  • Stars: 108
  • Rank 321,259 (Top 7 %)
  • Language: Go
  • License: Apache License 2.0
  • Created about 5 years ago
  • Updated 8 months ago

Repository Details

Prometheus Metrics Exporter for Falco output events

falco-exporter

Prerequisites

  • Before using falco-exporter, you need Falco installed and running with the gRPC Output enabled (over Unix socket by default).
  • Since falco-exporter v0.3.0:
    • the minimum required version of Falco is 0.24.0
    • if using Helm, the minimum required version of the Falco Chart is v1.2.0
  • Since falco-exporter v0.8.0:
    • the default Unix socket path is /run/falco/falco.sock, to be compatible with Falco 0.33.0 and later (in previous versions it defaulted to /var/run/falco.sock)

Usage

Run it manually

make
./falco-exporter

Then check the metrics endpoint at http://localhost:9376/metrics

Command line usage:

$ ./falco-exporter --help
Usage of ./falco-exporter:
      --client-ca string               CA root file path for connecting to a Falco gRPC server (default "/etc/falco/certs/ca.crt")
      --client-cert string             cert file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.crt")
      --client-hostname string         hostname for connecting to a Falco gRPC server, if set, takes precedence over --client-socket
      --client-key string              key file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.key")
      --client-port uint16             port for connecting to a Falco gRPC server (default 5060)
      --client-socket string           unix socket path for connecting to a Falco gRPC server (default "unix:///run/falco/falco.sock")
      --listen-address string          address on which to expose the Prometheus metrics (default ":9376")
      --probes-listen-address string   address on which to expose readiness/liveness probes endpoints (default ":19376")
      --server-ca string               CA root file path for metrics https server
      --server-cert string             cert file path for metrics https server
      --server-key string              key file path for metrics https server
      --timeout duration               timeout for initial gRPC connection (default 2m0s)

Run with Docker

To run falco-exporter in a container using Docker:

docker run -v /path/to/falco.sock:/run/falco/falco.sock falcosecurity/falco-exporter

Deploy in Kubernetes

Using Helm

Using the falco-exporter Helm Chart is the easiest way to deploy falco-exporter.

Before installing the chart, add the falcosecurity charts repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Finally, to install the chart with the release name falco-exporter and default configuration values:

helm install falco-exporter falcosecurity/falco-exporter

The full documentation of the Helm Chart is here.

Using resource templates

Alternatively, it is possible to deploy falco-exporter without using Helm. Templates for manual installation are here.

Grafana

The Falco dashboard can be imported into Grafana by copying and pasting the provided grafana/dashboard.json or by getting it from the Grafana Dashboards website.

You can find detailed Grafana importing instructions here.

Event priority

Falco events have a priority value, as defined here. The exported metrics will include a priority label that uses a numeric index. The meaning of these indices is reported in the following table.

ID Priority
7 debug
6 informational
5 notice
4 warning
3 error
2 critical
1 alert
0 emergency
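
Because the index gets smaller as severity rises, a filter for "error or worse" is priority <= 3, not >= 3. The following is an added example, not code from the falco-exporter project: it parses a constructed /metrics scrape and sums events per priority name at or above a chosen severity. The metric name falco_events and the rule label are assumptions, and the rule names and counts are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// priorityNames maps the numeric "priority" label to its name (table above).
var priorityNames = []string{"emergency", "alert", "critical", "error",
	"warning", "notice", "informational", "debug"}

// Constructed scrape of the /metrics endpoint. The metric name "falco_events"
// and the "rule" label are assumptions; rule names and counts are made up.
const sample = `# TYPE falco_events counter
falco_events{priority="4",rule="example rule a"} 3
falco_events{priority="2",rule="example rule b"} 1
falco_events{priority="5",rule="example rule c"} 7
falco_events{priority="2",rule="example rule d"} 2
falco_events{priority="3",rule="example rule e"} 4
falco_events{priority="9",rule="out-of-range index"} 1
`

// eventRe captures the priority label and the sample value of one series.
var eventRe = regexp.MustCompile(
	`(?m)^falco_events\{(?:.*,)?priority="([^"]*)".*\}[ \t]+(\S+)`)

// CountAtOrAbove sums counters per priority name for every priority at least
// as severe as minSeverity. Lower index means more severe, so the filter is
// idx <= minSeverity. Indices outside 0..7 are reported instead of dropped.
func CountAtOrAbove(metrics string, minSeverity int) (map[string]float64, []string) {
	counts, unknown := map[string]float64{}, []string{}
	for _, m := range eventRe.FindAllStringSubmatch(metrics, -1) {
		idx, err := strconv.Atoi(m[1])
		if err != nil || idx < 0 || idx >= len(priorityNames) {
			unknown = append(unknown, m[1])
			continue
		}
		if v, err := strconv.ParseFloat(m[2], 64); err == nil && idx <= minSeverity {
			counts[priorityNames[idx]] += v
		}
	}
	return counts, unknown
}

func main() {
	counts, unknown := CountAtOrAbove(sample, 3) // 3 = error, so error or worse
	fmt.Println(counts, unknown)
}
```
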

Connection options

falco-exporter uses gRPC over a Unix socket by default.

You may change this behavior by setting --client-hostname. Note that the Falco gRPC server over the network works only with mutual TLS by design. Therefore, when --client-hostname is set you also need valid certificate files to configure falco-exporter properly (see the Command line usage above).
