Falco

Supported OS Linux Windows Mac OS

통합 버전2.0.1

Falco - Alerts

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Overview

Falco is a cloud-native security tool. It provides near real-time threat detection for cloud, container, and Kubernetes workloads by leveraging runtime insights. Falco can monitor events defined with customizable rules from various sources, including the Linux kernel, and enrich them with metadata from the Kubernetes API server, container runtime, and more. This integration ingests the following logs:

Alert: Represents details such as the rule name, description, condition, output message, priority level, and tags

The Falco integration seamlessly ingests the data of Falco logs using the webhook. Before ingestion of the data, it normalizes and enriches the logs, ensuring a consistent data format and enhancing information content for downstream processing and analysis. The integration provides insights into alert logs through the out-of-the-box dashboards.

Setup

Configuration

Metric collection

Falco exposes Prometheus-formatted metrics that provide observability into its runtime, event processing, and security posture. The Datadog Agent can collect these metrics using the OpenMetrics integration. Follow the steps below to enable and configure metric collection from Falco.

1. Enable Prometheus Metrics in Falco

Edit your falco.yaml configuration file to enable the metrics endpoint:

metrics:
  enabled: true
  listen_address: "<FALCO_HOST>"
  listen_port: 8765

Restart Falco to apply the changes:

systemctl restart falco

If Falco is installed using Helm, you can enable metrics with:

helm upgrade -i falco falcosecurity/falco \
  --set metrics.enabled=true \
  --set metrics.listen_address="<FALCO_HOST>" \
  --set metrics.listen_port=8765

2. Configure the Datadog Agent

Update your Datadog Agent configuration to scrape Falco’s Prometheus metrics endpoint. For example, add the following to conf.d/prometheus.d/conf.yaml:

instances:
  - openmetrics_endpoint: http://<FALCO_HOST>:8765/metrics

Replace <FALCO_HOST> with the hostname or IP address where Falco is running.

For Kubernetes environments, you can use Autodiscovery Integration Templates to configure the Agent to automatically discover and scrape Falco metrics endpoints.

3. Validation

After configuration, verify that Falco metrics are being ingested by Datadog. You should see metrics with the prefix falco. in the Datadog Metrics Explorer.

Log Collection

API Forwarding

Update the settings in the configuration file (falco.yaml) as shown below:
```
json_output: true
http_output:
  enabled: true
  url: <DATADOG_WEBHOOK_URL> 
```
Note: Replace <DATADOG_WEBHOOK_URL> with the correct intake URL for your Datadog site, such as https://http-intake.logs.us3.datadoghq.com/api/v2/logs?dd-api-key=<dd-api-key>&ddsource=falco for US3.
- Restart the Falco using below command:
```
systemctl restart falco
```
If Falco is installed using Helm, you can use the following command to add or update the HTTP URL:
```
helm upgrade -i falco falcosecurity/falco \
--set falco.http_output.enabled=true \
--set falco.http_output.url="<DATADOG_WEBHOOK_URL>" \
--set falco.json_output=true \
--set json_include_output_property=true
```
Note: Replace <DATADOG_WEBHOOK_URL> with the correct intake URL for your Datadog site, such as https://http-intake.logs.us3.datadoghq.com/api/v2/logs?dd-api-key=<dd-api-key>&ddsource=falco for US3.

Agent

Update the settings in the configuration file (falco.yaml) as shown below:

json_output: true
file_output:
  enabled: true
  filename: <PATH TO LOGS>

Collecting logs is disabled by default in the Datadog Agent, enable it in your datadog.yaml file:
```
logs_enabled: true
```
Add this configuration block to your falco.d/conf.yaml file to start collecting your Falco Logs:
```
logs:
  - type: file
    path: <PATH TO LOGS>
    service: <SERVICE NAME>
    source: falco
```
Change the path and service parameter values and configure them for your environment. See the sample falco.d/conf.yaml for all available configuration options.
Restart the Agent.

