update(CHANGELOG.md): release 0.41.2

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>

CHANGELOG.md

@@ -1,5 +1,131 @@
 # Change Log
 
+## v0.41.2
+
+Released on 2025-06-17
+
+
+
+### Minor Changes
+
+* update(build): update container plugin to 0.3.0 [[#3619](https://github.com/falcosecurity/falco/pull/3619)] - [@ekoops](https://github.com/ekoops)
+
+
+
+### Non user-facing changes
+
+* update(build): update container plugin to 0.2.6 [[#3611](https://github.com/falcosecurity/falco/pull/3611)] - [@leogr](https://github.com/leogr)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      1 |
+| Release note    |      1 |
+| Total           |      2 |
+
+## v0.41.1
+
+Released on 2025-06-05
+
+### Bug Fixes
+
+* fix(userspace/falco): when collecting metrics for stats_writer, create a `libs_metrics_collector` for each source [[#3585](https://github.com/falcosecurity/falco/pull/3585)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): only enable prometheus metrics once all inspectors have been opened [[#3588](https://github.com/falcosecurity/falco/pull/3588)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      2 |
+| Total           |      2 |
+
+## v0.41.0
+
+Released on 2025-05-29
+
+### Breaking Changes :warning:
+
+* cleanup(engine)!: only consider .yaml/.yml rule files [[#3551](https://github.com/falcosecurity/falco/pull/3551)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* cleanup(userspace)!: deprecate print of `container.info` [[#3543](https://github.com/falcosecurity/falco/pull/3543)] - [@FedeDP](https://github.com/FedeDP)
+* cleanup(userspace/falco)!: drop deprecated in 0.40.0 CLI flags. [[#3496](https://github.com/falcosecurity/falco/pull/3496)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Major Changes
+
+* new(falco): add json_include_output_fields option [[#3527](https://github.com/falcosecurity/falco/pull/3527)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(build,userspace): switch to use container plugin [[#3482](https://github.com/falcosecurity/falco/pull/3482)] - [@FedeDP](https://github.com/FedeDP)
+* new(docker,scripts,ci): use an override config file to enable ISO 8601 output timeformat on docker images [[#3488](https://github.com/falcosecurity/falco/pull/3488)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Minor Changes
+
+* chore(build): update falcoctl to v0.11.2, rules for artifact follow to v4 [[#3580](https://github.com/falcosecurity/falco/pull/3580)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bumped falcoctl to 0.11.1 and rules to 4.0.0. [[#3577](https://github.com/falcosecurity/falco/pull/3577)] - [@FedeDP](https://github.com/FedeDP)
+* update(containers): update opencontainers labels [[#3575](https://github.com/falcosecurity/falco/pull/3575)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(metrics): improve restart/hot_reload conditions inspection [[#3562](https://github.com/falcosecurity/falco/pull/3562)] - [@incertum](https://github.com/incertum)
+* update: empty `values` in `exceptions` won't emit a warning anymore [[#3529](https://github.com/falcosecurity/falco/pull/3529)] - [@leogr](https://github.com/leogr)
+* chore(falco.yaml): enable libs_logger by default with info level [[#3507](https://github.com/falcosecurity/falco/pull/3507)] - [@FedeDP](https://github.com/FedeDP)
+
+
+### Bug Fixes
+
+* fix(metrics/prometheus): gracefully handle multiple event sources, avoid erroneous duplicate metrics [[#3563](https://github.com/falcosecurity/falco/pull/3563)] - [@incertum](https://github.com/incertum)
+* fix(ci): properly install rpm systemd-rpm-macro package on building packages pipeline [[#3521](https://github.com/falcosecurity/falco/pull/3521)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): init cmdline options after loading all config files [[#3493](https://github.com/falcosecurity/falco/pull/3493)] - [@FedeDP](https://github.com/FedeDP)
+* fix(cmake): add support for 16K kernel page to jemalloc [[#3490](https://github.com/falcosecurity/falco/pull/3490)] - [@Darkness4](https://github.com/Darkness4)
+* fix(userspace/falco): fix jemalloc enabled in minimal build. [[#3478](https://github.com/falcosecurity/falco/pull/3478)] - [@FedeDP](https://github.com/FedeDP)
+
+
+
+### Non user-facing changes
+
+* chore(deps): Bump submodules/falcosecurity-rules from `4ccf111` to `cb17833` [[#3572](https://github.com/falcosecurity/falco/pull/3572)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake/rules): bump to falco-rules-4.0.0-rc1 [[#3567](https://github.com/falcosecurity/falco/pull/3567)] - [@leogr](https://github.com/leogr)
+* cleanup(userspace/falco): drop unused `libs_metrics_collector` variable. [[#3566](https://github.com/falcosecurity/falco/pull/3566)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3564](https://github.com/falcosecurity/falco/pull/3564)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(build): fixed container custom_target `sed` command. [[#3556](https://github.com/falcosecurity/falco/pull/3556)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `ae6ed41` to `4ccf111` [[#3555](https://github.com/falcosecurity/falco/pull/3555)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(cmake): fix bundled c-ares cmake issue with e.g. SLES [[#3559](https://github.com/falcosecurity/falco/pull/3559)] - [@terror96](https://github.com/terror96)
+* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `ae6ed41` [[#3553](https://github.com/falcosecurity/falco/pull/3553)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: revert "chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431`" [[#3552](https://github.com/falcosecurity/falco/pull/3552)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3550](https://github.com/falcosecurity/falco/pull/3550)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3549](https://github.com/falcosecurity/falco/pull/3549)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(adopters): added SafeDep as adopter [[#3548](https://github.com/falcosecurity/falco/pull/3548)] - [@KunalSin9h](https://github.com/KunalSin9h)
+* update(cmake): update libs and driver to latest master [[#3547](https://github.com/falcosecurity/falco/pull/3547)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3541](https://github.com/falcosecurity/falco/pull/3541)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(userspace): fixed engine `openssl` dep. [[#3535](https://github.com/falcosecurity/falco/pull/3535)] - [@FedeDP](https://github.com/FedeDP)
+* fix(userspace/falco): fix outputs_http timeout [[#3523](https://github.com/falcosecurity/falco/pull/3523)] - [@benierc](https://github.com/benierc)
+* fix(ci): use clang-19 to build modern_ebpf skeleton. [[#3537](https://github.com/falcosecurity/falco/pull/3537)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): update libs and driver to latest master [[#3531](https://github.com/falcosecurity/falco/pull/3531)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3530](https://github.com/falcosecurity/falco/pull/3530)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3525](https://github.com/falcosecurity/falco/pull/3525)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3520](https://github.com/falcosecurity/falco/pull/3520)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3516](https://github.com/falcosecurity/falco/pull/3516)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* docs(README.md): cleanups and enhancements [[#3514](https://github.com/falcosecurity/falco/pull/3514)] - [@leogr](https://github.com/leogr)
+* update(cmake): update libs and driver to latest master [[#3511](https://github.com/falcosecurity/falco/pull/3511)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* chore(deps): Bump submodules/falcosecurity-rules from `1d2c6b1` to `371e431` [[#3510](https://github.com/falcosecurity/falco/pull/3510)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): update libs and driver to latest master [[#3508](https://github.com/falcosecurity/falco/pull/3508)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* update(cmake): update libs and driver to latest master [[#3506](https://github.com/falcosecurity/falco/pull/3506)] - [@github-actions[bot]](https://github.com/apps/github-actions)
+* fix(userspace/falco): when counting `-M` timeout, do not account for async events [[#3505](https://github.com/falcosecurity/falco/pull/3505)] - [@FedeDP](https://github.com/FedeDP)
+* chore(deps): Bump submodules/falcosecurity-rules from `d8415c1` to `1d2c6b1` [[#3504](https://github.com/falcosecurity/falco/pull/3504)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(proposals): correct typo in example [[#3499](https://github.com/falcosecurity/falco/pull/3499)] - [@leogr](https://github.com/leogr)
+* fix(docker): fixed entrypoints paths with new docker context. [[#3492](https://github.com/falcosecurity/falco/pull/3492)] - [@FedeDP](https://github.com/FedeDP)
+* feat(falco/app): move actions not using config before `load_config` [[#3483](https://github.com/falcosecurity/falco/pull/3483)] - [@ekoops](https://github.com/ekoops)
+* refactor(falco/app): apply early return pattern in actions code [[#3484](https://github.com/falcosecurity/falco/pull/3484)] - [@ekoops](https://github.com/ekoops)
+* chore(deps): Bump submodules/falcosecurity-rules from `abf6637` to `d8415c1` [[#3489](https://github.com/falcosecurity/falco/pull/3489)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Add NETWAYS Web Services to ADOPTERS.md [[#3487](https://github.com/falcosecurity/falco/pull/3487)] - [@mocdaniel](https://github.com/mocdaniel)
+* chore: add back Falco static package to the release template. [[#3472](https://github.com/falcosecurity/falco/pull/3472)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |     36 |
+| Release note    |     17 |
+| Total           |     53 |
+
 ## v0.40.0
 
