Version 0.26.2

Generating sample events

If you’d like to check if Falco is working properly, we have the event-generator tool that can perform an activity for both our syscall and k8s audit related rules.

The tool provides a command to run either some or all sample events.

event-generator run [regexp]

Without arguments it runs all actions, otherwise only those actions matching the given regular expression.

The full command line documentation is here.

Downloads

ArtifactsVersion
binariesdownload linkRelease
container imagesdocker pull falcosecurity/event-generator:latestDocker Image Version (latest semver)

Sample events

System Call Activity

Warning — We strongly recommend that you run the program within Docker (see below), since some commands might alter your system. For example, some actions modify files and directories below /bin, /etc, /dev, etc.

The syscall collection performs a variety of suspect actions that are detected by the default Falco ruleset.

docker run -it --rm falcosecurity/event-generator run syscall --loop

The above command loops forever, incessantly generating a sample event each second.

Kubernetes Auditing Activity

The k8saudit collection generates activity that matches the k8s audit event ruleset.

event-generator run k8saudit --loop

The above command loops forever, creating resources in the current namespace and deleting them after each iteration. Use the --namespace option to choose a different namespace.

Running the Event Generator in K8s

We’ve also provided K8s resource object files that make it easy to run the event generator in K8s Clusters:

For example, you can run the following to create the necessary objects in the current namespace and then generate events continuously:

kubectl apply -f deployment/role-rolebinding-serviceaccount.yaml \
  -f deployment/event-generator.yaml

The above command applies to the default namespace. Use the --namespace option to deploy in a different namespace. Events will be generated in the same namespace.

You can also find more examples in the repository documentation.