From 79577237a1b62b44e0a4137720c70137c312141a Mon Sep 17 00:00:00 2001 From: Melissa Kilby Date: Fri, 1 Sep 2023 08:18:26 -0700 Subject: [PATCH] cleanup(config): add info about performance impact wrt rule_matching Co-authored-by: Andrea Terzolo Signed-off-by: Melissa Kilby --- falco.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/falco.yaml b/falco.yaml index 4bc6a88f..3a33e957 100644 --- a/falco.yaml +++ b/falco.yaml @@ -137,7 +137,9 @@ # # With Falco 0.36 and beyond, it's now possible to apply multiple rules that match # the same event type, eliminating concerns about rule prioritization based on the -# "first match wins" principle. Read more under the `rule_matching` configuration. +# "first match wins" principle. However, enabling the `all` matching option may result +# in a performance penalty. We recommend carefully testing this alternative setting +# before deploying it in production. Read more under the `rule_matching` configuration. rules_file: - /etc/falco/falco_rules.yaml - /etc/falco/falco_rules.local.yaml @@ -306,6 +308,12 @@ outputs: # trigger, possibly shadowing other rules. # In case `all` is used as value, rules still trigger in the order they were # defined. +# +# Effectively, with this setting, it is now possible to apply multiple rules that match +# the same event type. This eliminates concerns about rule prioritization based on the +# "first match wins" principle. However, enabling the `all` matching option may result in +# a performance penalty. We recommend carefully testing this alternative setting before +# deploying it in production. rule_matching: first