empty, Kubeless is enabled
+  namespace: "" # Namespace of Kubeless function (mandatory)
+  port: 8080 # Port of service of Kubeless function
+  kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcoside is running outside the cluster)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+openfaas:
+  functionname: "" # Name of OpenFaaS function, if not empty, OpenFaaS is enabled
+  functionnamespace: "openfaas-fn" # Namespace of OpenFaaS function, "openfaas-fn" (default)
+  gatewayservice: "gateway" # Service of OpenFaaS Gateway, "gateway" (default)
+  gatewayport: 8080 # Port of service of OpenFaaS Gateway
+  gatewaynamespace: "openfaas" # Namespace of OpenFaaS Gateway, "openfaas" (default)
+  kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+rabbitmq:
+  url: "" # Rabbitmq URL, if not empty, Rabbitmq output is enabled
+  queue: "" # Rabbitmq Queue name
+  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+wavefront:
+  endpointtype: "" # Wavefront endpoint type, must be 'direct' or 'proxy'. If not empty, with endpointhost, Wavefront output is enabled
+  endpointhost: "" # Wavefront endpoint address (only the host). If not empty, with endpointhost, Wavefront output is enabled
+  endpointtoken: "" # Wavefront token. Must be used only when endpointtype is 'direct'
+  # endpointmetricport: 2878 # Port to send metrics. Only used when endpointtype is 'proxy'. Defaults to 2878
+  # metricname: "falco.alert" # Metric to be created in Wavefront. Defaults to falco.alert
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # batchsize: 10000 # Wavefront batch size. If empty uses the default 10000. Only used when endpointtype is 'direct'
+  # flushintervalseconds: 1 # Wavefront flush interval in seconds. Defaults to 1
+
+grafana:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, Grafana output is enabled
+  apikey: "" # API Key to authenticate to Grafana, if not empty, Grafana output is enabled
+  # dashboardid:  # annotations are scoped to a specific dashboard. Optionnal.
+  # panelid: "" # annotations are scoped to a specific panel. Optionnal.
+  # allfieldsastags: false # if true, all custom fields are added as tags (default: false)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+grafanaoncall:
+  webhookurl: "" # if not empty, Grafana OnCall output is enabled
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+webui:
+  url: "" # WebUI URL, if not empty, WebUI output is enabled
+
+fission:
+  function: "" # Name of Fission function, if not empty, Fission is enabled
+  routernamespace: "fission" # Namespace of Fission Router, "fission" (default)
+  routerservice: "router" # Service of Fission Router, "router" (default)
+  routerport: 80 # Port of service of Fission Router
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+
+policyreport:
+  enabled: false # if true policyreport output is enabled
+  kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  falconamespace: "" # Set the namespace where Falco is running (only if falcosidekick is running outside the cluster)
+  maxevents: 1000 # the max number of events per report(default: 1000)
+  prunebypriority: false # if true; the events with lowest severity are pruned first, in FIFO order (default: false)
+
+yandex:
+  # accesskeyid: "" # yandex access key
+  # secretaccesskey: "" # yandex secret access key
+  # region: "" # yandex storage region (default: ru-central-1)
+  s3:
+    # endpoint: "" # yandex storage endpoint (default: https://storage.yandexcloud.net)
+    # bucket: "falcosidekick" # Yandex storage, bucket name
+    # prefix: "" # name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug
+  datastreams:
+    # endpoint: "" # Yandex Data Streams endpoint (default: https://yds.serverless.yandexcloud.net)
+    # streamname: "" # stream name in format /${region}/${folder_id}/${ydb_id}/${stream_name}
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug
+
+syslog:
+  # host: "" # Syslog host, if not empty, Syslog output is enabled
+  # port: "" # Syslog endpoint port number
+  # protocol: "" # Syslog transport protocol. It can be either "tcp" or "udp" (default: tcp)
+  # format: "" # Syslog payload format. It can be either "json" or "cef" (default: json)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+mqtt:
+  broker: "" # Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is enabled
+  # topic: "falco/events" # Topic for messages (default: falco/events)
+  # qos: 0 # QOS for messages (default: 0)
+  # retained: false # If true, messages are retained (default: false)
+  # user: "" # User if the authentication is enabled in the broker
+  # password: "" # Password if the authentication is enabled in the broker
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+zincsearch:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled
+  # index: "falco" # index (default: falco)
+  # username: "" # use this username to authenticate to ZincSearch (default: "")
+  # password: "" # use this password to authenticate to ZincSearch (default: "")
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+gotify:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, Gotify output is enabled
+  # token: "" # API Token
+  # format: "markdown" # Format of the messages (plaintext, markdown, json) (default: markdown)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+tekton:
+  # eventListener: "" # EventListener address, if not empty, Tekton output is enabled
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+spyderbat:
+  # orguid: "" # Organization to send output to, if not empty, Spyderbat output is enabled
+  # apikey: "" # Spyderbat API key with access to the organization
+  # apiurl: "https://api.spyderbat.com" # Spyderbat API url (default: "https://api.spyderbat.com")
+  # source: "falcosidekick" # Spyderbat source ID, max 32 characters (default: "falcosidekick")
+  # sourcedescription: "" # Spyderbat source description and display name if not empty, max 256 characters
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+timescaledb:
+  # host: "" # TimescaleDB host, if not empty, TImescaleDB output is enabled
+  # port: "5432" # TimescaleDB port (default: 5432)
+  # user: "postgres" # Username to authenticate with TimescaleDB (default: postgres)
+  # password: "postgres" # Password to authenticate with TimescaleDB (default: postgres)
+  # database: "" # TimescaleDB database used
+  # hypertablename: "falco_events" # Hypertable to store data events (default: falco_events) See TimescaleDB setup for more info
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+redis:
+  # address: "" # Redis address, if not empty, Redis output is enabled
+  # password: "" # Password to authenticate with Redis (default: "")
+  # database: "" # Redis database number (default: 0)
+  # storagetype: "" # Redis storage type: hashmap or list (default: "list")
+  # key: "" # Redis storage key name for hashmap, list(default: "falco")
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+telegram:
+  # token: "" # telegram bot authentication token
+  # chatid: "" # telegram Identifier of the shared chat
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+n8n:
+  # address: "" # N8N address, if not empty, N8N output is enabled
+  # user: "" # Username to authenticate with N8N in basic auth
+  # password: "" # Password to authenticate with N8N in basic auth
+  # headerauthname: "" # Header Auth Key to authenticate with N8N
+  # headerauthvalue: "" # Header Auth Value to authenticate with N8N
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+openobserve:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, OpenObserve output is enabled
+  # organizationName: "default" # Organization name (default: default)
+  # streamName: "falco" # Stream name (default: falco)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # username: "a" # use this username to authenticate to OpenObserve if the username is not empty (default: "")
+  # password: "" # use this password to authenticate to OpenObserve if the password is not empty (default: "")
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+
+dynatrace:
+  apitoken: "" # Dynatrace API token with the "logs.ingest" scope, more info : https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled
+  apiurl: "" # Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+sumologic:
+  receiverURL: "" # Sumologic HTTP Source URL, if not empty, Sumologic output is enabled
+  # sourceCategory: "" # Override the default Sumologic Source Category
+  # sourceHost: "" # Override the default Sumologic Source Host
+  # name: "" # Override the default Sumologic Source Name
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+
+otlp:
+  traces:
+    # endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/traces), if not empty, OTLP Traces output is enabled
+    # protocol: "" # OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json)
+    # timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # synced: false # Set to true if you want traces to be sent synchronously (default: false)
+    # duration: 1000 # Artificial span duration in milliseconds (default: 1000)
+    # extraenvvars: # Extra env vars (override the other settings)
+      # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # checkcert: true # Set if you want to skip TLS certificate validation (default: true)
+  logs:
+    # endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/logs), if not empty, OTLP Traces output is enabled
+    # protocol: "" # OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json)
+    # timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # extraenvvars: # Extra env vars (override the other settings)
+      # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # checkcert: true # Set if you want to skip TLS certificate validation (default: true)
+  metrics:
+    # endpoint: "" # OTLP endpoint, typically in the form http(s)://{domain or ip}:4318(/v1/metrics), if not empty, OTLP Metrics output is enabled
+    # protocol: "" # OTLP transport protocol to be used for metrics data; it can be "grpc" or "http/protobuf" (default: "grpc")
+    # timeout: "" # OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000)
+    # headers: "" # List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "")
+    # extraenvvars: # Extra env vars (override the other settings) (default: "")
+      # OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000
+      # OTEL_EXPORTER_OTLP_TIMEOUT: 10000
+    # minimumpriority: "" # Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "")
+    # checkcert: true # Set to false if you want to skip TLS certificate validation (only with https) (default: true)
+    # extraattributes: "" # Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields
+
+talon:
+  # address: "" # Falco talon address, if not empty, Falco Talon output is enabled
+  # checkcert: false # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+logstash:
+  # address: "" # Logstash address, if not empty, Logstash output is enabled
+  # port: 5044 # Logstash port number (default: 5044)
+  # tls: false # communicate over tls; requires Logstash version 8+ to work 
+  # mutualtls: false # or authenticate to the output with TLS; if true, checkcert flag will be ignored (server cert will always be checked) (default: false)
+  # checkcert: true # Check if ssl certificate of the output is valid (default: true)
+  # certfile: "" # Use this certificate file instead of the client certificate when using mutual TLS (default: "")
+  # keyfile: "" # Use this key file instead of the client certificate when using mutual TLS (default: "")
+  # cacertfile: "" # Use this CA certificate file instead of the client certificate when using mutual TLS (default: "")
+  # minimumpriority: minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "debug")
+  # tags: ["falco"] # An additional list of tags that will be added to those produced by Falco (default: [])
--- a/deploy/helm/falcosidekick/.helmignore
+++ b/deploy/helm/falcosidekick/.helmignore
@ -1,22 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
--- a/deploy/helm/falcosidekick/Chart.yaml
+++ b/deploy/helm/falcosidekick/Chart.yaml
@ -1,9 +0,0 @@
-apiVersion: v1
-appVersion: "2.9.0"
-description: A simple daemon to help you with falco's outputs
-icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick.png
-name: falcosidekick
-version: 0.1.7
-maintainers:
-  - name: SweetOps
-  - name: Issif
--- a/deploy/helm/falcosidekick/templates/NOTES.txt
+++ b/deploy/helm/falcosidekick/templates/NOTES.txt
@ -1,21 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
