github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-20 01:17:46 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(falco)!: remove outputs.rate and outputs.max_burst

Browse Source 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
This commit is contained in:
Andrea Terzolo
2023-09-26 15:55:45 +02:00
committed by poiana
parent 09b1f92267
commit 29d2406414
4 changed files with 1 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
falco.yaml
View File

@@ -273,34 +273,6 @@ json_include_tags_property: true
# output mechanism. By default, buffering is disabled (false). # output mechanism. By default, buffering is disabled (false).
buffered_outputs: false buffered_outputs: false
# [Stable] `outputs`
#
# [DEPRECATED]
# This config is deprecated and it will be removed in Falco 0.37
#
# A throttling mechanism, implemented as a token bucket, can be used to control
# the rate of Falco outputs. Each event source has its own rate limiter,
# ensuring that alerts from one source do not affect the throttling of others.
# The following options control the mechanism:
# - rate: the number of tokens (i.e. right to send a notification) gained per
# second. When 0, the throttling mechanism is disabled. Defaults to 0.
# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
#
# For example, setting the rate to 1 allows Falco to send up to 1000
# notifications initially, followed by 1 notification per second. The burst
# capacity is fully restored after 1000 seconds of no activity.
#
# Throttling can be useful in various scenarios, such as preventing notification
# floods, managing system load, controlling event processing, or complying with
# rate limits imposed by external systems or APIs. It allows for better resource
# utilization, avoids overwhelming downstream systems, and helps maintain a
# balanced and controlled flow of notifications.
#
# With the default settings, the throttling mechanism is disabled.
outputs:
rate: 0
max_burst: 1000
# [Experimental] `rule_matching` # [Experimental] `rule_matching`
# #
# The `rule_matching` configuration key's values are: # The `rule_matching` configuration key's values are:

18
userspace/falco/app/actions/process_events.cpp
View File

@@ -25,7 +25,6 @@ limitations under the License.
#include <unordered_map> #include <unordered_map>
#include "falco_utils.h" #include "falco_utils.h"
#include "token_bucket.h"
#include "actions.h" #include "actions.h"
#include "helpers.h" #include "helpers.h"
@@ -137,8 +136,6 @@ static falco::app::run_result do_inspect(
stats_writer::collector stats_collector(statsw); stats_writer::collector stats_collector(statsw);
uint64_t duration_start = 0; uint64_t duration_start = 0;
uint32_t timeouts_since_last_success_or_msg = 0; uint32_t timeouts_since_last_success_or_msg = 0;
token_bucket rate_limiter;
const bool rate_limiter_enabled = s.config->m_notifications_rate > 0;
const bool is_capture_mode = source.empty(); const bool is_capture_mode = source.empty();
size_t source_engine_idx = 0; size_t source_engine_idx = 0;
@@ -156,14 +153,6 @@ static falco::app::run_result do_inspect(
source_engine_idx = s.source_infos.at(source)->engine_idx; source_engine_idx = s.source_infos.at(source)->engine_idx;
} }
// if enabled, init rate limiter
if (rate_limiter_enabled)
{
rate_limiter.init(
s.config->m_notifications_rate,
s.config->m_notifications_max_burst);
}
// reset event counter // reset event counter
num_evts = 0; num_evts = 0;
@@ -332,16 +321,9 @@ static falco::app::run_result do_inspect(
if(res != nullptr) if(res != nullptr)
{ {
for(auto& rule_res : *res.get()) for(auto& rule_res : *res.get())
{
if (!rate_limiter_enabled || rate_limiter.claim())
{ {
s.outputs->handle_event(rule_res.evt, rule_res.rule, rule_res.source, rule_res.priority_num, rule_res.format, rule_res.tags); s.outputs->handle_event(rule_res.evt, rule_res.rule, rule_res.source, rule_res.priority_num, rule_res.format, rule_res.tags);
} }
else
{
falco_logger::log(LOG_DEBUG, "Skipping rate-limited notification for rule " + rule_res.rule + "\n");
}
}
} }
num_evts++; num_evts++;

9
userspace/falco/configuration.cpp
View File

@@ -36,8 +36,6 @@ falco_configuration::falco_configuration():
m_json_output(false), m_json_output(false),
m_json_include_output_property(true), m_json_include_output_property(true),
m_json_include_tags_property(true), m_json_include_tags_property(true),
m_notifications_rate(0),
m_notifications_max_burst(1000),
m_rule_matching(falco_common::rule_matching::FIRST), m_rule_matching(falco_common::rule_matching::FIRST),
m_watch_config_files(true), m_watch_config_files(true),
m_buffered_outputs(false), m_buffered_outputs(false),
@@ -264,13 +262,6 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
m_output_timeout = config.get_scalar<uint32_t>("output_timeout", 2000); m_output_timeout = config.get_scalar<uint32_t>("output_timeout", 2000);
m_notifications_rate = config.get_scalar<uint32_t>("outputs.rate", 0);
if(m_notifications_rate != 0)
{
falco_logger::log(LOG_WARNING, "'output.rate' config is deprecated and it will be removed in Falco 0.37\n");
}
m_notifications_max_burst = config.get_scalar<uint32_t>("outputs.max_burst", 1000);
std::string rule_matching = config.get_scalar<std::string>("rule_matching", "first"); std::string rule_matching = config.get_scalar<std::string>("rule_matching", "first");
if (!falco_common::parse_rule_matching(rule_matching, m_rule_matching)) if (!falco_common::parse_rule_matching(rule_matching, m_rule_matching))
{ {

2
userspace/falco/configuration.h
View File

@@ -65,8 +65,6 @@ public:
bool m_json_include_tags_property; bool m_json_include_tags_property;
std::string m_log_level; std::string m_log_level;
std::vector<falco::outputs::config> m_outputs; std::vector<falco::outputs::config> m_outputs;
uint32_t m_notifications_rate;
uint32_t m_notifications_max_burst;
falco_common::priority_type m_min_priority; falco_common::priority_type m_min_priority;
falco_common::rule_matching m_rule_matching; falco_common::rule_matching m_rule_matching;