github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-02 11:45:23 +00:00
Code Issues Projects Releases Wiki Activity

cleanup(metrics/prometheus): add detailed logic explanation wrt inspector loop

Browse Source 
Co-authored-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
Melissa Kilby 2025-05-21 05:16:10 +00:00 committed by Federico Di Pierro
parent 65b210b037
commit 59d00d7630
1 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
userspace/falco/falco_metrics.cpp
View File

@ -31,8 +31,36 @@ namespace fs = std::filesystem;
/*!
\class falco_metrics
\brief This class is used to convert the metrics provided by the application
and falco libs into a string to be return by the metrics endpoint.
\brief Converts metrics provided by the application and Falco libraries into a formatted string
for the metrics endpoint.
## Metrics Overview
This section explains why looping over inspectors is necessary.
Falco utilizes multiple inspectors when loading plugins with an event source.
Most metrics should only be retrieved once, ideally by the syscalls inspector if applicable.
To maximize metrics retrieval and prevent duplicate data, the syscalls inspector is always
positioned at index 0 in the loop when it exists.
Wrapper fields: See https://falco.org/docs/concepts/metrics/
- `engine_name` and `event_source` are pushed for each inspector.
- All other wrapper fields are agnostic and should be retrieved once.
## Metrics Collection Behavior
- `rules_counters_enabled` -> Agnostic; resides in falco; retrieved from the state, not an
inspector; only performed once.
- `resource_utilization_enabled` -> Agnostic; resides in libs; inspector is irrelevant;
only performed once.
- `state_counters_enabled` -> Semi-agnostic; resides in libs; must be retrieved by the syscalls
inspector if applicable.
- `kernel_event_counters_enabled` -> Resides in libs; must be retrieved by the syscalls
inspector; not available for other inspectors.
- `kernel_event_counters_per_cpu_enabled` -> Resides in libs; must be retrieved by the syscalls
inspector; not available for other inspectors.
- `libbpf_stats_enabled` -> Resides in libs; must be retrieved by the syscalls inspector;
not available for other inspectors.
- `plugins_metrics_enabled` -> Must be retrieved for each inspector.
- `jemalloc_stats_enabled` -> Agnostic; resides in falco; inspector is irrelevant;
only performed once.
*/
/*!