A simple daemon for enhancing the available outputs for Falco. It takes a Falco event and forwards it to different outputs. It works as a single endpoint for as many Falco instances as you want.

Currently available outputs are:

- Slack
- Rocketchat
- Mattermost
- Teams
- Datadog
- Discord
- AlertManager
- Elasticsearch
- Loki
- NATS
- Influxdb
- AWS Lambda
- AWS SQS
- AWS SNS
- SMTP (email)
- Opsgenie
- StatsD (for monitoring of falcosidekick)
- DogStatsD (for monitoring of falcosidekick)
- Webhook
- Azure Event Hubs
Prior to installing the chart, add the falcosecurity charts repository:

```
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
```

To install the chart with the release name `falcosidekick`, run:

```
helm install falcosidekick falcosecurity/falcosidekick
```

After a few seconds, Falcosidekick should be running.

Tip: List all releases using `helm list`. A release is a name used to track a specific deployment.

To uninstall the `falcosidekick` deployment:

```
helm uninstall falcosidekick
```

The command removes all the Kubernetes components associated with the chart and deletes the release.
The following table lists the configurable parameters of the Falcosidekick chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| replicaCount | number of running pods | 1 |
| listenport | port the daemon listens on | 2801 |
| debug | if true, all outputs print the payload they send to stdout | false |
| customfields | a list of comma-separated custom fields to add to Falco events, syntax is "key:value,key:value" | |
| checkcert | check that the TLS certificate of the output is valid | true |
| slack.webhookurl | Slack Webhook URL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled | |
| slack.footer | Slack Footer | https://github.com/falcosecurity/falcosidekick |
| slack.icon | Slack icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png |
| slack.username | Slack username | falcosidekick |
| slack.outputformat | all (default), text (only text is displayed in Slack), fields (only fields are displayed in Slack) | all |
| slack.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| slack.messageformat | a Go template to format Slack Text above Attachment, displayed in addition to the output from slack.outputformat. If empty, no Text is displayed before Attachment | |
| rocketchat.webhookurl | Rocketchat Webhook URL (ex: https://XXXX/hooks/YYYY), if not empty, Rocketchat output is enabled | |
| rocketchat.icon | Rocketchat icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png |
| rocketchat.username | Rocketchat username | falcosidekick |
| rocketchat.outputformat | all (default), text (only text is displayed in Rocketchat), fields (only fields are displayed in Rocketchat) | all |
| rocketchat.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| rocketchat.messageformat | a Go template to format Rocketchat Text above Attachment, displayed in addition to the output from rocketchat.outputformat. If empty, no Text is displayed before Attachment | |
| mattermost.webhookurl | Mattermost Webhook URL (ex: https://XXXX/hooks/YYYY), if not empty, Mattermost output is enabled | |
| mattermost.footer | Mattermost Footer | https://github.com/falcosecurity/falcosidekick |
| mattermost.icon | Mattermost icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png |
| mattermost.username | Mattermost username | falcosidekick |
| mattermost.outputformat | all (default), text (only text is displayed in Mattermost), fields (only fields are displayed in Mattermost) | all |
| mattermost.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| mattermost.messageformat | a Go template to format Mattermost Text above Attachment, displayed in addition to the output from mattermost.outputformat. If empty, no Text is displayed before Attachment | |
| teams.webhookurl | Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY), if not empty, Teams output is enabled | |
| teams.activityimage | Teams section image | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png |
| teams.outputformat | all (default), text (only text is displayed in Teams), facts (only facts are displayed in Teams) | all |
| teams.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| datadog.apikey | Datadog API Key, if not empty, Datadog output is enabled | |
| datadog.host | Datadog host. Override if you are on the Datadog EU site. Defaults to the US site, "https://api.datadoghq.com" | https://api.datadoghq.com |
| datadog.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| discord.webhookurl | Discord Webhook URL (ex: https://discord.com/api/webhooks/xxxxxxxxxx...), if not empty, Discord output is enabled | |
| discord.icon | Discord icon (avatar) | https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png |
| discord.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| alertmanager.hostport | AlertManager http://host:port, if not empty, AlertManager output is enabled | |
| alertmanager.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| elasticsearch.hostport | Elasticsearch http://host:port, if not empty, Elasticsearch output is enabled | |
| elasticsearch.index | Elasticsearch index | falco |
| elasticsearch.type | Elasticsearch document type | event |
| elasticsearch.suffix | date suffix for index rotation: daily, monthly, annually, none | daily |
| elasticsearch.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| influxdb.hostport | Influxdb http://host:port, if not empty, Influxdb output is enabled | |
| influxdb.database | Influxdb database | falco |
| influxdb.user | User to use if auth is enabled in Influxdb | |
| influxdb.password | Password to use if auth is enabled in Influxdb | |
| influxdb.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| loki.hostport | Loki http://host:port, if not empty, Loki output is enabled | |
| loki.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| nats.hostport | NATS "nats://host:port", if not empty, NATS output is enabled | |
| nats.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| aws.accesskeyid | AWS Access Key Id (optional if you use an EC2 Instance Profile) | |
| aws.secretaccesskey | AWS Secret Access Key (optional if you use an EC2 Instance Profile) | |
| aws.region | AWS Region (optional if you use an EC2 Instance Profile) | |
| aws.lambda.functionname | AWS Lambda Function Name, if not empty, AWS Lambda output is enabled | |
| aws.lambda.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| aws.sns.topicarn | AWS SNS TopicARN, if not empty, AWS SNS output is enabled | |
| aws.sns.rawjson | Send the raw JSON from Falco, or parse it, to AWS SNS | |
| aws.sns.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| aws.sqs.url | AWS SQS Queue URL, if not empty, AWS SQS output is enabled | |
| aws.sqs.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| smtp.hostport | "host:port" address of the SMTP server, if not empty, SMTP output is enabled | |
| smtp.user | user to access the SMTP server | |
| smtp.password | password to access the SMTP server | |
| smtp.from | Sender address (mandatory if SMTP output is enabled) | |
| smtp.to | comma-separated list of recipient addresses, can't be empty (mandatory if SMTP output is enabled) | |
| smtp.outputformat | html, text | html |
| smtp.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| opsgenie.apikey | Opsgenie API Key, if not empty, Opsgenie output is enabled | |
| opsgenie.region | (us or eu) region of your domain | us |
| opsgenie.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| statsd.forwarder | The address of the StatsD forwarder, in the form http://host:port, if not empty, StatsD is enabled | |
| statsd.namespace | A prefix for all metrics | falcosidekick |
| dogstatsd.forwarder | The address of the DogStatsD forwarder, in the form http://host:port, if not empty, DogStatsD is enabled | |
| dogstatsd.namespace | A prefix for all metrics | falcosidekick |
| dogstatsd.tags | A comma-separated list of tags to add to all metrics | |
| webhook.address | Webhook address, if not empty, Webhook output is enabled | |
| webhook.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
| azure.eventhub.name | Name of the Hub, if not empty, EventHub output is enabled | |
| azure.eventhub.namespace | Name of the namespace the Hub is in | |
| azure.eventhub.minimumpriority | minimum priority of event for using this output, order is `emergency \| alert \|` | |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:

```
helm install falcosidekick --set debug=true falcosecurity/falcosidekick
```

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:

```
helm install falcosidekick -f values.yaml falcosecurity/falcosidekick
```

Tip: You can use the default values.yaml.
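As an added example (not a file shipped with the chart), a `values.yaml` that enables the Slack and Webhook outputs from the table above with a priority floor and custom fields; the webhook URL, the internal SIEM address and the `customfields` values are constructed placeholders, and the Go template uses the `.Rule` and `.OutputFields` fields of the Falco event payload.

```yaml
# Added example values.yaml for the falcosidekick chart (constructed, not the chart's default file).
replicaCount: 2
listenport: 2801
debug: false        # true would print every forwarded payload (webhook URLs included) to stdout
checkcert: true     # keep TLS certificate verification on for every output

# Appended to every Falco event as extra fields, syntax "key:value,key:value" (constructed values).
customfields: "cluster:prod-eu1,team:secops"

slack:
  # Placeholder: replace with your own incoming webhook URL.
  webhookurl: "https://hooks.slack.com/services/XXXX/YYYY/ZZZZ"
  username: "falcosidekick"
  footer: "https://github.com/falcosecurity/falcosidekick"
  outputformat: "fields"      # only the event fields are rendered in the attachment
  minimumpriority: "warning"  # Falco priority name; events below it are not sent to Slack
  # Go template rendered as text above the attachment; .Rule and .OutputFields come from the Falco event.
  messageformat: "Alert: rule *{{ .Rule }}* triggered by user *{{ index .OutputFields \"user.name\" }}*"

webhook:
  # Constructed address of an internal collector receiving the full JSON event.
  address: "https://siem.example.internal/falco"
  minimumpriority: "error"    # stricter floor than Slack: only error and above reach the SIEM
```

Install it with the `helm install falcosidekick -f values.yaml falcosecurity/falcosidekick` command shown above; since the file carries the webhook URL, keep it out of version control or store that value in a Kubernetes Secret instead.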
A Prometheus endpoint can be scraped at `/metrics`.