leodido
commented
4 years ago Thanks for reporting this.
Reviewing the way Falco logs out is on our list of TODOs. Thanks :)
Closed smijolovic closed 4 years ago
leodido
commented
4 years ago Thanks for reporting this.
Reviewing the way Falco logs out is on our list of TODOs. Thanks :)
smijolovic
commented
4 years ago Count me in for working with the team on the logging to rsyslog. It's a core area for me....and I have a laundry list for meeting high governance requirements.
Trying to injest falco logs to SIEM now...and it's not exactly seamless. I'm also puzzled trying to address the large number of dropped syscalls.
As I do that, I'll jot down some of the findings:
leodido
commented
4 years ago Yeah @smijolovic, the Syslog output should definitely get a revamp.
I've done some work in this field in the past (take a look at go-syslog), thus I agree.
The Falco's Syslog output should:
Additionally,
smijolovic
commented
4 years ago If possible, also consider RELP. TLS log loss is always possible. We exclusively use RELP over TLS.
stale[bot]
commented
4 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.
falco.yaml documentation and file present various priority levels. Info and error are the two most widely used for production, but when set to info, starting the daemon fails complaining about incorrect priority setting. Apparently, "informational" is the required setting for this as described in the error log, and setting it to that starts the daemon successfully.
For uniformity, I'd recommend using "info" for the priority level.