Falco

Supported OS Linux Windows Mac OS

Integration version2.0.0
Falco - Alerts

Overview

Falco is a cloud-native security tool. It provides near real-time threat detection for cloud, container, and Kubernetes workloads by leveraging runtime insights. Falco can monitor events defined with customizable rules from various sources, including the Linux kernel, and enrich them with metadata from the Kubernetes API server, container runtime, and more. This integration ingests the following logs:

  • Alert: Represents details such as the rule name, description, condition, output message, priority level, and tags

The Falco integration seamlessly ingests the data of Falco logs using the webhook. Before ingestion of the data, it normalizes and enriches the logs, ensuring a consistent data format and enhancing information content for downstream processing and analysis. The integration provides insights into alert logs through the out-of-the-box dashboards.

Setup

Configuration

Metric collection

Falco exposes Prometheus-formatted metrics that provide observability into its runtime, event processing, and security posture. The Datadog Agent can collect these metrics using the OpenMetrics integration. Follow the steps below to enable and configure metric collection from Falco.

1. Enable Prometheus Metrics in Falco

Edit your falco.yaml configuration file to enable the metrics endpoint:

metrics:
  enabled: true
  listen_address: "<FALCO_HOST>"
  listen_port: 8765

Restart Falco to apply the changes:

systemctl restart falco

If Falco is installed using Helm, you can enable metrics with:

helm upgrade -i falco falcosecurity/falco \
  --set metrics.enabled=true \
  --set metrics.listen_address="<FALCO_HOST>" \
  --set metrics.listen_port=8765
2. Configure the Datadog Agent

Update your Datadog Agent configuration to scrape Falco’s Prometheus metrics endpoint. For example, add the following to conf.d/prometheus.d/conf.yaml:

instances:
  - openmetrics_endpoint: http://<FALCO_HOST>:8765/metrics

Replace <FALCO_HOST> with the hostname or IP address where Falco is running.

For Kubernetes environments, you can use Autodiscovery Integration Templates to configure the Agent to automatically discover and scrape Falco metrics endpoints.

3. Validation

After configuration, verify that Falco metrics are being ingested by Datadog. You should see metrics with the prefix falco. in the Datadog Metrics Explorer.

Log Collection

    API Forwarding

    • Update the settings in the configuration file (falco.yaml) as shown below:

      json_output: true
http_output:
  enabled: true
  url: <DATADOG_WEBHOOK_URL> # such as https://http-intake.logs.datadoghq.com/api/v2/logs?dd-api-key=<DD_API_KEY>&ddsource=falco

      • Restart the Falco using below command:

        systemctl restart falco

    • If Falco is installed using Helm, you can use the following command to add or update the HTTP URL:

      helm upgrade -i falco falcosecurity/falco \
--set falco.http_output.enabled=true \
--set falco.http_output.url="https://http-intake.logs.datadoghq.com/api/v2/logs?dd-api-key=<dd-api-key>&ddsource=falco" \
--set falco.json_output=true \
--set json_include_output_property=true
    Agent

    1. Collecting logs is disabled by default in the Datadog Agent, enable it in your datadog.yaml file:

      logs_enabled: true

    2. Add this configuration block to your falco.d/conf.yaml file to start collecting your Falco Logs:

      logs:
  - type: file
    path: <PATH TO LOGS>
    service: myservice
    source: falco

      Change the path and service parameter values and configure them for your environment. See the sample falco.d/conf.yaml for all available configuration options.

    3. Restart the Agent.

    Note: Ensure the datadog-agent user has read and execute access to tail the log files you want to collect from.

    Data Collected

    Metrics

    falco.container.memory.used
    (gauge)    		Memory usage of the Falco process in container deployments (similar to container_memory_working_set_bytes)
    Shown as byte
    falco.cpu.usage.ratio
    (gauge)    		CPU usage percentage of the Falco process (equivalent to ps output)
    falco.duration.seconds.count
    (count)    		Total duration in seconds that Falco has been running
    Shown as second
    falco.evt.hostname
    (gauge)    		Hostname information
    falco.evt.source
    (gauge)    		Event source information (e.g. syscall or plugin-based sources)
    falco.host.cpu.usage.ratio
    (gauge)    		Overall CPU usage percentage of all running processes on the host system
    falco.host.memory.used
    (gauge)    		Overall memory usage in bytes of all running processes on the host system
    Shown as byte
    falco.host.num.cpus
    (gauge)    		Total number of CPUs on the host system
    Shown as cpu
    falco.host.open.fds
    (gauge)    		Total number of open file descriptors on the host system
    Shown as file
    falco.host.procs.running
    (gauge)    		Number of currently running processes on the host system (from /proc/stat)
    Shown as process
    falco.jemalloc.active.count
    (count)    		Active memory allocation by jemalloc memory allocator
    Shown as byte
    falco.jemalloc.allocated.count
    (count)    		Total allocated memory by jemalloc memory allocator
    Shown as byte
    falco.jemalloc.mapped.count
    (count)    		Memory mapped by jemalloc memory allocator
    Shown as byte
    falco.jemalloc.metadata.count
    (count)    		Memory used for jemalloc metadata
    Shown as byte
    falco.jemalloc.metadata.thp.count
    (count)    		Transparent huge page memory used for jemalloc metadata
    Shown as byte
    falco.jemalloc.resident.count
    (count)    		Resident memory held by jemalloc memory allocator
    Shown as byte
    falco.jemalloc.retained.count
    (count)    		Memory retained by jemalloc for future allocations
    Shown as byte
    falco.jemalloc.zero.reallocs.count
    (count)    		Memory from zero-sized reallocations in jemalloc
    Shown as byte
    falco.kernel.release
    (gauge)    		Kernel release version information
    falco.memory.pss
    (gauge)    		Proportional Set Size memory usage of the Falco process
    Shown as byte
    falco.memory.rss
    (gauge)    		Resident Set Size memory usage of the Falco process
    Shown as byte
    falco.memory.vsz
    (gauge)    		Virtual Set Size memory usage of the Falco process
    Shown as byte
    falco.outputs.queue.num.drops.count
    (count)    		Total number of events dropped from the output queue
    falco.rules.matches.count
    (count)    		Total number of rule matches detected by Falco security rules
    falco.scap.engine.name
    (gauge)    		SCAP engine information (e.g. bpf modern_bpf or kmod)
    falco.scap.n.added.fds.count
    (count)    		Total number of file descriptors added to the internal tracking tables
    Shown as file
    falco.scap.n.added.threads.count
    (count)    		Total number of threads added to the internal tracking tables
    Shown as thread
    falco.scap.n.cached.fd.lookups.count
    (count)    		Total number of successful file descriptor lookups from cache
    falco.scap.n.cached.thread.lookups.count
    (count)    		Total number of successful thread lookups from cache
    falco.scap.n.containers
    (gauge)    		Current number of containers being tracked
    falco.scap.n.drops.buffer.count
    (count)    		Total number of events dropped due to buffer issues
    falco.scap.n.drops.count
    (count)    		Total number of kernel-side event drops
    falco.scap.n.drops.full.threadtable.count
    (count)    		Total number of events dropped due to full thread table
    falco.scap.n.drops.scratch.map.count
    (count)    		Total number of events dropped due to scratch map issues
    falco.scap.n.evts.count
    (count)    		Total number of events captured by the system call capture engine
    falco.scap.n.failed.fd.lookups.count
    (count)    		Total number of failed file descriptor lookups
    Shown as file
    falco.scap.n.failed.thread.lookups.count
    (count)    		Total number of failed thread lookups
    falco.scap.n.fds
    (gauge)    		Current number of file descriptors stored in internal tables
    Shown as file
    falco.scap.n.missing.container.images
    (gauge)    		Number of containers with missing or unknown container images
    falco.scap.n.noncached.fd.lookups.count
    (count)    		Total number of non-cached file descriptor lookups
    Shown as file
    falco.scap.n.noncached.thread.lookups.count
    (count)    		Total number of non-cached thread lookups
    falco.scap.n.removed.fds.count
    (count)    		Total number of file descriptors removed from internal tracking tables
    Shown as file
    falco.scap.n.removed.threads.count
    (count)    		Total number of threads removed from internal tracking tables
    Shown as thread
    falco.scap.n.retrieve.evts.drops.count
    (count)    		Total number of events dropped during retrieval process
    falco.scap.n.retrieved.evts.count
    (count)    		Total number of events successfully retrieved from kernel
    falco.scap.n.store.evts.drops.count
    (count)    		Total number of events dropped during storage process
    falco.scap.n.stored.evts.count
    (count)    		Total number of events successfully stored
    falco.scap.n.threads
    (gauge)    		Current number of threads stored in internal tracking tables
    Shown as thread
    falco.sha256.config.files
    (gauge)    		SHA256 hash information of Falco configuration files
    falco.sha256.rules.files
    (gauge)    		SHA256 hash information of Falco rules files

    Logs

    The Falco integration collects and forwards Falco alert logs to Datadog.

    Events

    The Falco integration does not include any events.

    Support

    For further assistance, contact Datadog Support.