 Released on 2025-01-28

CMakeLists.txt

@@ -267,6 +267,12 @@ if(NOT WIN32
    AND NOT MUSL_OPTIMIZED_BUILD
 )
 	include(falcoctl)
+	set(CONTAINER_VERSION "0.3.0")
+	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+		set(CONTAINER_HASH "69816e9c2c72f896a1645d6fe0a2983ba351972c41b28c52f73684e998136746")
+	else() # arm64
+		set(CONTAINER_HASH "8daa93402e11622237c6cf2e4e27fea570d5a4023aba10c1339d991b3232a4a2")
+	endif()
 	include(container_plugin)
 
 	# Generate a binary_dir/falco.yaml that automatically enables the plugin to be used for local

cmake/modules/driver.cmake

@@ -35,9 +35,9 @@ else()
 	# FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 	# branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 	if(NOT DRIVER_VERSION)
-		set(DRIVER_VERSION "9c2734a64338abff04c4a8274d3770e40c964e21")
+		set(DRIVER_VERSION "8.1.0+driver")
 		set(DRIVER_CHECKSUM
-			"SHA256=8094cfb04c77b317a4e5a69cf8556dccb54067d1decf9ec920c7cc3fa1ea831a"
+			"SHA256=182e6787bf86249a846a3baeb4dcd31578b76d4a13efa16ce3f44d66b18a77a6"
 		)
 	endif()
 

cmake/modules/falcoctl.cmake

@@ -20,16 +20,16 @@ option(ADD_FALCOCTL_DEPENDENCY "Add falcoctl dependency while building falco" ON
 if(ADD_FALCOCTL_DEPENDENCY)
 	string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-	set(FALCOCTL_VERSION "0.11.0")
+	set(FALCOCTL_VERSION "0.11.2")
 
 	message(STATUS "Building with falcoctl: ${FALCOCTL_VERSION}")
 
 	if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
 		set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-		set(FALCOCTL_HASH "b9d0e0f50813e7172a945f36f70c5c3c16a677ab4c85b35b6f7a155bc92768fc")
+		set(FALCOCTL_HASH "8d55818987c90e54f7406e1c1441a18df1f485db858bb0b3efda5db217be3b48")
 	else() # aarch64
 		set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-		set(FALCOCTL_HASH "689c625d1d414cbf53d39ef94083a53dda3ea4ac4908799fb85f4519e21442e0")
+		set(FALCOCTL_HASH "7c36404b5b7a515df25e7dc6d827a74ebc8526b1b49850954bbdd40860961bc2")
 	endif()
 
