diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake index 2c96473f..9829e763 100644 --- a/cmake/modules/falcosecurity-libs.cmake +++ b/cmake/modules/falcosecurity-libs.cmake @@ -54,7 +54,7 @@ endif() set(SCAP_HOST_ROOT_ENV_VAR_NAME "HOST_ROOT") set(SCAP_HOSTNAME_ENV_VAR "FALCO_HOSTNAME") -set(SINSP_AGENT_CGROUP_MEM_PATH_ENV_VAR "FALCO_CGROUP_MEM") +set(SINSP_AGENT_CGROUP_MEM_PATH_ENV_VAR "FALCO_CGROUP_MEM_PATH") if(NOT LIBSCAP_DIR) set(LIBSCAP_DIR "${FALCOSECURITY_LIBS_SOURCE_DIR}") diff --git a/falco.yaml b/falco.yaml index dec1d4d0..9b274106 100644 --- a/falco.yaml +++ b/falco.yaml @@ -566,83 +566,90 @@ base_syscalls: custom_set: [] repair: false -# stats_v2: periodic stats and resource utilization metrics, initial release +# metrics: periodic stats and resource utilization metrics, initial release # # --- [Description] # -# stats_v2 reflects a stats re-design from the ground up. Falco now natively supports +# `metrics` reflects a stats/metrics re-design from the ground up. Falco natively supports # resource utilization metrics and enhanced specialized metrics to monitor Falco's -# performance in production. The new metrics are exposed as monotonic counters or snapshots +# performance in production. Metrics are exposed as monotonic counters or snapshots # emitted at a pre-defined interval. Each metric is captured in the same consolidated log message. -# In addition, relevant wrapper fields are added, allowing you to perform sophisticated and customized -# statistical analyses and correlations. Lastly, the new stats framework can be easily extended -# with new metrics. +# In addition, relevant wrapper fields are added, allowing the end user to perform customized +# statistical analyses and correlations. Lastly, the metrics framework can be easily extended in the future. # # Notice: Schema and output field names are not guaranteed to be stable -# and might change until stats_v2 reaches a stable release. +# and might change until `metrics` reaches a stable release. # # --- [Usage] # # Disabled by default. # -# Env variable `-E FALCO_HOSTNAME=myhostname` customizes hostname in case -# you deploy in Kubernetes where the hostname can be equivalent to the pod name. +# Env variable `-E FALCO_HOSTNAME=myhostname` customizes hostname for Kubernetes +# deployments where the hostname can be equivalent to the pod name. # -# `stats_interval_preset`: -# preset 0: default -> means skip, not enabled -# preset 1: 15 -> 900000 -# preset 2: 30 -> 1800000 -# preset 3: 1
-> 3600000 - We recommend this option for large production environments -# preset 4: 4 -> 14400000 -# preset 5: 6 -> 21600000 -# preset 6: 12 -> 43200000 +# `interval`: +# Define the stats interval following the Prometheus time duration definitions. +# https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations # -# `stats_interval_ms`: -# If greater than 0 it overrides `stats_interval_preset`. -# We recommend this option for testing and debugging only, -# use small intervals with caution also for debugging. +# Time durations are specified as a number, followed immediately by one of the following units: +# ms - milliseconds +# s - seconds +# m - minutes +# h - hours +# d - days - assuming a day has always 24h +# w - weeks - assuming a week has always 7d +# y - years - assuming a year has always 365d # -# `stats_internal_rule`: -# Emit new stats as rule `Falco internal: resource utilization stats metrics`. -# We recommend this option for a seamless performance monitoring especially -# if you preserve Falco logs in a data lake. Can be used in conjunction with -# `stats_filename` and Prometheus exporter support is planned for the future. +# Example of a valid time duration: 1h30m20s10ms # -# `stats_filename`: -# Append stats to a `jsonl` file. Use with caution in production and log rotate file. -# Can be used in conjunction with `stats_internal_rule` and Prometheus exporter -# support is planned