falco-exporter
Prometheus Metrics Exporter for Falco output events
Prerequisites
- Before using falco-exporter, you need Falco installed and running with the gRPC Output enabled (over Unix socket by default).
- Since falco-exporter
v0.3.0:- the minimum required version of Falco is
0.24.0 - if using Helm, the minimum required version of the Falco Chart is
v1.2.0
- the minimum required version of Falco is
- Since falco-exporter
v0.8.0:- the default Unix socket path is
/run/falco/falco.sockto be compatible with Falco 0.33.0 and later (in previous version it defaulted to/var/run/falco.sock)
- the default Unix socket path is
Usage
Run it manually
make
./falco-exporterThen check the metrics endpoint at http://localhost:9376/metrics
Command line usage:
$ ./falco-exporter --help
Usage of ./falco-exporter:
--client-ca string CA root file path for connecting to a Falco gRPC server (default "/etc/falco/certs/ca.crt")
--client-cert string cert file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.crt")
--client-hostname string hostname for connecting to a Falco gRPC server, if set, takes precedence over --client-socket
--client-key string key file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.key")
--client-port uint16 port for connecting to a Falco gRPC server (default 5060)
--client-socket string unix socket path for connecting to a Falco gRPC server (default "unix:///run/falco/falco.sock")
--listen-address string address on which to expose the Prometheus metrics (default ":9376")
--probes-listen-address string address on which to expose readiness/liveness probes endpoints (default ":19376")
--server-ca string CA root file path for metrics https server
--server-cert string cert file path for metrics https server
--server-key string key file path for metrics https server
--timeout duration timeout for initial gRPC connection (default 2m0s)
Run with Docker
To run falco-exporter in a container using Docker:
docker run -v /path/to/falco.sock:/run/falco/falco.sock falcosecurity/falco-exporterDeploy in Kubernetes
Using Helm
Using the falco-exporter Helm Chart is the easiest way to deploy falco-exporter.
Before installing the chart, add the falcosecurity charts repository:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo updateFinally, to install the chart with the release name falco-exporter and default configuration values:
helm install falco-exporter falcosecurity/falco-exporterThe full documentation of the Helm Chart is here.
Using resource templates
Alternatively, it is possible to deploy falco-exporter without using Helm. Templates for manual installation are here.
Grafana
The Falco dashboard can be imported into Grafana by copy-paste the provided grafana/dashboard.json or by getting it from the Grafana Dashboards website.
You can find detailed Grafana importing instructions here.
Event priority
Falco events have a priority value, as defined here.
The exported metrics will include a priority label that uses a numeric index. The meaning of these indices is reported in the following table.
| ID | Priority |
|---|---|
| 7 | debug |
| 6 | informational |
| 5 | notice |
| 4 | warning |
| 3 | error |
| 2 | critical |
| 1 | alert |
| 0 | emergency |
Connection options
falco-exporter uses gRPC over a Unix socket by default.
You may change this behavior by setting --client-hostname. Note that the Falco gRPC server over the network works only with mutual TLS by design. Therefore, when --client-hostname is set you also need valid certificate files to configure falco-exporter properly (see the Command line usage above).