mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-19 17:14:26 +00:00
cleanup(falco)!: remove outputs.rate and outputs.max_burst
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
This commit is contained in:
Andrea Terzolo
poiana
28
falco.yaml
28
falco.yaml
@@ -273,34 +273,6 @@ json_include_tags_property: true
|
||||
# output mechanism. By default, buffering is disabled (false).
|
||||
buffered_outputs: false
|
||||
|
||||
# [Stable] `outputs`
|
||||
#
|
||||
# [DEPRECATED]
|
||||
# This config is deprecated and it will be removed in Falco 0.37
|
||||
#
|
||||
# A throttling mechanism, implemented as a token bucket, can be used to control
|
||||
# the rate of Falco outputs. Each event source has its own rate limiter,
|
||||
# ensuring that alerts from one source do not affect the throttling of others.
|
||||
# The following options control the mechanism:
|
||||
# - rate: the number of tokens (i.e. right to send a notification) gained per
|
||||
# second. When 0, the throttling mechanism is disabled. Defaults to 0.
|
||||
# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
|
||||
#
|
||||
# For example, setting the rate to 1 allows Falco to send up to 1000
|
||||
# notifications initially, followed by 1 notification per second. The burst
|
||||
# capacity is fully restored after 1000 seconds of no activity.
|
||||
#
|
||||
# Throttling can be useful in various scenarios, such as preventing notification
|
||||
# floods, managing system load, controlling event processing, or complying with
|
||||
# rate limits imposed by external systems or APIs. It allows for better resource
|
||||
# utilization, avoids overwhelming downstream systems, and helps maintain a
|
||||
# balanced and controlled flow of notifications.
|
||||
#
|
||||
# With the default settings, the throttling mechanism is disabled.
|
||||
outputs:
|
||||
rate: 0
|
||||
max_burst: 1000
|
||||
|
||||
# [Experimental] `rule_matching`
|
||||
#
|
||||
# The `rule_matching` configuration key's values are:
|
||||
|
||||
@@ -25,7 +25,6 @@ limitations under the License.
|
||||
#include <unordered_map>
|
||||
|
||||
#include "falco_utils.h"
|
||||
#include "token_bucket.h"
|
||||
|
||||
#include "actions.h"
|
||||
#include "helpers.h"
|
||||
@@ -137,8 +136,6 @@ static falco::app::run_result do_inspect(
|
||||
stats_writer::collector stats_collector(statsw);
|
||||
uint64_t duration_start = 0;
|
||||
uint32_t timeouts_since_last_success_or_msg = 0;
|
||||
token_bucket rate_limiter;
|
||||
const bool rate_limiter_enabled = s.config->m_notifications_rate > 0;
|
||||
const bool is_capture_mode = source.empty();
|
||||
size_t source_engine_idx = 0;
|
||||
|
||||
@@ -156,14 +153,6 @@ static falco::app::run_result do_inspect(
|
||||
source_engine_idx = s.source_infos.at(source)->engine_idx;
|
||||
}
|
||||
|
||||
// if enabled, init rate limiter
|
||||
if (rate_limiter_enabled)
|
||||
{
|
||||
rate_limiter.init(
|
||||
s.config->m_notifications_rate,
|
||||
s.config->m_notifications_max_burst);
|
||||
}
|
||||
|
||||
// reset event counter
|
||||
num_evts = 0;
|
||||
|
||||
@@ -332,16 +321,9 @@ static falco::app::run_result do_inspect(
|
||||
if(res != nullptr)
|
||||
{
|
||||
for(auto& rule_res : *res.get())
|
||||
{
|
||||
if (!rate_limiter_enabled || rate_limiter.claim())
|
||||
{
|
||||
s.outputs->handle_event(rule_res.evt, rule_res.rule, rule_res.source, rule_res.priority_num, rule_res.format, rule_res.tags);
|
||||
}
|
||||
else
|
||||
{
|
||||
falco_logger::log(LOG_DEBUG, "Skipping rate-limited notification for rule " + rule_res.rule + "\n");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
num_evts++;
|
||||
|
||||
@@ -36,8 +36,6 @@ falco_configuration::falco_configuration():
|
||||
m_json_output(false),
|
||||
m_json_include_output_property(true),
|
||||
m_json_include_tags_property(true),
|
||||
m_notifications_rate(0),
|
||||
m_notifications_max_burst(1000),
|
||||
m_rule_matching(falco_common::rule_matching::FIRST),
|
||||
m_watch_config_files(true),
|
||||
m_buffered_outputs(false),
|
||||
@@ -264,13 +262,6 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
|
||||
|
||||
m_output_timeout = config.get_scalar<uint32_t>("output_timeout", 2000);
|
||||
|
||||
m_notifications_rate = config.get_scalar<uint32_t>("outputs.rate", 0);
|
||||
if(m_notifications_rate != 0)
|
||||
{
|
||||
falco_logger::log(LOG_WARNING, "'output.rate' config is deprecated and it will be removed in Falco 0.37\n");
|
||||
}
|
||||
m_notifications_max_burst = config.get_scalar<uint32_t>("outputs.max_burst", 1000);
|
||||
|
||||
std::string rule_matching = config.get_scalar<std::string>("rule_matching", "first");
|
||||
if (!falco_common::parse_rule_matching(rule_matching, m_rule_matching))
|
||||
{
|
||||
|
||||
@@ -65,8 +65,6 @@ public:
|
||||
bool m_json_include_tags_property;
|
||||
std::string m_log_level;
|
||||
std::vector<falco::outputs::config> m_outputs;
|
||||
uint32_t m_notifications_rate;
|
||||
uint32_t m_notifications_max_burst;
|
||||
|
||||
falco_common::priority_type m_min_priority;
|
||||
falco_common::rule_matching m_rule_matching;
|
||||
|
||||
Reference in New Issue
Block a user