for the future. +# A minimum of 100ms is enforced, however we recommend choosing one of the following intervals for production: +# 15m +# 30m +# 1h +# 4h +# 6h # -# `include_resource_utilization`: +# `output_rule`: +# Emit metrics as rule `Falco internal: resource utilization stats metrics`. +# We recommend this option for seamless performance monitoring especially +# if Falco logs are preserved in a data lake. +# Note: This option requires setting `log_level` at minimum to `info`. +# +# `output_file`: +# Append stats to a `jsonl` file. Use with caution in production, Falco does not rotate the file. +# +# `resource_utilization_enabled`: # Emit CPU and memory usages. CPU usage is percentage of one CPU, # can be normalized to total number of CPUs to determine overall usage. # Memory metrics are currently kept in raw units, `kb` for RSS, PSS and VSZ # or `bytes` for container_memory_used. Use `convert_memory_to_mb` to # uniformly convert each memory metric to MB. -# `-E FALCO_CGROUP_MEM=customfile` let's you customize the container_memory_used -# file which defaults to Kubernetes `/sys/fs/cgroup/memory/memory.usage_in_bytes`. +# `-E FALCO_CGROUP_MEM_PATH=customfile` let's you customize the container_memory_used +# file which defaults to Kubernetes `/sys/fs/cgroup/memory/memory.usage_in_bytes` that is +# similar to Kubernetes `container_memory_working_set_bytes` of the Falco container. # -# `include_kernel_evts_counters`: +# `kernel_event_counters_enabled`: # Emit kernel side event and drop counters, compare to `syscall_event_drops`, -# however this option reflects monotonic counters since Falco start -# flushed at a constant stats interval and therefore can be an alternative. +# however this option reflects monotonic counters since Falco start, +# exported at a constant stats interval and therefore can be regarded as an alternative. +# kernel event conters are prefixed with `n_` e.g. `n_evts`, `n_drops`, `n_drops_buffer_total` ... # -# `include_libbpf_stats`: +# `libbpf_stats_enabled`: # Exposes `bpftool prog show` like stats, e.g. number of invocations # of each bpf program Falco attached as well as time spent in each program in nanoseconds. # Requires kernels >= 5.1 plus kernel config `bpf_stats_enabled`. # This option or equivalent stats are not supported for non `*bpf*` drivers. +# Note that currently `libbpf` does not support stats granularity at the bpf tail call level. # # todo: Prometheus export option -# todo: syscall counters option +# todo: userspace_syscall_event_counters_enabled option -stats_v2: +metrics: enabled: false - stats_interval_preset: 3 - stats_interval_ms: 0 - stats_internal_rule: true - # stats_filename: /tmp/falco_stats.jsonl - include_resource_utilization: true - include_kernel_evts_counters: true - include_libbpf_stats: true + interval: 1h + output_rule: true + # output_file: /tmp/falco_stats.jsonl + resource_utilization_enabled: true + kernel_event_counters_enabled: true + libbpf_stats_enabled: true convert_memory_to_mb: true diff --git a/userspace/engine/CMakeLists.txt b/userspace/engine/CMakeLists.txt index 7ee9a1b9..32c8c406 100644 --- a/userspace/engine/CMakeLists.txt +++ b/userspace/engine/CMakeLists.txt @@ -15,6 +15,7 @@ set(FALCO_ENGINE_SOURCE_FILES falco_engine.cpp falco_load_result.cpp falco_utils.cpp + falco_metrics.cpp json_evt.cpp evttype_index_ruleset.cpp formats.cpp diff --git a/userspace/engine/falco_metrics.cpp b/userspace/engine/falco_metrics.cpp new file mode 100644 index 00000000..bf56d2b7 --- /dev/null +++ b/userspace/engine/falco_metrics.cpp @@ -0,0 +1,145 @@ +/* +Copyright (C) 2023 The Falco Authors. + +This file is part of falco. