Falco – Falco Outputshttps://v0-43--falcosecurity.netlify.app/docs/concepts/outputs/Recent content in Falco Outputs on FalcoHugo -- gohugo.ioenDocs: Output Channelshttps://v0-43--falcosecurity.netlify.app/docs/concepts/outputs/channels/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/concepts/outputs/channels/ <h2 id="standard-output">Standard Output</h2> <p>When configured to send alerts via standard output, a line is printed for each alert.</p> <p>Here is an example:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">stdout_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span></code></pre></div><pre tabindex="0"><code>10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow) </code></pre><p>Standard output is useful when using <a href="https://www.fluentd.org/">Fluentd</a> or <a href="https://www.elastic.co/logstash/">Logstash</a> to capture logs from containers. Alerts can then be stored in <a href="https://www.elastic.co/elasticsearch/">Elasticsearch</a>, and dashboards can be created to visualize the alerts. For more information, read <a href="https://sysdig.com/blog/kubernetes-security-logging-fluentd-falco/">this blog post</a>.</p> <h3 id="standard-output-buffering">Standard Output buffering</h3> <p>If the logs are inspected by tailing container logs (e.g. <code>kubectl logs -f</code> in Kubernetes) it might look like events can take a long time to appear, sometimes longer than 15 minutes. This is not an issue with Falco but is simply a side effect of the system output buffering.</p> <p>However, if realtime update of these logs is necessary it can be forced with the <code>-U/--unbuffered</code> command line option which will ensure the output is flushed for every event at the cost of higher CPU usage.</p> <h2 id="file-output">File Output</h2> <p>When configured to send alerts to a file, a message is written to the file for each alert. The configuration is very similar to the <a href="https://v0-43--falcosecurity.netlify.app/docs/outputs/channels/#standard-output">Standard Output</a> format:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">file_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">keep_alive</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">filename</span>:<span style="color:#bbb"> </span>./events.txt<span style="color:#bbb"> </span></span></span></code></pre></div><p>When the field <code>keep_alive</code> is set to <code>false</code> (default value), for each single alert:</p> <ul> <li>the file is opened for appending</li> <li>the single alert is written</li> <li>the file is closed</li> </ul> <p>If <code>keep_alive</code> is set to <code>true</code>, the file is opened before the first alert, and kept open for all subsequent alerts. Output is buffered and will be flushed only on close. (This can be changed with the <code>--unbuffered</code> command line option).</p> <p>Notice that, regardless <code>keep_alive</code> settings, Falco neither rotates nor truncates the output file. If you'd like to use a program like <a href="https://github.com/logrotate/logrotate">logrotate</a> to rotate the output file, an example logrotate config is available <a href="https://github.com/falcosecurity/falco/blob/ffd8747ec0943db2546c3270826e1700dc4df75f/examples/logrotate/falco">here</a>.</p> <p>As of Falco <code>0.10.0</code>, Falco will close and reopen its file output when signaled with <code>SIGUSR1</code>. The logrotate example above depends on it.</p> <h2 id="syslog-output">Syslog Output</h2> <p>When configured to send alerts to syslog, a syslog message is sent for each alert. The actual format depends on your syslog daemon, but here's a simple configuration example:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">syslog_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>And its respective entry in the syslog service:</p> <pre tabindex="0"><code>Jun 7 10:20:05 ubuntu falco: Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow) </code></pre> <div class="alert alert-primary" role="alert"> Syslog messages are sent with a facility of <strong><code>LOG_USER</code></strong>.<br> The rule's priority is used as the priority of the syslog message. </div> <h2 id="program-output">Program Output</h2> <p>When configured to send alerts to a program, Falco normally starts the program for each alert and writes its contents to the program's standard input. You can only configure a single program output (e.g. route alerts to a single program) at a time.</p> <p>Here you can find an example of how to configure the <code>program_output</code> inside the <code>falco.yaml</code> file:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">program_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">keep_alive</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">program</span>:<span style="color:#bbb"> </span>mail -s &#34;Falco Notification&#34; someone@example.com<span style="color:#bbb"> </span></span></span></code></pre></div><p>If the program cannot normally accept an input from standard input, <code>xargs</code> can be used to pass the Falco events with an argument. For example:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">program_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">keep_alive</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">program</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;xargs -I {} aws --region ${region} sns publish --topic-arn ${falco_sns_arn} --message {}&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>When <code>keep_alive</code> is set to <code>false</code> (default value), for each alert Falco will run the program <code>mail -s ...