diff --git a/userspace/falco/falco_metrics.cpp b/userspace/falco/falco_metrics.cpp
index ed6d9762..0ef652ab 100644
--- a/userspace/falco/falco_metrics.cpp
+++ b/userspace/falco/falco_metrics.cpp
@@ -66,6 +66,8 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 for (auto* inspector: inspectors)
 {
+ // Falco wrapper metrics
+ //
 for (size_t i = 0; i < sizeof(all_driver_engines) / sizeof(const char*); i++)
 {
 if (inspector->check_current_engine(all_driver_engines[i]))
@@ -106,18 +108,64 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 {
 prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus("evt_source", "falcosecurity", "falco", {{"evt_source", source}});
 }
- std::vector falco_metrics;
+ std::vector additional_wrapper_metrics;
+
+ additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("start_ts",
+ METRICS_V2_MISC,
+ METRIC_VALUE_TYPE_U64,
+ METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
+ METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+ agent_info->start_ts_epoch));
+ additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("host_boot_ts",
+ METRICS_V2_MISC,
+ METRIC_VALUE_TYPE_U64,
+ METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
+ METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+ machine_info->boot_ts_epoch));
+ additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("host_num_cpus",
+ METRICS_V2_MISC,
+ METRIC_VALUE_TYPE_U32,
+ METRIC_VALUE_UNIT_COUNT,
+ METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+ machine_info->num_cpus));
+ additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("outputs_queue_num_drops",
+ METRICS_V2_MISC,
+ METRIC_VALUE_TYPE_U64,
+ METRIC_VALUE_UNIT_COUNT,
+ METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+ state.outputs->get_outputs_queue_num_drops()));
+
+ auto now = std::chrono::duration_cast(std::chrono::system_clock::now().time_since_epoch()).count();
+
+ additional_wrapper_metrics.emplace_back(libs_metrics_collector.new_metric("duration_sec",
+ METRICS_V2_MISC,
+ METRIC_VALUE_TYPE_U64,
+ METRIC_VALUE_UNIT_TIME_S_COUNT,
+ METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+ (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
+
+ for (auto metric: additional_wrapper_metrics)
+ {
+ prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+ prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", "falco");
+ }
+
+ // Falco metrics categories
+ //
+ // rules_counters_enabled
 if(state.config->m_metrics_flags & METRICS_V2_RULE_COUNTERS)
 {
 const stats_manager& rule_stats_manager = state.engine->get_rule_stats_manager();
 const indexed_vector& rules = state.engine->get_rules();
- falco_metrics.emplace_back(libs_metrics_collector.new_metric("rules.matches_total",
+ auto metric = libs_metrics_collector.new_metric("rules.matches_total",
 METRICS_V2_RULE_COUNTERS,
 METRIC_VALUE_TYPE_U64,
 METRIC_VALUE_UNIT_COUNT,
 METRIC_VALUE_METRIC_TYPE_MONOTONIC,
- rule_stats_manager.get_total().load()));
+ rule_stats_manager.get_total().load());
+ prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+ prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", "falco");
 for (size_t i = 0; i < rule_stats_manager.get_by_rule_id().size(); i++)
 {
 auto rule = rules.at(i);
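Review bot: `duration_sec` is declared `METRIC_VALUE_METRIC_TYPE_MONOTONIC` but its value comes from `std::chrono::system_clock`, which can step backwards (NTP correction, manual clock change); if `now` then falls below `agent_info->start_ts_epoch`, the subtraction inside the `(uint64_t)` cast presumably wraps to a very large value instead of going to zero, assuming `start_ts_epoch` is unsigned. A counter that jumps or resets on a clock change is easy to misread next to a health signal like `outputs_queue_num_drops`. I would clamp before dividing, `now > agent_info->start_ts_epoch ? (now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS : 0`. Separately, this block seems to sit inside the `for (auto* inspector: inspectors)` loop from the first hunk, so process-wide values such as `outputs_queue_num_drops` and `rules.matches_total` may be emitted once per inspector with identical labels; worth confirming against a multi-source configuration. to_text's body starts and ends outside the hunk.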
@@ -138,50 +186,14 @@ std::string falco_metrics::to_text(const falco::app::state& state)
 prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", "falco", const_labels);
 }
 }
-
- falco_metrics.emplace_back(libs_metrics_collector.new_metric("start_ts",
- METRICS_V2_MISC,
- METRIC_VALUE_TYPE_U64,
- METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
- METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
- agent_info->start_ts_epoch));
- falco_metrics.emplace_back(libs_metrics_collector.new_metric("host_boot_ts",
- METRICS_V2_MISC,
- METRIC_VALUE_TYPE_U64,
- METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
- METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
- machine_info->boot_ts_epoch));
- falco_metrics.emplace_back(libs_metrics_collector.new_metric("host_num_cpus",
- METRICS_V2_MISC,
- METRIC_VALUE_TYPE_U32,
- METRIC_VALUE_UNIT_COUNT,
- METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
- machine_info->num_cpus));
- falco_metrics.emplace_back(libs_metrics_collector.new_metric("outputs_queue_num_drops",
- METRICS_V2_MISC,
- METRIC_VALUE_TYPE_U64,
- METRIC_VALUE_UNIT_COUNT,
- METRIC_VALUE_METRIC_TYPE_MONOTONIC,
- state.outputs->get_outputs_queue_num_drops()));
-
- auto now = std::chrono::duration_cast(std::chrono::system_clock::now().time_since_epoch()).count();
-
- falco_metrics.emplace_back(libs_metrics_collector.new_metric("duration_sec",
- METRICS_V2_MISC,
- METRIC_VALUE_TYPE_U64,
- METRIC_VALUE_UNIT_TIME_S_COUNT,
- METRIC_VALUE_METRIC_TYPE_MONOTONIC,
- (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
-
-
- for (auto metric: falco_metrics)
- {
- prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
- prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(metric, "falcosecurity", "falco");
- }
-
 }
+ // Libs metrics categories
+ //
+ // resource_utilization_enabled
+ // state_counters_enabled
+ // kernel_event_counters_enabled
+ // libbpf_stats_enabled
 for (auto metrics_collector: metrics_collectors)
 {
 metrics_collector.snapshot();
diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp
index 80e78e6d..0d70cdc7 100644
--- a/userspace/falco/stats_writer.cpp
+++ b/userspace/falco/stats_writer.cpp
@@ -320,6 +320,9 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 const scap_agent_info* agent_info = inspector->get_agent_info();
 const scap_machine_info* machine_info = inspector->get_machine_info();
+ // Falco wrapper metrics
+ //
+
 /* Wrapper fields useful for statistical analyses and attributions. Always enabled. */
 output_fields["evt.time"] = now; /* Some ETLs may prefer a consistent timestamp within output_fields. */
 output_fields["falco.version"] = FALCO_VERSION;
@@ -373,6 +376,9 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 nlohmann::json& output_fields,
 double stats_snapshot_time_delta_sec)
 {
+ // Falco metrics categories
+ //
+ // rules_counters_enabled
 if(m_writer->m_config->m_metrics_flags & METRICS_V2_RULE_COUNTERS)
 {
 const stats_manager& rule_stats_manager = m_writer->m_engine->get_rule_stats_manager();
@@ -393,6 +399,13 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
 if (m_writer->m_libs_metrics_collector && m_writer->m_output_rule_metrics_converter)
 {
+ // Libs metrics categories
+ //
+ // resource_utilization_enabled
+ // state_counters_enabled
+ // kernel_event_counters_enabled
+ // libbpf_stats_enabled
+
 // Refresh / New snapshot
 m_writer->m_libs_metrics_collector->snapshot();
 auto metrics_snapshot = m_writer->m_libs_metrics_collector->get_metrics();