Compare commits


No commits in common. "master" and "2.21.0" have entirely different histories.

231 changed files with 2419 additions and 18582 deletions

.circleci/config.yml Normal file

@ -0,0 +1,62 @@
version: 2.1
executors:
default:
docker:
- image: circleci/golang:1.15.5
jobs:
lint:
executor:
name: default
steps:
- checkout
- run: make lint
test:
executor:
name: default
steps:
- checkout
- run: make test
build-image:
executor:
name: default
steps:
- checkout
- setup_remote_docker
- run: make build-image
build-push-main:
executor:
name: default
steps:
- checkout
- setup_remote_docker
- run: make build-image
- run:
command: |
echo ${DOCKERHUB_SECRET} | docker login -u ${DOCKERHUB_USER} --password-stdin
docker push falcosecurity/falcosidekick:latest
workflows:
main:
jobs:
- test
- lint
- build-image:
requires:
- test
- lint
filters:
branches:
ignore: master
- build-push-main:
context: falco
requires:
- test
- lint
filters:
branches:
only: master
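Review bot: The `build-push-main` job publishes only the floating `falcosecurity/falcosidekick:latest` tag from an executor pulled by the mutable tag `circleci/golang:1.15.5`, so neither the toolchain that built the image nor the image itself can be tied back to an exact input after the fact. Pin the executor by digest, e.g. `- image: circleci/golang:1.15.5@sha256:<digest>`, and push an immutable tag next to `latest`, e.g. `docker tag falcosecurity/falcosidekick:latest falcosecurity/falcosidekick:${CIRCLE_SHA1}` followed by `docker push falcosecurity/falcosidekick:${CIRCLE_SHA1}` (CircleCI exposes the commit SHA as `CIRCLE_SHA1`; confirm for this project's runner). Feeding the registry secret through `--password-stdin` and attaching `context: falco` only to the master-filtered job are the right choices and should stay; the branch-only `build-image` job correctly carries no context. Indentation was lost in the rendered page, so the nesting read here is inferred from key order.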


@ -1,4 +1,5 @@
.circleci
.git
.github
.golangci.yml
_config.yml


@ -1,21 +0,0 @@
---
version: 2
updates:
- package-ecosystem: gomod
directory: "/"
schedule:
interval: "weekly"
groups:
gomod:
update-types:
- "patch"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
groups:
actions:
update-types:
- "minor"
- "patch"


@ -1,39 +0,0 @@
name: build-ci-images
on:
pull_request:
jobs:
build-image:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.23'
check-latest: true
cache: true
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
- uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
with:
install-only: true
- name: run goreleaser-snapshot
run: |
make goreleaser-snapshot
docker images
docker run falcosecurity/falcosidekick:latest-amd64 --version
docker run public.ecr.aws/falcosecurity/falcosidekick:latest-amd64 --version
env:
GOPATH: /home/runner/go


@ -1,27 +0,0 @@
name: lint
on:
workflow_dispatch:
push:
branches:
- master
pull_request:
permissions: read-all
jobs:
golangci:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.23'
cache: false
check-latest: true
- name: golangci-lint
uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
with:
version: v1.61
args: --timeout=5m


@ -1,83 +0,0 @@
name: push-ci-images
on:
workflow_dispatch:
push:
branches:
- master
jobs:
build-push-image:
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.23'
check-latest: true
cache: true
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
- uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
- uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
with:
install-only: true
- name: run goreleaser-snapshot
run: |
make goreleaser-snapshot
docker images
docker run falcosecurity/falcosidekick:latest-amd64 --version
docker run public.ecr.aws/falcosecurity/falcosidekick:latest-amd64 --version
env:
GOPATH: /home/runner/go
# Push images to DockerHUB
- name: Login to Docker Hub
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_SECRET }}
- name: Push images to Dockerhub
run: |
docker push falcosecurity/falcosidekick:latest-amd64
docker push falcosecurity/falcosidekick:latest-arm64
docker push falcosecurity/falcosidekick:latest-armv7
docker manifest create --amend falcosecurity/falcosidekick:latest falcosecurity/falcosidekick:latest-amd64 \
falcosecurity/falcosidekick:latest-arm64 falcosecurity/falcosidekick:latest-armv7
docker manifest push --purge falcosecurity/falcosidekick:latest
# Push images to AWS Public ECR
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
with:
role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
with:
registry-type: public
- run: |
docker push public.ecr.aws/falcosecurity/falcosidekick:latest-amd64
docker push public.ecr.aws/falcosecurity/falcosidekick:latest-arm64
docker push public.ecr.aws/falcosecurity/falcosidekick:latest-armv7
docker manifest create --amend public.ecr.aws/falcosecurity/falcosidekick:latest public.ecr.aws/falcosecurity/falcosidekick:latest-amd64 \
public.ecr.aws/falcosecurity/falcosidekick:latest-arm64 public.ecr.aws/falcosecurity/falcosidekick:latest-armv7
docker manifest push --purge public.ecr.aws/falcosecurity/falcosidekick:latest


@ -1,99 +0,0 @@
name: Release
on:
push:
tags:
- "*"
concurrency: release
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
jobs:
release:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
tag_name: ${{ steps.tag.outputs.tag_name }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.23'
check-latest: true
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
- uses: anchore/sbom-action/download-syft@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
# Push images to DockerHUB
- name: Login to Docker Hub
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_SECRET }}
# Push images to AWS Public ECR
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
with:
role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
with:
registry-type: public
- name: Set LDFLAGS
id: ldflags
run: |
source ./release/ldflags.sh
goflags=$(ldflags)
echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
- name: Set tag output
id: tag
run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
with:
version: latest
args: release --clean --timeout 120m --parallelism 1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LDFLAGS: ${{ env.GO_FLAGS }}
GOPATH: /home/runner/go
- name: Generate subject
id: hash
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [release]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects: "${{ needs.release.outputs.hashes }}"
upload-assets: true
upload-tag-name: "${{ needs.release.outputs.tag_name }}"


@ -1,24 +0,0 @@
name: tests
on:
push:
branches:
- master
pull_request:
jobs:
unit-tests:
name: Run unit tests
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.23'
check-latest: true
cache: true
- name: Run Go tests
run: make test

.gitignore vendored

@ -20,4 +20,3 @@ falcosidekick
/hack/tools/bin/*
tmp/
dist/


@ -1,20 +1,28 @@
run:
timeout: 5m
issues:
exclude-files:
- "zz_generated.*\\.go$"
deadline: 5m
skip-files:
- "zz_generated.*\\.go$"
linters:
disable-all: true
enable:
- deadcode
- goconst
- gofmt
- golint
- gosec
- govet
- ineffassign
- interfacer
- maligned
- misspell
- nakedret
- prealloc
- structcheck
- unconvert
- unused
- varcheck
# Run with --fast=false for more extensive checks
fast: true
include:
- EXC0002 # include "missing comments" issues from golint
max-issues-per-linter: 0
max-same-issues: 0
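Review bot: `gosec` is the only security-oriented linter in the enabled set, and the same hunk carries `fast: true`, which in golangci-lint limits a run to linters that do not need type information; confirm with `golangci-lint linters` that `gosec` (and `govet`, `unused`) still execute under that setting, and otherwise drop the line or set `fast: false` so the security checks actually run in CI. The rendered hunk prints both sides without `+`/`-` markers, so which lines belong to the 2.21.0 side is inferred from the `-1,20 +1,28` header rather than read directly. Several enabled names (`deadcode`, `golint`, `interfacer`, `maligned`, `structcheck`, `varcheck`) were deprecated in later golangci-lint releases, so the `make lint` target (not visible here) should pin the golangci-lint version this file was written against.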


@ -1,158 +0,0 @@
version: 2
project_name: falcosidekick
env:
- GO111MODULE=on
- DOCKER_CLI_EXPERIMENTAL=enabled
- DOCKER_BUILDKIT=1
- BUILDX_PLATFORMS=linux/amd64,linux/arm64,linux/arm/v7
- COSIGN_YES=true
snapshot:
version_template: 'latest'
checksum:
name_template: 'checksums.txt'
# Prevents parallel builds from stepping on each others toes downloading modules
before:
hooks:
- go mod tidy
- /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
# gomod:
# proxy: true
sboms:
- artifacts: archive
builds:
- id: "falcosidekick"
goos:
- linux
goarch:
- amd64
- arm64
- arm
goarm:
- '7'
asmflags:
- all=-trimpath={{.Env.GOPATH}}
gcflags:
- all=-trimpath={{.Env.GOPATH}}
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "{{ .Env.LDFLAGS }}"
binary: falcosidekick
dockers:
- goos: linux
goarch: amd64
dockerfile: Dockerfile
use: buildx
image_templates:
- "falcosecurity/falcosidekick:stable-amd64"
- "falcosecurity/falcosidekick:{{ .Version }}-amd64"
- "public.ecr.aws/falcosecurity/falcosidekick:stable-amd64"
- "public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-amd64"
build_flag_templates:
- "--pull"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.name={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--platform=linux/amd64"
extra_files:
- LICENSE
- goos: linux
goarch: arm64
dockerfile: Dockerfile
use: buildx
image_templates:
- "falcosecurity/falcosidekick:stable-arm64"
- "falcosecurity/falcosidekick:{{ .Version }}-arm64"
- "public.ecr.aws/falcosecurity/falcosidekick:stable-arm64"
- "public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-arm64"
build_flag_templates:
- "--pull"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.name={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--platform=linux/arm64"
extra_files:
- LICENSE
- goos: linux
goarch: arm
goarm: '7'
dockerfile: Dockerfile
use: buildx
image_templates:
- "falcosecurity/falcosidekick:stable-armv7"
- "falcosecurity/falcosidekick:{{ .Version }}-armv7"
- "public.ecr.aws/falcosecurity/falcosidekick:stable-armv7"
- "public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-armv7"
build_flag_templates:
- "--pull"
- "--label=org.opencontainers.image.created={{.Date}}"
- "--label=org.opencontainers.image.name={{.ProjectName}}"
- "--label=org.opencontainers.image.revision={{.FullCommit}}"
- "--label=org.opencontainers.image.version={{.Version}}"
- "--platform=linux/arm/v7"
extra_files:
- LICENSE
docker_manifests:
- name_template: 'falcosecurity/falcosidekick:stable'
image_templates:
- 'falcosecurity/falcosidekick:stable-amd64'
- 'falcosecurity/falcosidekick:stable-arm64'
- 'falcosecurity/falcosidekick:stable-armv7'
- name_template: 'falcosecurity/falcosidekick:{{ .Version }}'
image_templates:
- 'falcosecurity/falcosidekick:{{ .Version }}-amd64'
- 'falcosecurity/falcosidekick:{{ .Version }}-arm64'
- 'falcosecurity/falcosidekick:{{ .Version }}-armv7'
- name_template: 'public.ecr.aws/falcosecurity/falcosidekick:stable'
image_templates:
- 'public.ecr.aws/falcosecurity/falcosidekick:stable-amd64'
- 'public.ecr.aws/falcosecurity/falcosidekick:stable-arm64'
- 'public.ecr.aws/falcosecurity/falcosidekick:stable-armv7'
- name_template: 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}'
image_templates:
- 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-amd64'
- 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-arm64'
- 'public.ecr.aws/falcosecurity/falcosidekick:{{ .Version }}-armv7'
signs:
- id: falcosidekick
signature: "${artifact}.sig"
certificate: "${artifact}.pem"
cmd: cosign
args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
artifacts: archive
- id: checksum
signature: "${artifact}.sig"
certificate: "${artifact}.pem"
cmd: cosign
args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
artifacts: checksum
docker_signs:
- id: falcosidekick
cmd: cosign
args: ["sign", "--recursive", "${artifact}"]
artifacts: manifests
output: true
release:
github:
owner: falcosecurity
name: falcosidekick
prerelease: auto


@ -1,254 +1,9 @@
# Changelog
## 2.31.1 - 2025-02-04
#### Fix
- Fix error while closing the writer for `GCPStorage` ([PR#1116](https://github.com/falcosecurity/falcosidekick/pull/1116) thanks to [@chanukya-yekollu-exa](https://github.com/chanukya-yekollu-exa))
## 2.31.0 - 2025-02-03
#### New
- New output: **OTLP Logs** ([PR#1109](https://github.com/falcosecurity/falcosidekick/pull/1109))
#### Enhancement
- Add the namespace and the pod name as labels by default in `Loki` payload ([PR#1087](https://github.com/falcosecurity/falcosidekick/pull/1087) thanks to [@afreyermuth98](https://github.com/afreyermuth98))
- Allow to set the format for the `Loki` payload to JSON ([PR#1091](https://github.com/falcosecurity/falcosidekick/pull/1091))
- Allow to set a template for the subjets for `NATS`/`STAN` outputs ([PR#1099](https://github.com/falcosecurity/falcosidekick/pull/1099))
- Improve the logger with a generic and extensible method ([PR#1102](https://github.com/falcosecurity/falcosidekick/pull/1102))
#### Fix
- Remove forgotten debug line ([PR#1088](https://github.com/falcosecurity/falcosidekick/pull/1088))
- Fix missing templated fields as labls in `Loki` payload ([PR#1091](https://github.com/falcosecurity/falcosidekick/pull/1091))
- Fix creation error of `ClusterPolicyReports` ([PR#1100](https://github.com/falcosecurity/falcosidekick/pull/100))
- Fix missing custom headers for HTTP requests for `Loki` ([PR#1107](https://github.com/falcosecurity/falcosidekick/pull/1107) thanks to [@lsroe](https://github.com/lsroe))
- Fix wrong key format for `Prometheus` format ([PR#1110](https://github.com/falcosecurity/falcosidekick/pull/1110) thanks to [@rubensf](https://github.com/rubensf))
## 2.30.0 - 2024-11-28
#### New
- New output: **Webex** ([PR#979](https://github.com/falcosecurity/falcosidekick/pull/979) thanks to [@k0rventen](https://github.com/k0rventen))
- New output: **OTLP Metrics** ([PR#1012](https://github.com/falcosecurity/falcosidekick/pull/1012) thanks to [@ekoops](https://github.com/ekoops))
- New output: **Datadog Logs** ([PR#1052](https://github.com/falcosecurity/falcosidekick/pull/1052) thanks to [@yohboy](https://github.com/yohboy))
#### Enhancement
- Reuse of the http client for 3-4x increase of the throughput ([PR#962](https://github.com/falcosecurity/falcosidekick/pull/962) thanks to [@alekmaus](https://github.com/aleksmaus))
- Improve outputs throughput handling ([PR#966](https://github.com/falcosecurity/falcosidekick/pull/966) thanks to [@alekmaus](https://github.com/aleksmaus))
- Batching and gzip compression for the `Elastticsearch` output ([PR#967](https://github.com/falcosecurity/falcosidekick/pull/967) thanks to [@alekmaus](https://github.com/aleksmaus))
- Use the same convention for the Prometheus metrics than Falco ([PR#995](https://github.com/falcosecurity/falcosidekick/pull/995))
- Add `APIKey` for `Elasticsearch` output ([PR#980](https://github.com/falcosecurity/falcosidekick/pull/980) thanks to [@alekmaus](https://github.com/aleksmaus))
- Add `Pipeline` configuration for `Elasticsearch` output ([PR#981](https://github.com/falcosecurity/falcosidekick/pull/981 ) thanks to [@alekmaus](https://github.com/aleksmaus))
- Add `MessageThreadID` configuration in `Telegram` output ([PR#1008](https://github.com/falcosecurity/falcosidekick/pull/1008) thanks to [@vashian](https://github.com/vashian))
- Support multi-architecture in build ([PR#1024](https://github.com/falcosecurity/falcosidekick/pull/1024) thanks to [@nickytd](https://github.com/nickytd))
- Add `falco` as source for the `Datadog Events` ([PR#1043](https://github.com/falcosecurity/falcosidekick/pull/1043) thanks to [@maxd-wttj](https://github.com/maxd-wttj))
- Support `AlertManager` output in HA mode ([PR#1051](https://github.com/falcosecurity/falcosidekick/pull/1051))
#### Fix
- Fix `PolicyReports` created in the same namespace than previous event ([PR#978](https://github.com/falcosecurity/falcosidekick/pull/978))
- Fix missing `customFields/extraFields` in the `Elasticsearch` payload ([PR#1033](https://github.com/falcosecurity/falcosidekick/pull/1033))
- Fix incorrect key name for `CloudEvent` spec attribute ([PR#1051](https://github.com/falcosecurity/falcosidekick/pull/1051))
> [!WARNING]
> Breaking change: The Prometheus metrics have different names from this release, it might break the queries for the dashboards and alerts.
## 2.29.0 - 2024-07-01
#### New
- New output: **Dynatrace** ([PR#575](https://github.com/falcosecurity/falcosidekick/pull/575) thanks to [@blu3r4y](https://github.com/blu3r4y))
- New output: **OTLP Traces** ([PR#613](https://github.com/falcosecurity/falcosidekick/pull/613) thanks to [@jjo](https://github.com/jjo))
- New output: **Sumologic** ([PR#656](https://github.com/falcosecurity/falcosidekick/pull/656) thanks to [@mencarellic](https://github.com/mencarellic))
- New output: **Quickwit** ([PR#736](https://github.com/falcosecurity/falcosidekick/pull/736) thanks to [@idrissneumann](https://github.com/idrissneumann))
- New output: **Falco Talon** ([PR#929](https://github.com/falcosecurity/falcosidekick/pull/929))
#### Enhancement
- Add global TLS config ([PR#588](https://github.com/falcosecurity/falcosidekick/pull/588) thanks to [@ibice](https://github.com/ibice))
- Add `source` as label for `Prometheus` metrics ([PR#665](https://github.com/falcosecurity/falcosidekick/pull/665))
- Better logs when TLS is enabled ([PR#668](https://github.com/falcosecurity/falcosidekick/pull/668))
- Add test for utils sorting function ([PR#694](https://github.com/falcosecurity/falcosidekick/pull/694) thanks to [@stevemcquaid](https://github.com/stevemcquaid))
- Refactor of the `InitClient` ([PR#765](https://github.com/falcosecurity/falcosidekick/pull/765) thanks to [@idrissneumann](https://github.com/idrissneumann))
- Allow to use alternative endpoints for the `AWS S3` output ([PR#791](https://github.com/falcosecurity/falcosidekick/pull/791) thanks to [@gysel](https://github.com/gysel))
- Consistent order for the `output_fields` and `tags` ([PR#802](https://github.com/falcosecurity/falcosidekick/pull/802))
- Allow to add custom headers for `AlertManager` output ([PR#827](https://github.com/falcosecurity/falcosidekick/pull/827) thanks to [@Umaaz](https://github.com/Umaaz))
- Add more checks for the `GCP Storage` output ([PR#858](https://github.com/falcosecurity/falcosidekick/pull/858))
- Possibility to create an index template for the `Elasticsearch` output ([PR#868](https://github.com/falcosecurity/falcosidekick/pull/868))
- Possibility to "flatten" the `output_fields` (replace `.` by `_`) for the `Elasticsearch` output to avoid mapping conflicts ([PR#868](https://github.com/falcosecurity/falcosidekick/pull/868))
- Truncate the fields with a length > 512 chars to avoid rejection from some outputs ([PR#871](https://github.com/falcosecurity/falcosidekick/pull/871))
- Change the license to Apache 2.0 ([PR#882](https://github.com/falcosecurity/falcosidekick/pull/882) thanks to [@leogr](https://github.com/leogr))
- Revamp the `PolicyReport` output ([PR#899](https://github.com/falcosecurity/falcosidekick/pull/899))
- New parameter `outputFieldFormat` to modify on the fly the format of the `output` field ([PR#901](https://github.com/falcosecurity/falcosidekick/pull/901))
#### Fix
- Fix missing root CA for the `Kafka` output ([PR#581](https://github.com/falcosecurity/falcosidekick/pull/581) thanks to [@claviola](https://github.com/claviola))
- Fix bug with the extension `source` in the `CloudEvent` output ([PR#587](https://github.com/falcosecurity/falcosidekick/pull/587))
- Fix panics in the `Prometheus` output when `hostname` field is missing ([PR#628](https://github.com/falcosecurity/falcosidekick/pull/628))
- Remove refs to deprecated `ioutil` modules ([PR#639](https://github.com/falcosecurity/falcosidekick/pull/639) thanks to [@testwill](https://github.com/testwill))
- Fix locks in the `Loki` output ([PR#647](https://github.com/falcosecurity/falcosidekick/pull/647) thanks to [@bsod90](https://github.com/bsod90))
- Split the docs for the outputs into multiple files ([PR#648](https://github.com/falcosecurity/falcosidekick/pull/648))
- Fix mTLS client verification failures due to missing ClientCAs ([PR#666](https://github.com/falcosecurity/falcosidekick/pull/666) thanks to [@jgmartinez](https://github.com/jgmartinez))
- Fix wrong env var for pagerduty output ([PR#682](https://github.com/falcosecurity/falcosidekick/pull/682))
- Remove hard settings for usernames in `Mattermost` and `Rocketchat` ([PR#731](https://github.com/falcosecurity/falcosidekick/pull/731))
- Fix multi lines json in the error lines ([PR#764](https://github.com/falcosecurity/falcosidekick/pull/764) thanks to [@idrissneumann](https://github.com/idrissneumann))
- Fix duplicated custom headers in clients ([PR#801](https://github.com/falcosecurity/falcosidekick/pull/801), [PR#857](https://github.com/falcosecurity/falcosidekick/pull/857))
- Fix the labels for the `AlertManager` output ([PR#870](https://github.com/falcosecurity/falcosidekick/pull/870) thanks to [@Umaaz](https://github.com/Umaaz))
## 2.28.0 - 2023-07-18
#### New
- New output: **Redis** ([PR#396](https://github.com/falcosecurity/falcosidekick/pull/396) thanks to [@pandyamarut](https://github.com/pandyamarut))
- New output: **Telegram** ([PR#431](https://github.com/falcosecurity/falcosidekick/pull/431) thanks to [@zufardhiyaulhaq](https://github.com/zufardhiyaulhaq))
- New output: **N8N** ([PR#462](https://github.com/falcosecurity/falcosidekick/pull/462))
- New output: **Grafana OnCall** ([PR#470](https://github.com/falcosecurity/falcosidekick/pull/470))
- New output: **OpenObserve** ([PR#509](https://github.com/falcosecurity/falcosidekick/pull/509))
#### Enhancement
- Add `output` in the description annotation for `AlertManager` output ([PR#341](https://github.com/falcosecurity/falcosidekick/pull/478))
- Allow to set the http method for `Webhook` output ([PR#399](https://github.com/falcosecurity/falcosidekick/pull/399))
- Add `hostname` as prometheus label ([PR#420](https://github.com/falcosecurity/falcosidekick/pull/420) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Allow to replace the brackets ([PR#421](https://github.com/falcosecurity/falcosidekick/pull/421))
- Allow to set custom http headers for `Loki`, `Elasticsearch` and `Grafana` outputs ([PR#428](https://github.com/falcosecurity/falcosidekick/pull/428))
- Add `hostname`, `tags`, `custom` and `templated fields` for `TimescaleDB` output ([PR#438](https://github.com/falcosecurity/falcosidekick/pull/438) thanks to [@hileef](https://github.com/hileef))
- Allow to set thresholds for the dropped events in `AlertManager` ouput ([PR#439](https://github.com/falcosecurity/falcosidekick/pull/439) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Match the `priority` with `AlertManager` severity label ([PR#440](https://github.com/falcosecurity/falcosidekick/pull/440) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Add `rolearn` and `externalid` for the assume role for `AWS` outputs ([PR#494](https://github.com/falcosecurity/falcosidekick/pull/494))
- Allow to set the `region` for `PagerDuty` output ([PR#500](https://github.com/falcosecurity/falcosidekick/pull/500))
- Add TLS option + rewrite send method for the `SMTP` output ([PR#502](https://github.com/falcosecurity/falcosidekick/pull/502))
- Add attributes to `GCP PubSub` messages ([PR#505](https://github.com/falcosecurity/falcosidekick/pull/505) thanks to [@annadorottya](https://github.com/annadorottya))
- Add option for TLS and mTLS for the server ([PR#508](https://github.com/falcosecurity/falcosidekick/pull/508) thanks to [@annadorottya](https://github.com/annadorottya))
- Add setting to auto create the `Kafka` topic ([PR#554](https://github.com/falcosecurity/falcosidekick/pull/554))
- Add option to deploy a HTTP only server for specific endpoints ([PR#565](https://github.com/falcosecurity/falcosidekick/pull/565) thanks to [@annadorottya](https://github.com/annadorottya))
- Support multiple bootstrap servers for `Kafka` output ([PR#571](https://github.com/falcosecurity/falcosidekick/pull/571) thanks to [@ibice](https://github.com/ibice))
- Add option for TLS for `Kafka` output ([PR#574](https://github.com/falcosecurity/falcosidekick/pull/574))
#### Fix
- Fix error handling in `AWS Security Lake` output ([PR#390](https://github.com/falcosecurity/falcosidekick/pull/390))
- Fix breaking brackets in `AWS SNS` messages ([PR#419](https://github.com/falcosecurity/falcosidekick/pull/419))
- Fix setting name for the table of `TimescaleDB` output ([PR#426](https://github.com/falcosecurity/falcosidekick/pull/426) thanks to [@alika](https://github.com/alika))
- Fix cardinality issue with prometheus labels ([PR#427](https://github.com/falcosecurity/falcosidekick/pull/427))
- Fix panic when assert output fields which are nil ([PR#429](https://github.com/falcosecurity/falcosidekick/pull/429))
- Fix dependencies for `Wavefront` output ([PR#432](https://github.com/falcosecurity/falcosidekick/pull/432))
- Fix key pattern for `AWS Security Lake` output ([PR#447](https://github.com/falcosecurity/falcosidekick/pull/447))
- Fix default settings for `Telegram` output ([PR#495](https://github.com/falcosecurity/falcosidekick/pull/495) thanks to [@schfkt](https://github.com/schfkt))
- Fix URL generation for `Spyderbat` output ([PR#506](https://github.com/falcosecurity/falcosidekick/pull/506) thanks to [@bc-sb](https://github.com/bc-sb))
- Fix nil values in `Spyderbat` output ([PR#527](https://github.com/falcosecurity/falcosidekick/pull/527) thanks to [@spider-guy](https://github.com/spider-guy))
- Fix duplicated headers in `SMTP` output ([PR#528](https://github.com/falcosecurity/falcosidekick/pull/528) thanks to [@apsega](https://github.com/apsega))
- Fix missing trim for names and values of labels for `AlertManager` output ([PR#563](https://github.com/falcosecurity/falcosidekick/pull/563) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Fix missing returned errors for `Kafka` output ([PR#573](https://github.com/falcosecurity/falcosidekick/pull/573))
## 2.27.0 - 2022-12-13
#### New
- New output: **Yandex Data Streams** ([PR#336](https://github.com/falcosecurity/falcosidekick/pull/336) thanks to [@preved911](https://github.com/preved911))
- New output: **Node-Red** ([PR#337](https://github.com/falcosecurity/falcosidekick/pull/337))
- New output: **MQTT** ([PR#338](https://github.com/falcosecurity/falcosidekick/pull/338))
- Templated fields: custom fields generated with Go templates ([PR#350](https://github.com/falcosecurity/falcosidekick/pull/350))
- New output: **Zincsearch** ([PR#360](https://github.com/falcosecurity/falcosidekick/pull/360))
- New output: **Gotify** ([PR#362](https://github.com/falcosecurity/falcosidekick/pull/362))
- New output: **Spyderbat** ([PR#368](https://github.com/falcosecurity/falcosidekick/pull/368) thanks to [@spyder-kyle](https://github.com/spyder-kyle))
- New output: **Tekton** ([PR#371](https://github.com/falcosecurity/falcosidekick/pull/371))
- New output: **TimescaleDB** ([PR#378](https://github.com/falcosecurity/falcosidekick/pull/378) thanks to [@jagretti](https://github.com/jagretti))
- New output: **AWS Security Lake** ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387))
#### Enhancement
- `SMTP` output now uses any SASL auth mechanism ([PR#341](https://github.com/falcosecurity/falcosidekick/pull/341) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Bind `Policy Reports` to Namespace by `ownerReference` ([PR#346](https://github.com/falcosecurity/falcosidekick/pull/346))
- Add extra labels and annotations for `AlertManager` payloads ([PR#347](https://github.com/falcosecurity/falcosidekick/pull/347) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Update default type for `Elasticsearch` documents ([PR#349](https://github.com/falcosecurity/falcosidekick/pull/349))
- Support env vars in custom fields ([PR#353](https://github.com/falcosecurity/falcosidekick/pull/353))
- Update format + default endpoint for `Loki` output ([PR#356](https://github.com/falcosecurity/falcosidekick/pull/356))
- Determine resource names + owner ref for `Policy Reports` ([PR#358](https://github.com/falcosecurity/falcosidekick/pull/358))
- Update `Influxdb` output to use API Token and /api/v2 endpoint ([PR#359](https://github.com/falcosecurity/falcosidekick/pull/359))
- Allow to override the `Slack` channel ([PR#366](https://github.com/falcosecurity/falcosidekick/pull/366))
- Add From, To and Date headers in `SMTP` payload ([PR#364](https://github.com/falcosecurity/falcosidekick/pull/364))
- Improve the check of the payload from `Falco`, it allows now to have an empty output ([PR#372](https://github.com/falcosecurity/falcosidekick/pull/372))
- Allow to set user and api key for `Loki` output for `Grafana Logs` ([PR#379](https://github.com/falcosecurity/falcosidekick/pull/379))
- Add `hostname` in json payload for all outputs ([PR#383](https://github.com/falcosecurity/falcosidekick/pull/383) thanks to [@Lowaiz](https://github.com/Lowaiz))
- Add SASL authentication for `Kafka` output ([PR#385](https://github.com/falcosecurity/falcosidekick/pull/385) thanks to [@Lowaiz](https://github.com/Lowaiz)) and [@lyoung-confluent](https://github.com/lyoung-confluent))
- Support CEF format for `Syslog` output ([PR#386](https://github.com/falcosecurity/falcosidekick/pull/386))
- Allow to disable STS check for `AWS` output ([PR#387](https://github.com/falcosecurity/falcosidekick/pull/387))
#### Fix
- Fix `priority` label was replaced by `source` in `AlertManager` payload ([PR#340](https://github.com/falcosecurity/falcosidekick/pull/340) thanks to [@tks98](https://github.com/tks98))
- Fix missing cert checks + fix inverted logic to use them in codebase ([PR#345](https://github.com/falcosecurity/falcosidekick/pull/345))
- Fix race condition when headers are added to POST requests ([PR#380](https://github.com/falcosecurity/falcosidekick/pull/380) thanks to [@bc-sb](https://github.com/bc-sb))
## 2.26.0 - 2022-06-18
#### Enhancement
- Add `expiresafter` for *AlertManager* output ([PR#323](https://github.com/falcosecurity/falcosidekick/pull/323) thanks to [@anushkamittal20](https://github.com/anushkamittal20))
- Add `extralabels` for *Loki* and *Prometheus* outputs which allow to set fields to use as labels additionally to `rule`, `source`, `priority`, `tags` and `customfields` ([PR#327](https://github.com/falcosecurity/falcosidekick/pull/327))
#### Fix
- Fix *Panic* for Prometheus metrics when `customfields` are set ([PR#333](https://github.com/falcosecurity/falcosidekick/pull/333))
## 2.25.0 - 2022-05-12
#### New
- New output: **Policy Report** ([PR#256](https://github.com/falcosecurity/falcosidekick/pull/256) thanks to [@anushkamittal20](https://github.com/anushkamittal20))
- New output: **Syslog** ([PR#272](https://github.com/falcosecurity/falcosidekick/pull/272) thanks to [@bdluca](https://github.com/bdluca))
- New output: **AWS Kinesis** ([PR#277](https://github.com/falcosecurity/falcosidekick/pull/277) thanks to [@gauravgahlot](https://github.com/gauravgahlot))
- New output: **Zoho Cliq** ([PR#301](https://github.com/falcosecurity/falcosidekick/pull/301) thanks to [@averni](https://github.com/averni))
- Images and Binaries for *arm* and *arm64* ([PR#288](https://github.com/falcosecurity/falcosidekick/pull/288))
- Sign artifacts with *cosign* ([PR#302](https://github.com/falcosecurity/falcosidekick/pull/302))
#### Enhancement
- Add CI steps to push images into AWS ECR ([PR#270](https://github.com/falcosecurity/falcosidekick/pull/270) thanks to [@maxgio92](https://github.com/maxgio92))
- Allow to choose API endpoint for *AlertManager* ([PR#282](https://github.com/falcosecurity/falcosidekick/pull/282) thanks to [@mathildeHermet](https://github.com/maxgiomathildeHermet92))
- Add label `priority` in *AlertManager* events ([PR#276](https://github.com/falcosecurity/falcosidekick/pull/276))
- Update Golang + GolangCI-Lint ([PR#289](https://github.com/falcosecurity/falcosidekick/pull/289) [PR#292](https://github.com/falcosecurity/falcosidekick/pull/292))
- Add version info ([PR#290](https://github.com/falcosecurity/falcosidekick/pull/290))
- Update image base to alpine 3.15 ([PR#291](https://github.com/falcosecurity/falcosidekick/pull/291))
- Increase CircleCI timeout ([PR#293](https://github.com/falcosecurity/falcosidekick/pull/293))
- Support *IRSA* for AWS authentication ([PR#295](https://github.com/falcosecurity/falcosidekick/pull/295) thanks to [@VariableExp0rt](https://github.com/VariableExp0rt))
- Add *tenant* for *Loki* output ([PR#308](https://github.com/falcosecurity/falcosidekick/pull/308) thanks to [@JGodin-C2C](https://github.com/JGodin-C2C))
- Upgrade endpoint for *Loki* ([PR#309](https://github.com/falcosecurity/falcosidekick/pull/309) thanks to [@JGodin-C2C](https://github.com/JGodin-C2C))
- Add `tags` and `source` in events for all outputs ([PR#310](https://github.com/falcosecurity/falcosidekick/pull/310))
- Add `custom_fields` to *Prometheus* series ([PR#314](https://github.com/falcosecurity/falcosidekick/pull/314) thanks to [@LyvingInSync](https://github.com/LyvingInSync))
- Update CircleCI jobs ([PR#316](https://github.com/falcosecurity/falcosidekick/pull/316))
#### Fix
- Fix *OpsGenie* output when keys have "." ([PR#287](https://github.com/falcosecurity/falcosidekick/pull/287))
- Fix typo in README ([PR#299](https://github.com/falcosecurity/falcosidekick/pull/299) thanks to [@oleg-nenashev](https://github.com/oleg-nenashev))
- Fix *GCS* writer not closed ([PR#312](https://github.com/falcosecurity/falcosidekick/pull/312) thanks to [@Milkshak3s](https://github.com/Milkshak3s))
## 2.24.0 - 2021-08-13
#### New
- New output: **Grafana** ([PR#254](https://github.com/falcosecurity/falcosidekick/pull/254))
- New output: **Fission** ([PR#255](https://github.com/falcosecurity/falcosidekick/pull/255) thanks to [@gauravgahlot](https://github.com/gauravgahlot))
- New output: **Yandex Cloud S3** ([PR#261](https://github.com/falcosecurity/falcosidekick/pull/261) thanks to [@nar3k](https://github.com/nar3k))
- New output: **Kafka REST** ([PR#263](https://github.com/falcosecurity/falcosidekick/pull/263) thanks to [@dirien](https://github.com/dirien))
#### Enhancement
- Set header `x-amz-acl` to `bucket-owner-full-control` for output `AWS S3` ([PR#264](https://github.com/falcosecurity/falcosidekick/pull/264) thanks to [@Kaizhe](https://github.com/Kaizhe))
- Docker image is now available on [`AWS ECR Public Gallery`](https://gallery.ecr.aws/falcosecurity/falcosidekick) ([PR#265](https://github.com/falcosecurity/falcosidekick/pull/265) thanks to [@maxgio92](https://github.com/maxgio92))
## 2.23.1 - 2021-06-23
#### Fix
- Fix memory leak with `AddHeaders` method ([PR#252](https://github.com/falcosecurity/falcosidekick/pull/252) thanks to [@distortedsignal](https://github.com/distortedsignal))
## 2.23.0 - 2021-06-23
#### New
- New output: **Wavefront** ([PR#229](https://github.com/falcosecurity/falcosidekick/pull/229) thanks to [@rikatz](https://github.com/rikatz))
- New output: **GCP Cloud Functions** ([PR#241](https://github.com/falcosecurity/falcosidekick/pull/241))
- New output: **GCP Cloud Run** ([PR#243](https://github.com/falcosecurity/falcosidekick/pull/243))
- Allow MutualTLS for some outputs ([PR#231](https://github.com/falcosecurity/falcosidekick/pull/231) thanks to [@jasiam](https://github.com/jasiam))
- Allow *Workload identity* for *GCP* output ([PR#235](https://github.com/falcosecurity/falcosidekick/pull/235) thanks to [@cartyc](https://github.com/cartyc))
- Add basic auth for *Elasticsearch* output ([PR#245](https://github.com/falcosecurity/falcosidekick/pull/245) thanks to [@distortedsignal](https://github.com/distortedsignal))
#### Enhancement
- Reorder fields in *Slack*t, *RocketChat* and *Mattermost* outputs + sort `customer_fields` alphabetically ([PR#226](https://github.com/falcosecurity/falcosidekick/pull/226))
- Set default values for *OpenFaas* output ([PR#232](https://github.com/falcosecurity/falcosidekick/pull/232))
- Re-use session for *AWS* output instead of deprecated `session.New()` ([PR#238](https://github.com/falcosecurity/falcosidekick/pull/238) thanks to [@dchoy](https://github.com/dchoy))
- Reorganize management of headers for outputs ([PR#245](https://github.com/falcosecurity/falcosidekick/pull/245) thanks to [@distortedsignal](https://github.com/distortedsignal))
#### Fix
- Fix init of **DogstatsD** output ([PR#227](https://github.com/falcosecurity/falcosidekick/pull/227))
- Remove duplicated logs + fix some of prefixes ([PR#228](https://github.com/falcosecurity/falcosidekick/pull/228))
- Fif *S3* output when "Default encryption" setting is disabled ([PR#242](https://github.com/falcosecurity/falcosidekick/pull/242) thanks to [@Kaizhe](https://github.com/Kaizhe))
## 2.22.0 - 2021-04-06
#### New
- New output: **AWS S3** ([PR#195](https://github.com/falcosecurity/falcosidekick/pull/195) thanks to [@evalsocket](https://github.com/evalsocket))
- New output: **GCP Storage** ([PR#202](https://github.com/falcosecurity/falcosidekick/pull/202) thanks to [@evalsocket](https://github.com/evalsocket))
- New output: **RabbitMQ** ([PR#210](https://github.com/falcosecurity/falcosidekick/pull/210) thanks to [@evalsocket](https://github.com/evalsocket))
- New output: **OpenFaas** ([PR#208](https://github.com/falcosecurity/falcosidekick/pull/208) thanks to [@developper-guy](https://github.com/developper-guy))
#### Enhancement
- Use higher level Writer api for **Kafka** ([PR#206](https://github.com/falcosecurity/falcosidekick/pull/206) thanks to [@zemek](https://github.com/zemek))
- Reorder *imports* to follow good practices ([PR#205](https://github.com/falcosecurity/falcosidekick/pull/205))
- Prevent misleading error message when *CUSTOMFIELDS* env var is set ([PR#201](https://github.com/falcosecurity/falcosidekick/pull/201) thanks to [@zemek](https://github.com/zemek))
- Use *Events v2* API for **PagerDuty** output ([PR#200](https://github.com/falcosecurity/falcosidekick/pull/200) thanks to [@caWhite](https://github.com/caWhite))
#### Fix
- Fix *outputformat* when using fields or text in **Slack** output ([PR#204](https://github.com/falcosecurity/falcosidekick/pull/204))
- Fix HTML template for **SMTP** output ([PR#199](https://github.com/falcosecurity/falcosidekick/pull/199))
## 2.21.0 - 2021-02-12
#### New
- New output: **Cloud Events** ([PR#169](https://github.com/falcosecurity/falcosidekick/pull/169) thanks to [@n3wscott](https://github.com/n3wscott))
- New output: **WebUI** ([PR#180](https://github.com/falcosecurity/falcosidekick/pull/180))
- New output : **Cloud Events** ([PR#169](https://github.com/falcosecurity/falcosidekick/pull/169) thanks to [@n3wscott](https://github.com/n3wscott))
- New output : **WebUI** ([PR#180](https://github.com/falcosecurity/falcosidekick/pull/180))
#### Enhancement
- Include numeric values for `Alertmanager` outputs ([PR#177](https://github.com/falcosecurity/falcosidekick/pull/177) thanks to to [@alsm](https://github.com/alsm))
- Add `listenaddress` option ([PR#187](https://github.com/falcosecurity/falcosidekick/pull/187) thanks to to [@alsm](https://github.com/alsm))
@ -259,9 +14,9 @@
## 2.20.0 - 2021-01-12
#### New
- New output: **STAN (NATS Streaming)** ([PR#135](https://github.com/falcosecurity/falcosidekick/pull/135))
- New output: **PagerDuty** ([PR#164](https://github.com/falcosecurity/falcosidekick/pull/164))
- New output: **Kubeless** ([PR#170](https://github.com/falcosecurity/falcosidekick/pull/170))
- New output : **STAN (NATS Streaming)** ([PR#135](https://github.com/falcosecurity/falcosidekick/pull/135))
- New output : **PagerDuty** ([PR#164](https://github.com/falcosecurity/falcosidekick/pull/164))
- New output : **Kubeless** ([PR#170](https://github.com/falcosecurity/falcosidekick/pull/170))
#### Enhancement
- CI: clean filters ([PR#138](https://github.com/falcosecurity/falcosidekick/pull/138))
- Replace library for `Kafka` ([PR#139](https://github.com/falcosecurity/falcosidekick/pull/139))
@ -277,8 +32,8 @@
## 2.19.0 - 2020-12-01
#### New
- New output: **Apache Kafka** ([PR#124](https://github.com/falcosecurity/falcosidekick/pull/124) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
- New output: **Cloudwatch Logs** ([PR#127](https://github.com/falcosecurity/falcosidekick/pull/127) thanks to [@cpanato](https://github.com/cpanato))
- New output : **Apache Kafka** ([PR#124](https://github.com/falcosecurity/falcosidekick/pull/124) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
- New output : **Cloudwatch Logs** ([PR#127](https://github.com/falcosecurity/falcosidekick/pull/127) thanks to [@cpanato](https://github.com/cpanato))
#### Enhancement
- Bump Golang version to `1.15` ([PR#128](https://github.com/falcosecurity/falcosidekick/pull/128) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
- Add a contributing document ([PR#123](https://github.com/falcosecurity/falcosidekick/pull/123) thanks to [@cpanato](https://github.com/cpanato))
@ -291,7 +46,7 @@
## 2.18.0 - 2020-11-20
#### New
- New output: **Google Chat** ([PR#107](https://github.com/falcosecurity/falcosidekick/pull/107) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
- New output : **Google Chat** ([PR#107](https://github.com/falcosecurity/falcosidekick/pull/107) thanks to [@KeisukeYamashita](https://github.com/KeisukeYamashita))
#### Enhancement
- Add test for `Mattermost` ([PR#99](https://github.com/falcosecurity/falcosidekick/pull/99) thanks to [@cpanato](https://github.com/cpanato))
- Add golangci lint ([PR#100](https://github.com/falcosecurity/falcosidekick/pull/100) thanks to [@cpanato](https://github.com/cpanato))
@ -305,7 +60,7 @@
## 2.17.0 - 2020-11-13
#### New
- New output: **GCP PubSub** ([PR#97](https://github.com/falcosecurity/falcosidekick/pull/97) thanks to [@IanRobertson-wpe](https://github.com/IanRobertson-wpe))
- New output : **GCP PubSub** ([PR#97](https://github.com/falcosecurity/falcosidekick/pull/97) thanks to [@IanRobertson-wpe](https://github.com/IanRobertson-wpe))
#### Enhancement
- Better instructions for install with `Helm` ([PR#95](https://github.com/falcosecurity/falcosidekick/pull/95) thanks to [@pyaillet](https://github.com/pyaillet))
@ -317,7 +72,7 @@
## 2.15.0 - 2020-10-27
#### New
- New output: **AWS SNS** ([PR#84](https://github.com/falcosecurity/falcosidekick/pull/84))
- New output : **AWS SNS** ([PR#84](https://github.com/falcosecurity/falcosidekick/pull/84))
- A `prometheus` exporter is now available for all metrics
#### Enhancement
- Reduce cardinality of alerts by grouping them for `AlertManager` ([PR#79](https://github.com/falcosecurity/falcosidekick/pull/79) thanks to [@epcim](https://github.com/epcim))
@ -328,8 +83,8 @@ The Helm chart has been migrated to [falcosecurity/charts](https://github.com/fa
## 2.14.0 - 2020-08-10
#### New
- New output: **Azure Event Hubs** ([PR#66](https://github.com/falcosecurity/falcosidekick/pull/66) thanks to [@arminc](https://github.com/arminc))
- New output: **Discord** ([PR#61](https://github.com/falcosecurity/falcosidekick/pull/61) thanks to [@nibalizer](https://github.com/nibalizer))
- New output : **Azure Event Hubs** ([PR#66](https://github.com/falcosecurity/falcosidekick/pull/66) thanks to [@arminc](https://github.com/arminc))
- New output : **Discord** ([PR#61](https://github.com/falcosecurity/falcosidekick/pull/61) thanks to [@nibalizer](https://github.com/nibalizer))
#### Enhancement
- Cert validity of outputs can be disabled ([PR#74](https://github.com/falcosecurity/falcosidekick/pull/74))
- Golang 1.14 is now used for building the Docker image
@ -341,8 +96,8 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.13.0 - 2020-06-15
#### New
- New output: **Rocketchat**
- New output: **Mattermost**
- New output : **Rocketchat**
- New output : **Mattermost**
# 2.12.3 - 2020-04-21
#### Enhancement
@ -367,8 +122,8 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.11.0 - 2019-11-13
#### New
- New output: **Webhook**
- New output: **DogStatsD**
- New output : **Webhook**
- New output : **DogStatsD**
- New metrics : *running goroutines*, *number of used CPU*
#### Enhancement
- :boom: Standardization of metric names (to be consistent between *expar* and *(Dog)StatsD*)
@ -379,7 +134,7 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.10.0 - 2019-10-22
#### New
- New output: **StatsD** ([PR#43](https://github.com/falcosecurity/falcosidekick/pull/40) thanks to [@actgardner](https://github.com/actgardner))
- New output : **StatsD** ([PR#43](https://github.com/falcosecurity/falcosidekick/pull/40) thanks to [@actgardner](https://github.com/actgardner))
## 2.9.3 - 2019-10-18
@ -397,7 +152,7 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.9.0 - 2019-10-04
#### New
- New output: **Opsgenie**
- New output : **Opsgenie**
#### Enhancement
- New avatar : with colors and squared
#### Fix
@ -405,7 +160,7 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.8.0 - 2019-09-11
#### New
- New output: **NATS**
- New output : **NATS**
## 2.7.2 - 2019-08-28
#### Enhancement
@ -417,17 +172,17 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.7.0 - 2019-08-27
#### New
- New output: **Loki**
- New output : **Loki**
## 2.6.0 - 2019-08-26
#### New
- New output: **SMTP** (email)
- New output : **SMTP** (email)
## 2.5.0 - 2019-08-12
#### New
- New output: **AWS Lambda**
- New output: **AWS SQS** ([issue #5](https://github.com/falcosecurity/falcosidekick/issues/5))
- New output: **Teams** ([issue #30](https://github.com/falcosecurity/falcosidekick/issues/30))
- New output : **AWS Lambda**
- New output : **AWS SQS** ([issue #5](https://github.com/falcosecurity/falcosidekick/issues/5))
- New output : **Teams** ([issue #30](https://github.com/falcosecurity/falcosidekick/issues/30))
- A github page has been created : https://falcosecurity.github.io/falcosidekick/
#### Enhancement
@ -445,7 +200,7 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.2.0 - 2019-06-13
#### New
- A minimum priority for each output can be set
- New output: **Influxdb** ([issue #4](https://github.com/falcosecurity/falcosidekick/issues/4))
- New output : **Influxdb** ([issue #4](https://github.com/falcosecurity/falcosidekick/issues/4))
#### Fix
- Panic happened when trying to add `customfields` but falco event hadn't
@ -457,7 +212,7 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 2.0.0 - 2019-05-23
#### New
- New output: **Elasticsearch** ([issue #14](https://github.com/falcosecurity/falcosidekick/issues/14))
- New output : **Elasticsearch** ([issue #14](https://github.com/falcosecurity/falcosidekick/issues/14))
- **New configuration method : we can now use a config file in YAML and/or env vars** (see *README*) ([issue #17](https://github.com/falcosecurity/falcosidekick/issues/17))
- New endpoint : `/debug/vars` gives access to Golang + Custom metrics (see *README*) ([issue #17](https://github.com/falcosecurity/falcosidekick/issues/17))
#### Enhancement
@ -505,7 +260,7 @@ This release is the last one with an Helm chart, the next ones will be in [Falco
## 1.0.3 - 2019-01-30
#### New
- New output: **Alert Manager**
- New output : **Alert Manager**
#### Enhancement
- Add status of posts to Outputs in logs (stdout)


@ -20,7 +20,4 @@ This project uses GitHub to manage reviews of pull requests.
* Commits should be as small as possible, while ensuring that each commit is correct independently (i.e., each commit should compile and pass tests).
* All commits must include a `Signed-off-by` line. This line must point to the author's Full Name and their valid email address.
* This can be accomplished by adding the `-s` flag in git.
* Add tests relevant to the fixed bug or new feature.


@ -1,9 +1,21 @@
ARG BASE_IMAGE=alpine:3.19
ARG BUILDER_IMAGE=golang:1.15.5
ARG BASE_IMAGE=alpine:3.12
FROM ${BUILDER_IMAGE} AS build-stage
ENV CGO_ENABLED=0
WORKDIR /src
ADD . .
RUN go mod download
RUN make falcosidekick
# Final Docker image
FROM ${BASE_IMAGE} AS final-stage
LABEL MAINTAINER="Thomas Labarussias <issif+falcosidekick@gadz.org>"
LABEL MAINTAINER "Thomas Labarussias <issif+falcosidekick@gadz.org>"
RUN apk add --update --no-cache ca-certificates gcompat
RUN apk add --update --no-cache ca-certificates
# Create user falcosidekick
RUN addgroup -S falcosidekick && adduser -u 1234 -S falcosidekick -G falcosidekick
@ -12,9 +24,9 @@ RUN addgroup -S falcosidekick && adduser -u 1234 -S falcosidekick -G falcosideki
USER 1234
WORKDIR ${HOME}/app
COPY LICENSE .
COPY falcosidekick .
COPY --from=build-stage /src/LICENSE .
COPY --from=build-stage /src/falcosidekick .
EXPOSE 2801
ENTRYPOINT ["./falcosidekick"]
ENTRYPOINT ["./falcosidekick"]
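Review bot: The build stage copies the source tree with `ADD . .`, and `ADD` carries URL-fetch and archive-auto-extract semantics that are not wanted here; `COPY . .` expresses the intent exactly and is what the rest of the file already uses for the `--from=build-stage` copies. Reading the hunk counts (`-1,9 +1,21`), the multi-stage 2.21.0 side is the one under review, so this applies to its `ADD . .` line. Both `golang:1.15.5` and `alpine:3.12` are pinned by mutable tag only; for a security-tool image that is published and signed, pinning `BUILDER_IMAGE`/`BASE_IMAGE` by `@sha256:` digest (or at least verifying them in CI) would make the build reproducible and the supply chain attestable. `WORKDIR ${HOME}/app` after `USER 1234` also looks worth confirming: if `HOME` is not set by the base image at build time it expands to `/app`, created root-owned, which is probably not what the non-root user was meant to get.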


@ -1,31 +0,0 @@
ARG BUILDER_IMAGE=golang:1.21-bullseye
ARG BASE_IMAGE=alpine:3.19
FROM ${BUILDER_IMAGE} AS build-stage
ENV CGO_ENABLED=0
WORKDIR /src/
COPY . .
RUN make falcosidekick
# Final Docker image
FROM ${BASE_IMAGE} AS final-stage
LABEL MAINTAINER="Thomas Labarussias <issif+falcosidekick@gadz.org>"
RUN apk add --update --no-cache ca-certificates
# Create user falcosidekick
RUN addgroup -S falcosidekick && adduser -u 1234 -S falcosidekick -G falcosidekick
# must be numeric to work with Pod Security Policies:
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
USER 1234
WORKDIR ${HOME}/app
COPY LICENSE .
COPY --from=build-stage /src/falcosidekick .
EXPOSE 2801
ENTRYPOINT ["./falcosidekick"]

206
LICENSE

@ -1,212 +1,6 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2024 The Falco Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-------------------------
MIT License
Copyright (c) 2018 Thomas Labarussias
Copyright (C) 2024 The Falco Authors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

View File

@ -2,6 +2,7 @@
SHELL=/bin/bash -o pipefail
.DEFAULT_GOAL:=help
GOPATH := $(shell go env GOPATH)
GOARCH := $(shell go env GOARCH)
GOOS := $(shell go env GOOS)
@ -14,25 +15,6 @@ GO ?= go
DOCKER ?= docker
TEST_FLAGS ?= -v -race
GIT_TAG ?= dirty-tag
GIT_VERSION ?= $(shell git describe --tags --always --dirty)
GIT_HASH ?= $(shell git rev-parse HEAD)
DATE_FMT = +'%Y-%m-%dT%H:%M:%SZ'
SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
ifdef SOURCE_DATE_EPOCH
BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)")
else
BUILD_DATE ?= $(shell date "$(DATE_FMT)")
endif
GIT_TREESTATE = "clean"
DIFF = $(shell git diff --quiet >/dev/null 2>&1; if [ $$? -eq 1 ]; then echo "1"; fi)
ifeq ($(DIFF), 1)
GIT_TREESTATE = "dirty"
endif
PKG=main
LDFLAGS=-X $(PKG).GitVersion=$(GIT_VERSION) -X $(PKG).gitCommit=$(GIT_HASH) -X $(PKG).gitTreeState=$(GIT_TREESTATE) -X $(PKG).buildDate=$(BUILD_DATE)
# Directories.
ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
TOOLS_DIR := hack/tools
@ -40,34 +22,21 @@ TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
GO_INSTALL = ./hack/go_install.sh
# Binaries.
GOLANGCI_LINT_VER := v1.57.2
GOLANGCI_LINT_VER := v1.32.2
GOLANGCI_LINT_BIN := golangci-lint
GOLANGCI_LINT := $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)
# Docker
IMAGE_TAG := falcosecurity/falcosidekick:latest
## --------------------------------------
## Build
## --------------------------------------
.PHONY: falcosidekick
falcosidekick:
$(GO) mod download
GOOS=$(GOOS) GOARCH=$(GOARCH) $(GO) build -trimpath -ldflags "$(LDFLAGS)" -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o $@ .
.PHONY: falcosidekick-linux
falcosidekick-linux:
$(GO) mod download
GOOS=linux GOARCH=$(GOARCH) $(GO) build -ldflags "$(LDFLAGS)" -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o falcosidekick .
$(GO) build -gcflags all=-trimpath=/src -asmflags all=-trimpath=/src -a -installsuffix cgo -o $@ .
.PHONY: build-image
build-image: falcosidekick-linux
$(DOCKER) build -t $(IMAGE_TAG) .
.PHONY: push-image
push-image:
$(DOCKER) push $(IMAGE_TAG)
build-image:
$(DOCKER) build . -t falcosecurity/falcosidekick:latest
## --------------------------------------
## Test
@ -93,14 +62,6 @@ lint: $(GOLANGCI_LINT) ## Lint codebase
lint-full: $(GOLANGCI_LINT) ## Run slower linters to detect possible issues
$(GOLANGCI_LINT) run -v --fast=false
## --------------------------------------
## Release
## --------------------------------------
.PHONY: goreleaser-snapshot
goreleaser-snapshot: ## Release snapshot using goreleaser
LDFLAGS="$(LDFLAGS)" goreleaser --snapshot --skip=sign --clean
## --------------------------------------
## Tooling Binaries
## --------------------------------------
@ -115,4 +76,3 @@ $(GOLANGCI_LINT): ## Build golangci-lint from tools folder.
.PHONY: clean
clean:
rm -rf hack/tools/bin
rm -rf dist

14
OWNERS

@ -1,10 +1,14 @@
approvers:
- Issif
- leogr
- cpanato
- fjogeleit
emeritus_approvers:
- leodido
- nibalizer
- leogr
- cpanato
- KeisukeYamashita
reviewers:
- Issif
- leodido
- nibalizer
- leogr
- cpanato
- KeisukeYamashita
- developer-guy

974
README.md

File diff suppressed because it is too large Load Diff

955
config.go

File diff suppressed because it is too large Load Diff


@ -1,55 +1,28 @@
#listenaddress: "" # ip address to bind falcosidekick to (default: "" meaning all addresses)
#listenport: 2801 # port to listen for daemon (default: 2801)
debug: false # if true all outputs will print in stdout the payload they send (default: false)
customfields: # custom fields are added to falco events and metrics, if the value starts with % the relative env var is used
customfields: # custom fields are added to falco events
Akey: "AValue"
Bkey: "BValue"
Ckey: "CValue"
templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values
# Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}'
# bracketreplacer: "_" # if not empty, the brackets in keys of Output Fields are replaced
customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used
- tagA
- tagB
outputFieldFormat: "<timestamp>: <priority> <output> <custom_fields> <templated_fields>" # if not empty, allow to change the format of the output field. (default: "<timestamp>: <priority> <output>")
mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")
mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy
certfile: "/etc/certs/client/client.crt" # client certification file
keyfile: "/etc/certs/client/client.key" # client key
cacertfile: "/etc/certs/client/ca.crt" # for server certification
tlsclient:
cacertfile: "/etc/certs/client/ca.crt" # CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty
tlsserver:
deploy: false # if true, TLS server will be deployed instead of HTTP
certfile: "/etc/certs/server/server.crt" # server certification file
keyfile: "/etc/certs/server/server.key" # server key
mutualtls: false # if true, mTLS server will be deployed instead of TLS, deploy also has to be true
cacertfile: "/etc/certs/server/ca.crt" # for client certification if mutualtls is true
notlsport: 2810 # port to serve http server serving selected endpoints (default: 2810)
notlspaths: # if not empty, and tlsserver.deploy is true, a separate http server will be deployed for the specified endpoints
- "/ping"
# - "/metrics"
# - "/healthz"
checkCert: true # check if ssl certificate of the output is valid (default: true)
slack:
webhookurl: "" # Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
#channel: "" # Slack channel (optionnal)
#footer: "" # Slack footer
#icon: "" # Slack icon (avatar)
#username: "" # Slack username (default: Falcosidekick)
outputformat: "all" # all (default), text, fields
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
#messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
rocketchat:
webhookurl: "" # Rocketchat WebhookURL (ex: http://XXXX/hooks/YYYY), if not empty, Rocketchat output is enabled
#icon: "" # Rocketchat icon (avatar)
#username: "" # Rocketchat username (default: Falcosidekick)
outputformat: "all" # all (default), text, fields
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# messageformat: "Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields \"user.name\" }}*" # a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from `ROCKETCHAT_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
mattermost:
webhookurl: "" # Mattermost WebhookURL (ex: http://XXXX/hooks/YYYY), if not empty, Mattermosst output is enabled
@ -57,137 +30,53 @@ mattermost:
#icon: "" # Mattermost icon (avatar)
#username: "" # Mattermost username (default: Falcosidekick)
outputformat: "all" # all (default), text, fields
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# messageformat: "Alert : rule **{{ .Rule }}** triggered by user **{{ index .OutputFields \"user.name\" }}**" # a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `MATTERMOST_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
teams:
webhookurl: "" # Teams WebhookURL, if not empty, Teams output is enabled
webhookurl: "" # Teams WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Teams output is enabled
#activityimage: "" # Image for message section
outputformat: "all" # all (default), text, facts
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
webex:
# webhookurl: "" # Webex WebhookURL, if not empty, Teams Webex is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
outputformat: "text" # all (default), text, facts
minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
datadog:
# apikey: "" # Datadog API Key, if not empty, Datadog output is enabled
# host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://api.datadoghq.com"
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
datadoglogs:
# apikey: "" # Datadog API Key, if not empty, Datadog Logs output is enabled
# host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/"
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# service: "" # The name of the application or service generating the log events.
alertmanager:
# hostport: "" # Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is enabled
# hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# endpoint: "" # alertmanager endpoint for posting alerts: "/api/v1/alerts" or "/api/v2/alerts" (default: "/api/v1/alerts")
# expiresafter: "" if set to a non-zero value, alert expires after that time in seconds (default: 0)
# extralabels: "" # comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2
# extraannotations: "" # comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2
# customseveritymap: "" # comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: "")
# dropeventdefaultpriority: "" # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: "critical")
# dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default: `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"`)
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
elasticsearch:
# hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
# index: "falco" # index (default: falco)
# type: "_doc"
# pipeline: "" # optional ingest pipeline name
# type: "event"
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# apikey: "" # use this APIKey to authenticate to Elasticsearch if the APIKey is not empty (default: "")
# username: "" # use this username to authenticate to Elasticsearch if the username is not empty (default: "")
# password: "" # use this password to authenticate to Elasticsearch if the password is not empty (default: "")
# flattenfields: false # replace . by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false)
# createindextemplate: false # create an index template (default: false)
# numberofshards: 3 # number of shards set by the index template (default: 3)
# numberofreplicas: 3 # number of replicas set by the index template (default: 3)
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# enablecompression: false # if true enables gzip compression for http requests (default: false)
# batching: # batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API
# enabled: true # if true enables batching
# batchsize: 5242880 # batch size in bytes (default: 5 MB)
# flushinterval: 1s # batch fush interval (default: 1s)
# maxconcurrentrequests: 1 # max number of concurrent http requests (default: 1)
quickwit:
# hostport: "" # http(s)://{domain or ip}:{port}, if not empty, Quickwit output is enabled
# apiendpoint: "/api/v1"
# index: "falco" # index (default: falco)
# version: "0.7"
# autocreateindex: false # create the index mapping if true and if the index doesn't already exists
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
influxdb:
# hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
# database: "falco" # Influxdb database (api v1 only) (default: falco)
# organization: "" # Influxdb organization
# bucket: "falco" # bucket (default: falco)
# precision: "ns" # write precision
# database: "falco" # Influxdb database (default: falco)
# user: "" # user to use if auth is enabled in Influxdb
# password: "" # pasword to use if auth is enabled in Influxdb
# token: "" # API token to use if auth in enabled in Influxdb (disables user and password)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
loki:
# hostport: "" # http://{domain or ip}:{port}, if not empty, Loki output is enabled
# user: "" # user for Grafana Logs
# apikey: "" # API Key for Grafana Logs
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# tenant: "" # Add the Tenant header
# format: "text" # Format for the log entry value: json, text (default)
# endpoint: "/loki/api/v1/push" # The endpoint URL path, default is "/loki/api/v1/push" more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush
# extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
nats:
# hostport: "" # nats://{domain or ip}:{port}, if not empty, NATS output is enabled
# subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
stan:
# hostport: "" # nats://{domain or ip}:{port}, if not empty, STAN output is enabled
# clusterid: "" # Cluster name, if not empty, STAN output is enabled
# clientid: "" # Client ID, if not empty, STAN output is enabled
# subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
# region : "" # aws region (optional if you use EC2 Instance Profile)
lambda:
# functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
sqs:
# url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
@ -199,41 +88,16 @@ aws:
# loggroup : "" # AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is enabled
# logstream : "" # AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
s3:
# bucket: "falcosidekick" # AWS S3, bucket name
# prefix: "" # name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# endpoint: "" # endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs
# objectcannedacl: "bucket-owner-full-control" # Canned ACL (x-amz-acl) to use when creating the object
securitylake.:
# bucket: "" # Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled
# region: "" # Bucket Region (mandatory)
# prefix: "" # Prefix for keys (mandatory)
# accountid: "" # Account ID (mandatory)
interval: 5 # Time in minutes between two puts to S3 (must be between 5 and 60min) (default: 5min)
batchsize: 1000 # Max number of events by parquet file (default: 1000)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
kinesis:
# streamname: "" # AWS Kinesis Stream Name, if not empty, Kinesis output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
smtp:
# hostport: "" # host:port address of SMTP server, if not empty, SMTP output is enabled
# tls: false # Use TLS connection (true/false). Default: true
# authmechanism: "plain" # SASL Mechanisms : plain, oauthbearer, external, anonymous or none (disable SASL). Default: plain
# user: "" # user for Plain Mechanism
# password: "" # password for Plain Mechanism
# token: "" # OAuthBearer token for OAuthBearer Mechanism
# identity: "" # identity string for Plain and External Mechanisms
# trace: "" trace string for Anonymous Mechanism
# user: "" # user to access SMTP server
# password: "" # password to access SMTP server
# from: "" # Sender address (mandatory if SMTP output is enabled)
# to: "" # comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled)
# outputformat: "" # html (default), text
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
prometheus:
# extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
statsd:
forwarder: "" # The address for the StatsD forwarder, in the form "host:port", if not empty StatsD is enabled
namespace: "falcosidekick." # A prefix for all metrics (default: "falcosidekick.")
@ -245,35 +109,21 @@ dogstatsd:
# key: "value"
opsgenie:
# apikey: "" # Opsgenie API Key, if not empty, Opsgenie output is enabled
# apikey: "2c771471-e2af-4dc6-bd35-e7f6ff479b64" # Opsgenie API Key, if not empty, Opsgenie output is enabled
region: "eu" # (us|eu) region of your domain
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
webhook:
# address: "" # Webhook address, if not empty, Webhook output is enabled
# method: "POST" # HTTP method: POST or PUT (default: POST)
# customHeaders: # Custom headers to add in the request, useful for Authentication
# key: value
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
nodered:
# address: "" # Node-RED address, if not empty, Node-RED output is enabled
# user: "" # User if Basic Auth is enabled for 'http in' node in Node-RED
# password: "" # Password if Basic Auth is enabled for 'http in' node in Node-RED
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
cloudevents:
# address: "" # CloudEvents consumer http address, if not empty, CloudEvents output is enabled
# extensions: # Extensions to add in the outbound Event, useful for routing
# key: value
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# address: "" # CloudEvents consumer http address, if not empty, CloudEvents output is enabled
# extensions: # Extensions to add in the outbound Event, useful for routing
# key: value
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
azure:
eventHub:
@ -292,19 +142,6 @@ gcp:
projectid: "" # The GCP Project ID containing the Pub/Sub Topic
topic: "" # The name of the Pub/Sub topic
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# customAttributes: # Custom attributes to add to the Pub/Sub messages
# key: value
storage:
# prefix : "" # name of prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
bucket: "" # The name of the bucket
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
cloudfunctions:
name: "" # The name of the Cloud Function
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
cloudrun:
endpoint: "" # The URL of the Cloud Function
jwt: "" # Appropriate JWT to invoke the Cloud Function
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
googlechat:
webhookurl: "" # Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is enabled
@ -312,40 +149,11 @@ googlechat:
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Attachment.
cliq:
webhookurl: "" # WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is enabled
# icon: "" # Cliq icon (avatar)
# useemoji: true # Prefix message with an emoji
# outputformat: "all" # all (default), text, fields
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Cliq Text above Table, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Table.
kafka:
hostport: "" # comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
hostport: "" # Apache Kafka Host:Port (ex: localhost:9092). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
topic: "" # Name of the topic, if not empty, Kafka output is enabled
# partition: 0 # Partition number of the topic.
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
sasl: "" # SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512)
tls: false # Use TLS for the connections (default: false)
username: "" # use this username to authenticate to Kafka via SASL (default: "")
password: "" # use this password to authenticate to Kafka via SASL (default: "")
# async: false # produce messages without blocking (default: false)
# requiredacks: NONE # number of acknowledges from partition replicas required before receiving (default: "NONE")
# compression: "" # enable message compression using this algorithm, no compression (GZIP|SNAPPY|LZ4|ZSTD|NONE) (default: "NONE")
# balancer: "" # partition balancing strategy when producing, (default: "round_robin")
# clientid: "" # specify a client.id when communicating with the broker for tracing
# topiccreation: false # auto create the topic if it doesn't exist (default: false)
kafkarest:
address: "" # The full URL to the topic (example "http://kafkarest:8082/topics/test")
#version: 2 # Kafka Rest Proxy API version 2|1 (default: 2)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
pagerduty:
routingKey: "" # Pagerduty Routing Key, if not empty, Pagerduty output is enabled
region: "us" # Pagerduty Region, can be 'us' or 'eu' (default: us)
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
kubeless:
function: "" # Name of Kubeless function, if not empty, Kubeless is enabled
@ -353,239 +161,6 @@ kubeless:
port: 8080 # Port of service of Kubeless function
kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcoside is running outside the cluster)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
openfaas:
functionname: "" # Name of OpenFaaS function, if not empty, OpenFaaS is enabled
functionnamespace: "openfaas-fn" # Namespace of OpenFaaS function, "openfaas-fn" (default)
gatewayservice: "gateway" # Service of OpenFaaS Gateway, "gateway" (default)
gatewayport: 8080 # Port of service of OpenFaaS Gateway
gatewaynamespace: "openfaas" # Namespace of OpenFaaS Gateway, "openfaas" (default)
kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
rabbitmq:
url: "" # Rabbitmq URL, if not empty, Rabbitmq output is enabled
queue: "" # Rabbitmq Queue name
minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
wavefront:
endpointtype: "" # Wavefront endpoint type, must be 'direct' or 'proxy'. If not empty, with endpointhost, Wavefront output is enabled
endpointhost: "" # Wavefront endpoint address (only the host). If not empty, with endpointhost, Wavefront output is enabled
endpointtoken: "" # Wavefront token. Must be used only when endpointtype is 'direct'
# endpointmetricport: 2878 # Port to send metrics. Only used when endpointtype is 'proxy'. Defaults to 2878
# metricname: "falco.alert" # Metric to be created in Wavefront. Defaults to falco.alert
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# batchsize: 10000 # Wavefront batch size. If empty uses the default 10000. Only used when endpointtype is 'direct'
# flushintervalseconds: 1 # Wavefront flush interval in seconds. Defaults to 1
grafana:
hostport: "" # http://{domain or ip}:{port}, if not empty, Grafana output is enabled
apikey: "" # API Key to authenticate to Grafana, if not empty, Grafana output is enabled
# dashboardid: # annotations are scoped to a specific dashboard. Optionnal.
# panelid: "" # annotations are scoped to a specific panel. Optionnal.
# allfieldsastags: false # if true, all custom fields are added as tags (default: false)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
grafanaoncall:
webhookurl: "" # if not empty, Grafana OnCall output is enabled
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
webui:
url: "" # WebUI URL, if not empty, WebUI output is enabled
fission:
function: "" # Name of Fission function, if not empty, Fission is enabled
routernamespace: "fission" # Namespace of Fission Router, "fission" (default)
routerservice: "router" # Service of Fission Router, "router" (default)
routerport: 80 # Port of service of Fission Router
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
policyreport:
enabled: false # if true policyreport output is enabled
kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
falconamespace: "" # Set the namespace where Falco is running (only if falcosidekick is running outside the cluster)
maxevents: 1000 # the max number of events per report(default: 1000)
prunebypriority: false # if true; the events with lowest severity are pruned first, in FIFO order (default: false)
yandex:
# accesskeyid: "" # yandex access key
# secretaccesskey: "" # yandex secret access key
# region: "" # yandex storage region (default: ru-central-1)
s3:
# endpoint: "" # yandex storage endpoint (default: https://storage.yandexcloud.net)
# bucket: "falcosidekick" # Yandex storage, bucket name
# prefix: "" # name of prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug
datastreams:
# endpoint: "" # Yandex Data Streams endpoint (default: https://yds.serverless.yandexcloud.net)
# streamname: "" # stream name in format /${region}/${folder_id}/${ydb_id}/${stream_name}
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug
syslog:
# host: "" # Syslog host, if not empty, Syslog output is enabled
# port: "" # Syslog endpoint port number
# protocol: "" # Syslog transport protocol. It can be either "tcp" or "udp" (default: tcp)
# format: "" # Syslog payload format. It can be either "json" or "cef" (default: json)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
mqtt:
broker: "" # Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is enabled
# topic: "falco/events" # Topic for messages (default: falco/events)
# qos: 0 # QOS for messages (default: 0)
# retained: false # If true, messages are retained (default: false)
# user: "" # User if the authentication is enabled in the broker
# password: "" # Password if the authentication is enabled in the broker
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
zincsearch:
# hostport: "" # http://{domain or ip}:{port}, if not empty, ZincSearch output is enabled
# index: "falco" # index (default: falco)
# username: "" # use this username to authenticate to ZincSearch (default: "")
# password: "" # use this password to authenticate to ZincSearch (default: "")
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
gotify:
# hostport: "" # http://{domain or ip}:{port}, if not empty, Gotify output is enabled
# token: "" # API Token
# format: "markdown" # Format of the messages (plaintext, markdown, json) (default: markdown)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
tekton:
# eventListener: "" # EventListener address, if not empty, Tekton output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
spyderbat:
# orguid: "" # Organization to send output to, if not empty, Spyderbat output is enabled
# apikey: "" # Spyderbat API key with access to the organization
# apiurl: "https://api.spyderbat.com" # Spyderbat API url (default: "https://api.spyderbat.com")
# source: "falcosidekick" # Spyderbat source ID, max 32 characters (default: "falcosidekick")
# sourcedescription: "" # Spyderbat source description and display name if not empty, max 256 characters
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
timescaledb:
# host: "" # TimescaleDB host, if not empty, TImescaleDB output is enabled
# port: "5432" # TimescaleDB port (default: 5432)
# user: "postgres" # Username to authenticate with TimescaleDB (default: postgres)
# password: "postgres" # Password to authenticate with TimescaleDB (default: postgres)
# database: "" # TimescaleDB database used
# hypertablename: "falco_events" # Hypertable to store data events (default: falco_events) See TimescaleDB setup for more info
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
redis:
# address: "" # Redis address, if not empty, Redis output is enabled
# password: "" # Password to authenticate with Redis (default: "")
# database: "" # Redis database number (default: 0)
# storagetype: "" # Redis storage type: hashmap or list (default: "list")
# key: "" # Redis storage key name for hashmap, list(default: "falco")
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
telegram:
# token: "" # telegram bot authentication token
# chatid: "" # telegram Identifier of the shared chat
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
n8n:
# address: "" # N8N address, if not empty, N8N output is enabled
# user: "" # Username to authenticate with N8N in basic auth
# password: "" # Password to authenticate with N8N in basic auth
# headerauthname: "" # Header Auth Key to authenticate with N8N
# headerauthvalue: "" # Header Auth Value to authenticate with N8N
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
openobserve:
# hostport: "" # http://{domain or ip}:{port}, if not empty, OpenObserve output is enabled
# organizationName: "default" # Organization name (default: default)
# streamName: "falco" # Stream name (default: falco)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# username: "a" # use this username to authenticate to OpenObserve if the username is not empty (default: "")
# password: "" # use this password to authenticate to OpenObserve if the password is not empty (default: "")
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
dynatrace:
apitoken: "" # Dynatrace API token with the "logs.ingest" scope, more info : https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled
apiurl: "" # Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
sumologic:
receiverURL: "" # Sumologic HTTP Source URL, if not empty, Sumologic output is enabled
# sourceCategory: "" # Override the default Sumologic Source Category
# sourceHost: "" # Override the default Sumologic Source Host
# name: "" # Override the default Sumologic Source Name
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
otlp:
traces:
# endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/traces), if not empty, OTLP Traces output is enabled
# protocol: "" # OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json)
# timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
# headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
# synced: false # Set to true if you want traces to be sent synchronously (default: false)
# duration: 1000 # Artificial span duration in milliseconds (default: 1000)
# extraenvvars: # Extra env vars (override the other settings)
# OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
# OTEL_EXPORTER_OTLP_TIMEOUT: 10000
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # Set if you want to skip TLS certificate validation (default: true)
logs:
# endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/logs), if not empty, OTLP Traces output is enabled
# protocol: "" # OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json)
# timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
# headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
# extraenvvars: # Extra env vars (override the other settings)
# OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
# OTEL_EXPORTER_OTLP_TIMEOUT: 10000
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # Set if you want to skip TLS certificate validation (default: true)
metrics:
# endpoint: "" # OTLP endpoint, typically in the form http(s)://{domain or ip}:4318(/v1/metrics), if not empty, OTLP Metrics output is enabled
# protocol: "" # OTLP transport protocol to be used for metrics data; it can be "grpc" or "http/protobuf" (default: "grpc")
# timeout: "" # OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000)
# headers: "" # List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "")
# extraenvvars: # Extra env vars (override the other settings) (default: "")
# OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000
# OTEL_EXPORTER_OTLP_TIMEOUT: 10000
# minimumpriority: "" # Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "")
# checkcert: true # Set to false if you want to skip TLS certificate validation (only with https) (default: true)
# extraattributes: "" # Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields
talon:
# address: "" # Falco talon address, if not empty, Falco Talon output is enabled
# checkcert: false # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
logstash:
# address: "" # Logstash address, if not empty, Logstash output is enabled
# port: 5044 # Logstash port number (default: 5044)
# tls: false # communicate over tls; requires Logstash version 8+ to work
# mutualtls: false # or authenticate to the output with TLS; if true, checkcert flag will be ignored (server cert will always be checked) (default: false)
# checkcert: true # Check if ssl certificate of the output is valid (default: true)
# certfile: "" # Use this certificate file instead of the client certificate when using mutual TLS (default: "")
# keyfile: "" # Use this key file instead of the client certificate when using mutual TLS (default: "")
# cacertfile: "" # Use this CA certificate file instead of the client certificate when using mutual TLS (default: "")
# minimumpriority: minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "debug")
# tags: ["falco"] # An additional list of tags that will be added to those produced by Falco (default: [])


@ -1,72 +0,0 @@
version: "3"
services:
smtp:
image: mailhog/mailhog:latest
ports:
- "1025:1025"
- "8025:8025"
profiles: [smtp]
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:8.1.0
ports:
- "9200:9200"
- "9300:9300"
environment: #credentials: elastic/elastic
- ELASTIC_PASSWORD=elastic
- discovery.type=single-node
- xpack.security.enabled=false
- xpack.security.transport.ssl.enabled=false
profiles: [elasticsearch]
nats:
image: nats:latest
ports:
- "4222:4222"
- "8222:8222"
command: "--http_port 8222"
hostname: nats
profiles: [nats]
loki:
image: grafana/loki:latest
ports:
- "3100:3100"
command: -config.file=/etc/loki/local-config.yaml
profiles: [loki]
grafana: #credentials: admin/admin
image: grafana/grafana:latest
ports:
- "3000:3000"
depends_on: [loki]
profiles: [loki]
influxdb: #credentials: admin/adminadmin
image: influxdb:latest
environment:
- DOCKER_INFLUXDB_INIT_MODE=setup
- DOCKER_INFLUXDB_INIT_USERNAME=admin
- DOCKER_INFLUXDB_INIT_PASSWORD=adminadmin
- DOCKER_INFLUXDB_INIT_ORG=falco
- DOCKER_INFLUXDB_INIT_BUCKET=falco
ports:
- "8086:8086"
profiles: [influxdb]
alertmanager:
image: prom/alertmanager:latest
ports:
- "9093:9093"
profiles: [alertmanager]
minio:
image: quay.io/minio/minio
environment:
- MINIO_ROOT_USER=root
- MINIO_ROOT_PASSWORD=super-secret
- MINIO_DOMAIN=minio.localhost
command: server /data --console-address ":9001"
ports:
- "9000:9000"
- "9001:9001"
profiles: [minio]


@ -1,35 +0,0 @@
# Output Name
- **Category**: Category of the output
- **Website**: URL of the output
## Table of content
- [Output Name](#output-name)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------- | ------- | ------------- | ----------- |
| | | | |
| | | | |
| | | | |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
output:
setting: ""
```
## Additional info
## Screenshots


@ -1,55 +0,0 @@
# AlertManager
- **Category**: Alerting
- **Website**: https://github.com/prometheus/alertmanager
## Table of content
- [AlertManager](#alertmanager)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| --------------------------------------- | --------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `alertmanager.hostport` | `ALERTMANAGER_HOSTPORT` | | Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is **enabled** |
| `alertmanager.mutualtls` | `ALERTMANAGER_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `alertmanager.checkcert` | `ALERTMANAGER_CHECKCERT` | `true` | check if ssl certificate of the output is valid |
| `alertmanager.endpoint` | `ALERTMANAGER_ENDPOINT` | `/api/v1/alerts` | Alertmanager endpoint for posting alerts `/api/v1/alerts` or `/api/v2/alerts` |
| `alertmanager.expiresafter` | `ALERTMANAGER_EXPIRESAFTER` | `0` | If set to a non-zero value, alert expires after that time in seconds |
| `alertmanager.extralabels` | `ALERTMANAGER_EXTRALABELS` | | Comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: `my_annotation_1:my_value_1, my_annotation_1:my_value_2` |
| `alertmanager.extraannotations` | `ALERTMANAGER_EXTRAANNOTATIONS` | | Comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts Example: `debug:value_1,critical:value2` |
| `alertmanager.customseveritymap` | `ALERTMANAGER_CUSTOMSEVERITYMAP` | | Comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: `debug:value_1,critical:value2` |
| `alertmanager.dropeventdefaultpriority` | `ALERTMANAGER_DROPEVENTDEFAULTPRIORITY` | `critical` | Default priority of dropped events, values are `emergency,alert,critical,error,warning,notice,informational,debug` |
| `alertmanager.dropeventthresholds` | `ALERTMANAGER_DROPEVENTTHRESHOLDS` | `10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning` | Comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` |
| `alertmanager.minimumpriority` | `ALERTMANAGER_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `alertmanager.customheaders` | `ALERTMANAGER_CUSTOMHEADERS` | | Custom headers for the POST request |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
alertmanager:
hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# endpoint: "" # alertmanager endpoint for posting alerts: "/api/v1/alerts" or "/api/v2/alerts" (default: "/api/v1/alerts")
# expiresafter: "" if set to a non-zero value, alert expires after that time in seconds (default: 0)
# extralabels: "" # comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2
# extraannotations: "" # comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2
# customseveritymap: "" # comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: "")
# dropeventdefaultpriority: "" # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: "critical")
# dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default: `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"`)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
```
## Screenshots
![alertmanager example](images/alertmanager.png)


@ -1,76 +0,0 @@
# AWS Cloudwatch Logs
- **Category**: Logs
- **Website**: https://aws.amazon.com/cloudwatch/features/
## Table of content
- [AWS Cloudwatch Logs](#aws-cloudwatch-logs)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [CloudWatch Logs Sample IAM Policy](#cloudwatch-logs-sample-iam-policy)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------------ | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `aws.accesskeyid` | `AWS_ACCESSKEYID` | | AWS access key (optional if you use EC2 Instance Profile) |
| `aws.secretaccesskey` | `AWS_SECRETACCESSKEY` | | AWS secret access key (optional if you use EC2 Instance Profile) |
| `aws.region` | `AWS_REGION` | | AWS region (by default, the metadata are used to get it) |
| `aws.rolearn` | `AWS_ROLEARN` | | AWS role to assume (optional if you use EC2 Instance Profile) |
| `aws.externalid` | `AWS_EXTERNALID` | | External id for the role to assume (optional if you use EC2 Instance Profile) |
| `aws.checkidentity` | `AWS_CHECKIDENTITY` | `true` | Check the identity credentials, set to false for locale developments |
| `aws.cloudwatchlogs.loggroup` | `AWS_CLOUDWATCHLOGS_LOGGROUP` | | AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is **enabled** |
| `aws.cloudwatchlogs.logstream` | `AWS_CLOUDWATCHLOGS_LOGSTREAM` | | AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream |
| `aws.cloudwatchlogs.minimumpriority` | `AWS_CLOUDWATCHLOGS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
cloudwatchlogs:
loggroup : "" # AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is enabled
logstream : "" # AWS CloudWatch Logs Stream name, if empty, Falcosidekick will try to create a log stream
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
When using this AWS output you will need to set the AWS keys or role with some permissions.
### CloudWatch Logs Sample IAM Policy
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "cloudwacthlogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutRetentionPolicy",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
```
## Screenshots


@ -1,51 +0,0 @@
# AWS Kinesis
- **Category**: Message Queue / Streaming
- **Website**: https://aws.amazon.com/kinesis/
## Table of content
- [AWS Kinesis](#aws-kinesis)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `aws.accesskeyid` | `AWS_ACCESSKEYID` | | AWS access key (optional if you use EC2 Instance Profile) |
| `aws.secretaccesskey` | `AWS_SECRETACCESSKEY` | | AWS secret access key (optional if you use EC2 Instance Profile) |
| `aws.region` | `AWS_REGION` | | AWS region (by default, the metadata are used to get it) |
| `aws.rolearn` | `AWS_ROLEARN` | | AWS role to assume (optional if you use EC2 Instance Profile) |
| `aws.externalid` | `AWS_EXTERNALID` | | External id for the role to assume (optional if you use EC2 Instance Profile) |
| `aws.checkidentity` | `AWS_CHECKIDENTITY` | `true` | Check the identity credentials, set to false for locale developments |
| `aws.kinesis.streamname` | `AWS_KINESIS_STREAMNAME` | | AWS Kinesis Stream Name, if not empty, Kinesis output is **enabled** |
| `aws.kinesis.minimumpriority` | `AWS_KINESIS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
kinesis:
streamname: "" # AWS Kinesis Stream Name, if not empty, Kinesis output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
When using this AWS output you will need to set the AWS keys or role with some permissions.
## Screenshots


@ -1,70 +0,0 @@
# AWS Lambda
- **Category**: FaaS / Serverless
- **Website**: https://aws.amazon.com/lambda/features/
## Table of content
- [AWS Lambda](#aws-lambda)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Lambda Sample IAM Policy](#lambda-sample-iam-policy)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------------- | ---------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `aws.accesskeyid` | `AWS_ACCESSKEYID` | | AWS access key (optional if you use EC2 Instance Profile) |
| `aws.secretaccesskey` | `AWS_SECRETACCESSKEY` | | AWS secret access key (optional if you use EC2 Instance Profile) |
| `aws.region` | `AWS_REGION` | | AWS region (by default, the metadata are used to get it) |
| `aws.rolearn` | `AWS_ROLEARN` | | AWS role to assume (optional if you use EC2 Instance Profile) |
| `aws.externalid` | `AWS_EXTERNALID` | | External id for the role to assume (optional if you use EC2 Instance Profile) |
| `aws.checkidentity` | `AWS_CHECKIDENTITY` | `true` | Check the identity credentials, set to false for locale developments |
| `aws.lambda.functionname` | `AWS_LAMBDA_FUNCTIONNAME` | | Lambda function name, if not empty, AWS Lambda output is **enabled** |
| `aws.lambda.minimumpriority` | `AWS_LAMBDA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
lambda:
functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
When using this AWS output you will need to set the AWS keys or role with some permissions.
### Lambda Sample IAM Policy
```json
{
"Version": "2012-10-17",
"Id": "lambda",
"Statement": [
{
"Sid": "invoke",
"Effect": "Allow",
"Principal": "*",
"Action": "lambda:InvokeFunction",
"Resource": "*"
}
]
}
```
## Screenshots


@ -1,57 +0,0 @@
# AWS S3
- **Category**: Object storage
- **Website**: https://aws.amazon.com/s3/features/
## Table of content
- [AWS S3](#aws-s3)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
|--------------------------|--------------------------|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
| `aws.accesskeyid` | `AWS_ACCESSKEYID` | | AWS access key (optional if you use EC2 Instance Profile) |
| `aws.secretaccesskey` | `AWS_SECRETACCESSKEY` | | AWS secret access key (optional if you use EC2 Instance Profile) |
| `aws.region` | `AWS_REGION` | | AWS region (by default, the metadata are used to get it) |
| `aws.rolearn` | `AWS_ROLEARN` | | AWS role to assume (optional if you use EC2 Instance Profile) |
| `aws.externalid` | `AWS_EXTERNALID` | | External id for the role to assume (optional if you use EC2 Instance Profile) |
| `aws.checkidentity` | `AWS_CHECKIDENTITY` | `true` | Check the identity credentials, set to false for locale developments |
| `aws.s3.bucket` | `AWS_S3_BUCKET` | | AWS S3 bucket name, if not empty, AWS S3 output is **enabled** |
| `aws.s3.prefix` | `AWS_S3_PREFIX` | | Prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
| `aws.s3.minimumpriority` | `AWS_S3_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `aws.s3.endpoint` | `AWS_S3_ENDPOINT` | | Endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs |
| `aws.s3.objectcannedacl` | `AWS_S3_OBJECTCANNEDACL` | `bucket-owner-full-control` | Canned ACL (`x-amz-acl`) to use when creating the object |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
s3:
bucket: "falcosidekick" # AWS S3, bucket name
prefix : "" # Prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# endpoint: "" # endpoint URL that overrides the default generated endpoint, use this for S3 compatible APIs
# objectcannedacl: "bucket-owner-full-control" # Canned ACL (x-amz-acl) to use when creating the object
```
## Additional info
> [!NOTE]
When using this AWS output you will need to set the AWS keys or role with some permissions.
## Screenshots


@ -1,61 +0,0 @@
# AWS Security Lake
- **Category**: SIEM
- **Website**: https://aws.amazon.com/security-lake/
## Table of content
- [AWS Security Lake](#aws-security-lake)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------------------- | ---------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `aws.accesskeyid` | `AWS_ACCESSKEYID` | | AWS access key (optional if you use EC2 Instance Profile) |
| `aws.secretaccesskey` | `AWS_SECRETACCESSKEY` | | AWS secret access key (optional if you use EC2 Instance Profile) |
| `aws.region` | `AWS_REGION` | | AWS region (by default, the metadata are used to get it) |
| `aws.rolearn` | `AWS_ROLEARN` | | AWS role to assume (optional if you use EC2 Instance Profile) |
| `aws.externalid` | `AWS_EXTERNALID` | | External id for the role to assume (optional if you use EC2 Instance Profile) |
| `aws.checkidentity` | `AWS_CHECKIDENTITY` | `true` | Check the identity credentials, set to false for locale developments |
| `aws.securitylake.bucket` | `AWS_SECURITYLAKE_BUCKET` | | Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is **enabled** |
| `aws.securitylake.region` | `AWS_SECURITYLAKE_REGION` | | Bucket Region for AWS SecurityLake data |
| `aws.securitylake.prefix` | `AWS_SECURITYLAKE_PREFIX` | | Prefix for keys |
| `aws.securitylake.accountid` | `AWS_SECURITYLAKE_ACCOUNTID` | | Account ID |
| `aws.securitylake.interval` | `AWS_SECURITYLAKE_INTERVAL` | `5` | Time in minutes between two puts to S3 (must be between 5 and 60min) |
| `aws.securitylake.batchsize` | `AWS_SECURITYLAKE_BATCHSIZE` | `1000` | Max number of events by parquet file |
| `aws.securitylake.minimumpriority` | `AWS_SECURITYLAKE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
securitylake.:
bucket: "" # Bucket for AWS SecurityLake data, if not empty, AWS SecurityLake output is enabled
region: "" # Bucket Region
prefix: "" # Prefix for keys
accountid: "" # Account ID
# interval: 5 # Time in minutes between two puts to S3 (must be between 5 and 60min) (default: 5min)
# batchsize: 1000 # Max number of events by parquet file (default: 1000)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
When using this AWS output you will need to set the AWS keys or role with some permissions.
## Screenshots


@ -1,73 +0,0 @@
# AWS SNS
- **Category**: Message queue / Streaming
- **Website**: https://aws.amazon.com/sns/features/
## Table of content
- [AWS SNS](#aws-sns)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [SNS Sample Policy](#sns-sample-policy)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `aws.accesskeyid` | `AWS_ACCESSKEYID` | | AWS access key (optional if you use EC2 Instance Profile) |
| `aws.secretaccesskey` | `AWS_SECRETACCESSKEY` | | AWS secret access key (optional if you use EC2 Instance Profile) |
| `aws.region` | `AWS_REGION` | | AWS region (by default, the metadata are used to get it) |
| `aws.rolearn` | `AWS_ROLEARN` | | AWS role to assume (optional if you use EC2 Instance Profile) |
| `aws.externalid` | `AWS_EXTERNALID` | | External id for the role to assume (optional if you use EC2 Instance Profile) |
| `aws.checkidentity` | `AWS_CHECKIDENTITY` | `true` | Check the identity credentials, set to false for locale developments |
| `aws.sns.topicarn` | `AWS_SNS_TOPICARN` | | SNS TopicArn, if not empty, AWS SNS output is **enabled** |
| `aws.sns.rawjson` | `AWS_SNS_RAWJSON` | `false` | end Raw JSON or parse it |
| `aws.sns.minimumpriority` | `AWS_SNS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
sns:
# topicarn : "" # SNS TopicArn, if not empty, AWS SNS output is enabled
rawjson: false # Send Raw JSON or parse it (default: false)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
When using this AWS output you will need to set the AWS keys or role with some permissions.
### SNS Sample Policy
```json
{
"Version": "2012-10-17",
"Id": "sns",
"Statement": [
{
"Sid": "publish",
"Effect": "Allow",
"Principal": "*",
"Action": "sns:Publish",
"Resource": "arn:aws:sqs:*:111122223333:queue1"
}
]
}
```
## Screenshots


@ -1,72 +0,0 @@
# AWS SQS
- **Category**: Message queue / Streaming
- **Website**: https://aws.amazon.com/sqs/features/
## Table of content
- [AWS SQS](#aws-sqs)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [SQS Sample IAM Policy](#sqs-sample-iam-policy)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `aws.accesskeyid` | `AWS_ACCESSKEYID` | | AWS access key (optional if you use EC2 Instance Profile) |
| `aws.secretaccesskey` | `AWS_SECRETACCESSKEY` | | AWS secret access key (optional if you use EC2 Instance Profile) |
| `aws.region` | `AWS_REGION` | | AWS region (by default, the metadata are used to get it) |
| `aws.rolearn` | `AWS_ROLEARN` | | AWS role to assume (optional if you use EC2 Instance Profile) |
| `aws.externalid` | `AWS_EXTERNALID` | | External id for the role to assume (optional if you use EC2 Instance Profile) |
| `aws.checkidentity` | `AWS_CHECKIDENTITY` | `true` | Check the identity credentials, set to false for locale developments |
| `aws.sqs.url` | `AWS_SQS_URL` | | SQS Queue URL, if not empty, AWS SQS output is **enabled** |
| `aws.sqs.minimumpriority` | `AWS_SQS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
aws:
# accesskeyid: "" # aws access key (optional if you use EC2 Instance Profile)
# secretaccesskey: "" # aws secret access key (optional if you use EC2 Instance Profile)
# region : "" # aws region (by default, the metadata are used to get it)
# rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
# externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)
# checkidentity: true # check the identity credentials, set to false for locale developments (default: true)
sqs:
# url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
When using this AWS output you will need to set the AWS keys or role with some permissions.
### SQS Sample IAM Policy
```json
{
"Version": "2012-10-17",
"Id": "sqs",
"Statement": [
{
"Sid": "sendMessage",
"Effect": "Allow",
"Principal": "*",
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:*:111122223333:queue1"
}
]
}
```
## Screenshots
![aws sqs example](images/aws_sqs.png)


@ -1,37 +0,0 @@
# Azure EventHub
- **Category**: Message queue / Streaming
- **Website**: https://azure.microsoft.com/en-in/services/event-hubs/²
## Table of content
- [Azure EventHub](#azure-eventhub)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| -------------------------------- | -------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `azure.eventhub.name` | `AZURE_EVENTHUB_NAME` | | Name of the Hub, if not empty, EventHub is **enabled** |
| `azure.eventhub.namespace` | `AZURE_EVENTHUB_NAMESPACE` | | Name of the space the Hub is in |
| `azure.eventhub.minimumpriority` | `AZURE_EVENTHUB_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
azure:
eventhub:
name: "" # Name of the Hub, if not empty, EventHub is enabled
namespace: "" # Name of the space the Hub is in
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,59 +0,0 @@
# Zoho Cliq
- **Category**: Chat
- **Website**: https://www.zoho.com/cliq/
## Table of content
- [Zoho Cliq](#zoho-cliq)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Message Formatting](#message-formatting)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------- | ---------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `cliq.webhookurl` | `CLIQ_WEBHOOKURL` | | WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is **enabled** |
| `cliq.icon` | `CLIQ_ICON` | | Cliq icon (avatar) |
| `cliq.useemoji` | `CLIQ_USEEMOJI` | `true` | Prefix message text with an emoji |
| `cliq.outputformat` | `CLIQ_OUTPUTFORMAT` | `all` | `all`, `text`, `fields` |
| `cliq.messageformat` | `CLIQ_MESSAGEFORMAT` | | A Go template to format Cliq Text above Attachment, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
| `cliq.minimumpriority` | `CLIQ_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
cliq:
webhookurl: "" # WebhookURL (ex: https://cliq.zoho.eu/api/v2/channelsbyname/XXXX/message?zapikey=YYYY), if not empty, Cliq output is enabled
# icon: "" # Cliq icon (avatar)
# useemoji: true # Prefix message text with an emoji
# outputformat: "all" # all (default), text, fields
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index.OutputFields "user.name" }}*' # a Go template to format Cliq Text above Table, displayed in addition to the output from `CLIQ_OUTPUTFORMAT`, see [Slack Message Formatting](#slack-message-formatting) in the README for details. If empty, no Text is displayed before Table.
```
## Additional info
### Message Formatting
The `CLIQ_MESSAGEFORMAT` environment variable and `cliq.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Cliq alert.
These templates are evaluated on the JSON data from each Falco event. The following fields are available:
| Template Syntax | Description |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `{{ .Output }}` | A formatted string from Falco describing the event. |
| `{{ .Priority }}` | The priority of the event, as a string. |
| `{{ .Rule }}` | The name of the rule that generated the event. |
| `{{ .Time }}` | The timestamp when the event occurred. |
| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
## Screenshots


@ -1,48 +0,0 @@
# Cloud Events
- **Category**: FaaS / Serverless
- **Website**: https://cloudevents.io/
## Table of content
- [Cloud Events](#cloud-events)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `cloudevents.address` | `CLOUDEVENTS_ADDRESS` | | CloudEvents consumer http address, if not empty, CloudEvents output is **enabled** |
| `cloudevents.extensions` | `CLOUDEVENTS_EXTENSIONS` | | Extensions to add in the outbound Event, useful for routing |
| `cloudevents.mutualtls` | `CLOUDEVENTS_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `cloudevents.checkcert` | `CLOUDEVENTS_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `cloudevents.minimumpriority` | `CLOUDEVENTS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
cloudevents:
address: "" # CloudEvents consumer http address, if not empty, CloudEvents output is enabled
# extensions: # Extensions to add in the outbound Event, useful for routing
# key: value
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
This output works with [`KNative`](https://knative.dev/).
## Screenshots


@ -1,41 +0,0 @@
# Datadog
- **Category**: Observability
- **Website**: https://www.datadoghq.com/
## Table of content
- [Datadog](#datadog)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------- | ------------------------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `datadog.apikey` | `DATADOG_APIKEY` | | Datadog API Key, if not empty, Datadog output is **enabled** |
| `datadog.host` | `DATADOG_HOST` | `https://api.datadoghq.com` | Datadog host. Override if you are on the Datadog EU site |
| `datadog.minimumpriority` | `DATADOG_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
datadog:
apikey: "" # Datadog API Key, if not empty, Datadog output is enabled
# host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://api.datadoghq.com"
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
Filter the events in the UI with `sources: falco`.
## Screenshots
![datadog example](images/datadog.png)


@ -1,43 +0,0 @@
# Datadog Logs
- **Category**: Logs
- **Website**: https://www.datadoghq.com/
## Table of content
- [Datadog Logs](#datadogLogs)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
|-------------------------------|-----------------------------| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| `datadoglogs.apikey` | `DATADOGLOGS_APIKEY` | | Datadog API Key, if not empty, Datadog Logs output is **enabled** |
| `datadoglogs.host` | `DATADOGLOGS_HOST` | `https://http-intake.logs.datadoghq.com/` | Datadog host. Override if you are on the Datadog EU site |
| `datadoglogs.minimumpriority` | `DATADOGLOGS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `datadoglogs.service` | `DATADOGLOGS_SERVICE` | `""` | The name of the application or service generating the log events. |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
datadoglogs:
apikey: "" # Datadog API Key, if not empty, Datadog Logs output is enabled
# host: "" # Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/"
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# service: "" # The name of the application or service generating the log events.
```
## Additional info
Filter the logs in the UI with `sources: falco`.
## Screenshots
![datadog example](images/datadog_logs.png)


@ -1,39 +0,0 @@
# Discord
- **Category**: Chat
- **Website**: https://www.discord.com/
## Table of content
- [Discord](#discord)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `discord.webhookurl` | `DISCORD_WEBHOOKURL` | | Discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is **enabled** |
| `discord.ICON` | `DISCORD_ICON` | | Discord icon (avatar) |
| `discord.minimumpriority` | `DISCORD_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
discord:
webhookurl: "" # discord WebhookURL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is enabled
# icon: "" # Discord icon (avatar)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots
![discord example](images/discord.png)


@ -1,38 +0,0 @@
# Dogstatsd
- **Category**: Metrics / Observability
- **Website**: https://docs.datadoghq.com/developers/dogstatsd/?tab=go
## Table of content
- [Dogstatsd](#dogstatsd)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| --------------------- | --------------------- | ---------------- | ------------------------------------------------------------------------------------------------------- |
| `dogstastd.forwarded` | `DOGSTASTD_FORWARDED` | | The address for the DogStatsD forwarder, in the form "host:port", if not empty DogStatsD is **enabled** |
| `dogstastd.namespace` | `DOGSTASTD_NAMESPACE` | `falcosidekick.` | A prefix for all metrics |
| `dogstastd.tags` | `DOGSTASTD_TAGS` | | Comma separeted list of key:value to add as tags to the metrics |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
dogstatsd:
forwarder: "" # The address for the DogStatsD forwarder, in the form "host:port", if not empty DogStatsD is enabled
namespace: "falcosidekick." # A prefix for all metrics (default: "falcosidekick.")
# tag : # Tags to add to the metrics
# key: "value"
```
## Additional info
## Screenshots


@ -1,41 +0,0 @@
# Dynatrace
- **Category**: Metrics / Observability
- **Website**: https://www.dynatrace.com/
## Table of content
- [Dynatrace](#dynatrace)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `dynatrace.api_token` | `DYNATRACE_APITOKEN` | | Dynatrace API token with the "logs.ingest" scope, more info: https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled |
| `dynatrace.apiurl` | `DYNATRACE_APIURL` | | Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge |
| `dynatrace.minimumpriority` | `DYNATRACE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `dynatrace.checkcert` | `DYNATRACE_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
dynatrace:
apitoken: "" # Dynatrace API token with the "logs.ingest" scope, more info : https://dt-url.net/8543sda, if not empty, Dynatrace output is enabled
apiurl: "" # Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Additional info
## Screenshots
![Dynatrace example](images/dynatrace.png)


@ -1,79 +0,0 @@
# Elasticsearch
- **Category**: Logs
- **Website**: https://www.elastic.co/elasticsearch/
## Table of content
- [Elasticsearch](#elasticsearch)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------------- | -------------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `elasticsearch.hostport` | `ELASTICSEARCH_HOSTPORT` | | http://{domain or ip}:{port}, if not empty, Elasticsearch output is **enabled** |
| `elasticsearch.index` | `ELASTICSEARCH_INDEX` | `falco` | Index |
| `elasticsearch.type` | `ELASTICSEARCH_TYPE` | `_doc` | Index |
| `elasticsearch.pipeline` | `ELASTICSEARCH_PIPELINE` | | Optional ingest pipeline name. Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html |
| `elasticsearch.suffix` | `ELASTICSEARCH_SUFFIX` | `daily` | Date suffix for index rotation : `daily`, `monthly`, `annually`, `none` |
| `elasticsearch.apikey` | `ELASTICSEARCH_APIKEY` | | Use this APIKey to authenticate to Elasticsearch |
| `elasticsearch.username` | `ELASTICSEARCH_USERNAME` | | Use this username to authenticate to Elasticsearch |
| `elasticsearch.password` | `ELASTICSEARCH_PASSWORD` | | Use this password to authenticate to Elasticsearch |
| `elasticsearch.flattenfields` | `ELASTICSEARCH_FLATTENFIELDS` | `false` | Replace . by _ to avoid mapping conflicts, force to true if `createindextemplate=true` |
| `elasticsearch.createindextemplate` | `ELASTICSEARCH_CREATEINDEXTEMPLATE` | `false` | Create an index template |
| `elasticsearch.numberofshards` | `ELASTICSEARCH_NUMBEROFSHARDS` | `3` | Number of shards set by the index template |
| `elasticsearch.numberofreplicas` | `ELASTICSEARCH_NUMBEROFREPLICAS` | `3` | Number of replicas set by the index template |
| `elasticsearch.customheaders` | `ELASTICSEARCH_CUSTOMHEADERS` | | Custom headers to add in POST, useful for Authentication |
| `elasticsearch.mutualtls` | `ELASTICSEARCH_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `elasticsearch.checkcert` | `ELASTICSEARCH_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `elasticsearch.minimumpriority` | `ELASTICSEARCH_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `elasticsearch.maxconcurrentrequests` | `ELASTICSEARCH_MAXCONCURRENTREQUESTS` | `1` | Max number of concurrent requests |
| `elasticsearch.enablecompression` | `ELASTICSEARCH_ENABLECOMPRESSION` | `false` | Enables gzip compression |
| `elasticsearch.batching.enabled` | `ELASTICSEARCH_BATCHING_ENABLED` | `false` | Enables batching (utilizing Elasticsearch bulk API) |
| `elasticsearch.batching.batchsize` | `ELASTICSEARCH_BATCHING_BATCHSIZE` | `5242880` | Batch size in bytes, default 5MB |
| `elasticsearch.batching.flushinterval`| `ELASTICSEARCH_BATCHING_FLUSHINTERVAL` | `1s` | Batch flush interval, use valid Go duration string |
> [!NOTE]
The Env var values override the settings from yaml file.
> [!NOTE]
Increasing the default number of concurrent requests is a good way to increase throughput of the http outputs. This also increases the potential number of open connections. Choose wisely.
> [!NOTE]
Enabling batching for Elasticsearch is invaluable when the expected number of falco alerts is in the hundreds or thousands per second. The batching of data can be fine-tuned for your specific use case. The batch request is sent to Elasticsearch when the pending data size reaches `batchsize` or upon the `flushinterval`.
Enabling gzip compression increases throughput even further.
> [!WARNING]
By enabling the creation of the index template with `elasticsearch.createindextemplate=true`, the output fields of the Falco events will be flatten to avoid any mapping conflict.
## Example of config.yaml
```yaml
elasticsearch:
# hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
# index: "falco" # index (default: falco)
# type: "_doc"
# suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
# username: "" # use this username to authenticate to Elasticsearch if the username is not empty (default: "")
# password: "" # use this password to authenticate to Elasticsearch if the password is not empty (default: "")
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# enablecompression: # if true enables gzip compression for http requests (default: false)
# batching: # batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API
# enabled: true # if true enables batching
# batchsize: 5242880 # batch size in bytes (default: 5 MB)
# flushinterval: 1s # batch fush interval (default: 1s)
# maxconcurrentrequests: # max number of concurrent http requests (default: 1)
```
## Screenshots
With Kibana:
![kibana example](images/kibana.png)


@ -1,36 +0,0 @@
# Falcosidekick-UI
- **Category**: Metrics / Observability
- **Website**: https://github.com/falcosecurity/falcosidekick-ui
## Table of content
- [Falcosidekick-UI](#falcosidekick-ui)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------- | ----------- | ------------- | ---------------------------------------------------- |
| `webui.url` | `WEBUI_URL` | | WebUI URL, if not empty, WebUI output is **enabled** |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
webui:
url: "" # WebUI URL, if not empty, WebUI output is enabled
```
## Additional info
## Screenshots
![falcosidekick-ui dashboard](images/falcosidekick-ui_dashboard.png)
![falcosidekick-ui events](images/falcosidekick-ui_events.png)


@ -1,46 +0,0 @@
# Fission
- **Category**: FaaS / Serverless
- **Website**: URL of the output
## Table of content
- [Fission](#fission)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `fission.function` | `FISSION_FUNCTION` | | Name of Fission function, if not empty, Fission is **enabled** |
| `fission.routernamespace` | `FISSION_ROUTERNAMESPACE` | `fission` | Namespace of Fission Router |
| `fission.routerservice` | `FISSION_ROUTERSERVICE` | `router` | Service of Fission Router |
| `fission.routerport` | `FISSION_ROUTERPORT` | `80` | Port of service of Fission Router |
| `fission.mutualtls` | `FISSION_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `fission.checkcert` | `FISSION_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `fission.minimumpriority` | `FISSION_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
fission:
function: "" # Name of Fission function, if not empty, Fission is enabled
routernamespace: "fission" # Namespace of Fission Router, "fission" (default)
routerservice: "router" # Service of Fission Router, "router" (default)
routerport: 80 # Port of service of Fission Router
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
```
## Additional info
## Screenshots


@ -1,38 +0,0 @@
# GCP Cloud Functions
- **Category**: FaaS / Serverless
- **Website**: https://cloud.google.com/functions
## Table of content
- [GCP Cloud Functions](#gcp-cloud-functions)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------------ | ------------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `gcp.credentials` | `GCP_CREDENTIALS` | | The base64-encoded JSON key file for the GCP service account |
| `gcp.cloudfunctions.name` | `GCP_CLOUDFUNCTIONS_NAME` | | The name of the Cloud Function, if not empty, Google Cloud Functions is **enabled** |
| `gcp.cloudfunctions.minimumpriority` | `GCP_CLOUDFUNCTIONS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
gcp:
credentials: "" # The base64-encoded JSON key file for the GCP service account
cloudfunctions:
name: "" # The name of the Cloud Function, if not empty, GCP Cloud Functions is enabled
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,40 +0,0 @@
# GCP Cloud Run
- **Category**: Faas / Serverless
- **Website**: https://cloud.google.com/run
## Table of content
- [GCP Cloud Run](#gcp-cloud-run)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `gcp.credentials` | `GCP_CREDENTIALS` | | The base64-encoded JSON key file for the GCP service account |
| `gcp.cloudrun.endpoint` | `GCP_CLOUDRUN_ENDPOINT` | | The URL of the Cloud Run, if not empty, Google Cloud Run is **enabled** |
| `gcp.cloudrun.jwt` | `GCP_CLOUDRUN_JWT` | | Appropriate JWT to invoke the Cloud Function |
| `gcp.cloudrun.minimumpriority` | `GCP_CLOUDRUN_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
gcp:
credentials: "" # The base64-encoded JSON key file for the GCP service account
cloudrun:
endpoint: "" # The URL of the Cloud Function
jwt: "" # Appropriate JWT to invoke the Cloud Function
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,43 +0,0 @@
# GCP PubSub
- **Category**: Message queue / Streaming
- **Website**: https://cloud.google.com/pubsub
## Table of content
- [GCP PubSub](#gcp-pubsub)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `gcp.credentials` | `GCP_CREDENTIALS` | | The base64-encoded JSON key file for the GCP service account |
| `gcp.pubsub.projectid` | `GCP_PUBSUB_PROJECTID` | | The GCP Project ID containing the Pub/Sub Topic, if not empty, GCP PubSub is **enabled** |
| `gcp.pubsub.topic` | `GCP_PUBSUB_TOPIC` | | The name of the Pub/Sub topic |
| `gcp.pubsub.customattributes` | `GCP_PUBSUB_CUSTOMATTRIBUTES` | | Custom attributes to add to the Pub/Sub messages |
| `gcp.pubsub.minimumpriority` | `GCP_PUBSUB_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
gcp:
credentials: "" # The base64-encoded JSON key file for the GCP service account
pubsub:
projectid: "" # The GCP Project ID containing the Pub/Sub Topic, if not empty, GCP PubSub is enabled
topic: "" # The name of the Pub/Sub topic
# customattributes: # Custom attributes to add to the Pub/Sub messages
# key: value
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,40 +0,0 @@
# GCP Storage
- **Category**: Object storage
- **Website**: https://cloud.google.com/storage
## Table of content
- [GCP Storage](#gcp-storage)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------------- | ----------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `gcp.credentials` | `GCP_CREDENTIALS` | | The base64-encoded JSON key file for the GCP service account |
| `gcp.storage.bucket` | `GCP_STORAGE_BUCKET` | | The name of the bucket, if not empty, GCP Storage is **enabled** |
| `gcp.storage.prefix` | `GCP_STORAGE_PREFIX` | | Prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
| `gcp.storage.minimumpriority` | `GCP_STORAGE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
gcp:
credentials: "" # The base64-encoded JSON key file for the GCP service account
storage:
bucket: "" # The name of the bucket, if not empty, GCP Storage is enabled
prefix : "" # Prefix, keys will have format: gs://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,63 +0,0 @@
# Google Chat
- **Category**: Chat
- **Website**: https://workspace.google.com/products/chat/
## Table of content
- [Google Chat](#google-chat)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Message Formatting](#message-formatting)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------------- | ---------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `googlechat.webhookurl` | `GOOGLECHAT_WEBHOOKURL` | | Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is **enabled** |
| `googlechat.outputformat` | `GOOGLECHAT_OUTPUTFORMAT` | `all` | `all`, `text` |
| `googlechat.messageformat` | `GOOGLECHAT_MESSAGEFORMAT` | | A Go template to format Googlechat Text above Attachment, displayed in addition to the output from `GOOGLECHAT_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
| `googlechat.minimumpriority` | `GOOGLECHAT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
googlechat:
webhookurl: "" # Google Chat WebhookURL (ex: https://chat.googleapis.com/v1/spaces/XXXXXX/YYYYYY), if not empty, Google Chat output is enabled
# outputformat: "" # all (default), text
# messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index.OutputFields "user.name" }}*' # a Go template to format Google Chat Text above Attachment, displayed in addition to the output from `GOOGLECHAT_OUTPUTFORMAT`.
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
### Message Formatting
The `GOOGLECHAT_MESSAGEFORMAT` environment variable and `googlechat.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Googlechat alert.
These templates are evaluated on the JSON data from each Falco event. The following fields are available:
| Template Syntax | Description |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `{{ .Output }}` | A formatted string from Falco describing the event. |
| `{{ .Priority }}` | The priority of the event, as a string. |
| `{{ .Rule }}` | The name of the rule that generated the event. |
| `{{ .Time }}` | The timestamp when the event occurred. |
| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
## Screenshots
(GOOGLECHAT_OUTPUTFORMAT="**all**")
![google chat example](images/google_chat_no_fields.png)
(GOOGLECHAT_OUTPUTFORMAT="**text**")
![google chat text example](images/google_chat_example.png)


@ -1,43 +0,0 @@
# Gotify
- **Category**: Message queue / Streaming
- **Website**: https://gotify.net/
## Table of content
- [Gotify](#gotify)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------ | ------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `gotify.hostport` | `GOTIFY_HOSTPORT` | | http://{domain or ip}:{port}, if not empty, Gotify output is **enabled** |
| `gotify.token` | `GOTIFY_TOKEN` | | API Token |
| `gotify.format` | `GOTIFY_FORMAT` | `markdown` | Format of the messages (`plaintext`, `markdown`, `json`) |
| `gotify.checkcert` | `GOTIFY_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `gotify.minimumpriority` | `GOTIFY_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
gotify:
hostport: "" # http://{domain or ip}:{port}, if not empty, Gotify output is enabled
token: "" # API Token
# format: "markdown" # Format of the messages (plaintext, markdown, json) (default: markdown)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots
![gotify example](images/gotify.jpg)


@ -1,52 +0,0 @@
# Grafana
- **Category**: Logs
- **Website**: https://grafana.com/
## Table of content
- [Grafana](#grafana)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `grafana.hostport` | `GRAFANA_HOSTPORT` | | http://{domain or ip}:{port}, if not empty, Grafana output is **enabled** |
| `grafana.apikey` | `GRAFANA_HOSTPORT` | | API Key to authenticate to Grafana |
| `grafana.dashboardid` | `GRAFANA_DASHBOARDID` | | Annotations are scoped to a specific dashboard. Optionnal. |
| `grafana.panelid` | `GRAFANA_PANELID` | | Annotations are scoped to a specific panel. Optionnal. |
| `grafana.allfieldsastags` | `GRAFANA_ALLFIELDSASTAGS` | `false` | If true, all custom fields are added as tags |
| `grafana.customheaders` | `GRAFANA_CUSTOMHEADERS` | | Custom headers for the POST request |
| `grafana.checkcert` | `GRAFANA_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `grafana.minimumpriority` | `GRAFANA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
grafana:
hostport: "" # http://{domain or ip}:{port}, if not empty, Grafana output is enabled
apikey: "" # API Key to authenticate to Grafana, if not empty, Grafana output is enabled
# dashboardid: "" # annotations are scoped to a specific dashboard. Optionnal.
# panelid: "" # annotations are scoped to a specific panel. Optionnal.
# allfieldsastags: false # if true, all custom fields are added as tags (default: false)
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
> [!NOTE]
This output creates annotations.
## Screenshots


@ -1,44 +0,0 @@
# Grafana OnCall
- **Category**: Alerting
- **Website**: https://grafana.com/products/oncall/
## Table of content
- [Grafana OnCall](#grafana-oncall)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------- | ------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `grafanaoncall.webhookurl` | `GRAFANAONCALL_WEBHOOKURL` | | If not empty, Grafana OnCall output is enabled |
| `grafanaoncall.customheaders` | `GRAFANAONCALL_CUSTOMHEADERS` | | Custom headers for the POST request |
| `grafanaoncall.mutualtls` | `GRAFANAONCALL_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `grafanaoncall.checkcert` | `GRAFANAONCALL_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `grafanaoncall.minimumpriority` | `GRAFANAONCALL_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
grafanaoncall:
webhookurl: "" # if not empty, Grafana OnCall output is enabled
# customheaders: # Custom headers to add in POST, useful for Authentication
# key: value
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots
![grafana oncall example](images/grafana-oncall.png)


@ -1,67 +0,0 @@
# InfluxDB
- **Category**: Metrics/Observability
- **Website**: https://www.influxdata.com/products/influxdb/
## Table of content
- [InfluxDB](#influxdb)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Result](#result)
## Configuration
| Setting | Env var | Default value | Description |
| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `influxdb.hostport` | `INFLUXDB_HOSTPORT` | | http://{domain or ip}:{port}, if not empty, Influxdb output is **enabled** |
| `influxdb.database` | `INFLUXDB_DATABASE` | `falco` | Influxdb database (api v1 only) |
| `influxdb.organization` | `INFLUXDB_ORGANISATION` | | Influxdb organisation |
| `influxdb.bucket` | `INFLUXDB_BUCKET` | `falco` | Metrics bucket |
| `influxdb.precision` | `INFLUXDB_PRECISION` | `ns` | Write precision |
| `influxdb.user` | `INFLUXDB_USER` | | User to use if auth is enabled in Influxdb |
| `influxdb.password` | `INFLUXDB_PASSWORD` | | Password to use if auth is enabled in Influxdb |
| `influxdb.token` | `INFLUXDB_TOKEN` | | API token to use if auth in enabled in Influxdb (disables user and password) |
| `influxdb.mutualtls` | `INFLUXDB_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `influxdb.checkcert` | `INFLUXDB_CHECKCERT` | `true` | Check if ssl certificate of the output is valid | `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`
| `influxdb.minimumpriority` | `INFLUXDB_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
influxdb:
# hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
# database: "falco" # Influxdb database (api v1 only) (default: falco)
# organization: "" # Influxdb organization
# bucket: "falco" # Metrics bucket (default: falco)
# precision: "ns" # Write precision
# user: "" # user to use if auth is enabled in Influxdb
# password: "" # pasword to use if auth is enabled in Influxdb
# token: "" # API token to use if auth in enabled in Influxdb (disables user and password)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Result
```bash
> use falco
Using database falco
> show series
key
---
events,akey=AValue,bkey=BValue,ckey=CValue,priority=Debug,rule=Testrule
events,akey=A_Value,bkey=B_Value,ckey=C_Value,priority=Debug,rule=Test_rule
> select * from events
name: events
time akey bkey ckey priority rule value
---- ---- ---- ---- -------- ---- -----
1560433816893368400 AValue BValue CValue Debug Testrule This is a test from falcosidekick
1560441359119741800 A_Value B_Value C_Value Debug Test_rule This is a test from falcosidekick
```


@ -1,57 +0,0 @@
# Kafka
- **Category**: Message queue / Streaming
- **Website**: https://kafka.apache.org/
## Table of content
- [Kafka](#kafka)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------- | ----------------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `kafka.hostport` | `KAFKA_HOSTPORT` | | Comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is **enabled** |
| `kafka.topic` | `KAFKA_TOPIC` | | Name of the topic |
| `kafka.topiccreation` | `KAFKA_TOPICCREATION` | `false` | Auto create the topic if it doesn't exist |
| `kafka.sasl` | `KAFKA_SASL` | | SASL authentication mechanism, if empty, no authentication (`PLAIN`, `SCRAM_SHA256`, `SCRAM_SHA512`) |
| `kafka.tls` | `KAFKA_TSL` | `false` | Use TLS for the connections |
| `kafka.username` | `KAFKA_USERNAME` | | Use this username to authenticate to Kafka via SASL |
| `kafka.password` | `KAFKA_PASSWORD` | | Use this password to authenticate to Kafka via SASL |
| `kafka.async` | `KAFKA_ASYNC` | `false` | Produce messages without blocking |
| `kafka.requiredacks` | `KAFKA_REQUIREDACKS` | `NONE` | Number of acknowledges from partition replicas required before receiving |
| `kafka.compression` | `KAFKA_COMPRESSION` | `NONE` | Enable message compression using this algorithm (`GZIP`, `SNAPPY`, `LZ4`, `ZSTD`, `NONE`) |
| `kafka.balancer` | `KAFKA_BALANCER` | `round_robin` | Partition balancing strategy when producing |
| `kafka.clientid` | `KAFKA_CLIENTID` | | Specify a client.id when communicating with the broker for tracing |
| `kafka.minimumpriority` | `KAFKA_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
kafka:
hostport: "" # Comma separated list of Apache Kafka bootstrap nodes for establishing the initial connection to the cluster (ex: localhost:9092,localhost:9093). Defaults to port 9092 if no port is specified after the domain, if not empty, Kafka output is enabled
topic: "" # Name of the topic
# topiccreation: false # auto create the topic if it doesn't exist (default: false)
# sasl: "" # SASL authentication mechanism, if empty, no authentication (PLAIN|SCRAM_SHA256|SCRAM_SHA512)
# tls: false # Use TLS for the connections (default: false)
# username: "" # use this username to authenticate to Kafka via SASL (default: "")
# password: "" # use this password to authenticate to Kafka via SASL (default: "")
# async: false # produce messages without blocking (default: false)
# requiredacks: NONE # number of acknowledges from partition replicas required before receiving (default: "NONE")
# compression: "" # enable message compression using this algorithm (GZIP|SNAPPY|LZ4|ZSTD|NONE) (default: "NONE")
# balancer: "" # partition balancing strategy when producing (default: "round_robin")
# clientid: "" # specify a client.id when communicating with the broker for tracing
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,41 +0,0 @@
# Kafka Rest
- **Category**: Message queue / Streaming
- **Website**: https://docs.confluent.io/platform/current/kafka-rest/index.html
## Table of content
- [Kafka Rest](#kafka-rest)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `kafkarest.address` | `KAFKAREST_ADDRESS` | | The full URL to the topic (example "http://kafkarest:8082/topics/test"), if not empty, Kafka Rest is **enabled** |
| `kafkarest.version` | `KAFKAREST_VERSION` | `2` | Kafka Rest Proxy API version `2` or `1` |
| `kafkarest.mutualtls` | `KAFKAREST_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `kafkarest.checkcert` | `KAFKAREST_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `kafkarest.minimumpriority` | `KAFKAREST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
kafkarest:
address: "" # The full URL to the topic (example "http://kafkarest:8082/topics/test")
# version: 2 # Kafka Rest Proxy API version 2|1 (default: 2)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,46 +0,0 @@
# Kubeless
- **Category**: FaaS / Serverless
- **Website**: https://kubeless.io/
## Table of content
- [Kubeless](#kubeless)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `kubeless.function` | `KUBELESS_FUNCTION` | | Name of Kubeless function, if not empty, Kubeless is **enabled** |
| `kubeless.namespace` | `KUBELESS_NAMESPACE` | | Namespace of Kubeless function (mandatory) |
| `kubeless.port` | `KUBELESS_PORT` | `8080` | Port of service of Kubeless function |
| `kubeless.port` | `KUBELESS_PORT` | `~/.kube/config` | Port of service of Kubeless function |
| `kubeless.kubeconfig` | `KUBELESS_KUBECONFIG` | `true` | Kubeconfig file to use (only if falcosidekick is running outside the cluster) |
| `kubeless.minimumpriority` | `KUBELESS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
kubeless:
function: "" # Name of Kubeless function, if not empty, Kubeless is enabled
namespace: "" # Namespace of Kubeless function (mandatory)
port: 8080 # Port of service of Kubeless function
kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Additional info
> [!WARNING]
`Kubeless` is no more maintained, consider to use a different output.
## Screenshots


@ -1,51 +0,0 @@
# Logstash
- **Category**: Logs
- **Website**: https://github.com/elastic/logstash
## Table of content
- [Logstash](#logstash)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `logstash.address` | `LOGSTASH_ADDRESS` | | Logstash address, if not empty, Logstash output is **enabled** |
| `logstash.port` | `LOGSTASH_PORT` | 5044 | Logstash port number |
| `logstash.tls` | `LOGSTASH_TLS` | false | Use TLS connection (true/false) |
| `logstash.mutualtls` | `LOGSTASH_MUTUALTLS` | false | Authenticate to the output with TLS; if true, checkcert flag will be ignored (server cert will always be checked) |
| `logstash.checkcert` | `LOGSTASH_CHECKCERT` | true | Check if ssl certificate of the output is valid |
| `logstash.certfile` | `LOGSTASH_CERTFILE` | | Use this certificate file instead of the client certificate when using mutual TLS |
| `logstash.keyfile` | `LOGSTASH_KEYFILE` | | Use this key file instead of the client certificate when using mutual TLS |
| `logstash.cacertfile` | `LOGSTASH_CACERTFILE` | | Use this CA certificate file instead of the client certificate when using mutual TLS |
| `logstash.minimumpriority` | `LOGSTASH_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `logstash.tags` | `LOGSTASH_TAGS` | | An additional list of tags that will be added to those produced by Falco; these tags may help in decision-making while routing logs |
> [!NOTE]
Values stored in environment variables will override the settings from yaml file.
## Example of config.yaml
```yaml
logstash:
address: "" # Logstash address, if not empty, Logstash output is enabled
# port: 5044 # Logstash port number (default: 5044)
# tls: false # communicate over tls; requires Logstash version 8+ to work
# mutualtls: false # or authenticate to the output with TLS; if true, checkcert flag will be ignored (server cert will always be checked) (default: false)
# checkcert: true # Check if ssl certificate of the output is valid (default: true)
# certfile: "" # Use this certificate file instead of the client certificate when using mutual TLS (default: "")
# keyfile: "" # Use this key file instead of the client certificate when using mutual TLS (default: "")
# cacertfile: "" # Use this CA certificate file instead of the client certificate when using mutual TLS (default: "")
# minimumpriority: minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "debug")
# tags: ["falco"] # An additional list of tags that will be added to those produced by Falco (default: [])
```
## Additional info
## Screenshots


@ -1,56 +0,0 @@
# Loki
- **Category**: Logs
- **Website**: https://grafana.com/oss/loki/
## Table of content
- [Loki](#loki)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description | | | | |
| ---------------------- | ---------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `loki.hostport` | `LOKI_HOSTPORT` | | http://{domain or ip}:{port}, if not empty, Loki output is **enabled** | | | | |
| `loki.user` | `LOKI_USER` | | User for Grafana Logs | | | | |
| `loki.apikey` | `LOKI_APIKEY` | | API KEy for Grafana Logs | | | | |
| `loki.tenant` | `LOKI_TENANT` | | Add the tenant header if needed | | | | |
| `loki.format` | `LOKI_FORMAT` | `text` | Format for the log entry value: json, text | | | | |
| `loki.endpoint` | `LOKI_ENDPOINT` | `/loki/api/v1/push` | The endpoint URL path, more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush | | | | |
| `loki.extralabels` | `LOKI_EXTRALABELS` | | comma separated list of fields to use as labels additionally to `rule`, `source`, `priority`, `tags` and `custom_fields` | | | | |
| `loki.customheaders` | `LOKI_CUSTOMHEADERS` | | Custom headers to add in POST, useful for Authentication | | | | |
| `loki.mutualtls` | `LOKI_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) | | | | |
| `loki.checkcert` | `LOKI_CHECKCERT` | `/api/v1/alerts` | Check if ssl certificate of the output is valid | `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `loki.minimumpriority` | `LOKI_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` | | | | |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
loki:
# hostport: "" # http://{domain or ip}:{port}, if not empty, Loki output is enabled
# user: "" # user for Grafana Logs
# apikey: "" # API Key for Grafana Logs
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# tenant: "" # Add the tenant header if needed. Enabled if not empty
# format: "text" # Format for the log entry value: json, text (default)
# endpoint: "/loki/api/v1/push" # The endpoint URL path, default is "/loki/api/v1/push" more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush
# extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
```
## Screenshots
With Grafana
![loki example](images/loki.png)


@ -1,68 +0,0 @@
# Mattermost
- **Category**: Chat/Messaging
- **Website**: https://github.com/mattermost/mattermost
## Table of content
- [Mattermost](#mattermost)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Message Formatting](#message-formatting)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------------- | ---------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `mattermost.webhookurl` | `MATTERMOST_WEBHOOKURL` | | Mattermost WebhookURL (ex: https://hooks.mattermost.com/services/XXXX/YYYY/ZZZZ), if not empty, Mattermost output is **enabled** |
| `mattermost.icon` | `MATTERMOST_ICON` | `https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png` | Mattermost icon (avatar) |
| `mattermost.username` | `MATTERMOST_USERNAME` | `Falcosidekick` | Mattermost username |
| `mattermost.outputformat` | `MATTERMOST_OUTPUTFORMAT` | `all` | Mattermost message format: `all`, `text`, `field` |
| `mattermost.messageformat` | `MATTERMOST_MESSAGEFORMAT` | | A Go template to format Mattermost Text above Attachment, displayed in addition to the output from `MATTERMOST_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
| `mattermost.mutualtls` | `MATTERMOST_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `mattermost.checkcert` | `MATTERMOST_CHECKCERT` | `/api/v1/alerts` | Check if ssl certificate of the output is valid | `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`
| `mattermost.minimumpriority` | `MATTERMOST_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
mattermost:
webhookurl: "" # Mattermost WebhookURL (ex: http://XXXX/hooks/YYYY), if not empty, Mattermost output is enabled
# icon: "" # Mattermost icon (avatar)
# username: "" # Mattermost username (default: Falcosidekick)
# outputformat: "all" # all (default), text, fields
# messageformat: "Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields \"user.name\" }}*" # a Go template to format Mattermost Text above Attachment, displayed in addition to the output from `MATTERMOST_OUTPUTFORMAT`. If empty, no Text is displayed before Attachment.
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
### Message Formatting
The `MATTERMOST_MESSAGEFORMAT` environment variable and `mattermost.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Mattermost alert.
These templates are evaluated on the JSON data from each Falco event. The following fields are available:
| Template Syntax | Description |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `{{ .Output }}` | A formatted string from Falco describing the event. |
| `{{ .Priority }}` | The priority of the event, as a string. |
| `{{ .Rule }}` | The name of the rule that generated the event. |
| `{{ .Time }}` | The timestamp when the event occurred. |
| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
## Screenshots
![mattermost example](images/mattermost.png)


@ -1,47 +0,0 @@
# MQTT
- **Category**: Message queue / Streaming
- **Website**: https://mqtt.org/
## Table of content
- [MQTT](#mqtt)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------- | ---------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `mqtt.broker` | `MQTT_BROKER` | | Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is **enabled** |
| `mqtt.topic` | `MQTT_TOPIC` | `falco/events` | Topic for messages |
| `mqtt.qos` | `MQTT_QOS` | `0` | QOS for messages |
| `mqtt.retained` | `MQTT_RETAINED` | `false` | If true, messages are retained |
| `mqtt.user` | `MQTT_USER` | | User if the authentication is enabled in the broker |
| `mqtt.password` | `MQTT_PASSWORD` | | Password if the authentication is enabled in the broker |
| `mqtt.checkcert` | `MQTT_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `mqtt.minimumpriority` | `MQTT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
mqtt:
broker: "" # Broker address, can start with tcp:// or ssl://, if not empty, MQTT output is enabled
topic: "falco/events" # Topic for messages (default: falco/events)
# qos: 0 # QOS for messages (default: 0)
# retained: false # If true, messages are retained (default: false)
# user: "" # User if the authentication is enabled in the broker
# password: "" # Password if the authentication is enabled in the broker
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,48 +0,0 @@
# N8N
- **Category**: Workflow
- **Website**: https://n8n.io/
## Table of content
- [N8N](#n8n)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| --------------------- | --------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `n8n.address` | `N8N_ADDRESS` | | N8N address, if not empty, N8N output is **enabled** |
| `n8n.user` | `N8N_USER` | | Username to authenticate with N8N in basic auth |
| `n8n.password` | `N8N_PASSWORD` | | Password to authenticate with N8N in basic auth |
| `n8n.headerauthname` | `N8N_HEADERAUTHNAME` | | Header Auth Value to authenticate with N8N |
| `n8n.headerauthvalue` | `N8N_HEADERAUTHVALUE` | | Check if ssl certificate of the output is valid |
| `n8n.checkcert` | `N8N_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `n8n.minimumpriority` | `N8N_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
n8n:
address: "" # N8N address, if not empty, N8N output is enabled
# user: "" # Username to authenticate with N8N in basic auth
# password: "" # Password to authenticate with N8N in basic auth
# headerauthname: "" # Header Auth Key to authenticate with N8N
# headerauthvalue: "" #
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots
![n8n example](images/n8n.png)


@ -1,45 +0,0 @@
# NATS
- **Category**: Message queue / Streaming
- **Website**: https://nats.io/
## Table of content
- [NATS](#nats)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [subjecttemplate: "falco.." # template for the subject, tokens and will be automatically replaced (default: falco..)](#subjecttemplate-falco--template-for-the-subject-tokens--and--will-be-automatically-replaced-default-falco)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
# subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
| Setting | Env var | Default value | Description |
| ---------------------- | ---------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `nats.hostport` | `NATS_HOSTPORT` | | nats://{domain or ip}:{port}, if not empty, NATS output is **enabled** |
| `nats.subjecttemplate` | `NATS_SUBJECTTEMPLATE` | `falco.<priority>.<rule>` | Template for the subject, tokens <priority> and <rule> will be automatically replaced |
| `nats.mutualtls` | `NATS_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `nats.checkcert` | `NATS_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `nats.minimumpriority` | `NATS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
nats:
hostport: "" # nats://{domain or ip}:{port}, if not empty, NATS output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Additional info
## Screenshots


@ -1,46 +0,0 @@
# Node-RED
- **Category**: Workflow
- **Website**: https://nodered.org/
## Table of content
- [Node-RED](#node-red)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------- | ------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `nodered.address` | `NODERED_ADDRESS` | | Node-RED address, if not empty, Node-RED output is **enabled** |
| `nodered.user` | `NODERED_USER` | | User if Basic Auth is enabled for 'http in' node in Node-RED |
| `nodered.password` | `NODERED_PASSWORD` | | Password if Basic Auth is enabled for 'http in' node in Node-RED |
| `nodered.customheaders` | `NODERED_CUSTOMHEADERS` | | Custom headers for the POST request |
| `nodered.checkcert` | `NODERED_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `nodered.minimumpriority` | `NODERED_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
nodered:
address: "" # Node-RED address, if not empty, Node-RFED output is enabled
# user: "" # User if Basic Auth is enabled for 'http in' node in Node-RED
# password: "" # Password if Basic Auth is enabled for 'http in' node in Node-RED
# customHeaders: # Custom headers to add in POST, useful for Authentication
# key: value
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Additional info
## Screenshots
![node-red example](images/node-red.png)


@ -1,47 +0,0 @@
# OpenFaaS
- **Category**: FaaS / Serverlesss
- **Website**: https://www.openfaas.com/
## Table of content
- [OpenFaaS](#openfaas)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------------- | ---------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `openfaas.functionname` | `OPENFAAS_FUNCTIONNAME` | | Name of OpenFaaS function, if not empty, OpenFaaS is **enabled** |
| `openfaas.functionnamespace` | `OPENFAAS_FUNCTIONNAMESPACE` | `openfaas-fn` | Namespace of OpenFaaS function |
| `openfaas.gatewayservice` | `OPENFAAS_GATEWAYSERVICE` | `gateway` | Service of OpenFaaS Gateway |
| `openfaas.gatewayport` | `OPENFAAS_GATEWAYPORT` | `8080` | Port of service of OpenFaaS Gateway |
| `openfaas.gatewaynamespace` | `OPENFAAS_GATEWAYNAMESPACE` | `openfaas` | Namespace of OpenFaaS Gateway |
| `openfaas.kubeconfig` | `OPENFAAS_KUBECONFIG` | `~/.kube/config` | Kubeconfig file to use (only if falcosidekick is running outside the cluster) |
| `openfaas.checkcert` | `OPENFAAS_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `openfaas.minimumpriority` | `OPENFAAS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
openfaas:
functionname: "" # Name of OpenFaaS function, if not empty, OpenFaaS is enabled
functionnamespace: "openfaas-fn" # Namespace of OpenFaaS function, "openfaas-fn" (default)
gatewayservice: "gateway" # Service of OpenFaaS Gateway, "gateway" (default)
gatewayport: 8080 # Port of service of OpenFaaS Gateway
gatewaynamespace: "openfaas" # Namespace of OpenFaaS Gateway, "openfaas" (default)
kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Additional info
## Screenshots


@ -1,52 +0,0 @@
# OpenObserve
- **Category**: Logs
- **Website**: https://openobserve.ai/
## Table of content
- [OpenObserve](#openobserve)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `openobserve.hostport` | `OPENOBSERVE_HOSTPORT` | | http://{domain or ip}:{port}, if not empty, OpenObserve output is **enabled** |
| `openobserve.organizationname` | `OPENOBSERVE_ORGANIZATIONNAME` | `default` | Organization name |
| `openobserve.streamname` | `OPENOBSERVE_STREAMNAME` | `falco` | Stream name |
| `openobserve.username` | `OPENOBSERVE_USERNAME` | | Use this username to authenticate to OpenObserve |
| `openobserve.password` | `OPENOBSERVE_PASSWORD` | | Use this password to authenticate to OpenObserve |
| `openobserve.customheaders` | `OPENOBSERVE_CUSTOMHEADERS` | | Custom headers to add in POST, useful for Authentication |
| `openobserve.mutualtls` | `OPENOBSERVE_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `openobserve.checkcert` | `OPENOBSERVE_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `openobserve.minimumpriority` | `OPENOBSERVE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
openobserve:
hostport: "" # http://{domain or ip}:{port}, if not empty, OpenObserve output is enabled
# organizationname: "default" # Organization name (default: default)
# streamname: "falco" # Stream name (default: falco)
# username: "a" # use this username to authenticate to OpenObserve (default: "")
# password: "" # use this password to authenticate to OpenObserve (default: "")
# customheaders: # Custom headers to add in POST, useful for Authentication
# key: value
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots
![openobserve example](images/openobserve.png)


@ -1,40 +0,0 @@
# Opsgenie
- **Category**: Alerting
- **Website**: https://www.opsgenie.com/
## Table of content
- [Opsgenie](#opsgenie)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `opsgenie.apikey` | `OPSGENIE_APIKEY` | | Opsgenie API Key, if not empty, Opsgenie output is **enabled** |
| `opsgenie.region` | `OPSGENIE_REGION` | `us` | Region of your domain (`us`, `eu`) |
| `opsgenie.minimumpriority` | `OPSGENIE_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
opsgenie:
apikey: "" # Opsgenie API Key, if not empty, Opsgenie output is enabled
region: "eu" # Region of your domain (us|eu) (default: us)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots
![opsgenie example](images/opsgenie.png)


@ -1,51 +0,0 @@
# OTEL Logs
- **Category**: Logs
- **Website**: <https://opentelemetry.io/docs/concepts/signals/logs/>
## Table of content
- [OTEL Logs](#otel-logs)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
## Configuration
| Setting | Env var | Default value | Description |
| --------------------------- | --------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `otlp.logs.endpoint` | `OTLP_LOGS_ENDPOINT` | | OTLP endpoint in the form of http://{domain or ip}:4318/v1/logs |
| `otlp.logs.protocol` | `OTLP_LOGS_PROTOCOL` | `http/protobuf` (from SDK) | OTLP Protocol: `http/protobuf`, `grpc` |
| `otlp.logs.timeout` | `OTLP_LOGS_TIMEOUT` | `10000` (from SDK) | Timeout value in milliseconds |
| `otlp.logs.headers` | `OTLP_LOGS_HEADERS` | | List of headers to apply to all outgoing logs in the form of "some-key=some-value,other-key=other-value" |
| `otlp.logs.synced` | `OTLP_LOGS_SYNCED` | `false` | Set to `true` if you want logs to be sent synchronously |
| `otlp.logs.minimumpriority` | `OTLP_LOGS_MINIMUMPRIORITY` | `""` (=`debug`) | minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `otlp.logs.checkcert` | `OTLP_LOGS_CHECKCERT` | `false` | Set if you want to skip TLS certificate validation |
| `otlp.logs.duration` | `OTLP_LOGS_DURATION` | `1000` | Artificial span duration in milliseconds (as Falco doesn't provide an ending timestamp) |
| `otlp.logs.extraenvvars` | `OTLP_LOGS_EXTRAENVVARS` | | Extra env vars (override the other settings) |
> [!NOTE]
For the extra Env Vars values see [standard `OTEL_*` environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/)
## Example of config.yaml
```yaml
otlp:
logs:
# endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/logs), if not empty, OTLP Traces output is enabled
protocol: "" # OTLP protocol: http/protobuf, grpc (default: "" which uses SDK default: "http/protobuf")
# timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
# headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
# extraenvvars: # Extra env vars (override the other settings)
# OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
# OTEL_EXPORTER_OTLP_TIMEOUT: 10000
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # Set if you want to skip TLS certificate validation (default: true)
```
## Additional info
> [!WARNING]
Because of the way the OTEL SDK is structured, the OTLP outputs don't appear in the metrics (Prometheus, Statsd, ...)
and the error logs just specify `OTEL` as output.


@ -1,208 +0,0 @@
# OTEL Metrics
- **Category**: Metrics/Observability
- **Website**: <https://opentelemetry.io/docs/concepts/signals/metrics/>
## Table of content
- [OTEL Metrics](#otel-metrics)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Running a whole stack with docker-compose](#running-a-whole-stack-with-docker-compose)
- [Requirements](#requirements)
- [Configuration files](#configuration-files)
- [Run it](#run-it)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------ | ------------------------------ | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `otlp.metrics.endpoint` | `OTLP_METRICS_ENDPOINT` | | OTLP endpoint, typically in the form http(s)://{domain or ip}:4318(/v1/metrics) |
| `otlp.metrics.protocol` | `OTLP_METRICS_PROTOCOL` | `http/protobuf` (from SDK) | OTLP Protocol: `http/protobuf`, `grpc` |
| `otlp.metrics.timeout` | `OTLP_METRICS_TIMEOUT` | `10000` (from SDK) | OTLP timeout for outgoing metrics in milliseconds |
| `otlp.metrics.headers` | `OTLP_METRICS_HEADERS` | `""` | List of headers to apply to all outgoing metrics in the form of `some-key=some-value,other-key=other-value` |
| `otlp.metrics.extraenvvars` | `OTLP_METRICS_EXTRAENVVARS` | `""` | Extra env vars (override the other settings) |
| `otlp.metrics.minimumpriority` | `OTLP_METRICS_MINIMUMPRIORITY` | `""` (=`debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `otlp.metrics.checkcert` | `OTLP_METRICS_CHECKCERT` | `true` | Set to false if you want to skip TLS certificate validation (only with https) |
| `otlp.metrics.extraattributes` | `OTLP_METRICS_EXTRAATTRIBUTES` | `""` | Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields |
> [!NOTE]
For the extra Env Vars values see [standard `OTEL_*` environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/)
> [!WARNING]
If you use `grpc`, the endpoint format must be `http(s)://{domain or ip}:4318`
If you use `http/protobuf`, the endpoint format must be `http(s)://{domain or ip}:4318/v1/traces`
## Example of config.yaml
```yaml
otlp:
metrics:
# endpoint: "" # OTLP endpoint, typically in the form http(s)://{domain or ip}:4318(/v1/metrics), if not empty, OTLP Metrics output is enabled
# protocol: "" # OTLP protocol: http/protobuf, grpc (default: "" which uses SDK default: "http/protobuf")
# timeout: "" # OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000)
# headers: "" # List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "")
# extraenvvars: # Extra env vars (override the other settings) (default: "")
# OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000
# OTEL_EXPORTER_OTLP_TIMEOUT: 10000
# minimumpriority: "" # Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "")
# checkcert: true # Set to false if you want to skip TLS certificate validation (only with https) (default: true)
# extraattributes: "" # Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields
```
## Additional info
> [!NOTE]
This output is used to collect metrics about Falco events and Falcosidekick inputs and outputs in OTLP metrics format.
> [!WARNING]
Because of the way the OTEL SDK is structured, the OTLP outputs don't appear in the metrics (Prometheus, Statsd, ...)
and the error logs just specify `OTEL` as output.
## Running a whole stack with docker-compose
Below `docker-compose` file runs a stack of:
- `falco`
- `falcosidekick`
- `prometheus` as metrics backend
- OTEL collector to collect OTEL metrics from `falcosidekick` and let prometheus scrape them
- `events-generator` to generate arbitrary Falco events
### Requirements
A local Linux kernel capable of running `falco`--modern-bpf`, see <https://falco.org/blog/falco-modern-bpf/>.
### Configuration files
You need to create these files:
- `./docker-compose.yaml`: minimal docker-compose configuration
```yaml
---
services:
falco:
image: falcosecurity/falco:0.39.0
privileged: true
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- /dev:/host/dev
- /proc:/host/proc:ro
- /boot:/host/boot:ro
- /lib/modules:/host/lib/modules:ro
- /usr:/host/usr:ro
- /etc/falco:/host/etc:ro
command: [
"/usr/bin/falco" ,
"-o", "json_output=true",
"-o", "http_output.enabled=true",
"-o", "http_output.url=http://sidekick:2801", # Set the HTTP output url to Falcosidekick endpoint
"-o", "http_output.insecure=true"
]
sidekick:
image: falcosidekick:latest
ports:
- "2801:2801" # Expose default port towards Falco instance
environment:
- OTLP_METRICS_ENDPOINT=http://otel-collector:4317
- OTLP_METRICS_CHECKCERT=false
otel-collector:
image: otel/opentelemetry-collector-contrib
volumes:
- ./config.yaml:/etc/otelcol-contrib/config.yaml
ports:
- "4317:4317" # Expose OTLP gRPC port
prometheus:
image: prom/prometheus:latest
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml
ports:
- "9090:9090" # Expose port to access Prometheus expression browser
event-generator:
image: falcosecurity/event-generator
command: run
restart: always
trigger:
image: alpine
command: [ # Alternate reads to /etc/shadow with creations of symlinks from it
"sh",
"-c",
"while true; do cat /etc/shadow > /dev/null; sleep 5; ln -s /etc/shadow shadow; rm shadow; sleep 5; done"
]
```
> `./docker-compose.yaml` mentions the `falcosidekick:latest` docker image, that must be locally available before
> bringing up the stack. You can build it from source by cloning the repository and issuing the building commands:
> ```shell
> git clone https://github.com/falcosecurity/falcosidekick.git
> cd falcosidekick
> go build . && docker build . -t falcosidekick:latest
> ```
- `./config.yaml`: minimal OTEL collector configuration
```yaml
---
receivers:
otlp:
protocols:
grpc:
endpoint: "0.0.0.0:4317"
exporters:
prometheus:
endpoint: "0.0.0.0:9090"
service:
pipelines:
metrics:
receivers: [otlp]
processors: []
exporters: [prometheus]
```
- `./prometheus.yml`: minimal prometheus configuration
```yaml
global:
scrape_interval: 5s
scrape_configs:
- job_name: 'otel-collector'
static_configs:
- targets: ['otel-collector:9090']
```
### Run it
To bring up the stack, and see the results on prometheus expression browser:
1. Bring up the stack
```shell
docker compose up
```
2. Navigate to <http://localhost:9090/graph> to start browsing the local prometheus expression browser
3. Navigate to the `Graph` tab and adjust the time interval to be comparable to the stack uptime (e.g.: 15 minutes)
5. To get information regarding the `falcosecurity_falco_rules_matches_total` metric, you can enter a simple query like
`falcosecurity_falco_rules_matches_total` or `sum by (rule) (falcosecurity_falco_rules_matches_total)` and press
`Execute`
6. Explore the obtained results
![Falco metrics view](images/otlp_metrics-prom_view.png)
1. Bring down the stack
```shell
docker compose down
```


@ -1,253 +0,0 @@
# OTEL Traces
- **Category**: Traces
- **Website**: <https://opentelemetry.io/docs/concepts/signals/traces/>
## Table of content
- [OTEL Traces](#otel-traces)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Running a whole stack with docker-compose](#running-a-whole-stack-with-docker-compose)
- [Requirements](#requirements)
- [Configuration files](#configuration-files)
- [Run it](#run-it)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------------- | ----------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `otlp.traces.endpoint` | `OTLP_TRACES_ENDPOINT` | | OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/traces) |
| `otlp.traces.protocol` | `OTLP_TRACES_PROTOCOL` | `http/protobuf` (from SDK) | OTLP Protocol: `http/protobuf`, `grpc` |
| `otlp.traces.timeout` | `OTLP_TRACES_TIMEOUT` | `10000` (from SDK) | Timeout value in milliseconds |
| `otlp.traces.headers` | `OTLP_TRACES_HEADERS` | | List of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" |
| `otlp.traces.synced` | `OTLP_TRACES_SYNCED` | `false` | Set to `true` if you want traces to be sent synchronously |
| `otlp.traces.minimumpriority` | `OTLP_TRACES_MINIMUMPRIORITY` | `""` (=`debug`) | minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
| `otlp.traces.checkcert` | `OTLP_TRACES_CHECKCERT` | `false` | Set if you want to skip TLS certificate validation |
| `otlp.traces.duration` | `OTLP_TRACES_DURATION` | `1000` | Artificial span duration in milliseconds (as Falco doesn't provide an ending timestamp) |
| `otlp.traces.extraenvvars` | `OTLP_TRACES_EXTRAENVVARS` | | Extra env vars (override the other settings) |
> [!NOTE]
For the extra Env Vars values see [standard `OTEL_*` environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/)
> [!WARNING]
If you use `grpc`, the endpoint format must be `http(s)://{domain or ip}:4318`
If you use `http/protobuf`, the endpoint format must be `http(s)://{domain or ip}:4318/v1/traces`
## Example of config.yaml
```yaml
otlp:
traces:
# endpoint: "" # OTLP endpoint in the form of http(s)://{domain or ip}:4318(/v1/traces), if not empty, OTLP Traces output is enabled
# protocol: "" # OTLP protocol: http/protobuf, grpc (default: "" which uses SDK default: "http/protobuf")
# timeout: "" # OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000)
# headers: "" # OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "")
# synced: false # Set to true if you want traces to be sent synchronously (default: false)
# duration: 1000 # Artificial span duration in milliseconds (default: 1000)
# extraenvvars: # Extra env vars (override the other settings)
# OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000
# OTEL_EXPORTER_OTLP_TIMEOUT: 10000
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # Set if you want to skip TLS certificate validation (default: true)
```
## Additional info
> [!NOTE]
The OTLP Traces are only available for the source: `syscalls`.
> [!WARNING]
Because of the way the OTEL SDK is structured, the OTLP outputs don't appear in the metrics (Prometheus, Statsd, ...)
and the error logs just specify `OTEL` as output.
## Running a whole stack with docker-compose
Below `docker-compose` file runs a stack of:
- `falco`
- `falcosidekick`
- `events-generator` to generate arbitrary falco events
- [Tempo](https://grafana.com/oss/tempo/) as OTLP traces backend
- [Grafana](https://grafana.com/oss/grafana/) for visualization
### Requirements
A local Linux kernel capable of running `falco`--modern-bpf`, see
<https://falco.org/blog/falco-modern-bpf/>.
### Configuration files
You need to create these files:
- `./docker-compose.yaml`: minimal docker-compose configuration
```yaml
---
version: "3.9"
services:
falco:
image: falcosecurity/falco-no-driver:latest
privileged: true
command: "falco --modern-bpf -r /etc/falco/rules"
volumes:
- /var/run/docker.sock:/host/var/run/docker.sock
- /dev:/host/dev
- /proc:/host/proc:ro
- /boot:/host/boot:ro
- /lib/modules:/host/lib/modules:ro
- ./etc/falco:/etc/falco:ro
falcosidekick:
# Build from locally cloned repository
build: ../../../
volumes:
- ./etc/falco:/etc/falco:ro
command: -c /etc/falco/falcosidekick.yaml
ports:
- 2801:2801
environment:
- OTLP_TRACES_ENDPOINT=http://traces-backend:4318/v1/traces
- OTLP_HEADERS=X-Scope-OrgID=1
- OTLP_TRACES_SYNCED=true
traces-backend:
image: grafana/tempo:latest
ports:
- 4317
- 4318
- 3200
volumes:
- ./etc/tempo:/etc/tempo:ro
command: "-config.file /etc/tempo/config.yaml"
restart: always
grafana:
image: grafana/grafana:10.0.3
volumes:
- ./etc/grafana/provisioning:/etc/grafana/provisioning:ro
environment:
- GF_AUTH_ANONYMOUS_ENABLED=true
- GF_AUTH_ANONYMOUS_ORG_ROLE=Admin
- GF_AUTH_DISABLE_LOGIN_FORM=true
- GF_FEATURE_TOGGLES_ENABLE=traceqlEditor
ports:
- "3000:3000"
event-generator:
image: falcosecurity/event-generator
command: run
restart: always
trigger:
image: alpine
command: ["sh", "-c", "while true; do cat /etc/shadow > /dev/null; sleep 5; done"]
```
- `./etc/falco/falco.yaml`: minimal falco configuration
```yaml
---
debug: true
outputs:
rate: 1
max_burst: 1000
json_output: true
http_output:
enabled: true
url: http://falcosidekick:2801
#url: http://172.17.0.1:2801
user_agent: "falcosecurity/falco"
# Tell Falco to not verify the remote server.
insecure: true
plugins:
- name: json
library_path: libjson.so
stdout_output:
enabled: true
log_stderr: true
syscall_buf_size_preset: 4
```
- `./etc/falco/rules/` folder: from upstream
<https://github.com/falcosecurity/rules.git>
```shell
mkdir -p ./etc/falco/upstream-rules
git clone --depth 1 https://github.com/falcosecurity/rules/ ./etc/falco/upstream-rules
ln -s upstream-rules/rules ./etc/falco/rules
```
- `./etc/grafana/provisioning/datasources/datasources.yaml`: provisioning Tempo
backend as Grafana datasource
```yaml
apiVersion: 1
datasources:
- name: Tempo
type: tempo
access: proxy
orgId: 1
url: http://traces-backend:3200
basicAuth: false
isDefault: true
version: 1
editable: false
apiVersion: 1
uid: tempo
jsonData:
httpMethod: GET
serviceMap:
datasourceUid: prometheus
```
- `./etc/tempo/config.yaml`: minimal tempo configuration
```yaml
---
server:
http_listen_port: 3200
distributor:
receivers:
otlp:
protocols:
http:
grpc:
log_received_spans:
enabled: true
storage:
trace:
backend: local
local:
path: /tmp/tempo/blocks
```
### Run it
To bring up the stack, and peek at how Grafana shows it:
1. Bring up the stack
```shell
docker-compose up
```
1. Navigate to <http://localhost:3000/> to start browsing the local Grafana UI
1. Navigate to [/explore](http://localhost:3000/explore/), choose `Tempo` datasource, and query `{}`, or just click [here](http://localhost:3000/explore?orgId=1&left=%7B%22datasource%22:%22tempo%22,%22queries%22:%5B%7B%22refId%22:%22A%22,%22datasource%22:%7B%22type%22:%22tempo%22,%22uid%22:%22tempo%22%7D,%22queryType%22:%22traceql%22,%22limit%22:20,%22query%22:%22%7B%7D%22%7D%5D) for such already crafted query.
![Grafana explore](images/otlp_traces-grafana_explore.png)
1. Click on any of the shown traces on the left panel, you should see something
similar to the below attached screenshot.
![Falco traces view](images/otlp_traces-traces_view.png)
1. Bring down the stack
```shell
docker-compose down
```


@ -1,37 +0,0 @@
# PagerDuty
- **Category**: Alerting
- **Website**: https://pagerduty.com/
## Table of content
- [PagerDuty](#pagerduty)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| --------------------------- | --------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `pagerduty.routingkey` | `PAGERDUTY_ROUTINGKEY` | | Pagerduty Routing Key, if not empty, Pagerduty output is **enabled** |
| `pagerduty.region` | `PAGERDUTY_REGION` | `us` | Pagerduty Region (`us`, `eu`) |
| `pagerduty.minimumpriority` | `PAGERDUTY_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
pagerduty:
routingkey: "" # Pagerduty Routing Key, if not empty, Pagerduty output is enabled
region: "us" # Pagerduty Region, can be 'us' or 'eu' (default: us)
minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,52 +0,0 @@
# Policy Report
- **Category**: Other
- **Website**: https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report/falco-adapter
## Table of content
- [Policy Report](#policy-report)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Installing Policy Report Custom Resource Definition (CRD)](#installing-policy-report-custom-resource-definition-crd)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `policyreport.enabled` | `POLICYREPORT_ENABLED` | | If true; policyreport output is **enabled** |
| `policyreport.kubeconfig` | `POLICYREPORT_KUBECONFIG` | `~/.kube/config` | Kubeconfig file to use (only if falcosidekick is running outside the cluster) |
| `policyreport.falconamespace` | `POLICYREPORT_FALCONAMESPACE` | | Set the namespace where Falco is running (only if falcosidekick is running outside the cluster) |
| `policyreport.maxevents` | `POLICYREPORT_MAXEVENTS` | `1000` | The max number of events that can be in a policyreport |
| `policyreport.minimumpriority` | `POLICYREPORT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
policyreport:
enabled: false # if true; policyreport output is enabled
kubeconfig: "~/.kube/config" # kubeconfig file to use (only if falcosidekick is running outside the cluster)
falconamespace: "" # set the namespace where Falco is running (only if falcosidekick is running outside the cluster)
maxevents: 1000 # the max number of events that can be in a policyreport (default: 1000)
minimumpriority: "debug" # events with a priority above this are mapped to fail in PolicyReport Summary and lower that those are mapped to warn (default="")
```
## Additional info
### Installing Policy Report Custom Resource Definition (CRD)
> [!WARNING]
This output works only for the sources `syscalls` and `k8saudit`.
> [!WARNING]
Installation of the Policy Report Custom Resource Definition (CRD) is a prerequisite for using the Policy Report output.
Information about how to find and install the CRD for the reports can be found [here](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report#installing).
## Screenshots


@ -1,36 +0,0 @@
# Prometheus
- **Category**: Metrics / Observability
- **Website**: https://prometheus.io/
## Table of content
- [Prometheus](#prometheus)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------ | ------------------------ | ------------- | -------------------------------------------------------------------------------------------------------------- |
| `prometheus.extralabels` | `PROMETHEUS_EXTRALABELS` | | Comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
prometheus:
# extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
```
## Additional info
> [!NOTE]
This output is used to collect metrics about Falco events and Falcosidekick outputs in prometheus format, scrape the endpoint `/metrics` to collect them.
## Screenshots


@ -1,50 +0,0 @@
# Quickwit
- **Category**: Logs
- **Website**: https://quickwit.io/
## Table of content
- [Quickwit](#quickwit)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------------- | ------------------------------- | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| `quickwit.hostport` | `QUICKWIT_HOSTPORT` | | http://{domain or ip}:{port}, if not empty, Quickwit output is **enabled** |
| `quickwit.apiendpoint` | `QUICKWIT_APIENDPOINT` | `api/v1` | API endpoint (containing the API version, overideable in case of quickwit behind a reverse proxy with URL rewriting) |
| `quickwit.index` | `QUICKWIT_INDEX` | `falco` | Index |
| `quickwit.version` | `QUICKWIT_VERSION` | `0.7` | Version of quickwit |
| `quickwit.autocreateindex` | `QUICKWIT_AUTOCREATEINDEX` | `false` | Autocreate a `falco` index mapping if it doesn't exists |
| `quickwit.customheaders` | `QUICKWIT_CUSTOMHEADERS` | | Custom headers to add in POST, useful for Authentication |
| `quickwit.mutualtls` | `QUICKWIT_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `quickwit.checkcert` | `QUICKWIT_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `quickwit.minimumpriority` | `QUICKWIT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
quickwit:
# hostport: ""
# apiendpoint: "/api/v1"
# index: "falco"
# version: "0.7"
# autocreateindex: false
# customHeaders:
# key: value
# mutualtls: false
# checkcert: true
# minimumpriority: ""
```
## Screenshots
With Grafana:
![Grafana example](images/grafana_quickwit.png)


@ -1,37 +0,0 @@
# RabbitMQ
- **Category**: Message queue / Streaming
- **Website**: https://www.rabbitmq.com/
## Table of content
- [RabbitMQ](#rabbitmq)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| -------------------------- | -------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `rabbitmq.url` | `RABBITMQ_URL` | | Rabbitmq URL, if not empty, Rabbitmq output is **enabled** |
| `rabbitmq.queue` | `RABBITMQ_QUEUE` | | Rabbitmq Queue name |
| `rabbitmq.minimumpriority` | `RABBITMQ_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
rabbitmq:
url: "" # Rabbitmq URL, if not empty, Rabbitmq output is enabled
queue: "" # Rabbitmq Queue name
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,43 +0,0 @@
# Redis
- **Category**: Database
- **Website**: https://redis.com/
## Table of content
- [Redis](#redis)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------- | ----------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `redis.address` | `REDIS_ADDRESS` | | Redis address, if not empty, Redis output is **enabled** |
| `redis.database` | `REDIS_DATABASE` | `0` | Redis database number |
| `redis.storagetype` | `REDIS_STORAGETYPE` | `list` | Redis storage type: `hashmap` or `list` |
| `redis.key` | `REDIS_KEY` | `falco` | Redis storage key name |
| `redis.password` | `REDIS_PASSWORD` | | Password to authenticate with Redis |
| `redis.minimumpriority` | `REDIS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
redis:
address: "" # Redis address, if not empty, Redis output is enabled
# database: "" # Redis database number (default: 0)
# storagetype: "" # Redis storage type: hashmap or list (default: list)
# key: "" # Redis storage key name (default: "falco")
# password: "" # Password to authenticate with Redis (default: "")
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,63 +0,0 @@
# Rocketchat
- **Category**: Chat/Messaging
- **Website**: https://rocket.chat
## Table of content
- [Rocketchat](#rocketchat)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Message Formatting](#message-formatting)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------------- | ---------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `rocketchat.webhookurl` | `ROCKETCHAT_WEBHOOKURL` | | Rocketchat WebhookURL (ex: https://hooks.rocketchat.com/services/XXXX/YYYY/ZZZZ), if not empty, Rocketchat output is **enabled** |
| `rocketchat.icon` | `ROCKETCHAT_ICON` | `https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png` | Rocketchat icon (avatar) |
| `rocketchat.username` | `ROCKETCHAT_USERNAME` | `Falcosidekick` | Rocketchat username |
| `rocketchat.outputformat` | `ROCKETCHAT_OUTPUTFORMAT` | `all` | Rocketchat message format: `all`, `text`, `field` |
| `rocketchat.messageformat` | `ROCKETCHAT_MESSAGEFORMAT` | | A Go template to format Rocketchat Text above Attachment, displayed in addition to the output from `ROCKETCHAT_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
| `rocketchat.mutualtls` | `ROCKETCHAT_MUTUALTLS` | `false` | Authenticate to the output with TLS, if true, checkcert flag will be ignored (server cert will always be checked) |
| `rocketchat.checkcert` | `ROCKETCHAT_CHECKCERT` | `true` | check if ssl certificate of the output is valid | `rocketchat.minimumpriority` | `ROCKETCHAT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""`
| `rocketchat.minimumpriority` | `ROCKETCHAT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
rocketchat:
webhookurl: "" # Rocketchat WebhookURL (ex: http://XXXX/hooks/YYYY), if not empty, Rocketchat output is enabled
# icon: "" # Rocketchat icon (avatar)
# username: "" # Rocketchat username (default: Falcosidekick)
# outputformat: "all" # all (default), text, fields
# messageformat: "Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields \"user.name\" }}*" # a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from `ROCKETCHAT_OUTPUTFORMAT`. If empty, no Text is displayed before Attachment.
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
### Message Formatting
The `ROCKETCHAT_MESSAGEFORMAT` environment variable and `rocketchat.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Rocketchat alert.
These templates are evaluated on the JSON data from each Falco event. The following fields are available:
| Template Syntax | Description |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `{{ .Output }}` | A formatted string from Falco describing the event. |
| `{{ .Priority }}` | The priority of the event, as a string. |
| `{{ .Rule }}` | The name of the rule that generated the event. |
| `{{ .Time }}` | The timestamp when the event occurred. |
| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.


@ -1,77 +0,0 @@
# Slack
- **Category**: Chat/Messaging
- **Website**: https://slack.com
## Table of content
- [Slack](#slack)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Message Formatting](#message-formatting)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------- | ----------------------- | --------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `slack.webhookurl` | `SLACK_WEBHOOKURL` | | Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is **enabled** |
| `slack.channel` | `SLACK_CHANNEL` | | Override the Slack channel |
| `slack.footer` | `SLACK_FOOTER` | `https://github.com/falcosecurity/falcosidekick` | Slack footer |
| `slack.icon` | `SLACK_ICON` | `https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png` | Slack icon (avatar) |
| `slack.username` | `SLACK_USERNAME` | `Falcosidekick` | Slack username |
| `slack.outputformat` | `SLACK_OUTPUTFORMAT` | `all` | Slack message format: `all`, `text`, `field` |
| `slack.messageformat` | `SLACK_MESSAGEFORMAT` | | A Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`, see [Message Formatting](#message-formatting) in the README for details. If empty, no Text is displayed before Attachment. |
| `slack.minimumpriority` | `SLACK_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
slack:
webhookurl: "" # Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
# channel: "" # Override the Slack channel
# footer: "" # Slack footer (default: https://github.com/falcosecurity/falcosidekick)
# icon: "" # Slack icon (avatar)
# username: "" # Slack username (default: Falcosidekick)
# outputformat: "all" # all (default), text, fields
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# messageformat: 'Alert : rule *{{ .Rule }}* triggered by user *{{ index .OutputFields "user.name" }}*' # a Go template to format Slack Text above Attachment, displayed in addition to the output from `SLACK_OUTPUTFORMAT`. If empty, no Text is displayed before Attachment.
```
## Additional info
### Message Formatting
The `SLACK_MESSAGEFORMAT` environment variable and `slack.messageformat` YAML value accept a [Go template](https://golang.org/pkg/text/template/) which can be used to format the text of a Slack alert.
These templates are evaluated on the JSON data from each Falco event. The following fields are available:
| Template Syntax | Description |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `{{ .Output }}` | A formatted string from Falco describing the event. |
| `{{ .Priority }}` | The priority of the event, as a string. |
| `{{ .Rule }}` | The name of the rule that generated the event. |
| `{{ .Time }}` | The timestamp when the event occurred. |
| `{{ index .OutputFields \"<field name>\" }}` | A map of additional optional fields emitted depending on the event. These may not be present for every event, in which case they expand to the string `<no value>` |
Go templates also support some basic methods for text manipulation which can be used to improve the clarity of alerts - see the documentation for details.
## Screenshots
(SLACK_OUTPUTFORMAT="**all**")
![slack example](images/slack.png)
(SLACK_OUTPUTFORMAT="**text**")
![slack no fields example](images/slack_no_fields.png)
(SLACK_OUTPUTFORMAT="**fields**" and SLACK_MESSAGEFORMAT="**Alert: rule \*{{ .Rule }}\* triggered by user \*{{ index .OutputFields \"user.name\" }}\***")
![slack message format example](images/slack_fields_messageformat.png)


@ -1,65 +0,0 @@
# SMTP
- **Category**: Email
- **Website**: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
## Table of content
- [SMTP](#smtp)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------- | ---------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `smtp.hostport` | `SMTP_HOSTPORT` | | host:port address of SMTP server, if not empty, SMTP output is **enabled** |
| `smtp.tls` | `SMTP_TLS` | `true` | Use TLS connection (true/false) |
| `smtp.authmechanism` | `SMTP_AUTHMECHANISM` | `plain` | SASL Mechanisms : `plain`, `oauthbearer`, `external`, `anonymous` or `none` (disable SASL) |
| `smtp.user` | `SMTP_USER` | | User for Plain Mechanism |
| `smtp.password` | `SMTP_PASSWORD` | | Password for Plain Mechanism |
| `smtp.token` | `SMTP_TOKEN` | | OAuthBearer token for OAuthBearer Mechanism |
| `smtp.identity` | `SMTP_IDENTITY` | | Identity string for Plain and External Mechanisms |
| `smtp.trace` | `SMTP_TRACE` | | Trace string for Anonymous Mechanism |
| `smtp.from` | `SMTP_FROM` | | Sender address (mandatory if SMTP output is enabled) |
| `smtp.to` | `SMTP_TO` | | Comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled) |
| `smtp.outputformat` | `SMTP_OUTPUTFORMAT` | `html` | `html`, `text` |
| `smtp.minimumpriority` | `SMTP_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
> [!WARNING]
The `smtp` can't work with the Office365 domains because of the authentication method used by the platform, it includes outlook.com, office365.com, hotmail.com, ...
## Example of config.yaml
```yaml
smtp:
hostport: "" # host:port address of SMTP server, if not empty, SMTP output is enabled
# tls: true # use TLS connection (true/false), default is "true"
# authmechanism: "plain" # SASL Mechanisms : plain, oauthbearer, external, anonymous or none (disable SASL). Default: plain
# user: "" # user for Plain Mechanism
# password: "" # password for Plain Mechanism
# token: "" # OAuthBearer token for OAuthBearer Mechanism
# identity: "" # identity string for Plain and External Mechanisms
# trace: "" trace string for Anonymous Mechanism
# from: "" # Sender address (mandatory if SMTP output is enabled)
# to: "" # comma-separated list of Recipident addresses, can't be empty (mandatory if SMTP output is enabled)
# outputformat: "" # html (default), text
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Screenshots
(SMTP_OUTPUTFORMAT="**html**")
![smtp html example](images/smtp_html.png)
(SMTP_OUTPUTFORMAT="**text**")
![smtp plaintext example](images/smtp_plaintext.png)


@ -1,43 +0,0 @@
# Spyderbat
- **Category**: Metrics / Observability
- **Website**: https://www.spyderbat.com/
## Table of content
- [Spyderbat](#spyderbat)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------------- | ----------------------------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `spyperbat.orgui` | `SPYPERBAT_ORGUID` | | Organization to send output to, if not empty, Spyderbat output is **enabled** |
| `spyperbat.apikey` | `SPYPERBAT_APIKEY` | | Spyderbat API key with access to the organization |
| `spyperbat.apiurl` | `SPYPERBAT_APIURL` | `https://api.spyderbat.com` | Spyderbat API url |
| `spyperbat.source` | `SPYPERBAT_SOURCE` | `falcosidekick` | Spyderbat source ID, max 32 characters |
| `spyperbat.sourcedescription` | `SPYPERBAT_SOURCEDESCRIPTION` | | Spyderbat source description and display name if not empty, max 256 characters |
| `spyperbat.minimumpriority` | `SPYPERBAT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
spyderbat:
orguid: "" # Organization to send output to, if not empty, Spyderbat output is enabled
apikey: "" # Spyderbat API key with access to the organization
# apiurl: "https://api.spyderbat.com" # Spyderbat API url (default: "https://api.spyderbat.com")
# source: "falcosidekick" # Spyderbat source ID, max 32 characters (default: "falcosidekick")
# sourcedescription: "" # Spyderbat source description and display name if not empty, max 256 characters
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
## Screenshots


@ -1,44 +0,0 @@
# STAN
- **Category**: Message queue / Streaming
- **Website**: https://docs.nats.io/nats-streaming-concepts/intro
## Table of content
- [STAN](#stan)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------- | ---------------------- | ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `stan.hostport` | `STAN_HOSTPORT` | | stan://{domain or ip}:{port}, if not empty, STAN output is **enabled** |
| `stan.subjecttemplate` | `STAN_SUBJECTTEMPLATE` | `falco.<priority>.<rule>` | Template for the subject, tokens <priority> and <rule> will be automatically replaced |
| `stan.clusterid` | `STAN_CLUSTERID` | | Cluster name (mandatory) |
| `stan.clientid` | `STAN_CLIENTID` | | Client ID (mandatory) |
| `stan.checkcert` | `STAN_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `stan.minimumpriority` | `STAN_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
stan:
hostport: "" # stan://{domain or ip}:{port}, if not empty, STAN output is enabled
clusterid: "" # Cluster name (mandatory)
clientid: "" # Client ID (mandatory)
# subjecttemplate: "falco.<priority>.<rule>" # template for the subject, tokens <priority> and <rule> will be automatically replaced (default: falco.<priority>.<rule>)
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Additional info
## Screenshots


@ -1,38 +0,0 @@
# StatsD
- **Category**: Metrics / Observability
- **Website**: https://github.com/statsd/statsd
## Table of content
- [StatsD](#statsd)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------ | ------------------ | ---------------- | ------------------------------------------------------------------------------------------------- |
| `statsd.forwarder` | `STATSD_FORWARDER` | | The address for the StatsD forwarder, in the form "host:port", if not empty StatsD is **enabled** |
| `statsd.namespace` | `STATSD_NAMESPACE` | `falcosidekick.` | A prefix for all metrics |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
statsd:
forwarder: "" # The address for the StatsD forwarder, in the form "host:port", if not empty StatsD is enabled
namespace: "falcosidekick." # A prefix for all metrics (default: "falcosidekick.")
```
## Additional info
> [!NOTE]
This output is used to collect metrics about Falco events and Falcosidekick outputs.
## Screenshots


@ -1,46 +0,0 @@
# SumoLogic
- **Category**: Logs
- **Website**: https://www.sumologic.com/
## Table of content
- [SumoLogic](#sumologic)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ---------------------- | ---------------------- | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `sumologic.receiverurl` | `SUMOLOGIC_RECEIVERURL` | | https://[SumoEndpoint]/receiver/v1/http/[UniqueHTTPCollectorCode], if not empty, SumoLogic output is **enabled** |
| `sumologic.sourcecategory` | `SUMOLOGIC_SOURCECATEGORY` | | Override the default Source Category for the collector |
| `sumologic.sourcehost` | `SUMOLOGIC_SOURCEHOST` | | Override the default Source Host for the collector |
| `sumologic.name` | `SUMOLOGIC_NAME` | | Override the default Name for the collector |
| `sumologic.checkcert` | `SUMOLOGIC_CHECKCERT` | | Check if ssl certificate of the output is valid |
| `sumologic.minimumpriority` | `SUMOLOGIC_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
sumologic:
receiverURL: "" # Sumologic HTTP Source URL, if not empty, Sumologic output is enabled
# sourceCategory: "" # Override the default Sumologic Source Category
# sourceHost: "" # Override the default Sumologic Source Host
# Name: "" # Override the default Sumologic Source Name
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Screenshots
With SumoLogic
![sumologic example](images/sumologic.png)


@ -1,44 +0,0 @@
# Syslog
- **Category**: Syslog
- **Website**: https://en.wikipedia.org/wiki/Syslog
## Table of content
- [Syslog](#syslog)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ------------------------ | ------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `syslog.host` | `SYSLOG_HOST` | | Syslog host, if not empty, Syslog output is enabled |
| `syslog.port` | `SYSLOG_PORT` | | Syslog endpoint port number |
| `syslog.protocol` | `SYSLOG_PROTOCOL` | `tcp` | Syslog transport protocol. It can be either `tcp` or `udp` |
| `syslog.format` | `SYSLOG_FORMAT` | `json` | Syslog payload format. It can be either `json` or `cef` |
| `syslog.minimumpriority` | `SYSLOG_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
syslog:
host: "" # Syslog host, if not empty, Syslog output is enabled
port: "" # Syslog endpoint port number
# protocol: "" # Syslog transport protocol. It can be either "tcp" or "udp" (default: tcp)
# format: "" # Syslog payload format. It can be either "json" or "cef" (default: json)
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Additional info
```
# Recommended version rsyslogd 8.2102 or newer
rsyslogd -v to check the version
```
## Screenshots


@ -1,40 +0,0 @@
# Falco Talon
- **Category**: Response engine
- **Website**: https://docs.falco-talon.org
## Table of content
- [Falco Talon](#falco-talon)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Additional info](#additional-info)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------- | ----------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `talon.address` | `TALON_ADDRESS` | | Talon address, if not empty, Talon output is **enabled** |
| `talon.checkcert` | `TALON_CHECKCERT` | `true` | Check if ssl certificate of the output is valid |
| `talon.minimumpriority` | `TALON_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
talon:
address: "" # Talon address, if not empty, Talon output is enabled
# minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
# checkcert: true # check if ssl certificate of the output is valid (default: true)
```
## Additional info
> [!WARNING]
> Falco Talon is active under development and this integration may change in the future to reflect this evolution.
## Screenshots


@ -1,46 +0,0 @@
# Teams
- **Category**: Chat/Messaging
- **Website**: https://teams.com
## Table of content
- [Teams](#teams)
- [Table of content](#table-of-content)
- [Configuration](#configuration)
- [Example of config.yaml](#example-of-configyaml)
- [Screenshots](#screenshots)
## Configuration
| Setting | Env var | Default value | Description |
| ----------------------- | ----------------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| `teams.webhookurl` | `TEAMS_WEBHOOKURL` | | Teams WebhookURL, if not empty, Teams output is **enabled** |
| `teams.activityimage` | `TEAMS_ACTIVITYIMAGE` | `https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png` | Image for message section |
| `teams.outputformat` | `TEAMS_OUTPUTFORMAT` | `all` | `all`, `text`, `facts` |
| `teams.minimumpriority` | `TEAMS_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
> [!NOTE]
The Env var values override the settings from yaml file.
## Example of config.yaml
```yaml
teams:
webhookurl: "" # Teams WebhookURL, if not empty, Teams output is enabled
# activityimage: "" # Image for message section
# outputformat: "text" # all (default), text, facts
# minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default)
```
## Screenshots
(TEAMS_OUTPUTFORMAT="**all**")
![teams example](images/teams.png)
(TEAMS_OUTPUTFORMAT="**text**")
![teams facts only](images/teams_text.png)