</code> and write the alert to the program. The program is run via a shell, so it's possible to specify a command pipeline if you wish to add additional formatting.</p> <p>If <code>keep_alive</code> is set to <code>true</code>, before the first alert Falco will spawn the program and write the alert. The program pipe will be kept open for subsequent alerts. Output is buffered and will be flushed only on close. (This can be changed with the <code>--unbuffered</code> command line option).</p> <div class="alert alert-primary" role="alert"> <h4 class="alert-heading">Controlling the program output</h4> The program spawned by Falco is in the same process group as Falco and will receive all signals that Falco receives. If you want to, say, ignore <code>SIGTERM</code> to allow for a clean shutdown in the face of buffered outputs, you must override the signal handler yourself. <br> As of Falco <code>0.10.0</code>, Falco will close and reopen its file output when signaled with <code>SIGUSR1</code>. </div> <h3 id="example-1-posting-to-a-slack-incoming-webhook">Example 1: Posting to a Slack Incoming Webhook</h3> <p>If you'd like to send Falco notifications to a slack channel, here's the required configuration to massage the JSON output to a form required for the slack webhook endpoint:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Whether to output events in json or text</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">json_output</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>…<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">program_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">program</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;jq &#39;{text: .output}&#39; | curl -d @- -X POST https://hooks.slack.com/services/XXX&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="example-2-sending-alerts-to-network-channel">Example 2: Sending Alerts to Network Channel</h3> <p>If you'd like to send a stream of alerts over a network connection, here's an example:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Whether to output events in json or text</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">json_output</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span>…<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">program_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">keep_alive</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">program</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;nc host.example.com 1234&#34;</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>Note the use of <code>keep_alive: true</code> to keep the network connection persistent.</p> <h2 id="http-output">HTTP/HTTPS Output</h2> <p>If you'd like to send alerts to an HTTP(S) endpoint, you can use the <code>http_output</code> option:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">json_output</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">...</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">http_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">enabled</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">url</span>:<span style="color:#bbb"> </span>http://some.url/some/path/<span style="color:#bbb"> </span></span></span></code></pre></div><p>Currently, only unencrypted HTTP endpoints and valid HTTPS endpoints are supported (i.e., invalid or self-signed certificates are not supported).</p> <h2 id="json-output">JSON Output</h2> <p>For all output channels, you can switch to JSON output either in the configuration file or on the command line. For each alert, Falco will print a JSON object, on a single line, containing the following properties:</p> <ul> <li><code>time</code>: the time of the alert, in ISO8601 format.</li> <li><code>rule</code>: the rule that resulted in the alert.</li> <li><code>priority</code>: the priority of the rule that generated the alert.</li> <li><code>output</code>: the formatted output string for the alert.</li> <li><code>hostname</code>: the name of the host running Falco (can be the hostname inside the container).</li> <li><code>tags</code>: the list of tags associated with the rule.</li> <li><code>output_fields</code>: for each templated value in the output expression, the value of that field from the event that triggered the alert.</li> </ul> <blockquote> <p>Notice that, besides the ones included automatically, you can also include additional fields to <code>output_fields</code> through <code>append_output</code> settings in the <a href="https://github.com/falcosecurity/falco/blob/master/falco.yaml">configuration</a>.</p> </blockquote> <p>Here's an example:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-javascript" data-lang="javascript"><span style="display:flex;"><span>{<span style="color:#b44">&#34;hostname&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;falco-xczjd&#34;</span>,<span style="color:#b44">&#34;output&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;13:44:05.478445995: Critical A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=kubecon container=ee97d9c4186f shell=sh parent=runc cmdline=sh -c clear; (bash || ash || sh) terminal=34816 container_id=ee97d9c4186f image=docker.io/library/alpine)&#34;</span>,<span style="color:#b44">&#34;priority&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;Critical&#34;</span>,<span style="color:#b44">&#34;rule&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;Terminal shell in container&#34;</span>,<span style="color:#b44">&#34;source&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;syscall&#34;</span>,<span style="color:#b44">&#34;tags&#34;</span><span style="color:#666">:</span>[<span style="color:#b44">&#34;container&#34;</span>,<span style="color:#b44">&#34;mitre_execution&#34;</span>,<span style="color:#b44">&#34;shell&#34;</span>],<span style="color:#b44">&#34;time&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;2023-05-25T13:44:05.478445995Z&#34;</span>, <span style="color:#b44">&#34;output_fields&#34;</span><span style="color:#666">:</span> {<span style="color:#b44">&#34;container.id&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;ee97d9c4186f&#34;</span>,<span style="color:#b44">&#34;container.image.repository&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;docker.io/library/alpine&#34;</span>,<span style="color:#b44">&#34;evt.time&#34;</span><span style="color:#666">:</span><span style="color:#666">1685022245478445995</span>,<span style="color:#b44">&#34;k8s.ns.name&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;default&#34;</span>,<span style="color:#b44">&#34;k8s.pod.name&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;kubecon&#34;</span>,<span style="color:#b44">&#34;proc.cmdline&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;sh -c clear; (bash || ash || sh)&#34;</span>,<span style="color:#b44">&#34;proc.name&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;sh&#34;</span>,<span style="color:#b44">&#34;proc.pname&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;runc&#34;</span>,<span style="color:#b44">&#34;proc.tty&#34;</span><span style="color:#666">:</span><span style="color:#666">34816</span>,<span style="color:#b44">&#34;user.loginuid&#34;</span><span style="color:#666">:-</span><span style="color:#666">1</span>,<span style="color:#b44">&#34;user.name&#34;</span><span style="color:#666">:</span><span style="color:#b44">&#34;root&#34;</span>}} </span></span></code></pre></div><p>Here's the same output, pretty-printed:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-javascript" data-lang="javascript"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;hostname&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;falco-xczjd&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;output&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;13:44:05.478445995: Critical A shell was spawned in a container with an attached terminal (user=root user_loginuid=-1 k8s.ns=default k8s.pod=kubecon container=ee97d9c4186f shell=sh parent=runc cmdline=sh -c clear; (bash || ash || sh) terminal=34816 container_id=ee97d9c4186f image=docker.io/library/alpine)&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;priority&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;Critical&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;rule&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;Terminal shell in container&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;source&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;syscall&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;tags&#34;</span><span style="color:#666">:</span> [ </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;container&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;mitre_execution&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;shell&#34;</span> </span></span><span style="display:flex;"><span> ], </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;time&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;2023-05-25T13:44:05.478445995Z&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;output_fields&#34;</span><span style="color:#666">:</span> { </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;container.id&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;ee97d9c4186f&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;container.image.repository&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;docker.io/library/alpine&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;evt.time&#34;</span><span style="color:#666">:</span> <span style="color:#666">1685022245478445995</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;k8s.ns.name&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;default&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;k8s.pod.name&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;kubecon&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;proc.cmdline&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;sh -c clear; (bash || ash || sh)&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;proc.name&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;sh&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;proc.pname&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;runc&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;proc.tty&#34;</span><span style="color:#666">:</span> <span style="color:#666">34816</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;user.loginuid&#34;</span><span style="color:#666">:</span> <span style="color:#666">-</span><span style="color:#666">1</span>, </span></span><span style="display:flex;"><span> <span style="color:#b44">&#34;user.name&#34;</span><span style="color:#666">:</span> <span style="color:#b44">&#34;root&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="grpc-output">gRPC Output</h2> <div class="card card-sm pageinfo pageinfo-warning my-4"> <div class="card-body"> <div class="card-text"> <p>The gRPC Output as well as the embedded gRPC server have been deprecated in Falco <code>0.43.0</code> and will be removed in a future release. Until removal and since Falco <code>0.43.0</code>, using any of them will result in a warning informing the user about the deprecation. Users are encouraged to leverage another output and/or Falcosidekick, as the usage will result in an error after the removal.</p> </div> </div> </div> <p>If you'd like to send alerts to an external program connected via gRPC API, you need to enable both the <code>grpc</code> and <code>grpc_output</code> options as described under the <a href="https://v0-43--falcosecurity.netlify.app/docs/grpc/#configuration">gRPC Configuration section</a>.</p>Docs: Alert Formattinghttps://v0-43--falcosecurity.netlify.app/docs/concepts/outputs/formatting/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/concepts/outputs/formatting/ <p>Previous guides introduced the <a href="https://v0-43--falcosecurity.netlify.app/docs/concepts/rules/basic-elements/#output">Output Fields of Falco Rules</a> and provided <a href="https://v0-43--falcosecurity.netlify.app/docs/concepts/rules/style-guide/#output-fields">Guidelines</a> on how to use them. This section highlights additional global formatting options for your deployment, complementing the information previously provided.</p> <p>Adding the same output field to multiple rules by manually editing rule files can be tedious. Fortunately, Falco provides several ways to simplify this process:</p> <ul> <li>Using the <code>append_output</code> configuration option in <code>falco.yaml</code> to add output text or fields to a subset of loaded rules</li> <li>Adding an override to a specific rule to replace its output</li> </ul> <h2 id="appending-extra-output-and-fields-with-append-output">Appending Extra Output and Fields with <code>append_output</code></h2> <p>The <code>append_output</code> option can be specified in the <code>falco.yaml</code> configuration file. You can use it to add extra output to rules specified by source, tag, name, or to all rules unconditionally. The <code>append_output</code> section is a list of items that are applied in the order they appear.</p> <p><strong>Example:</strong></p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">append_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#008000;font-weight:bold">match</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">source</span>:<span style="color:#bbb"> </span>syscall<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">extra_output</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;on CPU %evt.cpu&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">extra_fields</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#008000;font-weight:bold">home_directory</span>:<span style="color:#bbb"> </span><span style="color:#b44">&#34;${HOME}&#34;</span><span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- evt.hostname<span style="color:#bbb"> </span></span></span></code></pre></div><p>In this example:</p> <ul> <li>Every rule with the <code>syscall</code> source will have <code>on CPU %evt.cpu</code> appended at the end of the regular output line.</li> <li>The rule will also include the additional fields (<code>home_directory</code> and <code>evt.hostname</code>) in the JSON output under <code>output_fields</code>. These extra fields do not appear in the regular (text) output.</li> <li>Environment variables (like <code>$HOME</code>) expansion is supported in the configuration file, so for <code>extra_fields</code> as well.</li> </ul> <h3 id="matching-rules">Matching Rules</h3> <p>The <code>match</code> section allows you to filter which rules are modified:</p> <ul> <li><code>source</code>: filters rules by source (e.g., <code>syscall</code> or plugin names)</li> <li><code>rule</code>: filters by the complete rule name</li> <li><code>tags</code>: filters by a list of tags (all listed tags must be present)</li> </ul> <p>If multiple conditions are specified under <code>match</code>, all must be met for the entry to apply. If no conditions are specified—or <code>match</code> is omitted—then the entry applies to all rules.