-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Allow for custom outputs wrapper fields #3277
Comments
@falcosecurity/falco-maintainers |
I'm in favor of something like that. Some time ago, I thought I would make a plugin for that, but I never did it. Now, I agree it makes sense to have this feature built-in to Falco for static fields. Also, see that this may be somehow related to #3235. Maybe, we can design the two things at the same time just my 2 cents |
PS I would consider force outputting these static fields under a specific class (e.g., |
👍
yes this would be great!
Edit: We can offer prefixes. For my use however, the name needs to be in an exact way, can't have a prefix. |
/milestone 0.39.0 /assign |
Can you provide a real use case for not having a prefix? Let me explain: I wanted to avoid polluting the root keys in the JSON because this can create clashes in the future (e.g., think about one user who uses a custom key named |
That's a great call out. The one use case that comes to mind is that your downstream systems requires a very specific key and it has to string match exactly. But I agree we would need to have rule(s) for name clashes in place. |
If we don't want to namespace the key, I see only two compelling solutions:
|
I am going to play the Devil's advocate but if downstream requires fields that would otherwise be used by Falco or not namespaced, shouldn't there be a translation unit like https://docs.fluentd.org/ be put between Falco and that downstream to rearrange the output ? It might be a cannon for shooting a fly though. |
Hi, I think this is a feature of falcosidekick for years. For whom don't know the project, it's a proxy forwarder between a fleet of Falco and third parties. You have for now 2 settings:
Here's a dummy example: customfields:
Akey: "AValue"
Bkey: "BValue"
Ckey: "%ENV_VAR"
templatedfields:
"k8s.ns.labels.foo": '{{ or (index . "k8s.ns.labels.foo") "bar" }}' # keep the value of the 'k8s.ns.labels.foo' or set it with 'bar' The config of Falcosidekick is here. Moreover, I'll replicate these behaviors to inject tags to the payload, as requested by an end-user. I chose to inject values into the Here's a real use case from a member of our community:
Solution:
|
These are both good reasons not to implement this. And I'm wondering if it is worth implementing this feature (even though I'm still not against it). 🤔 |
Thanks Sam, Thomas and Leo. Hearing all of your concerns. We can think more about it. The good news is that with Luca's patch static fields from for example ENV variables can now be appended to the |
@incertum I'd propose to move this for 0.40. Would it work for you? |
/milestone 0.40.0 |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
Not yet entirely sure about this. Pushing to the following release. /remove-lifecycle stale |
Motivation
Falco currently sends alerts/logs with a predefined set of wrapper fields, some of which are configurable (such as tags, etc.).
For example:
Feature
For certain use cases, the end user may need to add custom static wrapper fields similar to
hostname
. We could support the following:falco.yaml
brainstorming: @LucaGuerra you always have great ideas on how to design the newfalco.yaml
UX, any ideas?Dynamic custom fields that can change for each event or rule would not be supported. For such use cases, a custom plugin should be developed.
We have had similar requests in the past, but I can’t find the best issues to reference right now.
The text was updated successfully, but these errors were encountered: