docs(falco.yaml): improve rate limiter config docs

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-07-16 15:51:55 +00:00 · 2022-07-21 10:05:39 +00:00 · 2022-07-21 10:05:39 +00:00 · bec103de1a
commit bec103de1a
parent 6c74aa1a29
1 changed files with 7 additions and 2 deletions
--- a/falco.yaml
+++ b/falco.yaml
@ -187,14 +187,19 @@ syscall_event_timeouts:
 output_timeout: 2000

 # A throttling mechanism implemented as a token bucket limits the
-# rate of falco notifications. This throttling is controlled by the following configuration
-# options:
+# rate of Falco notifications. One rate limiter is assigned to each event
+# source, so that alerts coming from one can't influence the throttling
+# mechanism of the others. This is controlled by the following options:
 #  - rate: the number of tokens (i.e. right to send a notification)
 #    gained per second. When 0, the throttling mechanism is disabled.
 #    Defaults to 0.
 #  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
 #
 # With these defaults, the throttling mechanism is disabled.
+# For example, by setting rate to 1 Falco could send up to 1000 notifications
+# after an initial quiet period, and then up to 1 notification per second
+# afterward. It would gain the full burst back after 1000 seconds of
+# no activity.

 outputs:
  rate: 0