</p> <h2 id="adding-an-override-to-a-specific-rule">Adding an Override to a Specific Rule</h2> <p>Note that <code>append_output</code> only <em>adds</em> output to an existing rule; it does not remove or replace existing fields. To remove or replace output fields, you can add another rule file (loaded after the original) that uses an <a href="https://v0-43--falcosecurity.netlify.app/docs/rules/overriding/#append-and-replace-items-in-a-rule">override</a>. For example:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span>- <span style="color:#008000;font-weight:bold">rule</span>:<span style="color:#bbb"> </span>Read sensitive file trusted after startup<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span>A file (user=%user.name command=%proc.cmdline file=%fd.name) was read after startup<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">override</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#008000;font-weight:bold">output</span>:<span style="color:#bbb"> </span>replace<span style="color:#bbb"> </span></span></span></code></pre></div><h3 id="suggested-output-fields">Suggested Output Fields</h3> <p>By default, Falco can also include &quot;suggested&quot; fields from plugins implementing the extraction capabilities. This is especially useful if certain plugins mark some fields as recommended for output. Those fields will appear automatically in your alerts.</p> <p>Below is an example configuration entry that enables suggested output fields unconditionally for any source:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#008000;font-weight:bold">append_output</span>:<span style="color:#bbb"> </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>- <span style="color:#008000;font-weight:bold">suggested_output</span>:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># Enable the use of extractor plugins&#39; suggested fields for all matching sources.</span><span style="color:#bbb"> </span></span></span></code></pre></div><p>When <code>suggested_output</code> is set to <code>true</code>, any extractor plugin that provides &quot;suggested&quot; fields will add them to the output in the form <code>plugin_field_name=$plugin.field_name</code>.</p> <h3 id="command-line-usage">Command-Line Usage</h3> <p>You can also specify this option on the command line via the <code>-o</code> flag, for example:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>falco ... <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> -o <span style="color:#b44">&#39;append_output[]={&#34;match&#34;: {&#34;source&#34;: &#34;syscall&#34;}, &#34;extra_output&#34;: &#34;on CPU %evt.cpu&#34;, &#34;extra_fields&#34;: [&#34;evt.hostname&#34;]}&#39;</span> </span></span></code></pre></div>Docs: Alerts Forwardinghttps://v0-43--falcosecurity.netlify.app/docs/concepts/outputs/forwarding/Mon, 01 Jan 0001 00:00:00 +0000https://v0-43--falcosecurity.netlify.app/docs/concepts/outputs/forwarding/ <p>Falco alerts can easily be forwarded to third-party systems. Their JSON format allows them to be easily consumed for storage, analysis and reaction.</p> <h2 id="falcosidekick">Falcosidekick</h2> <p>Falcosidekick is a proxy forwarder that acts as a central point for any fleet of Falco instances, using their HTTP outputs to send alerts.</p> <p>It supports forwarding alerts to various outputs such as chat platforms, alerting systems, logs, storage services, and streaming systems.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/falcosidekick_forwarding.png" alt="Falcosidekick" loading="lazy" /> </p> <p>Falcosidekick can also add custom fields to the alerts, filter them by priority and expose a Prometheus metrics endpoint.</p> <p>The full documentation and the project repository are <a href="https://github.com/falcosecurity/falcosidekick">here</a>.</p> <p>Falcosidekick can be deployed with Falco in Kubernetes clusters with the official Falco <a href="https://github.com/falcosecurity/charts">Helm chart</a>.</p> <p>Its configuration can be made through a yaml file and/or env vars.</p> <h3 id="outputs">Outputs</h3> <div class="alert alert-primary" role="alert"> Follow the links to know what are the settings of each output. </div> <p>The available outputs in Falcosidekick are:</p> <p><em>Chat</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/slack.md"><strong>Slack</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rocketchat.md"><strong>Rocketchat</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mattermost.md"><strong>Mattermost</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/teams.md"><strong>Teams</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webex.md"><strong>Webex</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/discord.md"><strong>Discord</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/googlechat.md"><strong>Google Chat</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cliq.md"><strong>Zoho Cliq</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/telegram.md"><strong>Telegram</strong></a></li> </ul> <p><em>Metrics / Observability</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/datadog.md"><strong>Datadog</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/influxdb.md"><strong>Influxdb</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/statsd.md"><strong>StatsD</strong></a> (for