Closed gfrntz closed 5 years ago
Hi @gfrntz, can you expand a bit more?
@gfrntz Did you mean like this?
Base document: https://github.com/falcosecurity/falco/tree/dev/integrations/k8s-using-daemonset
Command:
diff -up ../../falco.yaml k8s-with-rbac/falco-config/falco.yaml
Output:
--- ../../falco.yaml 2019-05-23 21:59:04.000000000 +0900
+++ k8s-with-rbac/falco-config/falco.yaml 2019-05-24 07:30:12.000000000 +0900
@@ -40,7 +40,7 @@ rules_file:
time_format_iso_8601: false
# Whether to output events in json or text
-json_output: false
+json_output: true
# When using json output, whether or not to include the "output" property
# itself (e.g. "File below a known binary directory opened for writing
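Review bot: the `-json_output: false` / `+json_output: true` flip in this hunk is a hard dependency of the program_output change later in the same patch, since that jq filter reads `.priority` and `.output` from a JSON object; with `json_output: false` jq receives plain text, fails to parse it, and nothing reaches Slack. Worth a one-line comment next to `json_output: true` saying program_output relies on it, so nobody switches it back for readability.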
@@ -160,10 +160,19 @@ webserver:
# Also, the program will be closed and reopened if falco is signaled with
# SIGUSR1.
program_output:
- enabled: false
+ enabled: true
keep_alive: false
- program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+ program: |
+ jq 'if .priority == "Emergency" or .priority == "Critical" or .priority == "Error" then
+ { attachments: [{ text: .output, color: "danger" }]}
+ elif .priority == "Warning" or .priority == "Notice" then
+ { attachments: [{ text: .output, color: "warning" }]}
+ elif .priority == "Informational" then
+ { attachments: [{ text: .output, color: "good" }]}
+ else
+ { attachments: [{ text: .output }]}
+ end' | curl -d @- -X POST https://hooks.slack.com/services/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
http_output:
enabled: false
- url: http://some.url
\ No newline at end of file
+ url: http://some.url
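Review bot: the `end' | curl -d @- -X POST https://hooks.slack.com/services/T5DGYMPKL/...` line replaces the `XXX` placeholder from the original `program:` with what looks like a live incoming-webhook URL; a Slack webhook URL is a bearer credential, so anyone who reads this config can post to that channel. Revoke that webhook in Slack and commit a placeholder (or a reference to an environment variable or mounted secret) instead. Also, the first jq branch lists `"Emergency"`, `"Critical"` and `"Error"` but not `"Alert"`, which Falco ranks between Emergency and Critical, so Alert events fall through to the `else` branch and arrive in Slack with no colour; add it to the `danger` branch alongside Emergency.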
@oke-py thanks!
Hi all, how can I add colors to Falco JSON output for Slack notifications? I can't find any examples for this.
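The jq filter posted above does the priority-to-colour mapping inline in falco.yaml. As an added example that is not part of this thread and not Falco's or oke-py's code, here is the same idea as a small Python program that covers all eight Falco priorities (Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug), keeps the webhook URL out of the config, and does not crash if `json_output` is still `false`. The script path `/etc/falco/falco2slack.py` and the `SLACK_WEBHOOK` variable in the docstring are assumed names, not Falco defaults; the sample event is constructed in Falco's JSON output shape, not captured from a real cluster.

```python
#!/usr/bin/env python3
"""Map one Falco event (JSON, as produced with json_output: true) to a
colour-coded Slack incoming-webhook payload.

Example code for this thread, not Falco's own. Intended for program_output
with keep_alive: false, where Falco starts one process per event, e.g.
  program: "python3 /etc/falco/falco2slack.py | curl -d @- -X POST $SLACK_WEBHOOK"
(path, script name and SLACK_WEBHOOK are assumed names, not Falco defaults).
"""
import json
import sys

# Falco's eight rule priorities, highest first, mapped to Slack attachment colours.
# Slack accepts the named colours "good", "warning", "danger" or any hex colour.
PRIORITY_COLOR = {
    "Emergency": "danger",
    "Alert": "danger",
    "Critical": "danger",
    "Error": "danger",
    "Warning": "warning",
    "Notice": "warning",
    "Informational": "good",
    "Debug": "#439FE0",
}


def slack_payload(event):
    """Build the Slack payload for a parsed Falco event (a dict).

    An unknown or missing priority yields an attachment without a colour
    rather than an error, so a typo in the mapping never drops an alert.
    """
    priority = event.get("priority", "")
    text = event.get("output", "")
    attachment = {
        "fallback": text,  # shown by clients that cannot render attachments
        "text": text,
        "footer": "{} | {}".format(event.get("rule", "unknown rule"),
                                   priority or "no priority"),
    }
    color = PRIORITY_COLOR.get(priority)
    if color is not None:
        attachment["color"] = color
    return {"attachments": [attachment]}


def render(line):
    """Turn one raw stdin line into the JSON body to POST to Slack.

    If the line is not a JSON object (for example because json_output is
    still false), wrap the raw text instead of crashing, so the notification
    still arrives, just without a colour.
    """
    try:
        event = json.loads(line)
    except ValueError:
        event = None
    if not isinstance(event, dict):
        text = line.rstrip("\n")
        return json.dumps({"attachments": [{"text": text, "fallback": text}]})
    return json.dumps(slack_payload(event))


# Constructed sample event in Falco's JSON output shape (not from a real cluster).
SAMPLE_EVENT = {
    "output": "07:30:12.000000000: Warning File below a known binary directory "
              "opened for writing (user=root command=touch /bin/hello file=/bin/hello)",
    "priority": "Warning",
    "rule": "Write below binary dir",
    "time": "2019-05-24T07:30:12.000000000Z",
    "output_fields": {"fd.name": "/bin/hello", "proc.cmdline": "touch /bin/hello",
                      "user.name": "root"},
}
SAMPLE_LINE = json.dumps(SAMPLE_EVENT) + "\n"


if __name__ == "__main__":
    # With keep_alive: false Falco pipes exactly one event line into this process.
    for raw in sys.stdin:
        if raw.strip():
            print(render(raw), flush=True)
```

Because the webhook URL comes from the environment of the Falco process rather than from falco.yaml, the config file can be committed without leaking the credential; in the DaemonSet setup referenced above it would be injected as a Kubernetes Secret.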