By default, Falco has 5 outputs for its events: stdout, file, gRPC, shell and http. As you see in the following diagram:
Even if they’re convenient, we can quickly be limited when integrating Falco with other components. Here comes falcosidekick, a little daemon that extends that number of possible outputs.
The current list of available falcosidekick outputs (version 2.13.0) is:
- Slack
- Rocketchat
- Mattermost
- Teams
- Datadog
- AlertManager
- Elasticsearch
- Loki
- NATS
- Influxdb
- AWS Lambda
- AWS SQS
- SMTP (email)
- Opsgenie
- Webhook
Beyond that, it provides metrics about the number of events and lets you add custom fields to events, for example environment, region, etc.

In this article, we’ll see how to integrate it in Kubernetes alongside Falco with Helm (version 3).
For installing Falco with Helm, see the community chart:

```shell
kubectl -n falco get pods
NAME          READY   STATUS    RESTARTS   AGE
falco-562mb   1/1     Running   0          3m10s
falco-pvl27   1/1     Running   0          3m10s
falco-d4mgr   1/1     Running   0          3m10s
```
We’ll send the events in a Slack channel for this tutorial, so [get your webhook URL](https:// first.
Install falcosidekick with helm:

```shell
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falcosidekick falcosecurity/falcosidekick --namespace falco --set config.slack.webhookurl="https://hooks.slack.com/services/XXXX"
```

```shell
kubectl -n falco get pods
NAME                            READY   STATUS    RESTARTS   AGE
falco-562mb                     1/1     Running   0          65m
falco-pvl27                     1/1     Running   0          65m
falco-d4mgr                     1/1     Running   0          65m
falcosidekick-dddffd6bf-r6bwq   1/1     Running   0          42s
```
You can now test it with a typical port-forwarding:

```shell
kubectl port-forward svc/falcosidekick -n falco 2801:2801
curl -s http://localhost:2801/ping
pong
```

It’s alive!
Now, we send an event to Slack to test whether it works or not:

```shell
curl -sI http://localhost:2801/test
HTTP/1.1 200 OK
Date: Mon, 22 Jun 2020 21:13:48 GMT
```
In the logs you’ll get:

```shell
kubectl logs deployment/falcosidekick -n falco
2020/06/22 21:12:56 [INFO] : Enabled Outputs : Slack
2020/06/22 21:12:56 [INFO] : Falco Sidekick is up and listening on port 2801
2020/06/22 21:13:34 [DEBUG] : Test sent
```
And in Slack:
For Slack and some other outputs, the message format can be customized; more information in the README.

We’ll now add some custom fields and test a more realistic event.

Edit the values.yaml like this:

```yaml
customfields: "environment:production,datacenter:paris"
```
Send an event to falcosidekick:

```shell
curl "http://localhost:2801/" -d'{"output":"A more realistic test event","priority":"Error","rule":"Fake rule","time":"2020-06-22T23:28:00.746609046Z", "output_fields": {"evt.time":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}}'
```
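The same test event built and posted from Python, as an added example that is not part of the original post or of the falcosidekick project. It assumes falcosidekick is reachable at `http://localhost:2801/` through the port-forward above; `parse_customfields` only illustrates how the chart's `customfields` string splits into key/value pairs, and the event content is constructed.

```python
"""Build a Falco-format JSON event and POST it to a falcosidekick endpoint."""
import json
import urllib.request
from datetime import datetime, timezone

# Assumption: local port-forward to svc/falcosidekick, as in the tutorial.
FALCOSIDEKICK_URL = "http://localhost:2801/"


def parse_customfields(spec):
    """Split a 'key:value,key:value' string (the chart's customfields format)
    into a dict. Blank items are skipped; values may themselves contain ':'."""
    fields = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def build_event(rule, output, priority, output_fields, when=None):
    """Return a dict shaped like Falco's JSON output (jsonOutput: true,
    jsonIncludeOutputProperty: true), which is what falcosidekick accepts."""
    when = when or datetime.now(timezone.utc)
    return {
        "output": output,
        "priority": priority,
        "rule": rule,
        "time": when.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "output_fields": dict(output_fields),
    }


def post_event(event, url=FALCOSIDEKICK_URL, timeout=5):
    """POST the event as JSON; return the HTTP status code (200 on success)."""
    body = json.dumps(event).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    evt = build_event("Fake rule", "A more realistic test event", "Error",
                      {"fd.name": "/bin/hack", "proc.cmdline": "touch /bin/hack",
                       "user.name": "root"})
    print(post_event(evt))  # constructed event; prints 200 when delivered
```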
Last but not least, it’s time to use falcosidekick as the output processor for our beloved Falco.

In the falco Helm chart folder, edit values.yaml:

```yaml
jsonOutput: true
jsonIncludeOutputProperty: true
httpOutput:
  enabled: true
  url: "http://falcosidekick:2801/"
```

```shell
helm upgrade falco . --namespace falco
Release "falco" has been upgraded. Happy Helming!
```
And that’s it!
Enjoy