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*/ +#include +#include + +#include "falco_utils.h" +#include "utils.h" +#include "banned.h" // This raises a compilation error when certain functions are used + +#include + +// these follow the POSIX standard +#define RGX_PROMETHEUS_TIME_DURATION_PATTERN "([0-9]+[a-z]+)" +#define RGX_PROMETHEUS_NUMBER_PATTERN "([0-9]+)" +#define RGX_PROMETHEUS_UNIT_PATTERN "([a-z]+)" + +// using pre-compiled regex for better performance +static re2::RE2 s_rgx_prometheus_time_duration(RGX_PROMETHEUS_TIME_DURATION_PATTERN, re2::RE2::POSIX); +static re2::RE2 s_rgx_prometheus_number(RGX_PROMETHEUS_NUMBER_PATTERN, re2::RE2::POSIX); +static re2::RE2 s_rgx_prometheus_unit(RGX_PROMETHEUS_UNIT_PATTERN, re2::RE2::POSIX); + +// Prometheus time durations: https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations +#define PROMETHEUS_UNIT_Y "y" ///> assuming a year has always 365d +#define PROMETHEUS_UNIT_W "w" ///> assuming a week has always 7d +#define PROMETHEUS_UNIT_D "d" ///> assuming a day has always 24h +#define PROMETHEUS_UNIT_H "h" ///> hour +#define PROMETHEUS_UNIT_M "m" ///> minute +#define PROMETHEUS_UNIT_S "s" ///> second +#define PROMETHEUS_UNIT_MS "ms" ///> millisecond + +// standard time unit conversions to milliseconds +#define SECOND_TO_MS 1000 +#define MINUTE_TO_MS SECOND_TO_MS * 60 +#define HOUR_TO_MS MINUTE_TO_MS * 60 +#define DAY_TO_MS HOUR_TO_MS * 24 +#define WEEK_TO_MS DAY_TO_MS * 7 +#define YEAR_TO_MS WEEK_TO_MS * 365 + +namespace falco +{ +namespace metrics +{ + +uint64_t parse_metrics_interval(std::string interval_str) +{ + uint64_t interval = 0; + /* Sanitize user input, remove possible whitespaces. */ + interval_str.erase(remove_if(interval_str.begin(), interval_str.end(), isspace), interval_str.end()); + + if(!interval_str.empty()) + { + /* Option 1: Passing interval directly in ms. Will be deprecated in the future. */ + if(std::all_of(interval_str.begin(), interval_str.end(), ::isdigit)) + { + /* todo: deprecate for Falco 0.36. */ + interval = std::stoull(interval_str, nullptr, 0); + std::cerr << "Metrics interval was passed as numeric value without Prometheus time unit, this option will no longer be supported starting Falco 0.36" << std::endl; + } + /* Option 2: Passing a Prometheus time duration. + * https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations + */ + else + { + re2::StringPiece input(interval_str); + std::string r; + std::string cur_interval_str; + uint64_t cur_interval; + std::string cur_unit; + bool valid = true; + /* Note that parsing is done at start up only. */ + while(re2::RE2::FindAndConsume(&input, s_rgx_prometheus_time_duration, &r)) + { + RE2::Extract(r, s_rgx_prometheus_number, "\\1", &cur_interval_str); + cur_interval = std::stoull(cur_interval_str, nullptr, 0); + if(cur_interval > 0) + { + RE2::Extract(r, s_rgx_prometheus_unit, "\\1", &cur_unit); + if(cur_unit == PROMETHEUS_UNIT_MS) + { + interval += cur_interval; + } + else if(cur_unit == PROMETHEUS_UNIT_S) + { + interval += cur_interval * SECOND_TO_MS; + } + else if(cur_unit == PROMETHEUS_UNIT_M) + { + interval += cur_interval * MINUTE_TO_MS; + } + else if(cur_unit == PROMETHEUS_UNIT_H) + { + interval += cur_interval * HOUR_TO_MS; + } + else if(cur_unit == PROMETHEUS_UNIT_D) + { + interval += cur_interval * DAY_TO_MS; + } + else if(cur_unit == PROMETHEUS_UNIT_W) + { + interval += cur_interval * WEEK_TO_MS; + } + else if(cur_unit == PROMETHEUS_UNIT_Y) + { + interval += cur_interval * YEAR_TO_MS; + } + else + { + valid = false; + } + } + else + { + valid = false; + } + } + if (!valid) + { + // invalidate if any invalid unit or no corresponding numeric value was found + interval = 0; + } + } + } + + return interval; +} + + +} // namespace metrics +} // namespace falco \ No newline at end of file diff --git a/userspace/engine/falco_metrics.h b/userspace/engine/falco_metrics.h new file mode 100644 index 00000000..82664139 --- /dev/null +++ b/userspace/engine/falco_metrics.h @@ -0,0 +1,49 @@ +/* +Copyright (C) 2023The Falco Authors. + +This file is part of falco. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +*/ + +#pragma once + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef __GNUC__ +#define likely(x) __builtin_expect(!!