If you’d like to check that Falco is working properly, we provide the event-generator tool, which performs activity that matches both our syscall and k8s audit related rules.
The tool provides a command to run either some or all of the sample events:
event-generator run [regexp]
Without arguments it runs all actions, otherwise only those actions matching the given regular expression.
The full command line documentation is here.
Downloads
Artifacts | Version
---|---
binaries | download link
container images | docker pull falcosecurity/event-generator:latest
Sample events
System Call Activity
Some actions modify files and directories below /bin, /etc, /dev, etc.
The syscall collection performs a variety of suspect actions that are detected by the default Falco ruleset.
docker run -it --rm falcosecurity/event-generator run syscall --loop
The above command loops forever, incessantly generating a sample event each second.
Kubernetes Auditing Activity
The k8saudit
collection generates activity that matches the k8s audit event ruleset.
event-generator run k8saudit --loop
The above command loops forever, creating resources in the current namespace and deleting them after each iteration. Use the --namespace option to choose a different namespace.
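Once either collection is looping, the practical question is whether Falco actually reported the generated activity. The following checker is an added example (not part of the Falco docs or the event-generator project): it reads Falco's JSON output (one event per line, as produced with json_output enabled), counts how many times each rule fired, and lists the expected rules that never appeared. The embedded log lines are constructed, and the expected rule names are assumptions taken from the default ruleset; substitute the rules your ruleset is supposed to fire for the actions you ran.

```python
"""Verify that Falco reported the rules the event-generator should trigger."""
import json

# Constructed sample of Falco JSON output (json_output=true); not a real capture.
SAMPLE_FALCO_JSON = """\
{"output":"...","priority":"Error","rule":"Write below etc","time":"2024-01-01T00:00:01.000000000Z","source":"syscall","output_fields":{"container.name":"event-generator"}}
Falco initialized with configuration file /etc/falco/falco.yaml
{"output":"...","priority":"Warning","rule":"Read sensitive file untrusted after startup","time":"2024-01-01T00:00:02.000000000Z","source":"syscall","output_fields":{}}
{"output":"...","priority":"Notice","rule":"Write below etc","time":"2024-01-01T00:00:03.000000000Z","source":"syscall","output_fields":{}}
"""

# Assumed expected rules for a short syscall run; adjust to your ruleset.
EXPECTED_RULES = ["Write below etc",
                  "Read sensitive file untrusted after startup",
                  "Terminal shell in container"]


def parse_falco_events(lines):
    """Return the JSON events in a Falco log, skipping non-JSON lines (banners, warnings)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain-text startup messages are interleaved with JSON events
        if isinstance(obj, dict) and "rule" in obj:
            events.append(obj)
    return events


def check_expected_rules(lines, expected, source=None):
    """Count firings per expected rule; optionally restrict to one event source."""
    events = parse_falco_events(lines)
    if source is not None:
        # Older Falco versions omit "source"; treat missing as syscall.
        events = [e for e in events if e.get("source", "syscall") == source]
    counts = {rule: 0 for rule in expected}
    for ev in events:
        if ev["rule"] in counts:
            counts[ev["rule"]] += 1
    missing = sorted(rule for rule, n in counts.items() if n == 0)
    return {"counts": counts, "missing": missing, "total_events": len(events)}


if __name__ == "__main__":
    result = check_expected_rules(SAMPLE_FALCO_JSON.splitlines(), EXPECTED_RULES)
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if result["missing"] else 0)
```

In practice, pipe the real Falco output into the script (for example from a file written by file_output, or from the container logs) instead of the constructed sample.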
Running the Event Generator in K8s
We’ve also provided K8s resource object files that make it easy to run the event generator in K8s clusters:
role-rolebinding-serviceaccount.yaml: creates a Service Account, Cluster Role, and Role for the falco-event-generator service account.
event-generator.yaml: creates a deployment that runs all sample events in a loop.
run-as-job.yaml: creates a job that runs all sample events once.
For example, you can run the following to create the necessary objects in the current namespace and then generate events continuously:
kubectl apply -f deployment/role-rolebinding-serviceaccount.yaml \
-f deployment/event-generator.yaml
The above command applies to the default namespace. Use the --namespace option to deploy in a different namespace. Events will be generated in the same namespace.
You can also find more examples in the repository documentation.