From 199a1c22c6bb906fcbf3236f17565a37ba5e3ba4 Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato
Date: Fri, 19 Mar 2021 15:45:00 +0000
Subject: [PATCH] fix(userspace/falco): n_evts does not containd the dropped events count
Signed-off-by: Leonardo Di Donato
---
 falco.yaml | 2 +-
 userspace/falco/event_drops.cpp | 9 +++------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/falco.yaml b/falco.yaml
index a0b5fa85..6fb19538 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -80,7 +80,7 @@ buffered_outputs: false
 #
 # The rate at which log/alert messages are emitted is governed by a
 # token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of one message.
+# with a burst of one message (by default).
 #
 # The messages are emitted when the percentage of dropped system calls
 # with respect the number of events in the last second
diff --git a/userspace/falco/event_drops.cpp b/userspace/falco/event_drops.cpp
index 16ae2478..3d646c15 100644
--- a/userspace/falco/event_drops.cpp
+++ b/userspace/falco/event_drops.cpp
@@ -87,14 +87,11 @@ bool syscall_evt_drop_mgr::process_event(sinsp *inspector, sinsp_evt *evt)
 delta.n_drops++;
 }
- if(m_simulate_drops || (delta.n_drops > 0 && delta.n_evts > 0))
+ if(delta.n_drops > 0)
 {
 double ratio = delta.n_drops;
- // Number of events can possiblity be zero here only when simulating drops
- // In which case, ratio holds an infinite value
- // Assuming IEC 559 (aka IEEE 754 - std::numeric_limits::is_iec559) is true
- // Anyways, this is always greater than zero when not simulating drops
- ratio /= delta.n_evts;
+ // Assuming the number of event does not contains the dropped ones
+ ratio /= delta.n_drops + delta.n_evts;
 // When simulating drops the threshold is always zero
 if(ratio > m_threshold)
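Review bot: The new denominator `delta.n_drops + delta.n_evts` in the event_drops.cpp hunk depends on the assumption in the added comment, that n_evts excludes dropped events, and nothing visible in the hunk shows where that is guaranteed. If a capture source does count drops inside n_evts, the ratio is understated and the drop alert fires later than the configured threshold, so a loss of syscall visibility goes unreported for longer. I would reword the comment to name the contract, for example `// n_evts is assumed to exclude dropped events (confirm against the capture stats), so n_drops + n_evts is the total for the interval`. The falco.yaml context line in the first hunk still describes the ratio as drops "with respect the number of events", which no longer matches this formula. The ratio can now never exceed 1.0, which is worth stating next to `ratio > m_threshold`; process_event's body starts and ends outside the hunk.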