(x), 1) +#define unlikely(x) __builtin_expect(!!(x), 0) +#else +#define likely(x) (x) +#define unlikely(x) (x) +#endif + +namespace falco +{ +namespace metrics +{ + +uint64_t parse_metrics_interval(std::string interval_str); + + +} // namespace metrics +} // namespace falco diff --git a/userspace/falco/app/actions/process_events.cpp b/userspace/falco/app/actions/process_events.cpp index 08eb7ee3..d026dd4d 100644 --- a/userspace/falco/app/actions/process_events.cpp +++ b/userspace/falco/app/actions/process_events.cpp @@ -401,50 +401,41 @@ static std::shared_ptr init_stats_writer(const options& opts, std: { auto statsw = std::make_shared(outputs, config); std::string err; - uint64_t stats_interval_ms = 0; - if (config->m_stats_v2_enabled && config->m_stats_v2_stats_interval_preset > 0) - { - uint16_t index = config->m_stats_v2_stats_interval_preset; - if(index <= MAX_STATS_PRESET_INDEX) - { - /* Index 0 reserved, milliseconds representation for 15min, 30min, 1hr, 4hrs, 6hrs, 12hrs. */ - std::vector vect{0LLU, 900000LU, 1800000LU, 3600000LU, 14400000LU, 21600000LU, 43200000LU}; - stats_interval_ms = vect[index]; - } - else - { - // todo: warning message - stats_interval_ms = 0; - } - } + uint64_t interval = 0; /* Continue cmd args support and old defaults for backward compatibility, scheduled for deprecation. */ - if (stats_interval_ms == 0 && opts.stats_interval > 0) + if(!config->m_metrics_enabled && opts.stats_interval > 0) { - stats_interval_ms = opts.stats_interval; + interval = opts.stats_interval; } - /* New config. Exact stats_interval_ms in falco.yaml overrides presets. */ - if (config->m_stats_v2_enabled && config->m_stats_v2_stats_interval_ms > 0) + /* New metrics and configs over falco.yaml. */ + else if(config->m_metrics_enabled && config->m_metrics_interval > 0) { - stats_interval_ms = config->m_stats_v2_stats_interval_ms; + interval = config->m_metrics_interval; } - if (stats_interval_ms > 0) + /* Enforce minimum bound of 100ms. */ + if(interval > 100) { - if (!stats_writer::init_ticker(stats_interval_ms, err)) + if(!stats_writer::init_ticker(interval, err)) { throw falco_exception(err); } + /* Only support new info message for new metrics and configs over falco.yaml. */ + if(config->m_metrics_enabled) + { + falco_logger::log(LOG_INFO, "Setting metrics interval to " + config->m_metrics_interval_str + ", equivalent to " + std::to_string(interval) + " (ms)\n"); + } } /* Continue cmd args support for backward compatibility, scheduled for deprecation. */ - if (!config->m_stats_v2_enabled && !opts.stats_filename.empty()) + if(!config->m_metrics_enabled && !opts.output_file.empty()) { - statsw.reset(new stats_writer(opts.stats_filename, outputs, config)); + statsw.reset(new stats_writer(opts.output_file, outputs, config)); } - /* New config. */ - else if (config->m_stats_v2_enabled && !config->m_stats_v2_stats_filename.empty()) + /* New metrics and configs over falco.yaml. */ + else if(config->m_metrics_enabled && !config->m_metrics_output_file.empty()) { - statsw.reset(new stats_writer(config->m_stats_v2_stats_filename, outputs, config)); + statsw.reset(new stats_writer(config->m_metrics_output_file, outputs, config)); } return statsw; } diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp index 28193974..7dda508f 100644 --- a/userspace/falco/app/options.cpp +++ b/userspace/falco/app/options.cpp @@ -219,7 +219,7 @@ void options::define(cxxopts::Options& opts) ("p,print", "Add additional information to each falco notification's output.\nWith -pc or -pcontainer will use a container-friendly format.\nWith -pk or -pkubernetes will use a kubernetes-friendly format.