mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-13 14:34:33 +00:00
update: reduce the max burst of event drops
This also introduces a threshold configurable value. Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
This commit is contained in:
Leonardo Di Donato
poiana
parent
7ea80e39b1
commit
b8b50932fe
26
falco.yaml
26
falco.yaml
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Copyright (C) 2019 The Falco Authors.
|
# Copyright (C) 2021 The Falco Authors.
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
@ -68,24 +68,34 @@ priority: debug
|
|||||||
buffered_outputs: false
|
buffered_outputs: false
|
||||||
|
|
||||||
# Falco uses a shared buffer between the kernel and userspace to pass
|
# Falco uses a shared buffer between the kernel and userspace to pass
|
||||||
# system call information. When falco detects that this buffer is
|
# system call information. When Falco detects that this buffer is
|
||||||
# full and system calls have been dropped, it can take one or more of
|
# full and system calls have been dropped, it can take one or more of
|
||||||
# the following actions:
|
# the following actions:
|
||||||
# - "ignore": do nothing. If an empty list is provided, ignore is assumed.
|
# - ignore: do nothing (default when list of actions is empty)
|
||||||
# - "log": log a CRITICAL message noting that the buffer was full.
|
# - log: log a CRITICAL message noting that the buffer was full
|
||||||
# - "alert": emit a falco alert noting that the buffer was full.
|
# - alert: emit a Falco alert noting that the buffer was full
|
||||||
# - "exit": exit falco with a non-zero rc.
|
# - exit: exit Falco with a non-zero rc
|
||||||
|
#
|
||||||
|
# Notice it is not possible to ignore and log/alert messages at the same time.
|
||||||
#
|
#
|
||||||
# The rate at which log/alert messages are emitted is governed by a
|
# The rate at which log/alert messages are emitted is governed by a
|
||||||
# token bucket. The rate corresponds to one message every 30 seconds
|
# token bucket. The rate corresponds to one message every 30 seconds
|
||||||
# with a burst of 10 messages.
|
# with a burst of one message.
|
||||||
|
#
|
||||||
|
# The messages are emitted when the percentage of dropped system calls
|
||||||
|
# with respect the number of events in the last second
|
||||||
|
# is greater than the given threshold (a double in the range [0, 1]).
|
||||||
|
#
|
||||||
|
# For debugging/testing it is possible to simulate the drops using
|
||||||
|
# the `simulate_drops: true`. In this case the threshold does not apply.
|
||||||
|
|
||||||
syscall_event_drops:
|
syscall_event_drops:
|
||||||
|
threshold: .1
|
||||||
actions:
|
actions:
|
||||||
- log
|
- log
|
||||||
- alert
|
- alert
|
||||||
rate: .03333
|
rate: .03333
|
||||||
max_burst: 10
|
max_burst: 1
|
||||||
|
|
||||||
# Falco continuously monitors outputs performance. When an output channel does not allow
|
# Falco continuously monitors outputs performance. When an output channel does not allow
|
||||||
# to deliver an alert within a given deadline, an error is reported indicating
|
# to deliver an alert within a given deadline, an error is reported indicating
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user