Home

Awesome

falco-exporter

Falco Ecosystem Repository Deprecated

Release License Go Report Card Docker pulls Architectures

NOTICE: This project is currently being deprecated. Contributions are not accepted, and the repository will be fully archived in the future. Starting from Falco version 0.38, Falco can expose Prometheus metrics directly, eliminating the need for a separate exporter. For further details, please refer to the official documentation.

Prometheus Metrics Exporter for Falco output events

Prerequisites

Usage

Run it manually

make
./falco-exporter

Then check the metrics endpoint at http://localhost:9376/metrics

Command line usage:

$ ./falco-exporter --help
Usage of ./falco-exporter:
      --client-ca string               CA root file path for connecting to a Falco gRPC server (default "/etc/falco/certs/ca.crt")
      --client-cert string             cert file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.crt")
      --client-hostname string         hostname for connecting to a Falco gRPC server, if set, takes precedence over --client-socket
      --client-key string              key file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.key")
      --client-port uint16             port for connecting to a Falco gRPC server (default 5060)
      --client-socket string           unix socket path for connecting to a Falco gRPC server (default "unix:///run/falco/falco.sock")
      --listen-address string          address on which to expose the Prometheus metrics (default ":9376")
      --probes-listen-address string   address on which to expose readiness/liveness probes endpoints (default ":19376")
      --server-ca string               CA root file path for metrics https server
      --server-cert string             cert file path for metrics https server
      --server-key string              key file path for metrics https server
      --timeout duration               timeout for initial gRPC connection (default 2m0s)

Run with Docker

To run falco-exporter in a container using Docker:

docker run -v /path/to/falco.sock:/run/falco/falco.sock falcosecurity/falco-exporter

Deploy in Kubernetes

Using Helm

Using the falco-exporter Helm Chart is the easiest way to deploy falco-exporter.

Before installing the chart, add the falcosecurity charts repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Finally, to install the chart with the release name falco-exporter and default configuration values:

helm install falco-exporter falcosecurity/falco-exporter

The full documentation of the Helm Chart is here.

Using resource templates

Alternatively, it is possible to deploy falco-exporter without using Helm. Templates for manual installation are here.

Grafana

The Falco dashboard can be imported into Grafana by copy-paste the provided grafana/dashboard.json or by getting it from the Grafana Dashboards website.

You can find detailed Grafana importing instructions here.

Falco dashboard

Event priority

Falco events have a priority value, as defined here. The exported metrics will include a priority label that uses a numeric index. The meaning of these indices is reported in the following table.

IDPriority
7debug
6informational
5notice
4warning
3error
2critical
1alert
0emergency

Connection options

falco-exporter uses gRPC over a Unix socket by default.

You may change this behavior by setting --client-hostname. Note that the Falco gRPC server over the network works only with mutual TLS by design. Therefore, when --client-hostname is set you also need valid certificate files to configure falco-exporter properly (see the Command line usage above).