-  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
-  {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "falcosidekick.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "falcosidekick.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "falcosidekick.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "falcosidekick.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:80
-{{- end }}
--- a/deploy/helm/falcosidekick/templates/_helpers.tpl
+++ b/deploy/helm/falcosidekick/templates/_helpers.tpl
@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "falcosidekick.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "falcosidekick.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "falcosidekick.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
--- a/deploy/helm/falcosidekick/templates/deployment.yaml
+++ b/deploy/helm/falcosidekick/templates/deployment.yaml
@ -1,207 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "falcosidekick.fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-      app.kubernetes.io/instance: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Name }}
-    spec:
-      serviceAccountName: {{ include "falcosidekick.fullname" . }}
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: 2801
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /ping
-              port: http
-            initialDelaySeconds: 10
-            periodSeconds: 5
-          readinessProbe:
-            httpGet:
-              path: /ping
-              port: http
-            initialDelaySeconds: 10
-            periodSeconds: 5
-          env:
-            - name: DEBUG
-              value: {{ .Values.config.debug | quote }}
-            - name: CUSTOMFIELDS
-              value: {{ .Values.config.customfields | quote }}
-            {{- if .Values.config.slack.webhookurl }}
-            - name: SLACK_WEBHOOKURL
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: slack-webhookurl
-            - name: SLACK_OUTPUTFORMAT
-              value: {{ .Values.config.slack.outputformat | quote }}
-            - name: SLACK_FOOTER
-              value: {{ .Values.config.slack.footer | quote }}
-            - name: SLACK_ICON
-              value: {{ .Values.config.slack.icon | quote }}
-            - name: SLACK_MINIMUMPRIORITY
-              value: {{ .Values.config.slack.minimumpriority | quote }}
-            {{- end }}
-            {{- if .Values.config.teams.webhookurl }}
-            - name: TEAMS_WEBHOOKURL
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: teams-webhookurl
-            - name: TEAMS_OUTPUTFORMAT
-              value: {{ .Values.config.teams.outputformat | quote }}
-            - name: TEAMS_ACTIVITYIMAGE
-              value: {{ .Values.config.teams.activityimage | quote }}
-            - name: TEAMS_MINIMUMPRIORITY
-              value: {{ .Values.config.teams.minimumpriority | quote }}
-            {{- end }}
-            {{- if .Values.config.datadog.apikey }}
-            - name: DATADOG_APIKEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: datadog-apikey
-            - name: DATADOG_MINIMUMPRIORITY
-              value: {{ .Values.config.datadog.minimumpriority | quote }}
-            {{- end }}
-            {{- if .Values.config.alertmanager.hostport }}
-            - name: ALERTMANAGER_HOSTPORT
-              value: {{ .Values.config.alertmanager.hostport | quote }}
-            - name: ALERTMANAGER_MINIMUMPRIORITY
-              value: {{ .Values.config.alertmanager.minimumpriority | quote }}
-            {{- end }}
-            {{- if .Values.config.elasticsearch.hostport }}
-            - name: ELASTICSEARCH_HOSTPORT
-              value: {{ .Values.config.hostport.hostport | quote }}
-            - name: ELASTICSEARCH_INDEX
-              value: {{ .Values.config.elasticsearch.index | quote }}
-            - name: ELASTICSEARCH_TYPE
-              value: {{ .Values.config.elasticsearch.type | quote }}
-            - name: ELASTICSEARCH_MINIMUMPRIORITY
-              value: {{ .Values.config.elasticsearch.minimumpriority | quote }}
-            {{- end }}
-            {{- if .Values.config.influxdb.hostport }}
-            - name: INFLUXDB_HOSTPORT
-              value: {{ .Values.config.influxdb.hostport | quote }}
-            - name: INFLUXDB_MINIMUMPRIORITY
-              value: {{ .Values.config.influxdb.minimumpriority | quote }}
-            - name: INFLUXDB_DATABASE
-              value: {{ .Values.config.influxdb.database | quote }}
-            {{- end }}
-            {{- if and .Values.config.influxdb.user .Values.config.influxdb.password }}
-            - name: INFLUXDB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: influxbd-user
-            - name: INFLUXDB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: influxbd-password
-            {{- end }}
-            {{- if .Values.config.loki.hostport }}
-            - name: LOKI_HOSTPORT
-              value: {{ .Values.config.loki.hostport | quote }}
-            - name: LOKI_MINIMUMPRIORITY
-              value: {{ .Values.config.loki.minimumpriority | quote }}
-            {{ end }}
-            {{- if .Values.config.nats.hostport }}
-            - name: NATS_HOSTPORT
-              value: {{ .Values.config.nats.hostport | quote }}
-            - name: NATS_MINIMUMPRIORITY
-              value: {{ .Values.config.nats.minimumpriority | quote }}
-            {{ end }}
-            {{- if and .Values.config.aws.accesskeyid .Values.config.influxdb.secretaccesskey .Values.config.aws.region }}
-            - name: AWS_ACCESSKEYID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: aws-accesskeyid
-            - name: AWS_SECRETACCESSKEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: aws-secretaccesskey
-            - name: AWS_REGION
-              value: {{ .Values.config.aws.region | quote }}
-            {{- end }}
-            {{- if .Values.config.aws.lambda.functionname }}
-            - name: AWS_LAMBDA_FUNCTIONNAME
-              value: {{ .Values.config.aws.lambda.functionname | quote }}
-            - name: AWS_LAMBDA_MINIMUMPRIORITY
-              value: {{ .Values.config.aws.lambda.minimumpriority | quote }}
-            {{- end }}
-            {{- if .Values.config.aws.sqs.url }}
-            - name: AWS_SQS_URL
-              value: {{ .Values.config.aws.sqs.functionname | quote }}
-            - name: AWS_SQS_MINIMUMPRIORITY
-              value: {{ .Values.config.aws.sqs.minimumpriority | quote }}
-            {{- end }}
-            {{- if and .Values.config.smtp.hostport .Values.config.smtp.from .Values.config.smtp.to }}
-            - name: SMTP_HOSTPORT
-              value: {{ .Values.config.smtp.hostport | quote }}
-            - name: SMTP_FROM
-              value: {{ .Values.config.smtp.from | quote }}
-            - name: SMTP_TO
-              value: {{ .Values.config.smtp.to | quote }}
-            - name: SMTP_OUTPUTFORMAT
-              value: {{ .Values.config.smtp.outputformat | quote }}
-            - name: SMTP_MINIMUMPRIORITY
-              value: {{ .Values.config.smtp.minimumpriority | quote }}
-            {{- if and .Values.config.smtp.user .Values.config.smtp.password }}
-            - name: SMTP_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: smtp-user
-            - name: SMTP_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: smtp-password
-            {{- end }}  
-            {{- end }}
-            {{- if .Values.opsgenie.datadog.apikey }}
-            - name: OPSGENIE_APIKEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "falcosidekick.fullname" . }}
-                  key: opsgenie-apikey
-            - name: OPSGENIE_REGION
-              value: {{ .Values.config.opsgenie.region | quote }}
-            - name: OPSGENIE_MINIMUMPRIORITY
-              value: {{ .Values.config.opsgenie.minimumpriority | quote }}
-            {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-    {{- end }}
--- a/deploy/helm/falcosidekick/templates/ingress.yaml
+++ b/deploy/helm/falcosidekick/templates/ingress.yaml
@ -1,39 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "falcosidekick.fullname" . -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  {{- with .Values.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . | quote }}
-      {{- end }}
-      secretName: {{ .secretName }}
-  {{- end }}
-{{- end }}
-  rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
-      http:
-        paths:
-        {{- range .paths }}
-          - path: {{ . }}
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-        {{- end }}
-  {{- end }}
-{{- end }}
--- a/deploy/helm/falcosidekick/templates/rbac.yaml
+++ b/deploy/helm/falcosidekick/templates/rbac.yaml
@ -1,45 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "falcosidekick.fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: {{ include "falcosidekick.fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-rules:
- apiGroups:
-    - ""
-  resources:
-    - endpoints
-  resourceNames:
-    - {{ include "falcosidekick.fullname" . }}
-  verbs:
-    - get
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-  name: {{ include "falcosidekick.fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "falcosidekick.fullname" . }}
-subjects:
- kind: ServiceAccount
-  name: {{ include "falcosidekick.fullname" . }}
--- a/deploy/helm/falcosidekick/templates/secrets.yaml
+++ b/deploy/helm/falcosidekick/templates/secrets.yaml
@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "falcosidekick.fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-type: Opaque
-data:
-  {{- if .Values.config.slack.webhookurl }}
-  slack-webhookurl: "{{ .Values.config.slack.webhookurl | b64enc }}"
-  {{- end }}
-  {{- if .Values.config.teams.webhookurl }}
-  teams-webhookurl: "{{ .Values.config.teams.webhookurl | b64enc }}"
-  {{- end }}
-  {{- if .Values.config.datadog.apikey }}
-  datadog-apikey: "{{ .Values.config.datadog.apikey | b64enc }}"
-  {{- end }}
-  {{- if and .Values.config.influxdb.user .Values.config.influxdb.password }}
-  influxdb-user: "{{ .Values.config.influxdb.user | b64enc }}"
-  influxdb-password: "{{ .Values.config.influxdb.password | b64enc }}"
-  {{- end }}
-  {{- if and .Values.config.aws.accesskeyid .Values.config.aws.secretaccesskey }}
-  aws-accesskeyid: "{{ .Values.config.aws.accesskeyid | b64enc }}"
-  aws-secretaccesskey: "{{ .Values.config.aws.secretaccesskey | b64enc }}"
-  {{- end }}
-  {{- if and .Values.config.smtp.user .Values.config.smtp.password }}
-  smtp-user: "{{ .Values.config.smtp.user | b64enc }}"
-  smtp-password: "{{ .Values.config.smtp.password | b64enc }}"
-  {{- end }}
-  {{- if .Values.config.opsgenie.apikey }}
-  opsgenie-apikey: "{{ .Values.config.opsgenie.apikey | b64enc }}"
-  {{- end }}
--- a/deploy/helm/falcosidekick/templates/service.yaml
+++ b/deploy/helm/falcosidekick/templates/service.yaml
@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "falcosidekick.fullname" . }}
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
--- a/deploy/helm/falcosidekick/templates/tests/test-connection.yaml
+++ b/deploy/helm/falcosidekick/templates/tests/test-connection.yaml
@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "falcosidekick.fullname" . }}-test-connection"
-  labels:
-    app.kubernetes.io/name: {{ include "falcosidekick.name" . }}
-    helm.sh/chart: {{ include "falcosidekick.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  annotations:
-    "helm.sh/hook": test-success
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args:  ['{{ include "falcosidekick.fullname" . }}:{{ .Values.service.port }}']
-  restartPolicy: Never
--- a/deploy/helm/falcosidekick/values.yaml
+++ b/deploy/helm/falcosidekick/values.yaml
@ -1,122 +0,0 @@
-# Default values for falcosidekick.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
-  repository: falcosecurity/falcosidekick
-  tag: 2.9.0
-  pullPolicy: IfNotPresent
-
-nameOverride: ""
-fullnameOverride: ""
-
-config:
-
-  debug: false
-  ##
-  ## a list of comma separated custom fields to add to falco events, syntax is "key:value,key:value"
-  customfields: ""
-
-  slack:
-    webhookurl: ""
-    footer: ""
-    icon: ""
-    outputformat: "all"
-    minimumpriority: ""
-
-  teams:
-    webhookurl: ""
-    activityimage: ""
-    outputformat: "all"
-    minimumpriority: ""
-
-  datadog:
-    apikey: ""
-    minimumpriority: ""
-
-  alertmanager:
-    hostport: ""
-
-  elasticsearch:
-    hostport: ""
-    index: "falco"
-    type: "event"
-    minimumpriority: ""
-
-  influxdb:
-    hostport: ""