 	ExternalProject_Add(

cmake/modules/falcosecurity-libs.cmake

@@ -42,9 +42,9 @@ else()
 	# version (or branch, or commit) just pass the variable - ie., `cmake
 	# -DFALCOSECURITY_LIBS_VERSION=dev ..`
 	if(NOT FALCOSECURITY_LIBS_VERSION)
-		set(FALCOSECURITY_LIBS_VERSION "9c2734a64338abff04c4a8274d3770e40c964e21")
+		set(FALCOSECURITY_LIBS_VERSION "0.21.0")
 		set(FALCOSECURITY_LIBS_CHECKSUM
-			"SHA256=8094cfb04c77b317a4e5a69cf8556dccb54067d1decf9ec920c7cc3fa1ea831a"
+			"SHA256=9e977001dd42586df42a5dc7e7a948c297124865a233402e44bdec68839d322a"
 		)
 	endif()
 

cmake/modules/rules.cmake

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2024 The Falco Authors.
+# Copyright (C) 2025 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
@@ -18,9 +18,9 @@ include(ExternalProject)
 
 if(NOT DEFINED FALCOSECURITY_RULES_FALCO_PATH)
 	# falco_rules.yaml
-	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-3.2.0")
+	set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-4.0.0")
 	set(FALCOSECURITY_RULES_FALCO_CHECKSUM
-		"SHA256=b3990bf0209cfbf6a903b361e458a1f5851a9a5aeee808ad26a5ddbe1377157d"
+		"SHA256=132320ddbfa1e2580981ed1bdd3ee3d0128a1e2306b2bee8978d1f0a930d6127"
 	)
 	set(FALCOSECURITY_RULES_FALCO_PATH
 		"${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml"

docker/driver-loader-buster/Dockerfile

@@ -1,7 +1,11 @@
 FROM debian:buster
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest-buster [driver] [options]"
 

docker/driver-loader/Dockerfile

@@ -1,8 +1,12 @@
 ARG FALCO_IMAGE_TAG=latest
 FROM docker.io/falcosecurity/falco:${FALCO_IMAGE_TAG}-debian
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /root/.falco:/root/.falco -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader:latest [driver] [options]"
 

docker/falco-debian/Dockerfile

@@ -1,7 +1,11 @@
 FROM debian:12-slim
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco/docker/falco-debian"
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco:latest-debian"
 

docker/falco/Dockerfile

@@ -1,7 +1,11 @@
 FROM cgr.dev/chainguard/wolfi-base
 
-LABEL maintainer="cncf-falco-dev@lists.cncf.io"
+LABEL org.opencontainers.image.authors='The Falco Authors https://falco.org' \
-LABEL org.opencontainers.image.source="https://github.com/falcosecurity/falco"
+      org.opencontainers.image.url='https://falco.org' \
+      org.opencontainers.image.source='https://github.com/falcosecurity/falco' \
+      org.opencontainers.image.vendor='Falco Organization' \
+      org.opencontainers.image.licenses='Apache-2.0' \
+      maintainer="cncf-falco-dev@lists.cncf.io"
 
 LABEL usage="docker run -i -t --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /proc:/host/proc:ro  -v /etc:/host/etc:ro falcosecurity/falco:latest"
 # NOTE: for the "least privileged" use case, please refer to the official documentation

scripts/falcoctl/falcoctl.yaml.in

@@ -10,7 +10,7 @@ artifact:
     every: 6h0m0s
     falcoVersions: http://localhost:8765/versions
     refs:
-    - falco-rules:3
+    - falco-rules:4
 indexes:
 - name: falcosecurity
   url: https://falcosecurity.github.io/falcoctl/index.yaml

userspace/falco/app/actions/load_config.cpp

@@ -66,6 +66,10 @@ falco::app::run_result falco::app::actions::load_config(const falco::app::state&
 		}
 	}
 
+	s.config->m_falco_reload_ts = (int64_t)std::chrono::duration_cast<std::chrono::nanoseconds>(
+	                                      std::chrono::system_clock::now().time_since_epoch())
+	                                      .count();
+
 	s.config->m_buffered_outputs = !s.options.unbuffered_outputs;
 
 	return apply_deprecated_options(s);

userspace/falco/app/actions/process_events.cpp

@@ -485,6 +485,10 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 				}
 
 				if(s.enabled_sources.size() == 1) {
+					if(s.on_inspectors_opened != nullptr) {
+						s.on_inspectors_opened();
+					}
+
 					// optimization: with only one source we don't spawn additional threads
 					process_inspector_events(s,
 					                         src_info->inspector,
@@ -514,6 +518,9 @@ falco::app::run_result falco::app::actions::process_events(falco::app::state& s)
 				break;
 			}
 		}
+		if(s.enabled_sources.size() > 1 && s.on_inspectors_opened != nullptr) {
+			s.on_inspectors_opened();
+		}
 
