diff --git a/falco.yaml b/falco.yaml
index 04ab4101..173e8ef0 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -77,11 +77,12 @@
# configuration, you can run `falco --help` in your terminal. You can also pass
# configuration options from this config file as command-line arguments by using
# the `-o` flag followed by the option name and value. In the following example,
-# three config options (`json_output`, `log_level`, and `log_stderr`) are passed as
-# command-line arguments with their corresponding values:
-# `falco -o "json_output=true" -o "log_level=debug" -o "log_stderr=true"`. Please
-# note that command-line arguments take precedence over the options specified in
-# this config file.
+# three config options (`json_output`, `log_level`, and
+# `modern_bpf.cpus_for_each_syscall_buffer`) are passed as command-line
+# arguments with their corresponding values: falco -o "json_output=true"
+# -o "log_level=debug" -o "modern_bpf.cpus_for_each_syscall_buffer=4"
+# Please note that command-line arguments take precedence over the options
+# specified in this config file.
###############################
@@ -596,7 +597,8 @@ syscall_event_drops:
# [Experimental] `metrics`
#
-# Generates "Falco internal: metrics snapshot" rule output when `priority=info` at minimum
+# Generates "Falco internal: metrics snapshot" rule output when `priority=info`
+# at minimum
#
# periodic metric snapshots (including stats and resource utilization) captured
# at regular intervals
@@ -642,15 +644,25 @@ syscall_event_drops:
# https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations
#
# Time durations are specified as a number, followed immediately by one of the
-# following units: ms - milliseconds s - seconds m - minutes h - hours d - days
-# - assuming a day has always 24h w - weeks - assuming a week has always 7d y -
-# years - assuming a year has always 365d
+# following units:
+# ms - millisecond
+# s - second
+# m - minute
+# h - hour
+# d - day - assuming a day has always 24h
+# w - week - assuming a week has always 7d
+# y - year - assuming a year has always 365d
#
# Example of a valid time duration: 1h30m20s10ms
#
# A minimum interval of 100ms is enforced for metric collection. However, for
# production environments, we recommend selecting one of the following intervals
-# for optimal monitoring: 15m 30m 1h 4h 6h
+# for optimal monitoring:
+# 15m
+# 30m
+# 1h
+# 4h
+# 6h
#
# `output_rule`: To enable seamless metrics and performance monitoring, we
# recommend emitting metrics as the rule "Falco internal: metrics snapshot".
@@ -688,14 +700,14 @@ syscall_event_drops:
# Additionally, please be aware that the current implementation of `libbpf` does
# not support granularity of statistics at the bpf tail call level.
#
-# `send_numeric_zero_values`: When the option is set to true, fields with a numeric
-# value of zero will be included in the output. However, this rule does not apply to
-# high-level fields such as `n_evts` or `n_drops`; they will always be included in the
-# output even if their value is zero. This option can be beneficial for exploring
-# the data schema and ensuring that fields with zero values are included in the output.
+# `include_empty_values`: When the option is set to true, fields with an empty
+# numeric value will be included in the output. However, this rule does not
+# apply to high-level fields such as `n_evts` or `n_drops`; they will always be
+# included in the output even if their value is empty. This option can be
+# beneficial for exploring the data schema and ensuring that fields with empty
+# values are included in the output.
#
-# todo: prometheus export option
-# todo: syscall_counters_enabled option
+# todo: prometheus export option todo: syscall_counters_enabled option
metrics:
enabled: false
interval: 1h
@@ -705,7 +717,7 @@ metrics:
kernel_event_counters_enabled: true
libbpf_stats_enabled: true
convert_memory_to_mb: true
- send_numeric_zero_values: false
+ include_empty_values: false
#######################################
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 58bcc91f..34157cc1 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -69,7 +69,7 @@ falco_configuration::falco_configuration():
m_metrics_kernel_event_counters_enabled(true),
m_metrics_libbpf_stats_enabled(true),
m_metrics_convert_memory_to_mb(true),
- m_metrics_send_numeric_zero_values(false)
+ m_metrics_include_empty_values(false)
{
init({});
}
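Review bot: In the falco.yaml hunk at `@@ -688`, the new description of `include_empty_values` speaks of an "empty numeric value" without defining it, while the guards changed in stats_writer.cpp still compare the value with 0. Saying so once, for example `fields with an empty (zero) numeric value`, keeps the option unambiguous for operators who alert on whether a metrics field is present. The reflow in the same hunk also joined the two todo items into one line; they read better as `# todo: prometheus export option` and `# todo: syscall_counters_enabled option` on separate lines.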
@@ -357,7 +357,7 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
m_metrics_kernel_event_counters_enabled = config.get_scalar("metrics.kernel_event_counters_enabled", true);
m_metrics_libbpf_stats_enabled = config.get_scalar("metrics.libbpf_stats_enabled", true);
m_metrics_convert_memory_to_mb = config.get_scalar("metrics.convert_memory_to_mb", true);
- m_metrics_send_numeric_zero_values = config.get_scalar("metrics.send_numeric_zero_values", false);
+ m_metrics_include_empty_values = config.get_scalar("metrics.include_empty_values", false);
std::vector load_plugins;
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index a719940c..2b85ac34 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -122,7 +122,7 @@ public:
bool m_metrics_kernel_event_counters_enabled;
bool m_metrics_libbpf_stats_enabled;
bool m_metrics_convert_memory_to_mb;
- bool m_metrics_send_numeric_zero_values;
+ bool m_metrics_include_empty_values;
std::vector m_plugins;
diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp
index 7dc7fd0e..d348580a 100644
--- a/userspace/falco/stats_writer.cpp
+++ b/userspace/falco/stats_writer.cpp
@@ -254,7 +254,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
switch(utilization[stat].type)
{
case STATS_VALUE_TYPE_U64:
- if (utilization[stat].value.u64 == 0 && !m_writer->m_config->m_metrics_send_numeric_zero_values)
+ if (utilization[stat].value.u64 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
{
break;
}
@@ -268,7 +268,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
}
break;
case STATS_VALUE_TYPE_U32:
- if (utilization[stat].value.u32 == 0 && !m_writer->m_config->m_metrics_send_numeric_zero_values)
+ if (utilization[stat].value.u32 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
{
break;
}
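Review bot: In `load_yaml` (configuration.cpp, `@@ -357`), only the new key `metrics.include_empty_values` is read, so a deployed falco.yaml that still sets `metrics.send_numeric_zero_values: true` ends up with the default `false` and, as far as this hunk shows, without any log message. Zero-valued fields would then drop out of the metrics output after an upgrade, and pipelines that expect those fields would lose them silently. Consider keeping the old key as the fallback default for a release, `config.get_scalar("metrics.include_empty_values", config.get_scalar("metrics.send_numeric_zero_values", false))` (with whatever template argument the file uses; the page appears to have stripped angle brackets), and logging a deprecation warning when the old key is set. The body of `load_yaml` starts and ends outside the hunk.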
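Review bot: The guard `... == 0 && !m_writer->m_config->m_metrics_include_empty_values` is written out separately in each case of the switch in `get_metrics_output_fields_additional` (stats_writer.cpp, `@@ -254`, `@@ -268`, `@@ -282`) and once more in the stats_v2 loop (`@@ -370`), which is why this rename had to touch four lines. Reading the flag once near the top of the function, `const bool include_empty = m_writer->m_config->m_metrics_include_empty_values;`, and testing `!include_empty` in each case would shorten the conditions. A comment next to it, `// "empty" here means a numeric value equal to zero`, would tie the new name to what the code actually tests. The function starts and ends outside these hunks.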
@@ -282,7 +282,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
}
break;
case STATS_VALUE_TYPE_D:
- if (utilization[stat].value.d == 0 && !m_writer->m_config->m_metrics_send_numeric_zero_values)
+ if (utilization[stat].value.d == 0 && !m_writer->m_config->m_metrics_include_empty_values)
{
break;
}
@@ -316,7 +316,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
const scap_stats_v2* stats_v2 = inspector->get_capture_stats_v2(flags, &nstats, &rc);
if (stats_v2 && nstats > 0 && rc == 0)
{
- /* Cache n_evts and n_drops to derice n_drops_perc. */
+ /* Cache n_evts and n_drops to derive n_drops_perc. */
uint64_t n_evts = 0;
uint64_t n_drops = 0;
for(uint32_t stat = 0; stat < nstats; stat++)
@@ -370,7 +370,7 @@ void stats_writer::collector::get_metrics_output_fields_additional(
}
m_last_n_drops = n_drops;
}
- if (stats_v2[stat].value.u64 == 0 && !m_writer->m_config->m_metrics_send_numeric_zero_values)
+ if (stats_v2[stat].value.u64 == 0 && !m_writer->m_config->m_metrics_include_empty_values)
{
break;
}