From 0df18fd78680b5b16e1691c2f69c3cb6fa4a0717 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato <leodidonato@gmail.com>
Date: Fri, 16 Apr 2021 09:47:49 +0000
Subject: [PATCH] update(userspace/falco): print out current time when a
 timeouts notification gets emitted

Also, print out the time of the last processed event in the output
fields of the notification.

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
---
 falco.yaml                |  1 +
 userspace/falco/falco.cpp | 16 +++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/falco.yaml b/falco.yaml
index 6883d239..19aa857a 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -110,6 +110,7 @@ syscall_event_drops:
 # Here you can configure the maximum number of consecutive timeouts without an event
 # after which you want Falco to alert.
 # By default this value is set to 1000 consecutive timeouts without an event at all.
+# How this value maps to a time interval depends on the CPU frequency.
 
 syscall_event_timeouts:
   max_consecutives: 1000
diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
index 33b3a421..1edd5a6d 100644
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -23,6 +23,7 @@ limitations under the License.
 #include <vector>
 #include <algorithm>
 #include <string>
+#include <chrono>
 #include <functional>
 #include <signal.h>
 #include <fcntl.h>
@@ -253,7 +254,7 @@ uint64_t do_inspect(falco_engine *engine,
 	sinsp_evt* ev;
 	StatsFileWriter writer;
 	uint64_t duration_start = 0;
-	uint64_t timeouts_since_last_success_or_msg = 0;
+	uint32_t timeouts_since_last_success_or_msg = 0;
 
 	sdropmgr.init(inspector,
 		      outputs,
@@ -304,12 +305,17 @@ uint64_t do_inspect(falco_engine *engine,
 			if(unlikely(ev == nullptr))
 			{
 				timeouts_since_last_success_or_msg++;
-				if(timeouts_since_last_success_or_msg > 100)
+				if(timeouts_since_last_success_or_msg > config.m_syscall_evt_timeout_max_consecutives)
 				{
 					std::string rule = "Falco internal: timeouts notification";
-					std::string msg = rule + ". 100 consecutive timeouts without event.";
-					std::map<std::string, std::string> of;
-					outputs->handle_msg(duration_start, falco_common::PRIORITY_DEBUG, msg, rule, of);
+					std::string msg = rule + ". " + std::to_string(config.m_syscall_evt_timeout_max_consecutives) + " consecutive timeouts without event.";
+					std::string last_event_time_str;
+					sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
+					std::map<std::string, std::string> o = {
+						{"last_event_time", last_event_time_str},
+					};
+					auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
+					outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
 					// Reset the timeouts counter, Falco alerted
 					timeouts_since_last_success_or_msg = 0;
 				}