 		// wait for event processing to terminate for all sources
 		// if a thread terminates with an error, we trigger the app termination

userspace/falco/app/actions/start_webserver.cpp

@@ -44,6 +44,7 @@ falco::app::run_result falco::app::actions::start_webserver(falco::app::state& s
 	                          std::to_string(webserver_config.m_listen_port) + ssl_option + "\n");
 
 	state.webserver.start(state, webserver_config);
+	state.on_inspectors_opened = [&state]() { state.webserver.enable_prometheus_metrics(state); };
 #endif
 	return run_result::ok();
 }

userspace/falco/app/state.h

@@ -116,6 +116,9 @@ struct state {
 
 	falco_webserver webserver;
 #endif
+	// Set by start_webserver to start prometheus metrics
+	// once all inspectors are opened.
+	std::function<void()> on_inspectors_opened = nullptr;
 
 	inline bool is_capture_mode() const { return config->m_engine_mode == engine_kind_t::REPLAY; }
 

userspace/falco/configuration.h

@@ -214,7 +214,15 @@ public:
 	gvisor_config m_gvisor = {};
 
 	yaml_helper m_config;
+
+	//
+	// Runtime-Generated values (not user-configurable)
+	//
+
+	// JSON schema generated from a hardcoded string
 	nlohmann::json m_config_schema;
+	// Timestamp of most recent configuration reload
+	int64_t m_falco_reload_ts{0};
 
 private:
 	void merge_config_files(const std::string& config_name, config_loaded_res& res);

userspace/falco/falco_metrics.cpp

@@ -31,8 +31,36 @@ namespace fs = std::filesystem;
 
 /*!
     \class falco_metrics
-    \brief This class is used to convert the metrics provided by the application
+    \brief Converts metrics provided by the application and Falco libraries into a formatted string
-    and falco libs into a string to be return by the metrics endpoint.
+           for the metrics endpoint.
+
+    ## Metrics Overview
+    This section explains why looping over inspectors is necessary.
+    Falco utilizes multiple inspectors when loading plugins with an event source.
+    Most metrics should only be retrieved once, ideally by the syscalls inspector if applicable.
+    To maximize metrics retrieval and prevent duplicate data, the syscalls inspector is always
+    positioned at index 0 in the loop when it exists.
+
+    Wrapper fields: See https://falco.org/docs/concepts/metrics/
+    - `engine_name` and `event_source` are pushed for each inspector.
+    - All other wrapper fields are agnostic and should be retrieved once.
+
+    ## Metrics Collection Behavior
+    - `rules_counters_enabled` -> Agnostic; resides in falco; retrieved from the state, not an
+      inspector; only performed once.
+    - `resource_utilization_enabled` -> Agnostic; resides in libs; inspector is irrelevant;
+      only performed once.
+    - `state_counters_enabled` -> Semi-agnostic; resides in libs; must be retrieved by the syscalls
+      inspector if applicable.
+    - `kernel_event_counters_enabled` -> Resides in libs; must be retrieved by the syscalls
+   inspector; not available for other inspectors.
+    - `kernel_event_counters_per_cpu_enabled` -> Resides in libs; must be retrieved by the syscalls
+      inspector; not available for other inspectors.
+    - `libbpf_stats_enabled` -> Resides in libs; must be retrieved by the syscalls inspector;
+      not available for other inspectors.
+    - `plugins_metrics_enabled` -> Must be retrieved for each inspector.
+    - `jemalloc_stats_enabled` -> Agnostic; resides in falco; inspector is irrelevant;
+      only performed once.
 */
 
 /*!
@@ -42,78 +70,32 @@ namespace fs = std::filesystem;
 
     https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format
 */
-const std::string falco_metrics::content_type = "text/plain; version=0.0.4";
+const std::string falco_metrics::content_type_prometheus = "text/plain; version=0.0.4";
 
-/*!
+std::string falco_metrics::falco_to_text_prometheus(
-    \brief this method takes an application \c state and returns a textual representation of
+        const falco::app::state& state,
-    its configured metrics.
+        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
-
+        std::vector<metrics_v2>& additional_wrapper_metrics) {
-    The current implementation returns a Prometheus exposition formatted string.
-*/
-std::string falco_metrics::to_text(const falco::app::state& state) {
-	static const char* all_driver_engines[] = {BPF_ENGINE,
-	                                           KMOD_ENGINE,
-	                                           MODERN_BPF_ENGINE,
-	                                           SOURCE_PLUGIN_ENGINE,
-	                                           NODRIVER_ENGINE,
-	                                           GVISOR_ENGINE};
-
-	std::vector<std::shared_ptr<sinsp>> inspectors;
-	std::vector<libs::metrics::libs_metrics_collector> metrics_collectors;
-
-	for(const auto& source : state.enabled_sources) {
-		auto source_info = state.source_infos.at(source);
-		auto source_inspector = source_info->inspector;
-		inspectors.emplace_back(source_inspector);
-		metrics_collectors.emplace_back(
-		        libs::metrics::libs_metrics_collector(source_inspector.get(),
-		                                              state.config->m_metrics_flags));
-	}
-	libs::metrics::prometheus_metrics_converter prometheus_metrics_converter;
 	std::string prometheus_text;
 
-	for(auto inspector : inspectors) {
+	// # HELP falcosecurity_falco_version_info https://falco.org/docs/metrics/
-		// Falco wrapper metrics
+	// # TYPE falcosecurity_falco_version_info gauge
-		//
+	// falcosecurity_falco_version_info{version="0.41.0-100+334ca42"} 1
-		for(size_t i = 0; i < sizeof(all_driver_engines) / sizeof(const char*); i++) {
-			if(inspector->check_current_engine(all_driver_engines[i])) {
-				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-				        "engine_name",
-				        "falcosecurity",
-				        "scap",
-				        {{"engine_name", all_driver_engines[i]}});
-				break;
-			}
-		}
-
-		const scap_agent_info* agent_info = inspector->get_agent_info();
-		const scap_machine_info* machine_info = inspector->get_machine_info();
-		libs::metrics::libs_metrics_collector libs_metrics_collector(inspector.get(), 0);
 	prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
 	        "version",
 	        "falcosecurity",
 	        "falco",
 	        {{"version", FALCO_VERSION}});
 