\nAdditionally, specifying -pc/-pk will change the interpretation of %container.info in rule output fields.", cxxopts::value(print_additional), "") ("P,pidfile", "When run as a daemon, write pid to specified file", cxxopts::value(pidfilename)->default_value("/var/run/falco.pid"), "") ("r", "Rules file/directory (defaults to value set in configuration file, or /etc/falco_rules.yaml). This option can be passed multiple times to read from multiple files/directories.", cxxopts::value>(), "") - ("s", "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(stats_filename), "") + ("s", "If specified, append statistics related to Falco's reading/processing of events to this file (only useful in live mode).", cxxopts::value(output_file), "") ("stats-interval", "When using -s , write statistics every ms. This uses signals, so don't recommend intervals below 200 ms. Defaults to 5000 (5 seconds).", cxxopts::value(stats_interval)->default_value("5000"), "") ("S,snaplen", "Capture the first bytes of each I/O buffer. By default, the first 80 bytes are captured. Use this option with caution, it can generate huge trace files.", cxxopts::value(snaplen)->default_value("0"), "") ("support", "Print support information including version, rules files used, etc. and exit.", cxxopts::value(print_support)->default_value("false")) diff --git a/userspace/falco/app/options.h b/userspace/falco/app/options.h index a63e3674..b6341b44 100644 --- a/userspace/falco/app/options.h +++ b/userspace/falco/app/options.h @@ -70,7 +70,7 @@ public: std::string pidfilename; // Rules list as passed by the user, via cmdline option '-r' std::list rules_filenames; - std::string stats_filename; + std::string output_file; uint64_t stats_interval; uint64_t snaplen; bool print_support; diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 288a8b39..286a7e18 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -26,6 +26,7 @@ limitations under the License. #include #include #include "falco_utils.h" +#include "falco_metrics.h" #include "configuration.h" #include "logger.h" @@ -60,7 +61,7 @@ falco_configuration::falco_configuration(): m_cpus_for_each_syscall_buffer(2), m_syscall_drop_failed_exit(false), m_base_syscalls_repair(false), - m_stats_v2_enabled(false) + m_metrics_enabled(false) { init({}); } @@ -339,15 +340,15 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h config.get_sequence>(m_base_syscalls_custom_set, std::string("base_syscalls.custom_set")); m_base_syscalls_repair = config.get_scalar("base_syscalls.repair", false); - m_stats_v2_enabled = config.get_scalar("stats_v2.enabled", false); - m_stats_v2_stats_interval_preset = config.get_scalar("stats_v2.stats_interval_preset", 0); - m_stats_v2_stats_interval_ms = config.get_scalar("stats_v2.stats_interval_ms", 0); - m_stats_v2_stats_internal_rule = config.get_scalar("stats_v2.stats_internal_rule", true); - m_stats_v2_stats_filename = config.get_scalar("stats_v2.stats_filename", ""); - m_stats_v2_include_resource_utilization = config.get_scalar("stats_v2.include_resource_utilization", true); - m_stats_v2_include_kernel_evts_counters = config.get_scalar("stats_v2.include_kernel_evts_counters", true); - m_stats_v2_include_libbpf_stats = config.get_scalar("stats_v2.include_libbpf_stats", true); - m_stats_v2_convert_memory_to_mb = config.get_scalar("stats_v2.convert_memory_to_mb", true); + m_metrics_enabled = config.get_scalar("metrics.enabled", false); + m_metrics_interval_str = config.get_scalar("metrics.interval", "0"); + m_metrics_interval = falco::metrics::parse_metrics_interval(m_metrics_interval_str); + m_metrics_stats_rule_enabled = config.get_scalar("metrics.stats_rule_enabled", true); + m_metrics_output_file = config.get_scalar("metrics.output_file", ""); + m_metrics_resource_utilization_enabled = config.get_scalar("metrics.resource_utilization_enabled", true); + m_metrics_kernel_event_counters_enabled = config.get_scalar("metrics.kernel_event_counters_enabled", true); + m_metrics_libbpf_stats_enabled = config.get_scalar("metrics.libbpf_stats_enabled", true); + m_metrics_convert_memory_to_mb = config.get_scalar("metrics.convert_memory_to_mb", true); std::vector