-    database: "falco"
-    user: ""
-    password: ""
-    minimumpriority: ""
-
-  loki:
-    hostport: ""
-    minimumpriority: ""
-
-  nats:
-    hostport: ""
-    minimumpriority: ""
-
-  aws:
-    accesskeyid: ""
-    secretaccesskey: ""
-    region : ""
-    lambda:
-      functionname : ""
-      minimumpriority: ""
-    sqs:
-      url : ""
-      minimumpriority: ""
-
-  smtp:
-    hostport: ""
-    user: ""
-    password: ""
-    from: ""
-    to: ""
-    outputformat: "html"
-    minimumpriority: ""
-
-  opsgenie:
-    aipkey: ""
-    region: ""
-    minimumpriority: ""
-
-service:
-  type: ClusterIP
-  port: 2801
-
-ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chart-example.local
-      paths: []
-
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -0,0 +1,72 @@
+version: "3"
+services:
+  smtp:
+    image: mailhog/mailhog:latest
+    ports:
+      - "1025:1025"
+      - "8025:8025"
+    profiles: [smtp]
+
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.1.0
+    ports:
+      - "9200:9200"
+      - "9300:9300"
+    environment: #credentials: elastic/elastic
+      - ELASTIC_PASSWORD=elastic
+      - discovery.type=single-node
+      - xpack.security.enabled=false
+      - xpack.security.transport.ssl.enabled=false
+    profiles: [elasticsearch]
+
+  nats:
+    image: nats:latest
+    ports:
+      - "4222:4222"
+      - "8222:8222"
+    command: "--http_port 8222"
+    hostname: nats
+    profiles: [nats]
+
+  loki:
+    image: grafana/loki:latest
+    ports:
+      - "3100:3100"
+    command: -config.file=/etc/loki/local-config.yaml
+    profiles: [loki]
+  grafana: #credentials: admin/admin
+    image: grafana/grafana:latest
+    ports:
+      - "3000:3000"
+    depends_on: [loki]
+    profiles: [loki]
+
+  influxdb: #credentials: admin/adminadmin
+    image: influxdb:latest
+    environment:
+      - DOCKER_INFLUXDB_INIT_MODE=setup
+      - DOCKER_INFLUXDB_INIT_USERNAME=admin
+      - DOCKER_INFLUXDB_INIT_PASSWORD=adminadmin
+      - DOCKER_INFLUXDB_INIT_ORG=falco
+      - DOCKER_INFLUXDB_INIT_BUCKET=falco
+    ports:
+      - "8086:8086"
+    profiles: [influxdb]
+
+  alertmanager:
+    image: prom/alertmanager:latest
+    ports:
+      - "9093:9093"
+    profiles: [alertmanager]
+
+  minio:
+    image: quay.io/minio/minio
+    environment:
+      - MINIO_ROOT_USER=root
+      - MINIO_ROOT_PASSWORD=super-secret
+      - MINIO_DOMAIN=minio.localhost
+    command: server /data --console-address ":9001"
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    profiles: [minio]
--- a/docs/outputs/EXAMPLE.md
+++ b/docs/outputs/EXAMPLE.md
@ -0,0 +1,35 @@
+# Output Name
+
+- **Category**: Category of the output
+- **Website**: URL of the output
+
+## Table of content
+
+- [Output Name](#output-name)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting | Env var | Default value | Description |
+| ------- | ------- | ------------- | ----------- |
+|         |         |               |             |
+|         |         |               |             |
+|         |         |               |             |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+output:
+  setting: ""
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/alertmanager.md
+++ b/docs/outputs/alertmanager.md
@ -0,0 +1,55 @@
+# AlertManager
+
+- **Category**: Alerting
+- **Website**: https://github.com/prometheus/alertmanager
+
+## Table of content
+
+- [AlertManager](#alertmanager)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|                 Setting                 |                 Env var                 |                            Default value                             |                                                                                                               Description                                                                                                                |
+| --------------------------------------- | --------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `alertmanager.hostport`                 | `ALERTMANAGER_HOSTPORT`                 |                                                                      | Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is **enabled**                                                                                                 |
+| `alertmanager.mutualtls`                | `ALERTMANAGER_MUTUALTLS`                | `false`                                                              | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                                                                                                                        |
+| `alertmanager.checkcert`                | `ALERTMANAGER_CHECKCERT`                | `true`                                                               | check if ssl certificate of the output is valid                                                                                                                                                                                          |
+| `alertmanager.endpoint`                 | `ALERTMANAGER_ENDPOINT`                 | `/api/v1/alerts`                                                     | Alertmanager endpoint for posting alerts `/api/v1/alerts` or `/api/v2/alerts`                                                                                                                                                            |
+| `alertmanager.expiresafter`             | `ALERTMANAGER_EXPIRESAFTER`             | `0`                                                                  | If set to a non-zero value, alert expires after that time in seconds                                                                                                                                                                     |
+| `alertmanager.extralabels`              | `ALERTMANAGER_EXTRALABELS`              |                                                                      | Comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: `my_annotation_1:my_value_1, my_annotation_1:my_value_2`                                                                 |
+| `alertmanager.extraannotations`         | `ALERTMANAGER_EXTRAANNOTATIONS`         |                                                                      | Comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts Example: `debug:value_1,critical:value2`                                                                                      |
+| `alertmanager.customseveritymap`        | `ALERTMANAGER_CUSTOMSEVERITYMAP`        |                                                                      | Comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: `debug:value_1,critical:value2` |
+| `alertmanager.dropeventdefaultpriority` | `ALERTMANAGER_DROPEVENTDEFAULTPRIORITY` | `critical`                                                           | Default priority of dropped events, values are `emergency,alert,critical,error,warning,notice,informational,debug`                                                                                                                       |
+| `alertmanager.dropeventthresholds`      | `ALERTMANAGER_DROPEVENTTHRESHOLDS`      | `10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning` | Comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational`                                   |
+| `alertmanager.minimumpriority`          | `ALERTMANAGER_MINIMUMPRIORITY`          | `""` (= `debug`)                                                     | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                      |
+| `alertmanager.customheaders`            | `ALERTMANAGER_CUSTOMHEADERS`            |                                                                      | Custom headers for the POST request                                                                                                                                                                                                      |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+alertmanager:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # endpoint: "" # alertmanager endpoint for posting alerts: "/api/v1/alerts" or "/api/v2/alerts" (default: "/api/v1/alerts")
+  # expiresafter: "" if set to a non-zero value, alert expires after that time in seconds (default: 0)
+  # extralabels: "" # comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2
+  # extraannotations: "" # comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2
+  # customseveritymap: "" # comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: "")
+  # dropeventdefaultpriority: "" # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: "critical")
+  # dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default: `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"`)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+```
+
+## Screenshots
+
+![alertmanager example](images/alertmanager.png)
--- a/docs/outputs/aws_cloudwatch_logs.md
+++ b/docs/outputs/aws_cloudwatch_logs.md
@ -0,0 +1,76 @@
+# AWS Cloudwatch Logs
+
+- **Category**: Logs
+- **Website**: https://aws.amazon.com/cloudwatch/features/
+
+## Table of content
+
+- [AWS Cloudwatch Logs](#aws-cloudwatch-logs)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [CloudWatch Logs Sample IAM Policy](#cloudwatch-logs-sample-iam-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                              | Env var                              | Default value    | Description                                                                                                                         |
+| ------------------------------------ | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`                    | `AWS_ACCESSKEYID`                    |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`                | `AWS_SECRETACCESSKEY`                |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                         | `AWS_REGION`                         |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                        | `AWS_ROLEARN`                        |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`                     | `AWS_EXTERNALID`                     |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`                  | `AWS_CHECKIDENTITY`                  | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.cloudwatchlogs.loggroup`        | `AWS_CLOUDWATCHLOGS_LOGGROUP`        |                  | AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is **enabled**                                                 |
+| `aws.cloudwatchlogs.logstream`       | `AWS_CLOUDWATCHLOGS_LOGSTREAM`       |                  | AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream                                            |
+| `aws.cloudwatchlogs.minimumpriority` | `AWS_CLOUDWATCHLOGS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  cloudwatchlogs:
+    loggroup : "" #  AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is enabled
+    logstream : "" # AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### CloudWatch Logs Sample IAM Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "cloudwacthlogs",
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:DescribeLogStreams",
+        "logs:PutRetentionPolicy",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+## Screenshots
--- a/docs/outputs/aws_kinesis.md
+++ b/docs/outputs/aws_kinesis.md
@ -0,0 +1,51 @@
+# AWS Kinesis
+
+- **Category**: Message Queue / Streaming
+- **Website**: https://aws.amazon.com/kinesis/
+
+## Table of content
+
+- [AWS Kinesis](#aws-kinesis)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`             | `AWS_ACCESSKEYID`             |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`         | `AWS_SECRETACCESSKEY`         |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                  | `AWS_REGION`                  |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                 | `AWS_ROLEARN`                 |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`              | `AWS_EXTERNALID`              |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`           | `AWS_CHECKIDENTITY`           | `true`           | Check the identity credentials, set to false for locale developments                                                                |             
