Enabling Event Sources

Last modified November 30, 2022
Control the input of Falco enabling and disabling Event Sources

Historically, Falco supported consuming events coming from one event source only. This means that to consume events from more than one event source, users needed to deploy many instances of Falco, each configured with a different source.

The only exception was the legacy implementation of the Kubernetes Audit Events, which allowed receiving events from the k8s_audit event sources in parallel with the syscall one. However, it wasn't standardized and has been substituted in favor of a plugin-based porting starting from Falco 0.32.0.

Since version 0.33.0, Falco introduced a standard support for consuming events from multiple event sources running in parallel within the same Falco instance. You can check this feature's design principles and rationale at falcosecurity/falco/issues/2074.

The default behavior of Falco is to enable event collection from all the event sources it knows. The set of known event sources includes the syscall one by default, plus any other sources defined by plugins with event sourcing capability loaded through Falco's configuration.

Each of the enabled event sources causes Falco to start a new ad-hoc isolated thread through which events for a single source are generated, consumed, and evaluated through security rules. In each isolated thread, events are still processed sequentially one-by-one.

Falco guarantees feature parity between running multiple event sources in the same Falco instance, and running the same set of event sources each in a separate single-source instance of Falco. As such, when running more than one event source Falco does not allow any correlation logic between events coming from different event sources.

In fact, the set of security rules loaded in Falco is entirely partitioned by event source. From the perspective of the Falco rule engine, each security rule is defined for one and only event source and can uniquely be triggered by events coming from it.

The set of enabled event sources can be changed through the --enable-source and --disable-source CLI options.
The two can't be mixed together and follow this logic:

  • --disable-source

    Disables one single event source among the set of enabled ones. This assumes Falco's default behavior of enabling every loaded event source. Can be passed multiple times to disable multiple event sources.

    For example, passing --disable-source=syscall --disable-source=k8s_saudit as Falco CLI argument will disable live event consumption for the syscall and the k8s_audit event sources. Disabling unknown event sources, or disabling all the loaded ones, results in an error.

  • --enable-source

    Enables one single event source among the set of loaded ones. This disables Falco's default behavior, and makes it consider every loaded source as disabled by default in order to enable each of them selectively. Can be passed multiple times to enable multiple event sources.

    For example, passing --enable-source=syscall --enable-source=k8s_saudit as Falco CLI argument will enable live event consumption for the syscall and the k8s_audit event sources only, even if others are loaded. Enabling unknown event sources results in an error.

Last modified November 30, 2022: refactor /docs/event-sources (558280b)