load_plugins; diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index b81bcc54..c8ec7da2 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -112,16 +112,16 @@ public: std::unordered_set m_base_syscalls_custom_set; bool m_base_syscalls_repair; - // stats_v2 configs - bool m_stats_v2_enabled; - uint16_t m_stats_v2_stats_interval_preset; - uint64_t m_stats_v2_stats_interval_ms; - bool m_stats_v2_stats_internal_rule; - std::string m_stats_v2_stats_filename; - bool m_stats_v2_include_resource_utilization; - bool m_stats_v2_include_kernel_evts_counters; - bool m_stats_v2_include_libbpf_stats; - bool m_stats_v2_convert_memory_to_mb; + // metrics configs + bool m_metrics_enabled; + std::string m_metrics_interval_str; + uint64_t m_metrics_interval; + bool m_metrics_stats_rule_enabled; + std::string m_metrics_output_file; + bool m_metrics_resource_utilization_enabled; + bool m_metrics_kernel_event_counters_enabled; + bool m_metrics_libbpf_stats_enabled; + bool m_metrics_convert_memory_to_mb; std::vector m_plugins; diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp index ca85e5d1..b10533bb 100644 --- a/userspace/falco/stats_writer.cpp +++ b/userspace/falco/stats_writer.cpp @@ -26,6 +26,7 @@ limitations under the License. #include "logger.h" #include "banned.h" // This raises a compilation error when certain functions are used #include "config_falco.h" +#include // note: ticker_t is an uint16_t, which is enough because we don't care about // overflows here. Threads calling stats_writer::handle() will just @@ -157,7 +158,7 @@ stats_writer::collector::collector(std::shared_ptr writer) { } -std::map stats_writer::collector::get_stats_v2_output_fields_wrapper(std::shared_ptr inspector, uint64_t now, std::string src, uint64_t num_evts, double stats_snapshot_time_delta_sec) +std::map stats_writer::collector::get_metrics_output_fields_wrapper(std::shared_ptr inspector, uint64_t now, std::string src, uint64_t num_evts, double stats_snapshot_time_delta_sec) { std::map output_fields; const scap_agent_info* agent_info = inspector->get_agent_info(); @@ -203,7 +204,7 @@ std::map stats_writer::collector::get_stats_v2_output_ } -std::map stats_writer::collector::get_stats_v2_output_fields_additional(std::shared_ptr inspector, std::map output_fields, double stats_snapshot_time_delta_sec, std::string src) +std::map stats_writer::collector::get_metrics_output_fields_additional(std::shared_ptr inspector, std::map output_fields, double stats_snapshot_time_delta_sec, std::string src) { const scap_agent_info* agent_info = inspector->get_agent_info(); const scap_machine_info* machine_info = inspector->get_machine_info(); @@ -212,7 +213,7 @@ std::map stats_writer::collector::get_stats_v2_output_ /* Resource utilization, CPU and memory usage etc. */ uint32_t nstats = 0; int32_t rc = 0; - if (m_writer->m_config->m_stats_v2_include_resource_utilization) + if (m_writer->m_config->m_metrics_resource_utilization_enabled) { const scap_stats_v2* utilization; auto buffer = inspector->get_sinsp_stats_v2_buffer(); @@ -225,7 +226,7 @@ std::map stats_writer::collector::get_stats_v2_output_ switch(utilization[stat].type) { case STATS_VALUE_TYPE_U64: - if (m_writer->m_config->m_stats_v2_convert_memory_to_mb && strncmp(utilization[stat].name, "container_memory_used", 21) == 0) + if (m_writer->m_config->m_metrics_convert_memory_to_mb && strncmp(utilization[stat].name, "container_memory_used", 21) == 0) { output_fields[utilization[stat].name] = std::to_string(utilization[stat].value.u64 / (double)1024 / (double)1024); } @@ -235,7 +236,7 @@ std::map stats_writer::collector::get_stats_v2_output_ } break; case STATS_VALUE_TYPE_U32: - if (m_writer->m_config->m_stats_v2_convert_memory_to_mb && strncmp(utilization[stat].name, "memory_", 7) == 0) + if (m_writer->m_config->m_metrics_convert_memory_to_mb && strncmp(utilization[stat].name, "memory_", 7) == 