-		// Not all scap engines report agent and machine infos.
-		if(agent_info) {
-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-			        "kernel_release",
-			        "falcosecurity",
-			        "falco",
-			        {{"kernel_release", agent_info->uname_r}});
-		}
-		if(machine_info) {
-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-			        "hostname",
-			        "falcosecurity",
-			        "evt",
-			        {{"hostname", machine_info->hostname}});
-		}
-
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
+	// Note that the rule counter metrics are retrieved from the state, not from any inspector
 	// Distinguish between config and rules files using labels, following Prometheus best
 	// practices: https://prometheus.io/docs/practices/naming/#labels
+
+	// # HELP falcosecurity_falco_sha256_rules_files_info https://falco.org/docs/metrics/
+	// # TYPE falcosecurity_falco_sha256_rules_files_info gauge
+	// falcosecurity_falco_sha256_rules_files_info{file_name="falco_rules.yaml",sha256="6f0078862a26528cb50a860f9ebebbfbe3162e5009187089c73cb0cdf91d0b06"}
+	// 1
 	for(const auto& item : state.config.get()->m_loaded_rules_filenames_sha256sum) {
 		fs::path fs_path = item.first;
 		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
@@ -123,6 +105,10 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 		        {{"file_name", fs_path.filename()}, {"sha256", item.second}});
 	}
 
+	// # HELP falcosecurity_falco_sha256_config_files_info https://falco.org/docs/metrics/
+	// # TYPE falcosecurity_falco_sha256_config_files_info gauge
+	// falcosecurity_falco_sha256_config_files_info{file_name="falco.yaml",sha256="f97de5fa6f513b5e07cd9f29ee9904ee4267cb120ef6501f8555543d5a98dd1c"}
+	// 1
 	for(const auto& item : state.config.get()->m_loaded_configs_filenames_sha256sum) {
 		fs::path fs_path = item.first;
 		prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
@@ -133,41 +119,9 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 	}
 
 #endif
-
+	// # HELP falcosecurity_falco_outputs_queue_num_drops_total https://falco.org/docs/metrics/
-		for(const std::string& source : inspector->event_sources()) {
+	// # TYPE falcosecurity_falco_outputs_queue_num_drops_total counter
-			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+	// falcosecurity_falco_outputs_queue_num_drops_total 0
-			        "evt_source",
-			        "falcosecurity",
-			        "falco",
-			        {{"evt_source", source}});
-		}
-		std::vector<metrics_v2> additional_wrapper_metrics;
-
-		if(agent_info) {
-			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-			        "start_ts",
-			        METRICS_V2_MISC,
-			        METRIC_VALUE_TYPE_U64,
-			        METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
-			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
-			        agent_info->start_ts_epoch));
-		}
-		if(machine_info) {
-			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-			        "host_boot_ts",
-			        METRICS_V2_MISC,
-			        METRIC_VALUE_TYPE_U64,
-			        METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
-			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
-			        machine_info->boot_ts_epoch));
-			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-			        "host_num_cpus",
-			        METRICS_V2_MISC,
-			        METRIC_VALUE_TYPE_U32,
-			        METRIC_VALUE_UNIT_COUNT,
-			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
-			        machine_info->num_cpus));
-		}
 	additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
 	        "outputs_queue_num_drops",
 	        METRICS_V2_MISC,
@@ -176,63 +130,46 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 	        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
 	        state.outputs->get_outputs_queue_num_drops()));
 
-		if(agent_info) {
+	// # HELP falcosecurity_falco_reload_timestamp_nanoseconds https://falco.org/docs/metrics/
-			auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(
+	// # TYPE falcosecurity_falco_reload_timestamp_nanoseconds gauge
-			                   std::chrono::system_clock::now().time_since_epoch())
+	// falcosecurity_falco_reload_timestamp_nanoseconds 1748338536592811359
-			                   .count();
 	additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
-			        "duration_sec",
+	        "reload_ts",
 	        METRICS_V2_MISC,
-			        METRIC_VALUE_TYPE_U64,
+	        METRIC_VALUE_TYPE_S64,
-			        METRIC_VALUE_UNIT_TIME_S_COUNT,
+	        METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
-			        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+	        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
-			        (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
+	        state.config->m_falco_reload_ts));
-		}
 
