Thomas Labarussias

Falcosidekick 2.28.0

It's summertime, it's hot, and many people are on vacation, but the Falco community is still there. Six months after the previous release of Falcosidekick, version 2.28.0 is now officially available.

The number of pulls of the official Falcosidekick image from Docker Hub has also just reached 15M, which we consider mind-blowing. It took 3 years to reach the first 5M pulls, and now it has needed less than six months to do it again. Awesome!

Once more, Falcosidekick expands Falco's integrability with a lot of new outputs. That, and the introduction of many new features, has been possible thanks to the hard work of the community. You can find a comprehensive list of these in the changelog.

New outputs

With every new release, the number of Falcosidekick integrations increases. We have already reached 58 available outputs, and we hope to pass the threshold of 60 very soon.

Redis

Redis is a well-known in-memory database with many years of adoption behind it. Falcosidekick can now use it as an output destination, thanks to the contributions of pandyamarut.

Telegram

Telegram, the instant messaging platform, is becoming more and more used by companies for notifications, and thanks to zufardhiyaulhaq, it can receive Falco alerts too.

N8N

Do you want to extend the possibilities, or simply avoid writing a script to react to Falco events? Here comes n8n, now available as an output.

Grafana OnCall

At the last KubeCon, we met with some of the Grafana maintainers. We discussed the integration of Falco using Falcosidekick within the OnCall project. It's done now.

OpenObserve

OpenObserve is a young but promising full-stack observability platform, and it is now available as an output.

New features

Aside from new outputs, we introduced very important and useful new features. Let's do a recap of them.

Use different methods for the Webhook output

Since its implementation, the Webhook output has only used the HTTP method POST. Now, you can choose between the POST and PUT methods to send your data, extending the catalog of possible REST APIs to use it with.

webhook:
  method: "POST" # HTTP method: POST or PUT (default: POST)

Replace the brackets in the payload

Some Falco fields refer to list elements, so their keys contain brackets, like proc.args[0], proc.args[1], and so on. Unfortunately, some outputs refuse payloads whose keys contain brackets. For this reason, you can now replace them with a character of your choice:

bracketreplacer: "_" # if not empty, the brackets in keys of Output Fields are replaced
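As an added example of what the bracket replacer does to a payload (this is not Falcosidekick's own code), the Go program below rewrites the keys of the output_fields of a constructed Falco event. It assumes the rewrite rule replaces both "[" and "]" with the chosen character; the page does not state the exact rule Falcosidekick applies. Note that a replacer can map two distinct keys onto the same name, in which case one value silently overwrites the other.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// FalcoPayload is the subset of a Falco JSON event used here (assumption: the
// real Falcosidekick struct carries more fields such as time and hostname).
type FalcoPayload struct {
	Rule         string                 `json:"rule"`
	Priority     string                 `json:"priority"`
	OutputFields map[string]interface{} `json:"output_fields"`
}

// ReplaceBrackets returns a copy of fields in which every '[' and ']' in a key
// is replaced by replacer. An empty replacer leaves keys untouched, mirroring
// the "if not empty" semantics of the bracketreplacer setting. Keys that
// collide after rewriting are not detected: the last one written wins.
func ReplaceBrackets(fields map[string]interface{}, replacer string) map[string]interface{} {
	out := make(map[string]interface{}, len(fields))
	r := strings.NewReplacer("[", replacer, "]", replacer)
	for k, v := range fields {
		if replacer != "" && strings.ContainsAny(k, "[]") {
			k = r.Replace(k)
		}
		out[k] = v
	}
	return out
}

// sampleEvent is a constructed Falco event, not a captured one.
const sampleEvent = `{"rule":"Terminal shell in container","priority":"Notice",` +
	`"output_fields":{"proc.args[0]":"-c","proc.args[1]":"id","proc.name":"bash"}}`

func main() {
	var ev FalcoPayload
	if err := json.Unmarshal([]byte(sampleEvent), &ev); err != nil {
		panic(err)
	}
	ev.OutputFields = ReplaceBrackets(ev.OutputFields, "_")
	b, err := json.Marshal(ev)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b)) // keys now read proc.args_0_ and proc.args_1_
}
```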

Set custom headers for Loki, Elasticsearch and Grafana outputs

If you protect your private instances of Loki, Grafana, or Elasticsearch, you may need to send custom headers, for example for authentication. This new feature allows you to do so.

elasticsearch:
  customHeaders: # Custom headers to add in POST. Useful for Authentication
    key: value

Match the priority with the severity for the AlertManager output

AlertManager is pretty common at companies that also use Prometheus. Until now, the mapping between the priority of Falco events and the severity of AlertManager alerts was fixed. Thanks to Lowaiz, you can now define it to suit your needs.

alertmanager:
  customseveritymap: "" # comma separated list of tuple composed of a ':' separated Falco priority and Alertmanager severity that is used to override the severity label associated to the priority level of falco event. Example: debug:value_1,critical:value2. Default mapping: emergency:critical,alert:critical,critical:critical,error:warning,warning:warning,notice:information,informational:information,debug:information. (default: "")

Set thresholds for the dropped events for the AlertManager output

Another contribution from Lowaiz: you can now configure a set of thresholds that re-evaluate the priority of the alerts about dropped events, according to how many events were dropped.

alertmanager:
  # dropeventdefaultpriority: "" # default priority of dropped events, values are emergency|alert|critical|error|warning|notice|informational|debug (default: "critical")
  dropeventthresholds: # comma separated list of priority re-evaluation thresholds of dropped events composed of a ':' separated integer threshold and string priority. Example: `10000:critical, 100:warning, 1:informational` (default: `"10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning"`)
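To make the two AlertManager settings above concrete, here is an added Go example (not Falcosidekick's implementation) that parses a customseveritymap string over the default mapping quoted in the comment above, parses a dropeventthresholds string, and re-evaluates the priority of a dropped-events alert from the number of dropped events. It assumes that a threshold applies once the count reaches it, that the highest matching threshold wins, and that dropeventdefaultpriority is used when no threshold matches; those semantics are my reading of the configuration comments, not something the page states.

```go
package main

import (
	"fmt"
	"log"
	"sort"
	"strconv"
	"strings"
)

// DefaultSeverityMap is the default mapping listed in the customseveritymap comment.
var DefaultSeverityMap = map[string]string{
	"emergency": "critical", "alert": "critical", "critical": "critical",
	"error": "warning", "warning": "warning",
	"notice": "information", "informational": "information", "debug": "information",
}

// ParseSeverityMap merges a customseveritymap value ("debug:value_1,critical:value2")
// over the default mapping. Unknown Falco priorities are rejected so that a typo
// cannot silently leave the default severity in place.
func ParseSeverityMap(spec string) (map[string]string, error) {
	m := make(map[string]string, len(DefaultSeverityMap))
	for k, v := range DefaultSeverityMap {
		m[k] = v
	}
	if strings.TrimSpace(spec) == "" {
		return m, nil
	}
	for _, pair := range strings.Split(spec, ",") {
		prio, sev, ok := strings.Cut(strings.TrimSpace(pair), ":")
		prio, sev = strings.ToLower(strings.TrimSpace(prio)), strings.TrimSpace(sev)
		if !ok || prio == "" || sev == "" {
			return nil, fmt.Errorf("malformed severity tuple %q", pair)
		}
		if _, known := DefaultSeverityMap[prio]; !known {
			return nil, fmt.Errorf("unknown Falco priority %q", prio)
		}
		m[prio] = sev
	}
	return m, nil
}

// Threshold pairs a dropped-events count with the priority to assign from that count on.
type Threshold struct {
	Count    int
	Priority string
}

// ParseThresholds parses "10000:critical, 100:warning, 1:informational" and orders
// the thresholds from the highest count to the lowest.
func ParseThresholds(spec string) ([]Threshold, error) {
	var ts []Threshold
	for _, pair := range strings.Split(spec, ",") {
		countStr, prio, ok := strings.Cut(strings.TrimSpace(pair), ":")
		if !ok {
			return nil, fmt.Errorf("malformed threshold %q", pair)
		}
		n, err := strconv.Atoi(strings.TrimSpace(countStr))
		if err != nil || n < 1 {
			return nil, fmt.Errorf("bad count in threshold %q", pair)
		}
		prio = strings.ToLower(strings.TrimSpace(prio))
		if _, known := DefaultSeverityMap[prio]; !known {
			return nil, fmt.Errorf("unknown priority in threshold %q", pair)
		}
		ts = append(ts, Threshold{Count: n, Priority: prio})
	}
	sort.Slice(ts, func(i, j int) bool { return ts[i].Count > ts[j].Count })
	return ts, nil
}

// PriorityForDrops returns the priority for a dropped-events alert: the first
// threshold (highest count first) that the count reaches, else defaultPriority.
func PriorityForDrops(dropped int, ts []Threshold, defaultPriority string) string {
	for _, t := range ts {
		if dropped >= t.Count {
			return t.Priority
		}
	}
	return defaultPriority
}

func main() {
	m, err := ParseSeverityMap("debug:value_1,critical:value2")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("critical ->", m["critical"], "| error (default kept) ->", m["error"])
	ts, err := ParseThresholds("10000:critical, 1000:critical, 100:critical, 10:warning, 1:warning")
	if err != nil {
		log.Fatal(err)
	}
	for _, n := range []int{0, 5, 50, 5000} {
		fmt.Printf("%d dropped events -> %s\n", n, PriorityForDrops(n, ts, "critical"))
	}
}
```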

Better integration with TimescaleDB

We thank hileef for improving the integration with TimescaleDB.

Use roleARN and externalID for the AWS outputs

In some situations, you may want Falcosidekick to assume a role, possibly from another account. You can do so with the new pair of settings rolearn and externalid:

aws:
  rolearn: "" # aws role to assume (optional if you use EC2 Instance Profile)
  externalid: "" # external id for the role to assume (optional if you use EC2 Instance Profile)

Set the region for the PagerDuty output

Falcosidekick now lets you choose between the two regions that PagerDuty offers.

pagerduty:
  region: "us" # Pagerduty Region, can be 'us' or 'eu' (default: us)

Allow TLS for the SMTP output

It is now possible to communicate with an SMTP server using TLS.

smtp:
  tls: false # Use TLS connection (true/false). Default: true

Set attributes for GCP Pub/Sub messages

GCP Pub/Sub accepts attributes in its messages. You can now specify yours, thanks to annadorottya.

gcp:
  customAttributes: # Custom attributes to add to the Pub/Sub messages
    key: value

More options for TLS and mTLS

These are the most relevant changes of this release. To improve security, Falcosidekick can now listen over HTTPS with TLS. You can also specify more precisely the key and certificate files used for mTLS with the outputs.

mutualtlsfilespath: "/etc/certs" # folder which will be used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")
mutualtlsclient:
  certfile: "/etc/certs/client/client.crt" # client certification file
  keyfile: "/etc/certs/client/client.key" # client key
  cacertfile: "/etc/certs/client/ca.crt" # for server certification
tlsserver:
  certfile: "/etc/certs/server/server.crt" # server certification file
  keyfile: "/etc/certs/server/server.key" # server key

The mutualtlsfilespath setting is kept for now for backward compatibility, but it will be removed in a future release.

In some edge cases, you may need some endpoints to be served over plain HTTP only. You can list them explicitly, together with the port to serve them on:

tlsserver:
  notlsport: 2810 # port to serve http server serving selected endpoints (default: 2810)
  notlspaths: # if not empty, a separate http server will be deployed for the specified endpoints
    - "/metrics"
    - "/healthz"
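The split between the TLS (or mTLS) listener and the plain HTTP listener for selected endpoints is easier to reason about in code. The following is an added Go example and not Falcosidekick's implementation: it builds an mTLS server configuration that requires every client certificate to chain to the CA in cacertfile, and a handler for the notlsport listener that wires only the listed paths and answers 404 for everything else, including "/", which the example treats as the event ingestion endpoint (an assumption about the application's routes). The certificate is generated in memory so the example runs offline; a real deployment reads certfile, keyfile and cacertfile from disk as in the configuration above, and the main port 2801 is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// NewPlainMux builds the handler for the HTTP-only listener (notlsport). Only the
// paths listed in notlspaths are forwarded to the full application handler; every
// other path gets a 404, so the plain listener cannot bypass the TLS/mTLS listener
// for event ingestion. Subtree patterns (ending in "/") are rejected because a
// single "/" entry would expose every route.
func NewPlainMux(notlspaths []string, app http.Handler) (*http.ServeMux, error) {
	mux := http.NewServeMux()
	for _, p := range notlspaths {
		if !strings.HasPrefix(p, "/") || strings.HasSuffix(p, "/") {
			return nil, fmt.Errorf("refusing notlspaths entry %q: must be an exact path", p)
		}
		mux.Handle(p, app)
	}
	return mux, nil
}

// ServerTLSConfig returns the tls.Config for the main listener. With mutual set,
// clients must present a certificate signed by the CA in caPEM (cacertfile).
func ServerTLSConfig(serverCert tls.Certificate, caPEM []byte, mutual bool) (*tls.Config, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	if !mutual {
		return cfg, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("cacertfile contains no usable CA certificate")
	}
	cfg.ClientCAs = pool
	cfg.ClientAuth = tls.RequireAndVerifyClientCert
	return cfg, nil
}

// selfSignedCert creates a throwaway CA certificate in memory (constructed for this
// example only; a real deployment loads certfile/keyfile/cacertfile from disk).
func selfSignedCert(cn string) (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, certPEM, nil
}

func main() {
	app := http.NewServeMux() // stand-in for the application's routes (assumption)
	app.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "event accepted") })
	app.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	app.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "# metrics") })

	cert, caPEM, err := selfSignedCert("falcosidekick-example")
	if err != nil {
		log.Fatal(err)
	}
	tlsCfg, err := ServerTLSConfig(cert, caPEM, true)
	if err != nil {
		log.Fatal(err)
	}
	plain, err := NewPlainMux([]string{"/metrics", "/healthz"}, app)
	if err != nil {
		log.Fatal(err)
	}
	go func() { log.Fatal(http.ListenAndServe(":2810", plain)) }() // notlsport
	srv := &http.Server{Addr: ":2801", Handler: app, TLSConfig: tlsCfg}
	log.Fatal(srv.ListenAndServeTLS("", "")) // certificates come from TLSConfig
}
```

Run it and a probe against port 2810 reaches /metrics and /healthz without a certificate, while / on that port returns 404 and the event endpoint is only reachable on port 2801 with a client certificate signed by the CA. When adding paths to notlspaths, keep them to what probes and scrapers genuinely need and never list a subtree such as "/".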

Thanks to annadorottya for her impressive work on this functionality.

Autocreate the topic for the Kafka output

When the topic does not exist yet, Falcosidekick can create it automatically. This feature is not enabled by default.

kafka:
  topiccreation: false # auto create the topic if it doesn't exist (default: false)

Support multiple bootstrap servers and TLS for the Kafka output

For better resiliency, you can now specify several bootstrap servers and even communicate with them over TLS, thanks to ibice.

kafka:
  tls: false # Use TLS for the connections (default: false)

Fixes

We're not going to go into detail about all the fixes made in this version; you can find the full list here. Thanks to everyone who reported issues and to those who fixed them.

The most important ones are:

  • Fix breaking brackets in AWS SNS messages.
  • Fix setting name for the table of TimescaleDB output (thanks to alika).
  • Fix the cardinality issue with Prometheus labels.
  • Fix panic when asserting output fields that are nil.
  • Fix URL generation for Spyderbat output (thanks to bc-sb).
  • Fix nil values in Spyderbat output (thanks to spider-guy).
  • Fix duplicated headers in SMTP output (thanks to apsega).

Conclusion

The respective Helm charts are also updated and allow you to test for yourself all these great new features. Just issue the helm repo update; helm upgrade --reuse-values -n falco command to do so.

Falcosidekick is now mentioned in the official Falco docs. It's a modest beginning, but more details will come shortly.

Once again, thanks to all the adopters and contributors who helped and contributed to this project all these years. We would never have reached this success without you.