Falco's configuration file is a YAML file containing a collection of key: value
or key: [value list]
pairs.
Any configuration option can be overridden on the command line via the -o/--option key=value
flag. For key: [value list]
options, you can specify individual list items using --option key.subkey=value
.
Config | Type | Description |
---|---|---|
rules_file | List | The location of the rules file(s). This can contain one or more paths to separate rules files. The following examples are equivalent:
You can also specify multiple rules files on the command line via one or more |
time_format_iso_8601 | Boolean | If true (default is false ), the times displayed in log messages and output messages will be in ISO 8601. By default, times are displayed in the local time zone, as governed by /etc/localtime. |
json_output | Boolean | Whether to use JSON output for alert messages. |
json_include_output_property | Boolean | When using json output, whether or not to include the output property itself (e.g. File below a known binary directory opened for writing (user=root .... ) in the JSON output. |
log_stderr | Boolean | If true , log messages describing Falco's activity will be logged to stderr. Note these are not alert messages---these are log messages for Falco itself. |
log_syslog | Boolean | If true , log messages describing Falco's activity will be logged to syslog. |
log_level | Enum with the following possible values: emergency , alert , critical , error , warning , notice , info , debug | Minimum log level to include in logs. Note: these levels are separate from the priority field of rules. This refers only to the log level of Falco's internal logging. |
priority | Enum with the following possible values: emergency , alert , critical , error , warning , notice , info , debug | Minimum rule priority level to load and run. All rules having a priority more severe than this level will be loaded/run. |
syscall_event_drops | List containing the following sub-keys:
| Controls Actions For Dropped System Call Events. |
buffered_outputs | Boolean | Whether or not output to any of the output channels below is buffered. Defaults to false. |
outputs | List containing the following sub-keys:
| A throttling mechanism implemented as a token bucket limits the rate of Falco notifications. This throttling is controlled by the
With these defaults, Falco could send up to 1000 notifications after an initial quiet period, and then up to 1 notification per second afterward. It would gain the full burst back after 1000 seconds of no activity. |
syslog_output | List containing the following sub-keys:
| If true , Falco alerts will be sent via syslog. |
file_output | List containing the following sub-keys:
| If If |
stdout_output | List containing the following sub-keys:
| If enabled is set to true , Falco alerts will be sent to standard output (stdout). |
program_output | List containing the following sub-keys:
| If If The |
http_output | List containing the following sub-keys:
| As of 0.15.0 , if enabled is set to true, Falco alerts will be sent to the HTTP[s] URL defined by url . Currently this is a blocking operation and this output does not support keep_alive . |
webserver | List containing the following sub-keys:
| If
|
grpc | List containing the following sub-keys:
| If Falco supports running a gRPC server with two main binding types:
The gRPC server over the network can only be used with mutual authentication between the clients and the server using TLS certificates, and the following options should be provided:
How to generate the certificates is documented here. Please always remember that the only common thing between server and clients is the root certificate. Every client will need to generate their own certificates signed by the same root CA as the server. |
grpc_output | List containing the following sub-keys:
| If enabled is set to true , Falco will start collecting outputs for the gRPC server. It's important to consume them with an output client. Example of output client here. |
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.