+| `aws.kinesis.streamname`      | `AWS_KINESIS_STREAMNAME`      |                  | AWS Kinesis Stream Name, if not empty, Kinesis output is **enabled**                                                                |
+| `aws.kinesis.minimumpriority` | `AWS_KINESIS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  kinesis:
+    streamname: "" # AWS Kinesis Stream Name, if not empty, Kinesis output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+## Screenshots
--- a/docs/outputs/aws_lambda.md
+++ b/docs/outputs/aws_lambda.md
@ -0,0 +1,70 @@
+# AWS Lambda
+
+- **Category**: FaaS / Serverless
+- **Website**: https://aws.amazon.com/lambda/features/
+
+## Table of content
+
+- [AWS Lambda](#aws-lambda)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Lambda Sample IAM Policy](#lambda-sample-iam-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                      | Env var                      | Default value    | Description                                                                                                                         |
+| ---------------------------- | ---------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`            | `AWS_ACCESSKEYID`            |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`        | `AWS_SECRETACCESSKEY`        |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                 | `AWS_REGION`                 |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                | `AWS_ROLEARN`                |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`             | `AWS_EXTERNALID`             |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`          | `AWS_CHECKIDENTITY`          | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.lambda.functionname`    | `AWS_LAMBDA_FUNCTIONNAME`    |                  | Lambda function name, if not empty, AWS Lambda output is **enabled**                                                                |
+| `aws.lambda.minimumpriority` | `AWS_LAMBDA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  lambda:
+    functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### Lambda Sample IAM Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Id": "lambda",
+  "Statement": [
+    {
+      "Sid": "invoke",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "*"
+    }
+  ]
+}
+```
+
+## Screenshots
--- a/docs/outputs/aws_s3.md
+++ b/docs/outputs/aws_s3.md
@ -0,0 +1,57 @@
+# AWS S3
+
+- **Category**: Object storage
+- **Website**: https://aws.amazon.com/s3/features/
+
+## Table of content
+
+- [AWS S3](#aws-s3)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                  | Env var                  | Default value               | Description                                                                                                                         |
+|--------------------------|--------------------------|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| `aws.accesskeyid`        | `AWS_ACCESSKEYID`        |                             | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`    | `AWS_SECRETACCESSKEY`    |                             | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`             | `AWS_REGION`             |                             | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`            | `AWS_ROLEARN`            |                             | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`         | `AWS_EXTERNALID`         |                             | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`      | `AWS_CHECKIDENTITY`      | `true`                      | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.s3.bucket`          | `AWS_S3_BUCKET`          |                             | AWS S3 bucket name, if not empty, AWS S3 output is **enabled**                                                                      |
+| `aws.s3.prefix`          | `AWS_S3_PREFIX`          |                             | Prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json                                   |
+| `aws.s3.minimumpriority` | `AWS_S3_MINIMUMPRIORITY` | `""` (= `debug`)            | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `aws.s3.endpoint`        | `AWS_S3_ENDPOINT`        |                             | Endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs                                         |
+| `aws.s3.objectcannedacl` | `AWS_S3_OBJECTCANNEDACL` | `bucket-owner-full-control` | Canned ACL (`x-amz-acl`) to use when creating the object                                                                            |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  s3:
+    bucket: "falcosidekick" # AWS S3, bucket name
+    prefix : "" # Prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+    # endpoint: "" # endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs
+    # objectcannedacl: "bucket-owner-full-control" # Canned ACL (x-amz-acl) to use when creating the object
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+## Screenshots
--- a/docs/outputs/aws_security_lake.md
+++ b/docs/outputs/aws_security_lake.md
@ -0,0 +1,61 @@
+# AWS Security Lake
+
+- **Category**: SIEM
+- **Website**: https://aws.amazon.com/security-lake/
+
+## Table of content
+
+- [AWS Security Lake](#aws-security-lake)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                            | Env var                            | Default value    | Description                                                                                                                         |
+| ---------------------------------- | ---------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`                  | `AWS_ACCESSKEYID`                  |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`              | `AWS_SECRETACCESSKEY`              |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`                       | `AWS_REGION`                       |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`                      | `AWS_ROLEARN`                      |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`                   | `AWS_EXTERNALID`                   |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`                | `AWS_CHECKIDENTITY`                | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.securitylake.bucket`          | `AWS_SECURITYLAKE_BUCKET`          |                  | Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is **enabled**                                              |
+| `aws.securitylake.region`          | `AWS_SECURITYLAKE_REGION`          |                  | Bucket Region for AWS SecurityLake data                                                                                             |
+| `aws.securitylake.prefix`          | `AWS_SECURITYLAKE_PREFIX`          |                  | Prefix for keys                                                                                                                     |
+| `aws.securitylake.accountid`       | `AWS_SECURITYLAKE_ACCOUNTID`       |                  | Account ID                                                                                                                          |
+| `aws.securitylake.interval`        | `AWS_SECURITYLAKE_INTERVAL`        | `5`              | Time in minutes between two puts to S3 (must be between 5 and 60min)                                                                |
+| `aws.securitylake.batchsize`       | `AWS_SECURITYLAKE_BATCHSIZE`       | `1000`           | Max number of events by parquet file                                                                                                |
+| `aws.securitylake.minimumpriority` | `AWS_SECURITYLAKE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  securitylake.:
+    bucket: "" # Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled
+    region: "" # Bucket Region
+    prefix: "" # Prefix for keys
+    accountid: "" # Account ID
+    # interval: 5 # Time in minutes between two puts to S3 (must be between 5 and 60min) (default: 5min)
+    # batchsize: 1000 # Max number of events by parquet file (default: 1000)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+## Screenshots
--- a/docs/outputs/aws_sns.md
+++ b/docs/outputs/aws_sns.md
@ -0,0 +1,73 @@
+# AWS SNS
+
+- **Category**: Message queue / Streaming
+- **Website**: https://aws.amazon.com/sns/features/
+
+## Table of content
+
+- [AWS SNS](#aws-sns)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [SNS Sample Policy](#sns-sample-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`         | `AWS_ACCESSKEYID`         |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`     | `AWS_SECRETACCESSKEY`     |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`              | `AWS_REGION`              |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`             | `AWS_ROLEARN`             |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`          | `AWS_EXTERNALID`          |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`       | `AWS_CHECKIDENTITY`       | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.sns.topicarn`        | `AWS_SNS_TOPICARN`        |                  | SNS TopicArn, if not empty, AWS SNS output is **enabled**                                                                           |
+| `aws.sns.rawjson`         | `AWS_SNS_RAWJSON`         | `false`          | end Raw JSON or parse it                                                                                                            |
+| `aws.sns.minimumpriority` | `AWS_SNS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  sns:
+    # topicarn : "" # SNS TopicArn, if not empty, AWS SNS output is enabled
+    rawjson: false # Send Raw JSON or parse it (default: false)
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### SNS Sample Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Id": "sns",
+  "Statement": [
+    {
+      "Sid": "publish",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "sns:Publish",
+      "Resource": "arn:aws:sqs:*:111122223333:queue1"
+    }
+  ]
+}
+```
+
+
+## Screenshots
--- a/docs/outputs/aws_sqs.md
+++ b/docs/outputs/aws_sqs.md
@ -0,0 +1,72 @@
+# AWS SQS
+
+- **Category**: Message queue / Streaming
+- **Website**: https://aws.amazon.com/sqs/features/
+
+## Table of content
+
+- [AWS SQS](#aws-sqs)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [SQS Sample IAM Policy](#sqs-sample-iam-policy)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `aws.accesskeyid`         | `AWS_ACCESSKEYID`         |                  | AWS access key (optional if you use EC2 Instance Profile)                                                                           |
+| `aws.secretaccesskey`     | `AWS_SECRETACCESSKEY`     |                  | AWS secret access key (optional if you use EC2 Instance Profile)                                                                    |
+| `aws.region`              | `AWS_REGION`              |                  | AWS region (by default, the metadata are used to get it)                                                                            |
+| `aws.rolearn`             | `AWS_ROLEARN`             |                  | AWS role to assume (optional if you use EC2 Instance Profile)                                                                       |
+| `aws.externalid`          | `AWS_EXTERNALID`          |                  | External id for the role to assume (optional if you use EC2 Instance Profile)                                                       |
+| `aws.checkidentity`       | `AWS_CHECKIDENTITY`       | `true`           | Check the identity credentials, set to false for locale developments                                                                |
+| `aws.sqs.url`             | `AWS_SQS_URL`             |                  | SQS Queue URL, if not empty, AWS SQS output is **enabled**                                                                          |
+| `aws.sqs.minimumpriority` | `AWS_SQS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+aws:
+  # accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
+  # region : "" # aws region (by default, the metadata are used to get it)
+  # rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
+  # externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
+  # checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
+  sqs:
+    # url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+When using this AWS output you will need to set the AWS keys or role with some permissions.