-		for(auto metric : additional_wrapper_metrics) {
-			prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
-			prometheus_text +=
-			        prometheus_metrics_converter.convert_metric_to_text_prometheus(metric,
-			                                                                       "falcosecurity",
-			                                                                       "falco");
-		}
-
-		// Falco metrics categories
-		//
-		// rules_counters_enabled
 	if(state.config->m_metrics_flags & METRICS_V2_RULE_COUNTERS) {
+		// rules_counters_enabled
 		const stats_manager& rule_stats_manager = state.engine->get_rule_stats_manager();
 		const indexed_vector<falco_rule>& rules = state.engine->get_rules();
 		const std::vector<std::unique_ptr<std::atomic<uint64_t>>>& rules_by_id =
 		        rule_stats_manager.get_by_rule_id();
-			// Distinguish between rules counters using labels, following Prometheus best practices:
+		// Distinguish between rules counters using labels, following Prometheus best
-			// https://prometheus.io/docs/practices/naming/#labels
+		// practices: https://prometheus.io/docs/practices/naming/#labels
 		for(size_t i = 0; i < rules_by_id.size(); i++) {
 			auto rule = rules.at(i);
 			auto count = rules_by_id[i]->load();
 			if(count > 0) {
-					/* Examples ...
+				// # HELP falcosecurity_falco_rules_matches_total https://falco.org/docs/metrics/
-					    # HELP falcosecurity_falco_rules_matches_total
+				// # TYPE falcosecurity_falco_rules_matches_total counter
-					   https://falco.org/docs/metrics/ # TYPE
+				// falcosecurity_falco_rules_matches_total{priority="4",rule_name="Read sensitive
-					   falcosecurity_falco_rules_matches_total counter
+				// file
-					    falcosecurity_falco_rules_matches_total{priority="4",rule_name="Read
+				// untrusted",source="syscall",tag_T1555="true",tag_container="true",tag_filesystem="true",tag_host="true",tag_maturity_stable="true",tag_mitre_credential_access="true"}
-					   sensitive file
+				// 32 # HELP falcosecurity_falco_rules_matches_total https://falco.org/docs/metrics/
-					   untrusted",source="syscall",tag_T1555="true",tag_container="true",tag_filesystem="true",tag_host="true",tag_maturity_stable="true",tag_mitre_credential_access="true"}
+				// # TYPE falcosecurity_falco_rules_matches_total counter
-					   10 # HELP falcosecurity_falco_rules_matches_total
+				// falcosecurity_falco_rules_matches_total{priority="5",rule_name="Terminal shell in
-					   https://falco.org/docs/metrics/ # TYPE
+				// container",source="syscall",tag_T1059="true",tag_container="true",tag_maturity_stable="true",tag_mitre_execution="true",tag_shell="true"}
-					   falcosecurity_falco_rules_matches_total counter
+				// 1
-					    falcosecurity_falco_rules_matches_total{priority="5",rule_name="Unexpected
-					   UDP
-					   Traffic",source="syscall",tag_TA0011="true",tag_container="true",tag_host="true",tag_maturity_incubating="true",tag_mitre_exfiltration="true",tag_network="true"}
-					   1
-					*/
 				auto metric = libs::metrics::libsinsp_metrics::new_metric(
 				        "rules_matches",
 				        METRICS_V2_RULE_COUNTERS,
 				        METRIC_VALUE_TYPE_U64,
 				        METRIC_VALUE_UNIT_COUNT,
 				        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
-					        rules_by_id[i]->load());
+				        count);
 				prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
 				std::map<std::string, std::string> const_labels = {
 				        {"rule_name", rule->name},
@@ -244,8 +181,7 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 				              [&const_labels](std::string const& tag) {
 					              const_labels.emplace(std::string{"tag_"} + tag, "true");
 				              });
-					prometheus_text +=
+				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
 				        metric,
 				        "falcosecurity",
 				        "falco",
@@ -255,6 +191,7 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 	}
 #ifdef HAS_JEMALLOC
 	if(state.config->m_metrics_flags & METRICS_V2_JEMALLOC_STATS) {
+		// jemalloc_stats_enabled
 		nlohmann::json j;
 		malloc_stats_print(
 		        [](void* to, const char* from) {
@@ -276,8 +213,7 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 				        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
 				        val);
 				prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
-					prometheus_text +=
+				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
-					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
 				        metric,
 				        "falcosecurity",
 				        "falco");
@@ -285,18 +221,86 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 		}
 	}
 #endif
+	return prometheus_text;
 }
 
+std::string falco_metrics::sources_to_text_prometheus(
+        const falco::app::state& state,
+        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
+        std::vector<metrics_v2>& additional_wrapper_metrics) {
+	static const char* all_driver_engines[] = {BPF_ENGINE,
+	                                           KMOD_ENGINE,
+	                                           MODERN_BPF_ENGINE,
+	                                           SOURCE_PLUGIN_ENGINE,
+	                                           NODRIVER_ENGINE,
+	                                           GVISOR_ENGINE};
+	static re2::RE2 drops_buffer_pattern("n_drops_buffer_([^_]+(?:_[^_]+)*)_(enter|exit)$");
+	static re2::RE2 cpu_pattern("(\\d+)");
+
+	std::string prometheus_text;
+	bool agent_info_written = false;
+	bool machine_info_written = false;
+
+	// Then, source-bound metrics
+	for(const auto& source : state.enabled_sources) {
+		auto source_info = state.source_infos.at(source);
+		auto source_inspector = source_info->inspector;
+
+		// First thing: list of enabled engine names
+
+		// Falco wrapper metrics Part A: Repeated for each inspector, accounting for plugins w/
+		// event sources
+
+		/* Examples ...
+		    # HELP falcosecurity_scap_engine_name_info https://falco.org/docs/metrics/
+		    # TYPE falcosecurity_scap_engine_name_info gauge
+		    falcosecurity_scap_engine_name_info{engine_name="source_plugin",evt_source="dummy"} 1
+		    # HELP falcosecurity_scap_engine_name_info https://falco.org/docs/metrics/
+		    # TYPE falcosecurity_scap_engine_name_info gauge
+		    falcosecurity_scap_engine_name_info{engine_name="bpf",evt_source="syscall"} 1
+		*/
+
+		for(size_t j = 0; j < sizeof(all_driver_engines) / sizeof(const char*); j++) {
+			if(source_inspector->check_current_engine(all_driver_engines[j])) {
+				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+				        "engine_name",
+				        "falcosecurity",
+				        "scap",
+				        {{"engine_name", std::string(all_driver_engines[j])},
+				         {"evt_source", source}});
+				break;
+			}
+		}
+
+		// Inspectors' metrics collectors
 		// Libs metrics categories
 		//
 		// resource_utilization_enabled
 		// state_counters_enabled
 		// kernel_event_counters_enabled
+		// kernel_event_counters_per_cpu_enabled
 		// libbpf_stats_enabled
-	for(auto metrics_collector : metrics_collectors) {
+		auto metrics_collector =
+		        libs::metrics::libs_metrics_collector(source_inspector.get(),
+		                                              state.config->m_metrics_flags);
 		metrics_collector.snapshot();
 		auto metrics_snapshot = metrics_collector.get_metrics();
 