monitoring of <code>falcosidekick</code>)</li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dogstatsd.md"><strong>DogStatsD</strong></a> (for monitoring of <code>falcosidekick</code>)</li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/prometheus.md"><strong>Prometheus</strong></a> (for both events and monitoring of <code>falcosidekick</code>)</li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/wavefront.md"><strong>Wavefront</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/spyderbat.md"><strong>Spyderbat</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/timescaledb.md"><strong>TimescaleDB</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/dynatrace.md"><strong>Dynatrace</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/otlp_metrics.md"><strong>OTEL Metrics</strong></a> (for both events and monitoring of <code>falcosidekick</code>)</li> </ul> <p><em>Alerting</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/alertmanager.md"><strong>AlertManager</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/opsgenie.md"><strong>Opsgenie</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/pagerduty.md"><strong>PagerDuty</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana_oncall.md"><strong>Grafana OnCall</strong></a></li> </ul> <p><em>Logs</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md"><strong>Elasticsearch</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/loki.md"><strong>Loki</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_cloudwatch_logs.md"><strong>AWS CloudWatchLogs</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/grafana.md"><strong>Grafana</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/syslog.md"><strong>Syslog</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs//zincsearch.md"><strong>Zincsearch</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openobserve.md"><strong>OpenObserve</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/sumologic.md"><strong>SumoLogic</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/quickwit.md"><strong>Quickwit</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/datadog_logs.md"><strong>Datadog Logs</strong></a></li> </ul> <p><em>Object Storage</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_s3.md"><strong>AWS S3</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_storage.md"><strong>GCP Storage</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_s3.md"><strong>Yandex S3 Storage</strong></a></li> </ul> <p><em>FaaS / Serverless</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_lambda.md"><strong>AWS Lambda</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_run.md"><strong>GCP Cloud Run</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_cloud_functions.md"><strong>GCP Cloud Functions</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/fission.md"><strong>Fission</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/cloudevents.md"><strong>KNative (CloudEvents)</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kubeless.md"><strong>Kubeless</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/openfaas.md"><strong>OpenFaaS</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/tekton.md"><strong>Tekton</strong></a></li> </ul> <p><em>Message queue / Streaming</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nats.md"><strong>NATS</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/stan.md"><strong>STAN (NATS Streaming)</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sqs.md"><strong>AWS SQS</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_sns.md"><strong>AWS SNS</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_kinesis.md"><strong>AWS Kinesis</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gcp_pub_sub.md"><strong>GCP PubSub</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafka.md"><strong>Apache Kafka</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/kafkarest.md"><strong>Kafka Rest Proxy</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/rabbitmq.md"><strong>RabbitMQ</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/azure_event_hub.md"><strong>Azure Event Hubs</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/yandex_datastreams.md"><strong>Yandex Data Streams</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/mqtt.md"><strong>MQTT</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/gotify.md"><strong>Gotify</strong></a></li> </ul> <p><em>Email</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/smtp.md"><strong>SMTP</strong></a></li> </ul> <p><em>Database</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/redis.md"><strong>Redis</strong></a></li> </ul> <p><em>Web</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/webhook.md"><strong>Webhook</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/nodered.md"><strong>Node-RED</strong></a></li> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/falcosidekick-ui.md"><strong>WebUI</strong></a></li> </ul> <p><em>SIEM</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/aws_security_lake.md"><strong>AWS