diff --git a/falco.yaml b/falco.yaml
index 945ea182..a0b5fa85 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2021 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -68,24 +68,34 @@ priority: debug
 buffered_outputs: false
 
 # Falco uses a shared buffer between the kernel and userspace to pass
-# system call information. When falco detects that this buffer is
+# system call information. When Falco detects that this buffer is
 # full and system calls have been dropped, it can take one or more of
 # the following actions:
-# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
-# - "log": log a CRITICAL message noting that the buffer was full.
-# - "alert": emit a falco alert noting that the buffer was full.
-# - "exit": exit falco with a non-zero rc.
+# - ignore: do nothing (default when list of actions is empty)
+# - log: log a CRITICAL message noting that the buffer was full
+# - alert: emit a Falco alert noting that the buffer was full
+# - exit: exit Falco with a non-zero rc
+#
+# Notice it is not possible to ignore and log/alert messages at the same time.
 #
 # The rate at which log/alert messages are emitted is governed by a
 # token bucket. The rate corresponds to one message every 30 seconds
-# with a burst of 10 messages.
+# with a burst of one message.
+#
+# The messages are emitted when the percentage of dropped system calls
+# with respect the number of events in the last second
+# is greater than the given threshold (a double in the range [0, 1]).
+#
+# For debugging/testing it is possible to simulate the drops using
+# the `simulate_drops: true`. In this case the threshold does not apply.
 
 syscall_event_drops:
+  threshold: .1
   actions:
     - log
     - alert
   rate: .03333
-  max_burst: 10
+  max_burst: 1
 
 # Falco continuously monitors outputs performance. When an output channel does not allow
 # to deliver an alert within a given deadline, an error is reported indicating
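Review bot: `threshold: .1` is written as a leading-dot float; YAML 1.1 and 1.2 loaders both read it as 0.1, but `threshold: 0.1` is unambiguous to a reader and matches the `[0, 1]` range the new comment documents (the pre-existing `rate: .03333` has the same form). The added comment line `with respect the number of events` is missing a word and should read `with respect to the number of events`. Since drops below the threshold presumably produce no log/alert at all, and `max_burst` is at the same time lowered from 10 to 1, operators who rely on drop notifications to notice gaps in syscall visibility will receive noticeably fewer signals; a line such as `# Drops below the threshold are not reported; lower it if drop visibility matters more than noise.` next to `threshold` would make that trade-off explicit. The `simulate_drops` key the comment refers to is not part of this hunk, so its placement and default cannot be confirmed here.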