+		// Source plugin
+		if(source != falco_common::syscall_source) {
+			// Performed repeatedly for each inspectors' libs metrics collector
+			for(auto& metric : metrics_snapshot) {
+				if(metric.flags & METRICS_V2_PLUGINS) {
+					prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+					prometheus_text +=
+					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
+					                metric,
+					                "falcosecurity",
+					                "plugins");
+				}
+			}
+		} else {
+			// Source syscall
 			for(auto& metric : metrics_snapshot) {
 				prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
 				std::string prometheus_subsystem = "scap";
@@ -314,10 +318,9 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 				   strncmp(metric.name, "n_drops_cpu", 11) == 0)  // prefix match
 				{
 					std::string name_str(metric.name);
-				re2::RE2 pattern("(\\d+)");
 					std::string cpu_number;
-				if(re2::RE2::PartialMatch(name_str, pattern, &cpu_number)) {
+					if(re2::RE2::PartialMatch(name_str, cpu_pattern, &cpu_number)) {
-					re2::RE2::GlobalReplace(&name_str, pattern, "");
+						re2::RE2::GlobalReplace(&name_str, cpu_pattern, "");
 						// possible double __ will be sanitized within libs
 						auto metric_new = libs::metrics::libsinsp_metrics::new_metric(
 						        name_str.c_str(),
@@ -326,13 +329,16 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 						        METRIC_VALUE_UNIT_COUNT,
 						        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
 						        metric.value.u64);
-					const std::map<std::string, std::string>& const_labels = {{"cpu", cpu_number}};
+						const std::map<std::string, std::string>& const_labels = {
+						        {"cpu", cpu_number}};
 						/* Examples ...
-					    # HELP falcosecurity_scap_n_evts_cpu_total https://falco.org/docs/metrics/
+						    # HELP falcosecurity_scap_n_evts_cpu_total
-					    # TYPE falcosecurity_scap_n_evts_cpu_total counter
+						   https://falco.org/docs/metrics/ # TYPE
+						   falcosecurity_scap_n_evts_cpu_total counter
 						    falcosecurity_scap_n_evts_cpu_total{cpu="7"} 237
-					    # HELP falcosecurity_scap_n_drops_cpu_total https://falco.org/docs/metrics/
+						    # HELP falcosecurity_scap_n_drops_cpu_total
-					    # TYPE falcosecurity_scap_n_drops_cpu_total counter
+						   https://falco.org/docs/metrics/ # TYPE
+						   falcosecurity_scap_n_drops_cpu_total counter
 						    falcosecurity_scap_n_drops_cpu_total{cpu="7"} 0
 						*/
 						prometheus_text +=
@@ -343,16 +349,15 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 						                const_labels);
 					}
 				} else if(strcmp(metric.name, "n_drops_buffer_total") == 0) {
-				// Skip the libs aggregate metric since we distinguish between buffer drops using
+					// Skip the libs aggregate metric since we distinguish between buffer drops
-				// labels similar to the rules_matches
+					// using labels similar to the rules_matches
 					continue;
 				} else if(strncmp(metric.name, "n_drops_buffer", 14) == 0)  // prefix match
 				{
-				re2::RE2 pattern("n_drops_buffer_([^_]+(?:_[^_]+)*)_(enter|exit)$");
 					std::string drop;
 					std::string dir;
 					std::string name_str(metric.name);
-				if(re2::RE2::FullMatch(name_str, pattern, &drop, &dir)) {
+					if(re2::RE2::FullMatch(name_str, drops_buffer_pattern, &drop, &dir)) {
 						auto metric_new = libs::metrics::libsinsp_metrics::new_metric(
 						        "n_drops_buffer",
 						        METRICS_V2_KERNEL_COUNTERS,
@@ -380,12 +385,114 @@ std::string falco_metrics::to_text(const falco::app::state& state) {
 						                const_labels);
 					}
 				} else {
-				prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+					prometheus_text +=
+					        prometheus_metrics_converter.convert_metric_to_text_prometheus(
 					                metric,
 					                "falcosecurity",
 					                prometheus_subsystem);
 				}
 			}
 		}
+
+		// Source wrapper metrics Part B: Agnostic, performed only once.
+		if(agent_info_written && machine_info_written) {
+			continue;
+		}
+
+		const scap_agent_info* agent_info = nullptr;
+		if(!agent_info_written) {
+			agent_info = source_inspector->get_agent_info();
+		}
+		const scap_machine_info* machine_info = nullptr;
+		if(!machine_info_written) {
+			machine_info = source_inspector->get_machine_info();
+		}
+
+		// Not all scap engines report agent and machine infos.
+		// However, recent lib refactors enable a linux lite platform, allowing non-syscall
+		// inspectors to retrieve these metrics if the syscall inspector is unavailable.
+		// We only push these info once.
+		if(agent_info) {
+			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+			        "kernel_release",
+			        "falcosecurity",
+			        "falco",
+			        {{"kernel_release", agent_info->uname_r}});
+			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+			        "start_ts",
+			        METRICS_V2_MISC,
+			        METRIC_VALUE_TYPE_U64,
+			        METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
+			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+			        agent_info->start_ts_epoch));
+			auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(
+			                   std::chrono::system_clock::now().time_since_epoch())
+			                   .count();
+			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+			        "duration_sec",
+			        METRICS_V2_MISC,
+			        METRIC_VALUE_TYPE_U64,
+			        METRIC_VALUE_UNIT_TIME_S_COUNT,
+			        METRIC_VALUE_METRIC_TYPE_MONOTONIC,
+			        (uint64_t)((now - agent_info->start_ts_epoch) / ONE_SECOND_IN_NS)));
+			agent_info_written = true;
+		}
+
+		if(machine_info) {
+			prometheus_text += prometheus_metrics_converter.convert_metric_to_text_prometheus(
+			        "hostname",
+			        "falcosecurity",
+			        "evt",
+			        {{"hostname", machine_info->hostname}});
+			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+			        "host_boot_ts",
+			        METRICS_V2_MISC,
+			        METRIC_VALUE_TYPE_U64,
+			        METRIC_VALUE_UNIT_TIME_TIMESTAMP_NS,
+			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+			        machine_info->boot_ts_epoch));
+			additional_wrapper_metrics.emplace_back(libs::metrics::libsinsp_metrics::new_metric(
+			        "host_num_cpus",
+			        METRICS_V2_MISC,
+			        METRIC_VALUE_TYPE_U32,
+			        METRIC_VALUE_UNIT_COUNT,
+			        METRIC_VALUE_METRIC_TYPE_NON_MONOTONIC_CURRENT,
+			        machine_info->num_cpus));
+			machine_info_written = true;
+		}
+	}  // End inspector loop
+
+	return prometheus_text;
+}
+
+/*!
+    \brief this method takes an application \c state and returns a textual representation of
+    its configured metrics.
+
+    The current implementation returns a Prometheus exposition formatted string.
+*/
+std::string falco_metrics::to_text_prometheus(const falco::app::state& state) {
+	libs::metrics::prometheus_metrics_converter prometheus_metrics_converter;
+	std::string prometheus_text;
+
+	std::vector<metrics_v2> additional_wrapper_metrics;
+
+	// Falco global metrics, once
+	prometheus_text += falco_to_text_prometheus(state,
+	                                            prometheus_metrics_converter,
+	                                            additional_wrapper_metrics);
+	// Metrics for each source
+	prometheus_text += sources_to_text_prometheus(state,
+	                                              prometheus_metrics_converter,
+	                                              additional_wrapper_metrics);
+
+	for(auto metric : additional_wrapper_metrics) {
+		prometheus_metrics_converter.convert_metric_to_unit_convention(metric);
+		prometheus_text +=
+		        prometheus_metrics_converter.convert_metric_to_text_prometheus(metric,
+		                                                                       "falcosecurity",
+		                                                                       "falco");
+	}
+
 	return prometheus_text;
 }