+
+### SQS Sample IAM Policy
+
+```json
+{
+  "Version": "2012-10-17",
+  "Id": "sqs",
+  "Statement": [
+    {
+      "Sid": "sendMessage",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "sqs:SendMessage",
+      "Resource": "arn:aws:sqs:*:111122223333:queue1"
+    }
+  ]
+}
+```
+
+## Screenshots
+
+![aws sqs example](images/aws_sqs.png)
--- a/docs/outputs/azure_event_hub.md
+++ b/docs/outputs/azure_event_hub.md
@ -0,0 +1,37 @@
+# Azure EventHub
+
+- **Category**: Message queue / Streaming
+- **Website**: https://azure.microsoft.com/en-in/services/event-hubs/²
+## Table of content
+
+- [Azure EventHub](#azure-eventhub)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                          | Env var                          | Default value    | Description                                                                                                                         |
+| -------------------------------- | -------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `azure.eventhub.name`            | `AZURE_EVENTHUB_NAME`            |                  | Name of the Hub, if not empty, EventHub is **enabled**                                                                              |
+| `azure.eventhub.namespace`       | `AZURE_EVENTHUB_NAMESPACE`       |                  | Name of the space the Hub is in                                                                                                     |
+| `azure.eventhub.minimumpriority` | `AZURE_EVENTHUB_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+azure:
+  eventhub:
+    name: "" # Name of the Hub, if not empty, EventHub is enabled
+    namespace: "" # Name of the space the Hub is in
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/cliq.md
+++ b/docs/outputs/cliq.md
@ -0,0 +1,59 @@
+# Zoho Cliq
+
+- **Category**: Chat
+- **Website**: https://www.zoho.com/cliq/
+
+## Table of content
+
+- [Zoho Cliq](#zoho-cliq)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Message Formatting](#message-formatting)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                | Env var                | Default value    | Description                                                                                                                                                                                                                                            |
+| ---------------------- | ---------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `cliq.webhookurl`      | `CLIQ_WEBHOOKURL`      |                  | WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is **enabled**                                                                                                                        |
+| `cliq.icon`            | `CLIQ_ICON`            |                  | Cliq icon (avatar)                                                                                                                                                                                                                                     |
+| `cliq.useemoji`        | `CLIQ_USEEMOJI`        | `true`           | Prefix message text with an emoji                                                                                                                                                                                                                      |
+| `cliq.outputformat`    | `CLIQ_OUTPUTFORMAT`    | `all`            | `all`, `text`, `fields`                                                                                                                                                                                                                                |
+| `cliq.messageformat`   | `CLIQ_MESSAGEFORMAT`   |                  | A Go template to format Cliq Text above Attachment, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
+| `cliq.minimumpriority` | `CLIQ_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                                    |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+cliq:
+  webhookurl: "" # WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is enabled
+  # icon: "" # Cliq icon (avatar)
+  # useemoji: true # Prefix message text with an emoji
+  # outputformat: "all" # all (default), text, fields
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index.OutputFields "user.name" }}*' # a Go template to format Cliq Text above Table, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Table.
+```
+
+## Additional info
+
+### Message Formatting
+
+The `CLIQ_MESSAGEFORMAT` environment variable and `cliq.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Cliq alert.
+These templates are evaluated on the JSON data from each Falco event. The following fields are available:
+
+| Template Syntax                              | Description                                                                                                                                                        |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `{{ .Output }}`                              | A formatted string from Falco describing the event.                                                                                                                |
+| `{{ .Priority }}`                            | The priority of the event, as a string.                                                                                                                            |
+| `{{ .Rule }}`                                | The name of the rule that generated the event.                                                                                                                     |
+| `{{ .Time }}`                                | The timestamp when the event occurred.                                                                                                                             |
+| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
+
+Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
+
+## Screenshots
--- a/docs/outputs/cloudevents.md
+++ b/docs/outputs/cloudevents.md
@ -0,0 +1,48 @@
+# Cloud Events
+
+- **Category**: FaaS / Serverless
+- **Website**: https://cloudevents.io/
+
+## Table of content
+
+- [Cloud Events](#cloud-events)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `cloudevents.address`         | `CLOUDEVENTS_ADDRESS`         |                  | CloudEvents consumer http address, if not empty, CloudEvents output is **enabled**                                                  |
+| `cloudevents.extensions`      | `CLOUDEVENTS_EXTENSIONS`      |                  | Extensions to add in the outbound Event, useful for routing                                                                         |
+| `cloudevents.mutualtls`       | `CLOUDEVENTS_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `cloudevents.checkcert`       | `CLOUDEVENTS_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `cloudevents.minimumpriority` | `CLOUDEVENTS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+cloudevents:
+  address: "" # CloudEvents consumer http address, if not empty, CloudEvents output is enabled
+  # extensions: # Extensions to add in the outbound Event, useful for routing
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+
+```
+
+## Additional info
+
+> [!NOTE]
+This output works with [`KNative`](https://knative.dev/).
+
+## Screenshots
+
+
--- a/docs/outputs/datadog.md
+++ b/docs/outputs/datadog.md
@ -0,0 +1,41 @@
+# Datadog
+
+- **Category**: Observability
+- **Website**: https://www.datadoghq.com/
+
+## Table of content
+
+- [Datadog](#datadog)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value               | Description                                                                                                                         |
+| ------------------------- | ------------------------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `datadog.apikey`          | `DATADOG_APIKEY`          |                             | Datadog API Key, if not empty, Datadog output is **enabled**                                                                        |
+| `datadog.host`            | `DATADOG_HOST`            | `https://api.datadoghq.com` | Datadog host. Override if you are on the Datadog EU site                                                                            |
+| `datadog.minimumpriority` | `DATADOG_MINIMUMPRIORITY` | `""` (= `debug`)            | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+datadog:
+  apikey: "" # Datadog API Key, if not empty, Datadog output is enabled
+  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://api.datadoghq.com"
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+Filter the events in the UI with `sources: falco`.
+
+## Screenshots
+
+![datadog example](images/datadog.png)
--- a/docs/outputs/datadog_logs.md
+++ b/docs/outputs/datadog_logs.md
@ -0,0 +1,43 @@
+# Datadog Logs
+
+- **Category**: Logs
+- **Website**: https://www.datadoghq.com/
+
+## Table of content
+
+- [Datadog Logs](#datadogLogs)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                     | Default value              | Description                                                                                                                       |
+|-------------------------------|-----------------------------| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| `datadoglogs.apikey`          | `DATADOGLOGS_APIKEY`        |                            | Datadog API Key, if not empty, Datadog Logs output is **enabled**                                                                      |
+| `datadoglogs.host`            | `DATADOGLOGS_HOST`          | `https://http-intake.logs.datadoghq.com/` | Datadog host. Override if you are on the Datadog EU site                                                                          |
+| `datadoglogs.minimumpriority` | `DATADOGLOGS_MINIMUMPRIORITY` | `""` (= `debug`)           | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `datadoglogs.service`         | `DATADOGLOGS_SERVICE`       | `""`            | The name of the application or service generating the log events. |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+datadoglogs:
+  apikey: "" # Datadog API Key, if not empty, Datadog Logs output is enabled
+  # host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/"
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # service: "" # The name of the application or service generating the log events.
+```
+
+## Additional info
+
+Filter the logs in the UI with `sources: falco`.
+
+## Screenshots
+
+![datadog example](images/datadog_logs.png)
--- a/docs/outputs/discord.md
+++ b/docs/outputs/discord.md
@ -0,0 +1,39 @@
+# Discord
+
+- **Category**: Chat
+- **Website**: https://www.discord.com/
+
+## Table of content
+
+- [Discord](#discord)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `discord.webhookurl`      | `DISCORD_WEBHOOKURL`      |                  | Discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is **enabled**                |
+| `discord.ICON`            | `DISCORD_ICON`            |                  | Discord icon (avatar)                                                                                                               |
+| `discord.minimumpriority` | `DISCORD_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+discord:
+  webhookurl: "" # discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is enabled
+  # icon: "" # Discord icon (avatar)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
+
+![discord example](images/discord.png)
--- a/docs/outputs/dogstatsd.md
+++ b/docs/outputs/dogstatsd.md
@ -0,0 +1,38 @@
+# Dogstatsd
+
+- **Category**: Metrics / Observability
+- **Website**: https://docs.datadoghq.com/developers/dogstatsd/?tab=go
+
+## Table of content
+
+- [Dogstatsd](#dogstatsd)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting               | Env var               | Default value    | Description                                                                                             |
+| --------------------- | --------------------- | ---------------- | ------------------------------------------------------------------------------------------------------- |
+| `dogstastd.forwarded` | `DOGSTASTD_FORWARDED` |                  | The address for the DogStatsD forwarder, in the form "host:port", if not empty DogStatsD is **enabled** |
+| `dogstastd.namespace` | `DOGSTASTD_NAMESPACE` | `falcosidekick.` | A prefix for all metrics                                                                                |
+| `dogstastd.tags`      | `DOGSTASTD_TAGS`      |                  | Comma separeted list of key:value to add as tags to the metrics                                         |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+dogstatsd:
+  forwarder: "" # The address for the DogStatsD forwarder, in the form "host:port", if not empty DogStatsD is enabled
+  namespace: "falcosidekick." # A prefix for all metrics (default: "falcosidekick.")
