github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-27 18:40:22 +00:00
Code Issues Projects Releases Wiki Activity

fix(metrics/prometheus): non-duplicate evt_source retrieval

Browse Source 
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
This commit is contained in:
Melissa Kilby 2025-05-21 16:23:05 +00:00 committed by Federico Di Pierro
parent 59d00d7630
commit 87cdaa7d38
1 changed files with 20 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
userspace/falco/falco_metrics.cpp
View File

@ -128,15 +128,6 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
}
}
// Note: For this to hold true, we must rely on loaded_sources above, which ensures that the
// syscall source (if applicable) is ordered first.
if(i != 0) {
continue;
}
// Falco wrapper metrics Part B: Performed only once. Each inspector contains a list of all
// event sources.
/* Examples ...
# HELP falcosecurity_falco_evt_source_info https://falco.org/docs/metrics/
# TYPE falcosecurity_falco_evt_source_info gauge
@ -145,14 +136,24 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
# TYPE falcosecurity_falco_evt_source_info gauge
falcosecurity_falco_evt_source_info{evt_source="dummy_c"} 1
*/
for(const std::string& source : inspector->event_sources()) {
// It seems that the current sources are appended. For instance, the dummy_c plugin event
// source contains syscalls again as well
const std::string& last_source = inspector->event_sources().back();
prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
"evt_source",
"falcosecurity",
"falco",
{{"evt_source", source}});
{{"evt_source", last_source}});
// Note: For this to hold true, we must rely on loaded_sources above, which ensures that the
// syscall source (if applicable) is ordered first.
if(i != 0) {
continue;
}
// Falco wrapper metrics Part B: Agnostic, performed only once.
const scap_agent_info* agent_info = inspector->get_agent_info();
const scap_machine_info* machine_info = inspector->get_machine_info();
prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
@ -162,7 +163,8 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
{{"version", FALCO_VERSION}});
// Not all scap engines report agent and machine infos.
// Therefore, if the syscalls inspector is available, use it to retrieve these metrics
// However, recent lib refactors enable a linux lite platform, allowing non-syscall
// inspectors to retrieve these metrics if the syscall inspector is unavailable.
if(agent_info) {
prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
"kernel_release",
@ -387,8 +389,8 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
continue;
}
// Performed only once, the first inspector is typically the syscalls event source
//
// Performed only once, the first inspector must be the syscalls event source, as ensured by
// the ordering above, if applicable, to maximize metrics retrieval.
for(auto& metric : metrics_snapshot) {
prometheus_metrics_converter.convert_metric_to_unit_convention(metric);