0) { output_fields[utilization[stat].name] = std::to_string(utilization[stat].value.u32 / (double)1024); } @@ -264,11 +265,11 @@ std::map stats_writer::collector::get_stats_v2_output_ rc = 0; uint32_t flags = 0; - if (m_writer->m_config->m_stats_v2_include_kernel_evts_counters) + if (m_writer->m_config->m_metrics_kernel_event_counters_enabled) { flags |= PPM_SCAP_STATS_KERNEL_COUNTERS; } - if (m_writer->m_config->m_stats_v2_include_libbpf_stats && !inspector->check_current_engine(KMOD_ENGINE) && (machine_info->flags & PPM_BPF_STATS_ENABLED)) + if (m_writer->m_config->m_metrics_libbpf_stats_enabled && !inspector->check_current_engine(KMOD_ENGINE) && (machine_info->flags & PPM_BPF_STATS_ENABLED)) { flags |= PPM_SCAP_STATS_LIBBPF_STATS; } @@ -316,7 +317,7 @@ std::map stats_writer::collector::get_stats_v2_output_ void stats_writer::collector::collect(std::shared_ptr inspector, const std::string &src, uint64_t num_evts) { - if (m_writer->m_config->m_stats_v2_enabled || m_writer->has_output()) + if (m_writer->m_config->m_metrics_enabled || m_writer->has_output()) { /* Collect stats / metrics once per ticker period. */ auto tick = stats_writer::get_ticker(); @@ -332,15 +333,15 @@ void stats_writer::collector::collect(std::shared_ptr inspector, const st double stats_snapshot_time_delta_sec = (stats_snapshot_time_delta / (double)ONE_SECOND_IN_NS); /* Get respective metrics output_fields. */ - std::map output_fields = stats_writer::collector::get_stats_v2_output_fields_wrapper(inspector, now, src, num_evts, stats_snapshot_time_delta_sec); - output_fields = stats_writer::collector::get_stats_v2_output_fields_additional(inspector, output_fields, stats_snapshot_time_delta_sec, src); + std::map output_fields = stats_writer::collector::get_metrics_output_fields_wrapper(inspector, now, src, num_evts, stats_snapshot_time_delta_sec); + output_fields = stats_writer::collector::get_metrics_output_fields_additional(inspector, output_fields, stats_snapshot_time_delta_sec, src); /* Pipe to respective output. */ - if (m_writer->m_config->m_stats_v2_enabled && m_writer->m_config->m_stats_v2_stats_internal_rule && m_writer->m_outputs) + if (m_writer->m_config->m_metrics_enabled && m_writer->m_config->m_metrics_stats_rule_enabled && m_writer->m_outputs) { std::string rule = "Falco internal: resource utilization stats metrics"; std::string msg = ""; - m_writer->m_outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, output_fields); + m_writer->m_outputs->handle_msg(now, falco_common::PRIORITY_INFORMATIONAL, msg, rule, output_fields); } if (m_writer->has_output()) { diff --git a/userspace/falco/stats_writer.h b/userspace/falco/stats_writer.h index a0efbd74..932cf482 100644 --- a/userspace/falco/stats_writer.h +++ b/userspace/falco/stats_writer.h @@ -63,14 +63,14 @@ public: void collect(std::shared_ptr inspector, const std::string& src, uint64_t num_evts); /*! - \brief Collect snapshot stats v2 wrapper fields as internal rule formatted output fields. + \brief Collect snapshot metrics wrapper fields as internal rule formatted output fields. */ - std::map get_stats_v2_output_fields_wrapper(std::shared_ptr inspector, uint64_t now, std::string src, uint64_t num_evts, double stats_snapshot_time_delta_sec); + std::map get_metrics_output_fields_wrapper(std::shared_ptr inspector, uint64_t now, std::string src, uint64_t num_evts, double stats_snapshot_time_delta_sec); /*! - \brief Collect snapshot stats v2 syscalls related metrics as internal rule formatted output fields. + \brief Collect snapshot metrics syscalls related metrics as internal rule formatted output fields. */ - std::map get_stats_v2_output_fields_additional(std::shared_ptr inspector, std::map output_fields, double stats_snapshot_time_delta_sec, std::string src); + std::map get_metrics_output_fields_additional(std::shared_ptr inspector, std::map output_fields, double stats_snapshot_time_delta_sec, std::string src); private: std::shared_ptr m_writer;