+  # tag : # Tags to add to the metrics
+  #   key: "value"
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/dynatrace.md
+++ b/docs/outputs/dynatrace.md
@ -0,0 +1,41 @@
+# Dynatrace
+
+- **Category**: Metrics / Observability
+- **Website**: https://www.dynatrace.com/
+
+## Table of content
+
+- [Dynatrace](#dynatrace)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|           Setting           |           Env var           |  Default value   |                                                                                           Description                                                                                           |
+| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `dynatrace.api_token`       | `DYNATRACE_APITOKEN`        |                  | Dynatrace API token with the "logs.ingest" scope, more info: https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled                                                              |
+| `dynatrace.apiurl`          | `DYNATRACE_APIURL`          |                  | Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge |
+| `dynatrace.minimumpriority` | `DYNATRACE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                             |
+| `dynatrace.checkcert`       | `DYNATRACE_CHECKCERT`       | `true`           | Check if ssl certificate of the output is valid                                                                                                                                                 |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+dynatrace:
+  apitoken: "" # Dynatrace API token with the "logs.ingest" scope, more info : https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled
+  apiurl: "" # Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Additional info
+
+## Screenshots
+
+![Dynatrace example](images/dynatrace.png)
--- a/docs/outputs/elasticsearch.md
+++ b/docs/outputs/elasticsearch.md
@ -0,0 +1,79 @@
+# Elasticsearch
+
+- **Category**: Logs
+- **Website**: https://www.elastic.co/elasticsearch/
+
+## Table of content
+
+- [Elasticsearch](#elasticsearch)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+|               Setting                 |               Env var                  |  Default value   |                                                             Description                                                             |
+| ------------------------------------- | -------------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `elasticsearch.hostport`              | `ELASTICSEARCH_HOSTPORT`               |                  | http://{domain or ip}:{port}, if not empty, Elasticsearch output is **enabled**                                                     |
+| `elasticsearch.index`                 | `ELASTICSEARCH_INDEX`                  | `falco`          | Index                                                                                                                               |
+| `elasticsearch.type`                  | `ELASTICSEARCH_TYPE`                   | `_doc`           | Index                                                                                                                               |
+| `elasticsearch.pipeline`              | `ELASTICSEARCH_PIPELINE`               |                  | Optional ingest pipeline name. Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html           |
+| `elasticsearch.suffix`                | `ELASTICSEARCH_SUFFIX`                 | `daily`          | Date suffix for index rotation : `daily`, `monthly`, `annually`, `none`                                                             |
+| `elasticsearch.apikey`                | `ELASTICSEARCH_APIKEY`                 |                  | Use this APIKey to authenticate to Elasticsearch                                                                                    |
+| `elasticsearch.username`              | `ELASTICSEARCH_USERNAME`               |                  | Use this username to authenticate to Elasticsearch                                                                                  |
+| `elasticsearch.password`              | `ELASTICSEARCH_PASSWORD`               |                  | Use this password to authenticate to Elasticsearch                                                                                  |
+| `elasticsearch.flattenfields`         | `ELASTICSEARCH_FLATTENFIELDS`          | `false`          | Replace . by _ to avoid mapping conflicts, force to true if `createindextemplate=true`                                              |
+| `elasticsearch.createindextemplate`   | `ELASTICSEARCH_CREATEINDEXTEMPLATE`    | `false`          | Create an index template                                                                                                            |
+| `elasticsearch.numberofshards`        | `ELASTICSEARCH_NUMBEROFSHARDS`         | `3`              | Number of shards set by the index template                                                                                          |
+| `elasticsearch.numberofreplicas`      | `ELASTICSEARCH_NUMBEROFREPLICAS`       | `3`              | Number of replicas set by the index template                                                                                        |
+| `elasticsearch.customheaders`         | `ELASTICSEARCH_CUSTOMHEADERS`          |                  | Custom headers to add in POST, useful for Authentication                                                                            |
+| `elasticsearch.mutualtls`             | `ELASTICSEARCH_MUTUALTLS`              | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `elasticsearch.checkcert`             | `ELASTICSEARCH_CHECKCERT`              | `true`           | Check if ssl certificate of the output is valid                                                                                     |
+| `elasticsearch.minimumpriority`       | `ELASTICSEARCH_MINIMUMPRIORITY`        | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+| `elasticsearch.maxconcurrentrequests` | `ELASTICSEARCH_MAXCONCURRENTREQUESTS`  | `1`              | Max number of concurrent requests                                                                                                   |
+| `elasticsearch.enablecompression`     | `ELASTICSEARCH_ENABLECOMPRESSION`      | `false`          | Enables gzip compression                                                                                                            |
+| `elasticsearch.batching.enabled`      | `ELASTICSEARCH_BATCHING_ENABLED`       | `false`          | Enables batching (utilizing Elasticsearch bulk API)                                                                                 |
+| `elasticsearch.batching.batchsize`    | `ELASTICSEARCH_BATCHING_BATCHSIZE`     | `5242880`        | Batch size in bytes, default 5MB                                                                                                    |
+| `elasticsearch.batching.flushinterval`| `ELASTICSEARCH_BATCHING_FLUSHINTERVAL` | `1s`             | Batch flush interval, use valid Go duration string                                                                                  |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+> [!NOTE]
+Increasing the default number of concurrent requests is a good way to increase throughput of the http outputs. This also increases the potential number of open connections. Choose wisely.
+
+> [!NOTE]
+Enabling batching for Elasticsearch is invaluable when the expected number of falco alerts is in the hundreds or thousands per second. The batching of data can be fine-tuned for your specific use case. The batch request is sent to Elasticsearch when the pending data size reaches `batchsize` or upon the `flushinterval`.
+Enabling gzip compression increases throughput even further.
+
+> [!WARNING]
+By enabling the creation of the index template with `elasticsearch.createindextemplate=true`, the output fields of the Falco events will be flatten to avoid any mapping conflict.
+
+## Example of config.yaml
+
+```yaml
+elasticsearch:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
+  # index: "falco" # index (default: falco)
+  # type: "_doc"
+  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
+  # username: "" # use this username to authenticate to Elasticsearch if the username is not empty (default: "")
+  # password: "" # use this password to authenticate to Elasticsearch if the password is not empty (default: "")
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # enablecompression: # if true enables gzip compression for http requests (default: false)
+  # batching: # batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API
+  #   enabled: true # if true enables batching
+  #   batchsize: 5242880 # batch size in bytes (default: 5 MB)
+  #   flushinterval: 1s # batch fush interval (default: 1s)
+  # maxconcurrentrequests: # max number of concurrent http requests (default: 1)
+```
+
+## Screenshots
+
+With Kibana:
+![kibana example](images/kibana.png)
--- a/docs/outputs/falcosidekick-ui.md
+++ b/docs/outputs/falcosidekick-ui.md
@ -0,0 +1,36 @@
+# Falcosidekick-UI
+
+- **Category**: Metrics / Observability
+- **Website**: https://github.com/falcosecurity/falcosidekick-ui
+
+## Table of content
+
+- [Falcosidekick-UI](#falcosidekick-ui)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting     | Env var     | Default value | Description                                          |
+| ----------- | ----------- | ------------- | ---------------------------------------------------- |
+| `webui.url` | `WEBUI_URL` |               | WebUI URL, if not empty, WebUI output is **enabled** |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+webui:
+  url: "" # WebUI URL, if not empty, WebUI output is enabled
+```
+
+## Additional info
+
+## Screenshots
+
+![falcosidekick-ui dashboard](images/falcosidekick-ui_dashboard.png)
+![falcosidekick-ui events](images/falcosidekick-ui_events.png)
--- a/docs/outputs/fission.md
+++ b/docs/outputs/fission.md
@ -0,0 +1,46 @@
+# Fission
+
+- **Category**: FaaS / Serverless
+- **Website**: URL of the output
+
+## Table of content
+
+- [Fission](#fission)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `fission.function`        | `FISSION_FUNCTION`        |                  | Name of Fission function, if not empty, Fission is **enabled**                                                                      |
+| `fission.routernamespace` | `FISSION_ROUTERNAMESPACE` | `fission`        | Namespace of Fission Router                                                                                                         |
+| `fission.routerservice`   | `FISSION_ROUTERSERVICE`   | `router`         | Service of Fission Router                                                                                                           |
+| `fission.routerport`      | `FISSION_ROUTERPORT`      | `80`             | Port of service of Fission Router                                                                                                   |
+| `fission.mutualtls`       | `FISSION_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `fission.checkcert`       | `FISSION_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `fission.minimumpriority` | `FISSION_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+fission:
+  function: "" # Name of Fission function, if not empty, Fission is enabled
+  routernamespace: "fission" # Namespace of Fission Router, "fission" (default)
+  routerservice: "router" # Service of Fission Router, "router" (default)
+  routerport: 80 # Port of service of Fission Router
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_cloud_functions.md
+++ b/docs/outputs/gcp_cloud_functions.md
@ -0,0 +1,38 @@
+# GCP Cloud Functions
+
+- **Category**: FaaS / Serverless
+- **Website**: https://cloud.google.com/functions
+
+## Table of content
+
+- [GCP Cloud Functions](#gcp-cloud-functions)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                              | Env var                              | Default value    | Description                                                                                                                         |
+| ------------------------------------ | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`                    | `GCP_CREDENTIALS`                    |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.cloudfunctions.name`            | `GCP_CLOUDFUNCTIONS_NAME`            |                  | The name of the Cloud Function, if not empty, Google Cloud Functions is **enabled**                                                 |
+| `gcp.cloudfunctions.minimumpriority` | `GCP_CLOUDFUNCTIONS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  cloudfunctions:
+    name: "" # The name of the Cloud Function, if not empty, GCP Cloud Functions is enabled
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_cloud_run.md
+++ b/docs/outputs/gcp_cloud_run.md
@ -0,0 +1,40 @@
+# GCP Cloud Run
+
+- **Category**: Faas / Serverless
+- **Website**: https://cloud.google.com/run
+
+## Table of content
+
+- [GCP Cloud Run](#gcp-cloud-run)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                        | Env var                        | Default value    | Description                                                                                                                         |
+| ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`              | `GCP_CREDENTIALS`              |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.cloudrun.endpoint`        | `GCP_CLOUDRUN_ENDPOINT`        |                  | The URL of the Cloud Run, if not empty, Google Cloud Run is **enabled**                                                             |
+| `gcp.cloudrun.jwt`             | `GCP_CLOUDRUN_JWT`             |                  | Appropriate JWT to invoke the Cloud Function                                                                                        |
+| `gcp.cloudrun.minimumpriority` | `GCP_CLOUDRUN_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  cloudrun:
+    endpoint: "" # The URL of the Cloud Function
+    jwt: "" # Appropriate JWT to invoke the Cloud Function
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_pub_sub.md
+++ b/docs/outputs/gcp_pub_sub.md
@ -0,0 +1,43 @@
+# GCP PubSub
+
+- **Category**: Message queue / Streaming
+- **Website**: https://cloud.google.com/pubsub
+
+## Table of content
+
+- [GCP PubSub](#gcp-pubsub)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`             | `GCP_CREDENTIALS`             |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.pubsub.projectid`        | `GCP_PUBSUB_PROJECTID`        |                  | The GCP Project ID containing the Pub/Sub Topic, if not empty, GCP PubSub is **enabled**                                            |
+| `gcp.pubsub.topic`            | `GCP_PUBSUB_TOPIC`            |                  | The name of the Pub/Sub topic                                                                                                       |
+| `gcp.pubsub.customattributes` | `GCP_PUBSUB_CUSTOMATTRIBUTES` |                  | Custom attributes to add to the Pub/Sub messages                                                                                    |
+| `gcp.pubsub.minimumpriority`  | `GCP_PUBSUB_MINIMUMPRIORITY`  | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  pubsub:
+    projectid: "" # The GCP Project ID containing the Pub/Sub Topic, if not empty, GCP PubSub is enabled
+    topic: "" # The name of the Pub/Sub topic
+    # customattributes: # Custom attributes to add to the Pub/Sub messages
+    #   key: value
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/gcp_storage.md
+++ b/docs/outputs/gcp_storage.md
@ -0,0 +1,40 @@
+# GCP Storage
+
+- **Category**: Object storage
+- **Website**: https://cloud.google.com/storage
+
+## Table of content
+
+- [GCP Storage](#gcp-storage)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                       | Env var                       | Default value    | Description                                                                                                                         |
+| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gcp.credentials`             | `GCP_CREDENTIALS`             |                  | The base64-encoded JSON key file for the GCP service account                                                                        |
+| `gcp.storage.bucket`          | `GCP_STORAGE_BUCKET`          |                  | The name of the bucket, if not empty, GCP Storage is **enabled**                                                                    |
+| `gcp.storage.prefix`          | `GCP_STORAGE_PREFIX`          |                  | Prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json                                   |
+| `gcp.storage.minimumpriority` | `GCP_STORAGE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gcp:
+  credentials: "" # The base64-encoded JSON key file for the GCP service account
+  storage:
+    bucket: "" # The name of the bucket, if not empty, GCP Storage is enabled
+    prefix : "" # Prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
+    # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/googlechat.md
+++ b/docs/outputs/googlechat.md
@ -0,0 +1,63 @@
+# Google Chat
+
+- **Category**: Chat
+- **Website**: https://workspace.google.com/products/chat/
+
+## Table of content
+
+- [Google Chat](#google-chat)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+    - [Message Formatting](#message-formatting)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                      | Env var                      | Default value    | Description                                                                                                                                                                                                                                              |
+| ---------------------------- | ---------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `googlechat.webhookurl`      | `GOOGLECHAT_WEBHOOKURL`      |                  | Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is **enabled**                                                                                                                        |
+| `googlechat.outputformat`    | `GOOGLECHAT_OUTPUTFORMAT`    | `all`            | `all`, `text`                                                                                                                                                                                                                                            |
+| `googlechat.messageformat`   | `GOOGLECHAT_MESSAGEFORMAT`   |                  | A Go template to format Googlechat Text above Attachment, displayed in addition to the output from `GOOGLECHAT_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
+| `googlechat.minimumpriority` | `GOOGLECHAT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                                      |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+googlechat:
+  webhookurl: "" # Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is enabled
+  # outputformat: "" # all (default), text
+  # messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index.OutputFields "user.name" }}*' # a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `GOOGLECHAT_OUTPUTFORMAT`.