Security Lake</strong></a></li> </ul> <p><em>Workflow</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/n8n.md"><strong>n8n</strong></a></li> </ul> <p><em>Traces</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/otlp_traces.md"><strong>OTEL Traces</strong></a></li> </ul> <p><em>Response engine</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/talon.md"><strong>Falco Talon</strong></a></li> </ul> <p><em>Other</em></p> <ul> <li><a href="https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/policy_report.md"><strong>Policy Report</strong></a></li> </ul> <h3 id="installation-in-kubernetes-with-helm">Installation in Kubernetes with Helm</h3> <p>See the available <a href="https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/values.yaml">Helm values</a> to configure Falcosidekick.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>-n falco --create-namespace <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set <span style="color:#b8860b">tty</span><span style="color:#666">=</span><span style="color:#a2f">true</span> </span></span></code></pre></div><h3 id="installation-in-docker">Installation in Docker</h3> <p>Use the env vars to configure Falcosidekick.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>docker run -d -p 2801:2801 -e <span style="color:#b8860b">SLACK_WEBHOOKURL</span><span style="color:#666">=</span>XXXX falcosecurity/falcosidekick:2.27.0 </span></span></code></pre></div><h3 id="installation-on-the-host">Installation on the host</h3> <p>Adapt the version and the architecture to your environment. You can find all the releases <a href="https://github.com/falcosecurity/falcosidekick/releases">here</a>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>sudo mkdir -p /etc/falcosidekick </span></span><span style="display:flex;"><span>wget https://github.com/falcosecurity/falcosidekick/releases/download/2.27.0/falcosidekick_2.27.0_linux_amd64.tar.gz <span style="color:#666">&amp;&amp;</span> sudo tar -C /usr/local/bin/ -xzf falcosidekick_2.27.0_linux_amd64.tar.gz </span></span></code></pre></div><p>See the example config file to create your own in <code>/etc/falcosidekick/config.yaml</code>.</p> <p>To enable and start the service, you can use a systemd unit <code>/etc/systemd/system/falcosidekick.service</code> like this one:</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#666">[</span>Unit<span style="color:#666">]</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">Description</span><span style="color:#666">=</span>Falcosidekick </span></span><span style="display:flex;"><span><span style="color:#b8860b">After</span><span style="color:#666">=</span>network.target </span></span><span style="display:flex;"><span><span style="color:#b8860b">StartLimitIntervalSec</span><span style="color:#666">=</span><span style="color:#666">0</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#666">[</span>Service<span style="color:#666">]</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">Type</span><span style="color:#666">=</span>simple </span></span><span style="display:flex;"><span><span style="color:#b8860b">Restart</span><span style="color:#666">=</span>always </span></span><span style="display:flex;"><span><span style="color:#b8860b">RestartSec</span><span style="color:#666">=</span><span style="color:#666">1</span> </span></span><span style="display:flex;"><span><span style="color:#b8860b">ExecStart</span><span style="color:#666">=</span>/usr/local/bin/falcosidekick -c /etc/falcosidekick/config.yaml </span></span><span style="display:flex;"><span>EOF </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>systemctl <span style="color:#a2f">enable</span> falcosidekick </span></span><span style="display:flex;"><span>systemctl start falcosidekick </span></span></code></pre></div><h2 id="falcosidekick-ui">Falcosidekick UI</h2> <p>Falcosidekick comes with its own interface to visualize the events and get statistics.</p> <p><img src="https://v0-43--falcosecurity.netlify.app/docs/images/falcosidekick_forwarding_ui_1.png" alt="Falcosidekick UI" loading="lazy" /> </p> <h3 id="installation-in-kubernetes-with-helm-1">Installation in Kubernetes with Helm</h3> <p>You can install the UI at the same moment as Falcosidekick by adding the argument <code>--set falcosidekick.webui.enabled=true</code>.</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>helm install falco falcosecurity/falco <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>-n falco --create-namespace <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set falcosidekick.webui.enabled<span style="color:#666">=</span><span style="color:#a2f">true</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span>--set <span style="color:#b8860b">tty</span><span style="color:#666">=</span><span style="color:#a2f">true</span> </span></span></code></pre></div><p>Then create a port-forward to access it: <code>kubectl port-forward svc falco-falcosidekick-ui 2802:2802 -n falco</code>. The default credentials are <code>admin/admin</code>.</p> <p>The full documentation and the repository of the project are <a href="https://github.com/falcosecurity/falcosidekick-ui">here</a>.</p>