falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

JSON output #577

Closed prasenforu closed 5 years ago

prasenforu commented 5 years ago

For Slack, in program output we are getting the output field. How can we get all data, including priority?

https://github.com/falcosecurity/falco/wiki/Falco-Alerts#json-output

mfdii commented 5 years ago

You currently can't dump all of the filter fields as output fields, this would be too long of a list. This would have some performance penalty as well. Currently any output fields (%proc.name for instance) you include in a rule's alert are members of the output_fields object.

Allowing you to specify a template of what fields you want for every event would be a good improvement. This could be done by creating an output_fields macro in the rules file and appending it to rules by default. Another option would be making this available via a config file parameter.

This would also help fix #534. Instead of using -pk, etc, we could provide templates people can enable and put in rules.d. This can then be provided via ConfigMaps in kubernetes environments.

@mstemm thoughts?

mstemm commented 5 years ago

I think the issue might be asking, for the example slack webhook post in the comments for falco.yaml, how to pass all fields to the webhook and not just the output field. @prasenforu is that what you're asking?

prasenforu commented 5 years ago

Yes, I want all fields (username, priority, output), whatever fields come as part of the JSON, as per the document below.

{
   "output" : "16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)",
   "priority" : "Error",
   "rule" : "Write below binary dir",
   "time" : "2017-10-09T23:31:56.746609046Z",
   "output_fields" : {
      "user.name" : "root",
      "evt.time" : 1507591916746609046,
      "fd.name" : "/bin/hack",
      "proc.cmdline" : "touch /bin/hack"
   }
}

mstemm commented 5 years ago

So that's more of a question about formatting richer messages to slack. This might be a good starting point: https://api.slack.com/docs/message-attachments.

prasenforu commented 5 years ago

@mstemm

Basically I tried with only jq with dot (.) as below, to some webhook URL (not Slack), to get the entire JSON with all fields.

program: "jq '.' | curl -d @- -X POST http://mywebhook:9000/hooks/abcd"

But I am not getting proper JSON.
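
As an added example that is not part of this issue or of the Falco project: a small stdin handler that could be pointed at by `program:` in place of the `jq '.' | curl ...` pipeline, parsing the Falco JSON alert format quoted above (Falco runs the program once per alert and writes the JSON line on stdin) and building a Slack message that carries priority, rule, time and every output_field, not just the output string. The priority-to-colour mapping and the `short` field layout are assumptions; the sample alert is constructed from the document quoted in the thread, and the resulting payload is printed so it can be piped to curl.

```python
import json
import sys

# Constructed sample alert in the JSON shape quoted in this issue (one alert per line on stdin).
SAMPLE_ALERT = json.dumps({
    "output": "16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)",
    "priority": "Error",
    "rule": "Write below binary dir",
    "time": "2017-10-09T23:31:56.746609046Z",
    "output_fields": {
        "user.name": "root",
        "evt.time": 1507591916746609046,
        "fd.name": "/bin/hack",
        "proc.cmdline": "touch /bin/hack",
    },
})

# Map Falco priorities onto Slack attachment colours (assumed mapping, adjust to taste).
PRIORITY_COLOR = {
    "Emergency": "danger", "Alert": "danger", "Critical": "danger", "Error": "danger",
    "Warning": "warning", "Notice": "good", "Informational": "good", "Debug": "#cccccc",
}

def parse_falco_alert(line):
    """Parse one Falco JSON alert line; reject anything missing the top-level keys."""
    alert = json.loads(line)
    for key in ("output", "priority", "rule", "time"):
        if key not in alert:
            raise ValueError("not a Falco alert, missing key: %s" % key)
    alert.setdefault("output_fields", {})  # rules with no %fields still produce an alert
    return alert

def to_slack_payload(alert):
    """Build a Slack attachment with priority/rule/time and every output_field as a field."""
    fields = [
        {"title": "priority", "value": alert["priority"], "short": True},
        {"title": "time", "value": alert["time"], "short": True},
    ]
    for name, value in sorted(alert["output_fields"].items()):
        fields.append({"title": name, "value": str(value), "short": True})
    return {"attachments": [{
        "color": PRIORITY_COLOR.get(alert["priority"], "#cccccc"),
        "title": alert["rule"],
        "text": alert["output"],
        "fields": fields,
    }]}

if __name__ == "__main__":
    for line in filter(str.strip, sys.stdin):  # one JSON alert per line, skip blanks
        print(json.dumps(to_slack_payload(parse_falco_alert(line))))
```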

mfdii commented 5 years ago

I think this is because there's a bug where the JSON gets escaped. It's in progress to fix in #560.

mfdii commented 5 years ago

@prasenforu you can try the falcosecurity/falco:dev image to see if this fixes your issue.

prasenforu commented 5 years ago

Tried with the falcosecurity/falco:dev image but getting a new issue: the daemon keeps restarting and finally goes to CrashLoopBackOff or Error.

Sun Apr 28 01:33:54 2019: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

If I enable eBPF by uncommenting the 3 lines in the daemon set, I get the following error.

* Setting up /usr/src links from host
* Mounting debugfs
Found kernel config at /host/boot/config-3.10.0-957.10.1.el7.x86_64
* Trying to compile BPF probe falco-probe-bpf (falco-probe-bpf-0.1.2765dev-x86_64-3.10.0-957.10.1.el7.x86_64-9757b036ce8501f6d540a07762573634.o)
make[1]: *** /lib/modules/3.10.0-957.10.1.el7.x86_64/build: No such file or directory.  Stop.
make: *** [Makefile:18: all] Error 2
mv: cannot stat '/usr/src/falco-0.1.2765dev/bpf/probe.o': No such file or directory
* Trying to download precompiled BPF probe from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-bpf-0.1.2765dev-x86_64-3.10.0-957.10.1.el7.x86_64-9757b036ce8501f6d540a07762573634.o
curl: (22) The requested URL returned error: 404 Not Found
* Failure to find a BPF probe
Sun Apr 28 01:56:15 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Sun Apr 28 01:56:15 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Sun Apr 28 01:56:15 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Sun Apr 28 01:56:15 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Sun Apr 28 01:56:16 2019: Unable to load the driver. Exiting.
Sun Apr 28 01:56:16 2019: Runtime error: can't open BPF probe '/root/.sysdig/falco-probe-bpf.o': No such file or directory. Exiting.

But no issue with the falcosecurity/falco:latest image.

[root@ocpmaster1 k8s-with-rbac]# oc get pod
NAME                    READY     STATUS    RESTARTS   AGE
falco-daemonset-5mb52   1/1       Running   0          7m
falco-daemonset-fkchr   1/1       Running   0          7m
falco-daemonset-lhq8m   1/1       Running   0          7m

[root@ocpmaster1 k8s-with-rbac]# oc logs -f falco-daemonset-5mb52
* Setting up /usr/src links from host
* Unloading falco-probe, if present
* Running dkms install for falco
Error! echo
Your kernel headers for kernel 3.10.0-957.10.1.el7.x86_64 cannot be found at
/lib/modules/3.10.0-957.10.1.el7.x86_64/build or /lib/modules/3.10.0-957.10.1.el7.x86_64/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.14.0/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 3.10.0-957.10.1.el7.x86_64
Found kernel config at /host/boot/config-3.10.0-957.10.1.el7.x86_64
* Trying to download precompiled module from https://s3.amazonaws.com/download.draios.com/stable/sysdig-probe-binaries/falco-probe-0.14.0-x86_64-3.10.0-957.10.1.el7.x86_64-9757b036ce8501f6d540a07762573634.ko
Download succeeded, loading module
Sun Apr 28 02:15:25 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Sun Apr 28 02:15:25 2019: Loading rules from file /etc/falco/falco_rules.yaml:
Sun Apr 28 02:15:26 2019: Loading rules from file /etc/falco/falco_rules.local.yaml:
Sun Apr 28 02:15:26 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Sun Apr 28 02:15:27 2019: Starting internal webserver, listening on port 8765

May I know what is different between the dev and latest images?

Issif commented 5 years ago

@prasenforu until #528 comes out with something native, you can try my sidekick; it will format and send events to Slack as you expect: https://github.com/Issif/falcosidekick

(screenshot: slack output)

leodido commented 5 years ago

/triage support

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.