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+### Message Formatting
+
+The `GOOGLECHAT_MESSAGEFORMAT` environment variable and `googlechat.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Googlechat alert.
+These templates are evaluated on the JSON data from each Falco event. The following fields are available:
+
+| Template Syntax                              | Description                                                                                                                                                        |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `{{ .Output }}`                              | A formatted string from Falco describing the event.                                                                                                                |
+| `{{ .Priority }}`                            | The priority of the event, as a string.                                                                                                                            |
+| `{{ .Rule }}`                                | The name of the rule that generated the event.                                                                                                                     |
+| `{{ .Time }}`                                | The timestamp when the event occurred.                                                                                                                             |
+| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
+
+Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
+
+## Screenshots
+
+(GOOGLECHAT_OUTPUTFORMAT="**all**")
+
+![google chat example](images/google_chat_no_fields.png)
+
+(GOOGLECHAT_OUTPUTFORMAT="**text**")
+
+![google chat text example](images/google_chat_example.png)
--- a/docs/outputs/gotify.md
+++ b/docs/outputs/gotify.md
@ -0,0 +1,43 @@
+# Gotify
+
+- **Category**: Message queue / Streaming
+- **Website**: https://gotify.net/
+
+## Table of content
+
+- [Gotify](#gotify)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                  | Env var                  | Default value    | Description                                                                                                                         |
+| ------------------------ | ------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `gotify.hostport`        | `GOTIFY_HOSTPORT`        |                  | http://{domain or ip}:{port}, if not empty, Gotify output is **enabled**                                                            |
+| `gotify.token`           | `GOTIFY_TOKEN`           |                  | API Token                                                                                                                           |
+| `gotify.format`          | `GOTIFY_FORMAT`          | `markdown`       | Format of the messages (`plaintext`, `markdown`, `json`)                                                                            |
+| `gotify.checkcert`       | `GOTIFY_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `gotify.minimumpriority` | `GOTIFY_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+gotify:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, Gotify output is enabled
+  token: "" # API Token
+  # format: "markdown" # Format of the messages (plaintext, markdown, json) (default: markdown)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
+
+![gotify example](images/gotify.jpg)
--- a/docs/outputs/grafana.md
+++ b/docs/outputs/grafana.md
@ -0,0 +1,52 @@
+# Grafana
+
+- **Category**: Logs
+- **Website**: https://grafana.com/
+
+## Table of content
+
+- [Grafana](#grafana)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                   | Env var                   | Default value    | Description                                                                                                                         |
+| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `grafana.hostport`        | `GRAFANA_HOSTPORT`        |                  | http://{domain or ip}:{port}, if not empty, Grafana output is **enabled**                                                           |
+| `grafana.apikey`          | `GRAFANA_HOSTPORT`        |                  | API Key to authenticate to Grafana                                                                                                  |
+| `grafana.dashboardid`     | `GRAFANA_DASHBOARDID`     |                  | Annotations are scoped to a specific dashboard. Optionnal.                                                                          |
+| `grafana.panelid`         | `GRAFANA_PANELID`         |                  | Annotations are scoped to a specific panel. Optionnal.                                                                              |
+| `grafana.allfieldsastags` | `GRAFANA_ALLFIELDSASTAGS` | `false`          | If true, all custom fields are added as tags                                                                                        |
+| `grafana.customheaders`   | `GRAFANA_CUSTOMHEADERS`   |                  | Custom headers for the POST request                                                                                                 |
+| `grafana.checkcert`       | `GRAFANA_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `grafana.minimumpriority` | `GRAFANA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+grafana:
+  hostport: "" # http://{domain or ip}:{port}, if not empty, Grafana output is enabled
+  apikey: "" # API Key to authenticate to Grafana, if not empty, Grafana output is enabled
+  # dashboardid: "" # annotations are scoped to a specific dashboard. Optionnal.
+  # panelid: "" # annotations are scoped to a specific panel. Optionnal.
+  # allfieldsastags: false # if true, all custom fields are added as tags (default: false)
+  # customHeaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+> [!NOTE]
+This output creates annotations.
+
+## Screenshots
--- a/docs/outputs/grafana_oncall.md
+++ b/docs/outputs/grafana_oncall.md
@ -0,0 +1,44 @@
+# Grafana OnCall
+
+- **Category**: Alerting
+- **Website**: https://grafana.com/products/oncall/
+
+## Table of content
+
+- [Grafana OnCall](#grafana-oncall)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                         | Env var                         | Default value    | Description                                                                                                                         |
+| ------------------------------- | ------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `grafanaoncall.webhookurl`      | `GRAFANAONCALL_WEBHOOKURL`      |                  | If not empty, Grafana OnCall output is enabled                                                                                      |
+| `grafanaoncall.customheaders`   | `GRAFANAONCALL_CUSTOMHEADERS`   |                  | Custom headers for the POST request                                                                                                 |
+| `grafanaoncall.mutualtls`       | `GRAFANAONCALL_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `grafanaoncall.checkcert`       | `GRAFANAONCALL_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `grafanaoncall.minimumpriority` | `GRAFANAONCALL_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+grafanaoncall:
+  webhookurl: "" # if not empty, Grafana OnCall output is enabled
+  # customheaders: # Custom headers to add in POST, useful for Authentication
+  #   key: value
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
+
+![grafana oncall example](images/grafana-oncall.png)
--- a/docs/outputs/images/alertmanager.png
+++ b/docs/outputs/images/alertmanager.png
--- a/docs/outputs/images/aws_sqs.png
+++ b/docs/outputs/images/aws_sqs.png
--- a/docs/outputs/images/datadog.png
+++ b/docs/outputs/images/datadog.png
--- a/docs/outputs/images/datadog_logs.png
+++ b/docs/outputs/images/datadog_logs.png
--- a/docs/outputs/images/discord.png
+++ b/docs/outputs/images/discord.png
--- a/docs/outputs/images/dynatrace.png
+++ b/docs/outputs/images/dynatrace.png
--- a/docs/outputs/images/falcosidekick-ui_dashboard.png
+++ b/docs/outputs/images/falcosidekick-ui_dashboard.png
--- a/docs/outputs/images/falcosidekick-ui_events.png
+++ b/docs/outputs/images/falcosidekick-ui_events.png
--- a/docs/outputs/images/google_chat_example.png
+++ b/docs/outputs/images/google_chat_example.png
--- a/docs/outputs/images/google_chat_no_fields.png
+++ b/docs/outputs/images/google_chat_no_fields.png
--- a/docs/outputs/images/gotify.jpg
+++ b/docs/outputs/images/gotify.jpg
--- a/docs/outputs/images/grafana-oncall.png
+++ b/docs/outputs/images/grafana-oncall.png
--- a/docs/outputs/images/grafana_quickwit.png
+++ b/docs/outputs/images/grafana_quickwit.png
--- a/docs/outputs/images/kibana.png
+++ b/docs/outputs/images/kibana.png
--- a/docs/outputs/images/loki.png
+++ b/docs/outputs/images/loki.png
--- a/docs/outputs/images/mattermost.png
+++ b/docs/outputs/images/mattermost.png
--- a/docs/outputs/images/n8n.png
+++ b/docs/outputs/images/n8n.png
--- a/docs/outputs/images/node-red.png
+++ b/docs/outputs/images/node-red.png
--- a/docs/outputs/images/openobserve.png
+++ b/docs/outputs/images/openobserve.png
--- a/docs/outputs/images/opsgenie.png
+++ b/docs/outputs/images/opsgenie.png
--- a/docs/outputs/images/otlp_metrics-prom_view.png
+++ b/docs/outputs/images/otlp_metrics-prom_view.png
--- a/docs/outputs/images/otlp_traces-grafana_explore.png
+++ b/docs/outputs/images/otlp_traces-grafana_explore.png
--- a/docs/outputs/images/otlp_traces-traces_view.png
+++ b/docs/outputs/images/otlp_traces-traces_view.png
--- a/docs/outputs/images/slack.png
+++ b/docs/outputs/images/slack.png
--- a/docs/outputs/images/slack_fields_messageformat.png
+++ b/docs/outputs/images/slack_fields_messageformat.png
--- a/docs/outputs/images/slack_no_fields.png
+++ b/docs/outputs/images/slack_no_fields.png
--- a/docs/outputs/images/smtp_html.png
+++ b/docs/outputs/images/smtp_html.png
--- a/docs/outputs/images/smtp_plaintext.png
+++ b/docs/outputs/images/smtp_plaintext.png
--- a/docs/outputs/images/sumologic.png
+++ b/docs/outputs/images/sumologic.png
--- a/docs/outputs/images/teams.png
+++ b/docs/outputs/images/teams.png
--- a/docs/outputs/images/teams_facts_only.png
+++ b/docs/outputs/images/teams_facts_only.png
--- a/docs/outputs/images/teams_text.png
+++ b/docs/outputs/images/teams_text.png
--- a/docs/outputs/images/telegram.png
+++ b/docs/outputs/images/telegram.png
--- a/docs/outputs/images/webex.png
+++ b/docs/outputs/images/webex.png
--- a/docs/outputs/images/zincsearch.png
+++ b/docs/outputs/images/zincsearch.png
--- a/docs/outputs/influxdb.md
+++ b/docs/outputs/influxdb.md
@ -0,0 +1,67 @@
+# InfluxDB
+
+
+- **Category**: Metrics/Observability
+- **Website**: https://www.influxdata.com/products/influxdb/
+
+## Table of content
+
+- [InfluxDB](#influxdb)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Result](#result)
+
+## Configuration
+
+| Setting                    | Env var                    | Default value    | Description                                                                                                                         |
+| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `influxdb.hostport`        | `INFLUXDB_HOSTPORT`        |                  | http://{domain or ip}:{port}, if not empty, Influxdb output is **enabled**                                                          |
+| `influxdb.database`        | `INFLUXDB_DATABASE`        | `falco`          | Influxdb database (api v1 only)                                                                                                     |
+| `influxdb.organization`    | `INFLUXDB_ORGANISATION`    |                  | Influxdb organisation                                                                                                               |
+| `influxdb.bucket`          | `INFLUXDB_BUCKET`          | `falco`          | Metrics bucket                                                                                                                      |
+| `influxdb.precision`       | `INFLUXDB_PRECISION`       | `ns`             | Write precision                                                                                                                     |
