Extend Falco outputs with falcosidekick
(2021-04-13) edit: updated to integrate Falcosidekick-UI and to use the latest version of the Falco Helm chart, which embeds Falcosidekick as a dependency.
By default, Falco has 5 outputs for its events: stdout, file, gRPC, shell and http, as you can see in the following diagram:
Even if they're convenient, they can quickly limit how Falco integrates with other components. Here comes Falcosidekick, a little daemon that extends the number of possible outputs.
The current list of available Falcosidekick outputs (version v2.22.0) is:
- Slack
- Rocketchat
- Mattermost
- Teams
- Datadog
- Discord
- AlertManager
- Elasticsearch
- Loki
- NATS
- STAN (NATS Streaming)
- Influxdb
- AWS Lambda
- AWS SQS
- AWS SNS
- AWS CloudWatchLogs
- AWS S3
- SMTP (email)
- Opsgenie
- StatsD (for monitoring of falcosidekick)
- DogStatsD (for monitoring of falcosidekick)
- Webhook
- Azure Event Hubs
- Prometheus (for both events and monitoring of falcosidekick)
- GCP PubSub
- GCP Storage
- Google Chat
- Apache Kafka
- PagerDuty
- Kubeless
- OpenFaaS
- WebUI (a Web UI for displaying latest events in real time)
Beyond that, it provides metrics about the number of events and lets you add custom fields to events, for example environment, region, etc.
In this article, we'll see how to deploy Falco, Falcosidekick and Falcosidekick-UI together in a Kubernetes cluster.
We'll use Helm (version 3) to install all components. For a better user experience, the official Falco chart is able to install and set all configurations for us:
For this tutorial, we'll send the events to a Slack channel, so get your webhook URL first.
Run the following Helm command:
- `--set falcosidekick.enabled=true` enables deployment of Falcosidekick alongside Falco and configures Falco to send its events to Falcosidekick
- `--set falcosidekick.webui.enabled=true` enables deployment of Falcosidekick-UI and configures Falcosidekick to use it as an output
- `--set falcosidekick.config.slack.webhookurl="https://hooks.slack.com/services/XXXX"` enables Slack as an output for Falcosidekick
All possible values can be seen in the corresponding Helm charts; see the repository.
After a few seconds you should get:
You can test the deployment of Falcosidekick with a typical port forward:
It's alive!
We can send a test event to Slack to check whether it works. Falcosidekick provides a useful endpoint for that:
In logs you'll get:
Notice the first line of the logs, [INFO] : Enabled Outputs : [Slack WebUI]: we do have 2 enabled outputs, Slack and WebUI (Falcosidekick-UI).
And in your Slack channel:
Tip: For Slack and some other outputs, the message format can be customized; more information in the README.
We'll now add some custom fields and test a more realistic event.
Upgrade your deployment:
Send a more advanced test event to Falcosidekick (still using the port forward):
The Falco community also provides a Web UI for following live events and getting statistics about the latest ones. (Tip: you can add filters by clicking on any label.)
By default, you can access it through a port forward too:
You can now open it in your browser at the URL: http://localhost:2802/ui
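The two test events above (the minimal one sent through Falcosidekick's test endpoint and the more realistic one with custom fields) can also be produced from a script, which is handy for checking a new output end to end. The following is an added example written for this article, not Falco's or Falcosidekick's own code. It assumes that Falcosidekick accepts Falco's JSON event format on POST / and is reachable at localhost:2801 after the port forward; the `_StubSidekick` receiver, the container id and the custom field values are constructed so the script can run offline.

```python
"""Post Falco-format test events to Falcosidekick.

Added example for this article, not Falco's or Falcosidekick's own code.
Assumptions: Falcosidekick accepts Falco's JSON event format on POST /
and, after the article's port forward, is reachable at localhost:2801.
The stub receiver is a constructed stand-in so the script runs offline.
"""
import json
import threading
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

FALCOSIDEKICK_URL = "http://localhost:2801"  # assumed port-forward target

# Falco's priority levels, highest first.
PRIORITIES = ("Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug")


def falco_event(rule, priority, output, output_fields=None,
                custom_fields=None, when=None):
    """Return a dict in the JSON shape Falco itself emits for one alert."""
    if priority not in PRIORITIES:
        raise ValueError(f"unknown Falco priority: {priority!r}")
    when = when or datetime.now(timezone.utc)
    fields = dict(output_fields or {})
    # Falcosidekick adds its configured custom fields (environment, region, ...)
    # to output_fields; merging them here makes a test event look like a real one.
    fields.update(custom_fields or {})
    return {
        "output": output,
        "priority": priority,
        "rule": rule,
        "time": when.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
        "output_fields": fields,
    }


def post_event(event, base_url=FALCOSIDEKICK_URL, timeout=5):
    """POST one event to Falcosidekick's root endpoint; return the HTTP status."""
    req = urllib.request.Request(
        base_url + "/", data=json.dumps(event).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


class _StubSidekick(BaseHTTPRequestHandler):
    """Constructed stand-in for Falcosidekick: records every POSTed event."""
    received = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.received.append(json.loads(self.rfile.read(length)))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def demo():
    """Send the article's two kinds of test event to the stub receiver and
    return what the stub received, in order."""
    _StubSidekick.received.clear()
    server = HTTPServer(("127.0.0.1", 0), _StubSidekick)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}"
    try:
        # 1. a minimal event, like the one Falcosidekick's test endpoint sends
        post_event(falco_event("Test rule", "Debug", "This is a test event"), url)
        # 2. a realistic event with constructed values and custom fields
        post_event(falco_event(
            "Terminal shell in container", "Notice",
            "A shell was spawned in a container with an attached terminal "
            "(user=root container_id=0123456789ab shell=bash)",
            output_fields={"container.id": "0123456789ab",  # constructed
                           "proc.name": "bash", "user.name": "root"},
            custom_fields={"environment": "production", "region": "eu-west"}),
            url)
    finally:
        server.shutdown()
        server.server_close()
    return list(_StubSidekick.received)


if __name__ == "__main__":
    # Against a real Falcosidekick (port forward running), send a minimal event.
    print(post_event(falco_event("Test rule", "Debug", "This is a test event")))
```

Run it with the port forward active to push a minimal event to the real Falcosidekick; `demo()` exercises the same code path against the local stub, which is useful when you want to check the payload shape before pointing it at a cluster.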
Get involved
If you would like to find out more about Falco:
- Get started at Falco.org.
- Check out the Falco project on GitHub.
- Get involved in the Falco community.
- Meet the maintainers on the Falco Slack.
- Follow @falco_org on Twitter.
And that's it!
Enjoy