Home

Awesome

falco-exporter

Falco Ecosystem Repository Stable

Release License Go Report Card Docker pulls Architectures

Prometheus Metrics Exporter for Falco output events

Prerequisites

Usage

Run it manually

make
./falco-exporter

Then check the metrics endpoint at http://localhost:9376/metrics

Command line usage:

$ ./falco-exporter --help
Usage of ./falco-exporter:
      --client-ca string               CA root file path for connecting to a Falco gRPC server (default "/etc/falco/certs/ca.crt")
      --client-cert string             cert file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.crt")
      --client-hostname string         hostname for connecting to a Falco gRPC server, if set, takes precedence over --client-socket
      --client-key string              key file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.key")
      --client-port uint16             port for connecting to a Falco gRPC server (default 5060)
      --client-socket string           unix socket path for connecting to a Falco gRPC server (default "unix:///run/falco/falco.sock")
      --listen-address string          address on which to expose the Prometheus metrics (default ":9376")
      --probes-listen-address string   address on which to expose readiness/liveness probes endpoints (default ":19376")
      --server-ca string               CA root file path for metrics https server
      --server-cert string             cert file path for metrics https server
      --server-key string              key file path for metrics https server
      --timeout duration               timeout for initial gRPC connection (default 2m0s)

Run with Docker

To run falco-exporter in a container using Docker:

docker run -v /path/to/falco.sock:/run/falco/falco.sock falcosecurity/falco-exporter

Deploy in Kubernetes

Using Helm

Using the falco-exporter Helm Chart is the easiest way to deploy falco-exporter.

Before installing the chart, add the falcosecurity charts repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Finally, to install the chart with the release name falco-exporter and default configuration values:

helm install falco-exporter falcosecurity/falco-exporter

The full documentation of the Helm Chart is here.

Using resource templates

Alternatively, it is possible to deploy falco-exporter without using Helm. Templates for manual installation are here.

Grafana

The Falco dashboard can be imported into Grafana by copy-paste the provided grafana/dashboard.json or by getting it from the Grafana Dashboards website.

You can find detailed Grafana importing instructions here.

Falco dashboard

Event priority

Falco events have a priority value, as defined here. The exported metrics will include a priority label that uses a numeric index. The meaning of these indices is reported in the following table.

IDPriority
7debug
6informational
5notice
4warning
3error
2critical
1alert
0emergency

Connection options

falco-exporter uses gRPC over a Unix socket by default.

You may change this behavior by setting --client-hostname. Note that the Falco gRPC server over the network works only with mutual TLS by design. Therefore, when --client-hostname is set you also need valid certificate files to configure falco-exporter properly (see the Command line usage above).