Issif
commented
1 month ago Hi,
It's technically doable, I already used NATS for that in other projects. As you can see with the issue you found, it's not a feature requested a lot.
Anyway, here's my answer when someone asking about it at a talk:
- if you have a lot of alerts, you should consider to use a message queue made to handle that, like rabbitmq or kafka
- you should also consider to tune your Falco rules, the alerts are supposed to be security alerts, if you have too much of them, either your rules are too generic, either you should call your lawyer and your insurance because your infra is compromised a lot :sweat_smile:
Note for now, Falco itself doesn't any buffer mechanism, the availability of Falcosidekick should not be an issue, but it's just to say it's a more global issue
rrhubenov
Motivation In a production environment, crucial alarms might be unreceived if an output is down. When relying on Falco as a runtime security tool, this might pose as a problem.
In our use case we setup falcosidekick to send alarms to a backend that logs them. It is crucial we limit the number of alarms that are lost.
The only thing we found is this issue from 3 years ago: https://github.com/falcosecurity/falcosidekick/issues/297 Is there a possibility of including such a feature for a future release?
Thanks!