Awesome
falco-exporter
NOTICE: This project is currently being deprecated. Contributions are not accepted, and the repository will be fully archived in the future. Starting from Falco version 0.38, Falco can expose Prometheus metrics directly, eliminating the need for a separate exporter. For further details, please refer to the official documentation.
Prometheus Metrics Exporter for Falco output events
Prerequisites
- Before using falco-exporter, you need Falco installed and running with the gRPC Output enabled (over Unix socket by default).
- Since falco-exporter
v0.3.0
:- the minimum required version of Falco is
0.24.0
- if using Helm, the minimum required version of the Falco Chart is
v1.2.0
- the minimum required version of Falco is
- Since falco-exporter
v0.8.0
:- the default Unix socket path is
/run/falco/falco.sock
to be compatible with Falco 0.33.0 and later (in previous version it defaulted to/var/run/falco.sock
)
- the default Unix socket path is
Usage
Run it manually
make
./falco-exporter
Then check the metrics endpoint at http://localhost:9376/metrics
Command line usage:
$ ./falco-exporter --help
Usage of ./falco-exporter:
--client-ca string CA root file path for connecting to a Falco gRPC server (default "/etc/falco/certs/ca.crt")
--client-cert string cert file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.crt")
--client-hostname string hostname for connecting to a Falco gRPC server, if set, takes precedence over --client-socket
--client-key string key file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.key")
--client-port uint16 port for connecting to a Falco gRPC server (default 5060)
--client-socket string unix socket path for connecting to a Falco gRPC server (default "unix:///run/falco/falco.sock")
--listen-address string address on which to expose the Prometheus metrics (default ":9376")
--probes-listen-address string address on which to expose readiness/liveness probes endpoints (default ":19376")
--server-ca string CA root file path for metrics https server
--server-cert string cert file path for metrics https server
--server-key string key file path for metrics https server
--timeout duration timeout for initial gRPC connection (default 2m0s)
Run with Docker
To run falco-exporter in a container using Docker:
docker run -v /path/to/falco.sock:/run/falco/falco.sock falcosecurity/falco-exporter
Deploy in Kubernetes
Using Helm
Using the falco-exporter Helm Chart is the easiest way to deploy falco-exporter.
Before installing the chart, add the falcosecurity
charts repository:
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
Finally, to install the chart with the release name falco-exporter
and default configuration values:
helm install falco-exporter falcosecurity/falco-exporter
The full documentation of the Helm Chart is here.
Using resource templates
Alternatively, it is possible to deploy falco-exporter without using Helm. Templates for manual installation are here.
Grafana
The Falco dashboard can be imported into Grafana by copy-paste the provided grafana/dashboard.json or by getting it from the Grafana Dashboards website.
You can find detailed Grafana importing instructions here.
Event priority
Falco events have a priority value, as defined here.
The exported metrics will include a priority
label that uses a numeric index. The meaning of these indices is reported in the following table.
ID | Priority |
---|---|
7 | debug |
6 | informational |
5 | notice |
4 | warning |
3 | error |
2 | critical |
1 | alert |
0 | emergency |
Connection options
falco-exporter uses gRPC over a Unix socket by default.
You may change this behavior by setting --client-hostname
. Note that the Falco gRPC server over the network works only with mutual TLS by design. Therefore, when --client-hostname
is set you also need valid certificate files to configure falco-exporter properly (see the Command line usage above).