Falco output formation

5/5/2021

I am using the runtime detection tool Falco to analyse the container behaviour for at least 40 seconds, using filters that detect newly spawning and executing processes, and store the incidents in the file /opt/falco-incident.txt. I am trying to format the output with one result per line, in the format timestamp,uid,user-name,processName

I created the yaml file audit.yaml

# /etc/kubernetes/audit.yaml (audit policy; "namespace"/"verb"/"resource" are not
# Policy fields, a bare Metadata rule logs every request at Metadata level)
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

# added under volumes: in the kube-apiserver pod manifest
  - name: audit
    hostPath:
      path: /etc/kubernetes/audit.yaml
      type: File
  - name: audit-log
    hostPath:
      path: /var/log/all-resources.log
      type: FileOrCreate

# added under volumeMounts: of the kube-apiserver container
  - mountPath: /etc/kubernetes/audit.yaml
    name: audit
    readOnly: true
  - mountPath: /var/log/all-resources.log
    name: audit-log
    readOnly: false

I edited the kube-apiserver, adding these 3 lines

 - --audit-policy-file=/etc/kubernetes/audit.yaml
 - --audit-log-path=/var/log/all-resources.log
 - --audit-log-maxage=1

The main question is: how and where do I define the desired output, which should look like this?

timestamp,uid,user-name,processName

timestamp,uid,user-name,processName

....

-- O.Man
falco
kubernetes

1 Answer

7/4/2021

The custom rule should be defined in the file etc/falco/falco_rules_local.yaml. Please check the rules already present in etc/falco/falco_rules.yaml and use the same format to define the new rules.

-- Ashok Kumar
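As an added example (not part of the question or the answer above), a custom Falco rule whose output string is exactly the requested field order, plus a small shell helper that strips Falco's own stdout prefix so only the CSV line is left. It assumes the default `spawned_process` and `container` macros from falco_rules.yaml are loaded, that Falco prints text alerts as `<time>: <Priority> <output>`, and the function names `falco_rule` and `falco_to_csv` are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Rule to append to the local rules file (falco_rules.local.yaml in a
# default Falco install). The output has no spaces, so on each alert line
# the CSV is the third whitespace-separated field after "<time>: <Priority>".
# Assumes the stock 'spawned_process' and 'container' macros are loaded.
falco_rule() {
  cat <<'EOF'
- rule: Process spawned in container (CSV output)
  desc: Newly spawned or executed process inside a container
  condition: spawned_process and container
  output: "%evt.time,%user.uid,%user.name,%proc.name"
  priority: NOTICE
  tags: [container, process]
EOF
}

# Reduce a Falco text alert line to the rule's own output field.
# Assumption: user and process names contain no spaces (true for the
# fields used above), so awk's third field is the whole CSV record.
falco_to_csv() {
  awk 'NF >= 3 { print $3 }'
}

# End-to-end run (needs Falco; -M stops after N seconds, slightly over the
# 40 s the task asks for, -U unbuffers stdout so the pipe sees every line):
#   falco -U -M 45 | falco_to_csv > /opt/falco-incident.txt

# Offline demonstration on a constructed alert line:
printf '10:42:01.123456789: Notice 10:42:01.123456789,0,root,sh\n' | falco_to_csv
# prints: 10:42:01.123456789,0,root,sh
```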
Source: StackOverflow