Forwarding Alerts

Forward Falco Alerts to third parties with Falcosidekick

Falco alerts can easily be forwarded to third-party systems. Their JSON format allows them to be easily consumed for storage, analysis and reaction.

Falcosidekick

Falcosidekick is a proxy forwarder, it acts as central point for any fleet of Falco instances using their http outputs to send their alerts.

The currently available outputs are chat, alert, log, storage, streaming systems, etc.

Falcosidekick

Falcosidekick can also add custom fields to the alerts, filter them by priority and expose a Prometheus metrics endpoint.

The full documentation and the project repository are here.

Falcosidekick can be deployed with Falco in Kubernetes clusters with the official Falco Helm chart.

Its configuration can be made through a yaml file and/or env vars.

Outputs

The available outputs in Falcosidekick are:

Chat

Metrics / Observability

Alerting

Logs

Object Storage

FaaS / Serverless

Message queue / Streaming

Email

Database

Web

SIEM

Workflow

Traces

Response engine

Other

Installation in Kubernetes with Helm

See the available Helm values to configure Falcosidekick.

helm install falco falcosecurity/falco \
-n falco --create-namespace \
--set falcosidekick.enabled=true \
--set tty=true 

Installation in Docker

Use the env vars to configure Falcosidekick.

docker run -d -p 2801:2801 -e SLACK_WEBHOOKURL=XXXX falcosecurity/falcosidekick:2.27.0

Installation on the host

Adapt the version and the architecture to your environment. You can find all the releases here.

sudo mkdir -p /etc/falcosidekick
wget https://github.com/falcosecurity/falcosidekick/releases/download/2.27.0/falcosidekick_2.27.0_linux_amd64.tar.gz && sudo tar -C /usr/local/bin/ -xzf falcosidekick_2.27.0_linux_amd64.tar.gz

See the example config file to create your own in /etc/falcosidekick/config.yaml.

To enable and start the service, you can use a systemd unit /etc/systemd/system/falcosidekick.service like this one:

[Unit]
Description=Falcosidekick
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=1
ExecStart=/usr/local/bin/falcosidekick -c /etc/falcosidekick/config.yaml
EOF
systemctl enable falcosidekick
systemctl start falcosidekick

Falcosidekick UI

Falcosidekick comes with its own interface to visualize the events and get statistics.

Falcosidekick UI

Installation in Kubernetes with Helm

You can install the UI at the same moment as Falcosidekick by adding the argument --set falcosidekick.webui.enabled=true.

helm install falco falcosecurity/falco \
-n falco --create-namespace \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--set tty=true 

Then create a port-forward to access it: kubectl port-forward svc falco-falcosidekick-ui 2802:2802 -n falco. The default credentials are admin/admin.

The full documentation and the repository of the project are here.