mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-12 22:18:30 +00:00
update: reduce the max burst of event drops
This also introduces a threshold configurable value. Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato
poiana
parent
7ea80e39b1
commit
b8b50932fe
26
falco.yaml
26
falco.yaml
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
# Copyright (C) 2021 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
@ -68,24 +68,34 @@ priority: debug
|
||||
buffered_outputs: false
|
||||
|
||||
# Falco uses a shared buffer between the kernel and userspace to pass
|
||||
# system call information. When falco detects that this buffer is
|
||||
# system call information. When Falco detects that this buffer is
|
||||
# full and system calls have been dropped, it can take one or more of
|
||||
# the following actions:
|
||||
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
|
||||
# - "log": log a CRITICAL message noting that the buffer was full.
|
||||
# - "alert": emit a falco alert noting that the buffer was full.
|
||||
# - "exit": exit falco with a non-zero rc.
|
||||
# - ignore: do nothing (default when list of actions is empty)
|
||||
# - log: log a CRITICAL message noting that the buffer was full
|
||||
# - alert: emit a Falco alert noting that the buffer was full
|
||||
# - exit: exit Falco with a non-zero rc
|
||||
#
|
||||
# Notice it is not possible to ignore and log/alert messages at the same time.
|
||||
#
|
||||
# The rate at which log/alert messages are emitted is governed by a
|
||||
# token bucket. The rate corresponds to one message every 30 seconds
|
||||
# with a burst of 10 messages.
|
||||
# with a burst of one message.
|
||||
#
|
||||
# The messages are emitted when the percentage of dropped system calls
|
||||
# with respect the number of events in the last second
|
||||
# is greater than the given threshold (a double in the range [0, 1]).
|
||||
#
|
||||
# For debugging/testing it is possible to simulate the drops using
|
||||
# the `simulate_drops: true`. In this case the threshold does not apply.
|
||||
|
||||
syscall_event_drops:
|
||||
threshold: .1
|
||||
actions:
|
||||
- log
|
||||
- alert
|
||||
rate: .03333
|
||||
max_burst: 10
|
||||
max_burst: 1
|
||||
|
||||
# Falco continuously monitors outputs performance. When an output channel does not allow
|
||||
# to deliver an alert within a given deadline, an error is reported indicating
|
||||
|
||||
Loading…
Reference in New Issue
Block a user