sysdiglabs / falco-aws-firelens-integration

Apache License 2.0

Are there any updates for Falco Task definition for AWS ECS recently #2

Open dzilbermanvmw opened 1 year ago

dzilbermanvmw commented 1 year ago

Hello, I am testing Falco integration with AWS EKS and ECS via FireLens and Log Router respectively. I have noticed that both EKS and ECS artifacts are dated around 4 yrs back including the task definition file for ECS:

I think I was able to make this task run on ECS by changing the tag in "image": "falcosecurity/falco:latest", to run along with the amazon/aws-for-fluent-bit:latest container. However, it periodically exits with Code 1 (and it's supposed to run as a Daemon on ECS as well). Also, when it runs and writes log events out to the designated AWS CloudWatch group ("falco" in my example), the log entries do not have JSON formatted contents in the "log" element:

{ "container_id": "8a4f652da788db6f12e192f03e0c70ff440a6571d363765f3eb3336752c840dd", "container_name": "/ecs-Falco-2-falco-86d2cc86b2a1e8d56300", "ec2_instance_id": "i-0279e51d31fa06571", "ecs_cluster": "awsome_ecs_cluster", "ecs_task_arn": "arn:aws:ecs:us-west-1:133776528597:task/awsome_ecs_cluster/cba8c86f739642fbbed7308471d8af5e", "ecs_task_definition": "Falco:2", "log": "* Running dkms build failed, couldn't find /var/lib/dkms/falco/4.0.0+driver/build/make.log (with GCC /usr/bin/gcc-6)", "source": "stdout" }

I believe previously Falco logs were fully JSON formatted, including the "nested" value of the "log" field in event entries, as illustrated in the blog: https://aws.amazon.com/blogs/containers/implementing-runtime-security-in-amazon-eks-using-cncf-falco/ where entries in the "log" elements were 100% JSON formatted:

thanks, Dan Zilberman

Attachment: falco_container_error_bas_json.log
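A small check a defender can run over what actually landed in CloudWatch, added here as an example and not code from this issue or the sysdiglabs repository: it walks FireLens records shaped like the one quoted above, tries to parse the nested "log" field as JSON, and separates real Falco events (which carry "rule", "priority" and "output" when Falco runs with json_output enabled) from plain-text lines, flagging driver build failures like the dkms line so that a silently non-alerting Falco task is noticed. The sample records are constructed for this example; only the dkms line is taken from the issue, and the Falco event, container names and marker strings are assumptions.

```python
import json
from collections import Counter
from typing import Any, Dict, List

# Constructed sample FireLens records, shaped like the CloudWatch entry quoted in the issue.
# Record 0 carries the dkms line from the issue; record 1 is a constructed Falco JSON event
# (the shape Falco emits with json_output enabled); record 2 is ordinary startup stdout.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {
        "container_name": "/ecs-Falco-2-falco-86d2cc86b2a1e8d56300",  # constructed
        "ecs_task_definition": "Falco:2",
        "source": "stdout",
        "log": "* Running dkms build failed, couldn't find "
               "/var/lib/dkms/falco/4.0.0+driver/build/make.log (with GCC /usr/bin/gcc-6)",
    },
    {
        "container_name": "/ecs-Falco-2-falco-86d2cc86b2a1e8d56300",
        "ecs_task_definition": "Falco:2",
        "source": "stdout",
        "log": json.dumps({  # constructed Falco event
            "output": "12:00:00.000000000: Notice A shell was spawned in a container",
            "priority": "Notice",
            "rule": "Terminal shell in container",
            "time": "2024-01-01T12:00:00.000000000Z",
            "output_fields": {"container.id": "8a4f652da788", "proc.name": "bash"},
        }),
    },
    {
        "container_name": "/ecs-Falco-2-falco-86d2cc86b2a1e8d56300",
        "ecs_task_definition": "Falco:2",
        "source": "stdout",
        "log": "Falco initialized with configuration file /etc/falco/falco.yaml",  # constructed
    },
]

# Heuristic markers for a Falco container that could not get its driver going (assumed list;
# "dkms build failed" is the phrase seen in the issue).
DRIVER_FAILURE_MARKERS = ("dkms build failed", "driver")


def classify_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Classify one FireLens record by what its nested "log" field contains."""
    raw = record.get("log", "")
    text = raw if isinstance(raw, str) else json.dumps(raw)
    try:
        payload = json.loads(text)
    except ValueError:
        payload = None

    # A genuine Falco alert parses as JSON and carries the standard event keys.
    if isinstance(payload, dict) and {"rule", "priority", "output"}.issubset(payload):
        return {
            "kind": "falco_event",
            "priority": payload["priority"],
            "rule": payload["rule"],
            "container": record.get("container_name"),
        }

    lowered = text.lower()
    if any(m in lowered for m in DRIVER_FAILURE_MARKERS) and "fail" in lowered:
        kind = "driver_error"  # Falco is up but cannot instrument the host: no alerts will come
    else:
        kind = "plain_text"    # non-JSON stdout such as startup banners
    return {"kind": kind, "text": text, "container": record.get("container_name")}


def summarize(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count record kinds; a stream with driver_error and no falco_event is a dead sensor."""
    return dict(Counter(classify_record(r)["kind"] for r in records))


def sensor_is_healthy(records: List[Dict[str, Any]]) -> bool:
    """True only when no driver failures were logged and at least one JSON event was seen."""
    counts = summarize(records)
    return counts.get("driver_error", 0) == 0 and counts.get("falco_event", 0) > 0


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
    print(summarize(SAMPLE_RECORDS))
    print("healthy:", sensor_is_healthy(SAMPLE_RECORDS))
```

In practice the records would come from a CloudWatch Logs query over the "falco" log group; the point of the check is that a "log" field that never parses as JSON means FireLens is forwarding Falco's stderr/stdout chatter, not alerts, so the task should be treated as not monitoring anything until the driver problem is fixed.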