diff --git a/userspace/falco/app/actions/process_events.cpp b/userspace/falco/app/actions/process_events.cpp
index c92a2d0f..80361be3 100644
--- a/userspace/falco/app/actions/process_events.cpp
+++ b/userspace/falco/app/actions/process_events.cpp
@@ -235,6 +235,12 @@ static falco::app::run_result do_inspect(
 }
 // for capture mode, the source name can change at every event
+// TODO: This may currently cause issues for multiple event sources. We are deferring
+// the fix to Falco 0.42.0.
+// For multiple event sources, it generates `n` metrics logs per source at a time, as
+// expected, with the engine_name correctly reflected. However, the order may interfere,
+// as the correct inspector for the syscalls event source seems to never get passed,
+// resulting in most metrics being missing.
 stats_collector.collect(inspector, inspector->event_sources()[source_engine_idx], num_evts);
diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp
index 1df8e83d..9d38a128 100644
--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
@@ -61,7 +61,9 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 std::vector> inspectors;
 std::vector metrics_collectors;
-for(const auto& source : state.enabled_sources) {
+// Note: Must rely on loaded_sources, which ensures that the syscall source (if applicable) is
+// ordered first.
+for(const auto& source : state.loaded_sources) {
 auto source_info = state.source_infos.at(source);
 auto source_inspector = source_info->inspector;
 inspectors.emplace_back(source_inspector);
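Review bot: The new TODO states that with several event sources the syscall inspector apparently never reaches this call, yet the `stats_collector.collect(...)` line right below still indexes `inspector->event_sources()[source_engine_idx]` with unchecked `operator[]`; if the inspector and the index can disagree as the comment describes, the failure mode is an out-of-bounds read rather than a visible error. I would fail closed: `if(source_engine_idx >= inspector->event_sources().size()) { return run_result::fatal("metrics: event source index out of range for inspector"); }` placed before the call, adjusting the return type to whatever do_inspect uses for fatal errors. Since the deferred bug leaves operators without most metrics (including whatever drop counters are collected here) when plugins are loaded, the gap should not be silent — if a logger is in scope in this file, a one-time warning when more than one source is loaded would make the blind spot observable. The comment itself would also read better if it named the observed effect instead of "the order may interfere", e.g. `// KNOWN ISSUE (fix deferred to 0.42.0): with multiple event sources the syscall inspector is not the one passed here, so most syscall metrics are missing from the output.` The enclosing do_inspect body starts and continues outside this hunk.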
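Review bot: The ordering guarantee the new comment relies on ("syscall source ordered first") is asserted only in prose; nothing in this loop verifies it, and `loaded_sources` is populated elsewhere, so a future change to that container would silently break the `i != 0` gate later in this function. A cheap guard after the loop would make the assumption fail loudly, e.g. `// Part B below treats inspectors[0] as the syscall inspector; verify instead of trusting order` followed by a check against the syscall source name constant, if this file has one in scope. Switching the iteration set from `enabled_sources` to `loaded_sources` also presumably changes which inspectors get metrics: a source that is loaded but not enabled would now be reported, and `state.source_infos.at(source)` on the unchanged line below will throw `std::out_of_range` for any loaded source that lacks a source_info — the description should state whether both are intended. The function to_text continues outside this hunk.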
@@ -75,9 +77,8 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 for(size_t i = 0; i < inspectors.size(); ++i) {
 // Start inspector loop
 auto& inspector = inspectors[i];
-// Falco wrapper metrics, repeated for each inspector, accounting for plugins w/ event
-// sources
-//
+// Falco wrapper metrics Part A: Repeated for each inspector, accounting for plugins w/
+// event sources
 /* Examples ...
 # HELP falcosecurity_scap_engine_name_info https://falco.org/docs/metrics/
@@ -99,15 +100,15 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 }
 }
+// Note: For this to hold true, we must rely on loaded_sources above, which ensures that the
+// syscall source (if applicable) is ordered first.
 if(i != 0) {
 continue;
 }
-// Falco wrapper metrics; Performed only once, the first inspector is typically the syscalls
-// event source
-//
+// Falco wrapper metrics Part B: Performed only once. Each inspector contains a list of all
+// event sources.
-// Each inspector includes all event sources
 /* Examples ...
 # HELP falcosecurity_falco_evt_source_info https://falco.org/docs/metrics/
 # TYPE falcosecurity_falco_evt_source_info gauge
@@ -133,6 +134,7 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 {{"version", FALCO_VERSION}});
 // Not all scap engines report agent and machine infos.
+// Therefore, if the syscalls inspector is available, use it to retrieve these metrics
 if(agent_info) {
 prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus( "kernel_release",
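Review bot: The new note above `if(i != 0)` opens with "For this to hold true" without saying what "this" is; a reader has to work out that the early `continue` makes everything below run only for `inspectors[0]`, and that index 0 is meaningful only because of the iteration order chosen earlier. I would write it as `// Part B below runs only for inspectors[0]. Iterating loaded_sources above is what guarantees index 0 is the syscall inspector when one is loaded; do not reorder that container.` The rewritten Part B comment also seems to undercut the ordering requirement: if every inspector carries the full event-source list, the `falcosecurity_falco_evt_source_info` metric shown in the example does not need the syscall inspector at all, and the only consumer that does is presumably the agent/machine info further down — the comment should say which part depends on the ordering. The surrounding for loop starts in the previous hunk and continues past this one.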
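Review bot: The added comment says "if the syscalls inspector is available, use it", but the guard that follows is `if(agent_info)`, which only checks that the pointer is non-null — nothing here checks which inspector it came from, and `agent_info` is obtained outside this hunk. Stating the real condition avoids misleading the next maintainer: `// agent/machine info is null for engines that do not report it; emit kernel/host metrics only when present.` If the intent really is to require the syscall inspector, that should be a check on the source, not inferred from a null test. The `if(agent_info)` block continues beyond this hunk.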
@@ -149,6 +151,7 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 }
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
+// Note that the rule counter metrics are retrieved from the state, not from any inspector
 // Distinguish between config and rules files using labels, following Prometheus best
 // practices: https://prometheus.io/docs/practices/naming/#labels
 for(const auto& item : state.config.get()->m_loaded_rules_filenames_sha256sum) {