+| `influxdb.user`            | `INFLUXDB_USER`            |                  | User to use if auth is enabled in Influxdb                                                                                          |
+| `influxdb.password`        | `INFLUXDB_PASSWORD`        |                  | Password to use if auth is enabled in Influxdb                                                                                      |
+| `influxdb.token`           | `INFLUXDB_TOKEN`           |                  | API token to use if auth in enabled in Influxdb (disables user and password)                                                        |
+| `influxdb.mutualtls`       | `INFLUXDB_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `influxdb.checkcert`       | `INFLUXDB_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     | `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`)                                                                                    | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`
+| `influxdb.minimumpriority` | `INFLUXDB_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+influxdb:
+  # hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
+  # database: "falco" # Influxdb database (api v1 only) (default: falco)
+  # organization: "" # Influxdb organization
+  # bucket: "falco" # Metrics bucket (default: falco)
+  # precision: "ns" # Write precision
+  # user: "" # user to use if auth is enabled in Influxdb
+  # password: "" # pasword to use if auth is enabled in Influxdb
+  # token: "" # API token to use if auth in enabled in Influxdb (disables user and password)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Result
+
+```bash
+> use falco
+Using database falco
+> show series
+key
+---
+events,akey=AValue,bkey=BValue,ckey=CValue,priority=Debug,rule=Testrule
+events,akey=A_Value,bkey=B_Value,ckey=C_Value,priority=Debug,rule=Test_rule
+> select * from events
+name: events
+time                akey    bkey    ckey    priority rule      value
+----                ----    ----    ----    -------- ----      -----
+1560433816893368400 AValue  BValue  CValue  Debug    Testrule  This is a test from falcosidekick
+1560441359119741800 A_Value B_Value C_Value Debug    Test_rule This is a test from falcosidekick
+```
--- a/docs/outputs/kafka.md
+++ b/docs/outputs/kafka.md
@ -0,0 +1,57 @@
+# Kafka
+
+- **Category**: Message queue / Streaming
+- **Website**: https://kafka.apache.org/
+
+## Table of content
+
+- [Kafka](#kafka)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                 | Env var                 | Default value    | Description                                                                                                                                                                                                                                                |
+| ----------------------- | ----------------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `kafka.hostport`        | `KAFKA_HOSTPORT`        |                  | Comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is **enabled** |
+| `kafka.topic`           | `KAFKA_TOPIC`           |                  | Name of the topic                                                                                                                                                                                                                                          |
+| `kafka.topiccreation`   | `KAFKA_TOPICCREATION`   | `false`          | Auto create the topic if it doesn't exist                                                                                                                                                                                                                  |
+| `kafka.sasl`            | `KAFKA_SASL`            |                  | SASL authentication mechanism, if empty, no authentication (`PLAIN`, `SCRAM_SHA256`, `SCRAM_SHA512`)                                                                                                                                                       |
+| `kafka.tls`             | `KAFKA_TSL`             | `false`          | Use TLS for the connections                                                                                                                                                                                                                                |
+| `kafka.username`        | `KAFKA_USERNAME`        |                  | Use this username to authenticate to Kafka via SASL                                                                                                                                                                                                        |
+| `kafka.password`        | `KAFKA_PASSWORD`        |                  | Use this password to authenticate to Kafka via SASL                                                                                                                                                                                                        |
+| `kafka.async`           | `KAFKA_ASYNC`           | `false`          | Produce messages without blocking                                                                                                                                                                                                                          |
+| `kafka.requiredacks`    | `KAFKA_REQUIREDACKS`    | `NONE`           | Number of acknowledges from partition replicas required before receiving                                                                                                                                                                                   |
+| `kafka.compression`     | `KAFKA_COMPRESSION`     | `NONE`           | Enable message compression using this algorithm (`GZIP`, `SNAPPY`, `LZ4`, `ZSTD`, `NONE`)                                                                                                                                                                  |
+| `kafka.balancer`        | `KAFKA_BALANCER`        | `round_robin`    | Partition balancing strategy when producing                                                                                                                                                                                                                |
+| `kafka.clientid`        | `KAFKA_CLIENTID`        |                  | Specify a client.id when communicating with the broker for tracing                                                                                                                                                                                         |
+| `kafka.minimumpriority` | `KAFKA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`                                                                                                                        |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+kafka:
+  hostport: "" # Comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
+  topic: "" # Name of the topic
+  # topiccreation: false # auto create the topic if it doesn't exist (default: false)
+  # sasl: "" # SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512)
+  # tls: false # Use TLS for the connections (default: false)
+  # username: "" # use this username to authenticate to Kafka via SASL (default: "")
+  # password: "" # use this password to authenticate to Kafka via SASL (default: "")
+  # async: false # produce messages without blocking (default: false)
+  # requiredacks: NONE # number of acknowledges from partition replicas required before receiving (default: "NONE")
+  # compression: "" # enable message compression using this algorithm (GZIP|SNAPPY|LZ4|ZSTD|NONE) (default: "NONE")
+  # balancer: "" # partition balancing strategy when producing (default: "round_robin")
+  # clientid: "" # specify a client.id when communicating with the broker for tracing
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/kafkarest.md
+++ b/docs/outputs/kafkarest.md
@ -0,0 +1,41 @@
+# Kafka Rest
+
+- **Category**: Message queue / Streaming
+- **Website**: https://docs.confluent.io/platform/current/kafka-rest/index.html
+
+## Table of content
+
+- [Kafka Rest](#kafka-rest)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                     | Env var                     | Default value    | Description                                                                                                                         |
+| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `kafkarest.address`         | `KAFKAREST_ADDRESS`         |                  | The full URL to the topic (example "http://kafkarest:8082/topics/test"), if not empty, Kafka Rest is **enabled**                    |
+| `kafkarest.version`         | `KAFKAREST_VERSION`         | `2`              | Kafka Rest Proxy API version `2` or `1`                                                                                             |
+| `kafkarest.mutualtls`       | `KAFKAREST_MUTUALTLS`       | `false`          | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked)                   |
+| `kafkarest.checkcert`       | `KAFKAREST_CHECKCERT`       | `true` | Check if ssl certificate of the output is valid                                                                                     |
+| `kafkarest.minimumpriority` | `KAFKAREST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+kafkarest:
+  address: "" # The full URL to the topic (example "http://kafkarest:8082/topics/test")
+  # version: 2 # Kafka Rest Proxy API version 2|1 (default: 2)
+  # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+```
+
+## Additional info
+
+## Screenshots
--- a/docs/outputs/kubeless.md
+++ b/docs/outputs/kubeless.md
@ -0,0 +1,46 @@
+# Kubeless
+
+- **Category**: FaaS / Serverless
+- **Website**: https://kubeless.io/
+
+## Table of content
+
+- [Kubeless](#kubeless)
+  - [Table of content](#table-of-content)
+  - [Configuration](#configuration)
+  - [Example of config.yaml](#example-of-configyaml)
+  - [Additional info](#additional-info)
+  - [Screenshots](#screenshots)
+
+## Configuration
+
+| Setting                    | Env var                    | Default value    | Description                                                                                                                         |
+| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `kubeless.function`        | `KUBELESS_FUNCTION`        |                  | Name of Kubeless function, if not empty, Kubeless is **enabled**                                                                    |
+| `kubeless.namespace`       | `KUBELESS_NAMESPACE`       |                  | Namespace of Kubeless function (mandatory)                                                                                          |
+| `kubeless.port`            | `KUBELESS_PORT`            | `8080`           | Port of service of Kubeless function                                                                                                |
+| `kubeless.port`            | `KUBELESS_PORT`            | `~/.kube/config` | Port of service of Kubeless function                                                                                                |
+| `kubeless.kubeconfig`      | `KUBELESS_KUBECONFIG`      | `true`           | Kubeconfig file to use (only if falcosidekick is running outside the cluster)                                                       |
+| `kubeless.minimumpriority` | `KUBELESS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
+
+> [!NOTE]
+The Env var values override the settings from yaml file.
+
+## Example of config.yaml
+
+```yaml
+kubeless:
+  function: "" # Name of Kubeless function, if not empty, Kubeless is enabled
+  namespace: "" # Namespace of Kubeless function (mandatory)
+  port: 8080 # Port of service of Kubeless function
+  kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  # minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
+  # checkcert: true # check if ssl certificate of the output is valid (default: true)
+```
+
+## Additional info
+
+> [!WARNING]
+`Kubeless` is no more maintained, consider to use a different output.
+
+## Screenshots
--- a/Show More
+++ b/Show More