Closed ashishxooa closed 5 years ago
@mstemm Sysdig doesn't have a hostname field. I assume we should open this against sysdig?
Yeah I guess handling it in sysdig would be fine. It's on the line between something that should be added in the event or something added to the alert.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@mfdii @mstemm could you please update the status of this?
/triage support
No changes yet. You could always add the hostname when creating the json that goes to the slack webhook, but there isn't anything automatic from falco.
@mstemm so different web hook configuration for different hosts?
What the fix for this would look like would be to add filtercheck fields, something like %host.name, to sysdig, and then use them in falco. Then the text of the falco alert would have the hostname.
What I meant by "add the hostname when creating the json" was that you could change the json however you wished before sending it to the slack webhook, including adding a hostname.
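One way to do what mstemm describes, as an added example that is not part of this issue or of Falco's own code: a small relay that reads Falco's JSON output (json_output enabled) from stdin, stamps the relay host's name onto each alert, and posts the result to a Slack incoming webhook. The sample alert line, the rule name in it and the webhook URL argument are constructed/assumed for the example.

```python
import json
import socket
import sys
import urllib.request

# Constructed sample of one Falco JSON output line, modelled on the alert
# quoted in this issue; not a real capture, and the rule name is assumed.
SAMPLE_LINE = json.dumps({
    "output": "10:19:08.010189604: Informational Container with sensitive mount started "
              "(user=root command=runc:[1:CHILD] init docker123321-mysql (id=c2feddeb9679) "
              "image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)",
    "priority": "Informational",
    "rule": "Launch Sensitive Mount Container",
    "time": "2019-01-01T10:19:08.010189604Z",
    "output_fields": {"container.id": "c2feddeb9679", "container.image": "alpine:latest"},
})

def enrich_alert(line, hostname):
    """Parse one Falco JSON alert line and add the host it was generated on.

    The hostname goes in both as a structured field (so it can be searched
    downstream) and as text appended to the message that ends up in Slack.
    """
    alert = json.loads(line)
    alert["hostname"] = hostname
    alert.setdefault("output_fields", {})["hostname"] = hostname
    alert["output"] = "%s host=%s" % (alert["output"], hostname)
    return alert

def to_slack_payload(alert):
    """Build the minimal JSON body a Slack incoming webhook accepts."""
    return {"text": "[%s] %s" % (alert.get("priority", "?"), alert["output"])}

def post_to_slack(webhook_url, payload):
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

if __name__ == "__main__":
    # Usage: falco -o json_output=true | python relay.py <SLACK_WEBHOOK_URL>
    # The webhook URL is a placeholder argument; with none given, payloads are printed.
    url = sys.argv[1] if len(sys.argv) > 1 else None
    host = socket.gethostname()
    for raw in sys.stdin:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # skip non-JSON lines such as Falco startup messages
        payload = to_slack_payload(enrich_alert(raw, host))
        if url:
            post_to_slack(url, payload)
        else:
            print(json.dumps(payload))
```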
Closing in favor of https://github.com/falcosecurity/falco/issues/528
Hi,
Is there a way I can append the hostname to the messages I'm getting on Slack?
E.g. I've received the alert below, which gives me the container id; now this container ID could be anywhere on my servers running docker.
10:19:08.010189604: Informational Container with sensitive mount started (user=root command=runc:[1:CHILD] init docker123321-mysql (id=c2feddeb9679) image=alpine:latest mounts=/etc:/mnt/etc::true:rprivate)
How do I quickly know the host from this alert? It could be a variable like $Hostname or even a hard-coded value, but it's needed. Thanks.