Note: Ensure the datadog-agent user has read and execute access to tail the log files you want to collect from.

master

Data Collected

Metrics


falco.container.memory.used (gauge)	Memory usage of the Falco process in container deployments (similar to container_memory_working_set_bytes) Shown as byte
falco.cpu.usage.ratio (gauge)	CPU usage percentage of the Falco process (equivalent to ps output)
falco.duration.seconds.count (count)	Total duration in seconds that Falco has been running Shown as second
falco.evt.hostname (gauge)	Hostname information
falco.evt.source (gauge)	Event source information (e.g. syscall or plugin-based sources)
falco.host.cpu.usage.ratio (gauge)	Overall CPU usage percentage of all running processes on the host system
falco.host.memory.used (gauge)	Overall memory usage in bytes of all running processes on the host system Shown as byte
falco.host.num.cpus (gauge)	Total number of CPUs on the host system Shown as cpu
falco.host.open.fds (gauge)	Total number of open file descriptors on the host system Shown as file
falco.host.procs.running (gauge)	Number of currently running processes on the host system (from /proc/stat) Shown as process
falco.jemalloc.active.count (count)	Active memory allocation by jemalloc memory allocator Shown as byte
falco.jemalloc.allocated.count (count)	Total allocated memory by jemalloc memory allocator Shown as byte
falco.jemalloc.mapped.count (count)	Memory mapped by jemalloc memory allocator Shown as byte
falco.jemalloc.metadata.count (count)	Memory used for jemalloc metadata Shown as byte
falco.jemalloc.metadata.thp.count (count)	Transparent huge page memory used for jemalloc metadata Shown as byte
falco.jemalloc.resident.count (count)	Resident memory held by jemalloc memory allocator Shown as byte
falco.jemalloc.retained.count (count)	Memory retained by jemalloc for future allocations Shown as byte
falco.jemalloc.zero.reallocs.count (count)	Memory from zero-sized reallocations in jemalloc Shown as byte
falco.kernel.release (gauge)	Kernel release version information
falco.memory.pss (gauge)	Proportional Set Size memory usage of the Falco process Shown as byte
falco.memory.rss (gauge)	Resident Set Size memory usage of the Falco process Shown as byte
falco.memory.vsz (gauge)	Virtual Set Size memory usage of the Falco process Shown as byte
falco.outputs.queue.num.drops.count (count)	Total number of events dropped from the output queue
falco.rules.matches.count (count)	Total number of rule matches detected by Falco security rules
falco.scap.engine.name (gauge)	SCAP engine information (e.g. bpf modern_bpf or kmod)
falco.scap.n.added.fds.count (count)	Total number of file descriptors added to the internal tracking tables Shown as file
falco.scap.n.added.threads.count (count)	Total number of threads added to the internal tracking tables Shown as thread
falco.scap.n.cached.fd.lookups.count (count)	Total number of successful file descriptor lookups from cache
falco.scap.n.cached.thread.lookups.count (count)	Total number of successful thread lookups from cache
falco.scap.n.containers (gauge)	Current number of containers being tracked
falco.scap.n.drops.buffer.count (count)	Total number of events dropped due to buffer issues
falco.scap.n.drops.count (count)	Total number of kernel-side event drops
falco.scap.n.drops.full.threadtable.count (count)	Total number of events dropped due to full thread table
falco.scap.n.drops.scratch.map.count (count)	Total number of events dropped due to scratch map issues
falco.scap.n.evts.count (count)	Total number of events captured by the system call capture engine
falco.scap.n.failed.fd.lookups.count (count)	Total number of failed file descriptor lookups Shown as file
falco.scap.n.failed.thread.lookups.count (count)	Total number of failed thread lookups
falco.scap.n.fds (gauge)	Current number of file descriptors stored in internal tables Shown as file
falco.scap.n.missing.container.images (gauge)	Number of containers with missing or unknown container images
falco.scap.n.noncached.fd.lookups.count (count)	Total number of non-cached file descriptor lookups Shown as file
falco.scap.n.noncached.thread.lookups.count (count)	Total number of non-cached thread lookups
falco.scap.n.removed.fds.count (count)	Total number of file descriptors removed from internal tracking tables Shown as file
falco.scap.n.removed.threads.count (count)	Total number of threads removed from internal tracking tables Shown as thread
falco.scap.n.retrieve.evts.drops.count (count)	Total number of events dropped during retrieval process
falco.scap.n.retrieved.evts.count (count)	Total number of events successfully retrieved from kernel
falco.scap.n.store.evts.drops.count (count)	Total number of events dropped during storage process
falco.scap.n.stored.evts.count (count)	Total number of events successfully stored
falco.scap.n.threads (gauge)	Current number of threads stored in internal tracking tables Shown as thread
falco.sha256.config.files (gauge)	SHA256 hash information of Falco configuration files
falco.sha256.rules.files (gauge)	SHA256 hash information of Falco rules files

Logs

The Falco integration collects and forwards Falco alert logs to Datadog.

Events

The Falco integration does not include any events.

Support

For further assistance, contact Datadog Support.