userspace/falco/falco_metrics.h

@@ -26,6 +26,16 @@ struct state;
 
 class falco_metrics {
 public:
-	static const std::string content_type;
+	static const std::string content_type_prometheus;
-	static std::string to_text(const falco::app::state& state);
+	static std::string to_text_prometheus(const falco::app::state& state);
+
+private:
+	static std::string falco_to_text_prometheus(
+	        const falco::app::state& state,
+	        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
+	        std::vector<metrics_v2>& additional_wrapper_metrics);
+	static std::string sources_to_text_prometheus(
+	        const falco::app::state& state,
+	        libs::metrics::prometheus_metrics_converter& prometheus_metrics_converter,
+	        std::vector<metrics_v2>& additional_wrapper_metrics);
 };

userspace/falco/stats_writer.cpp

@@ -233,7 +233,6 @@ void stats_writer::worker() noexcept {
 	bool use_file = !m_config->m_metrics_output_file.empty();
 	auto tick = stats_writer::get_ticker();
 	auto last_tick = tick;
-	auto first_tick = tick;
 
 	while(true) {
 // blocks until a message becomes availables
@@ -244,9 +243,8 @@ void stats_writer::worker() noexcept {
 			return;
 		}
 
-		// this helps waiting for the first tick
 		tick = stats_writer::get_ticker();
-		if(first_tick != tick) {
+
 		if(last_tick != tick) {
 			m_total_samples++;
 		}
@@ -275,7 +273,6 @@ void stats_writer::worker() noexcept {
 		}
 	}
 }
-}
 
 stats_writer::collector::collector(const std::shared_ptr<stats_writer>& writer): m_writer(writer) {}
 
@@ -353,6 +350,7 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 	/* Wrapper fields useful for statistical analyses and attributions. Always enabled. */
 	output_fields["evt.time"] =
 	        now; /* Some ETLs may prefer a consistent timestamp within output_fields. */
+	output_fields["falco.reload_ts"] = m_writer->m_config->m_falco_reload_ts;
 	output_fields["falco.version"] = FALCO_VERSION;
 	if(agent_info) {
 		output_fields["falco.start_ts"] = agent_info->start_ts_epoch;
@@ -416,7 +414,8 @@ void stats_writer::collector::get_metrics_output_fields_wrapper(
 
 void stats_writer::collector::get_metrics_output_fields_additional(
         nlohmann::json& output_fields,
-        double stats_snapshot_time_delta_sec) {
+        double stats_snapshot_time_delta_sec,
+        const std::string& src) {
 	// Falco metrics categories
 	//
 	// rules_counters_enabled
@@ -480,7 +479,8 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 #endif
 
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-	if(m_writer->m_libs_metrics_collector && m_writer->m_output_rule_metrics_converter) {
+	if(m_writer->m_libs_metrics_collectors.find(src) != m_writer->m_libs_metrics_collectors.end() &&
+	   m_writer->m_output_rule_metrics_converter) {
 		// Libs metrics categories
 		//
 		// resource_utilization_enabled
@@ -489,8 +489,9 @@ void stats_writer::collector::get_metrics_output_fields_additional(
 		// libbpf_stats_enabled
 
 		// Refresh / New snapshot
-		m_writer->m_libs_metrics_collector->snapshot();
+		auto& libs_metrics_collector = m_writer->m_libs_metrics_collectors[src];
-		auto metrics_snapshot = m_writer->m_libs_metrics_collector->get_metrics();
+		libs_metrics_collector->snapshot();
+		auto metrics_snapshot = libs_metrics_collector->get_metrics();
 		// Cache n_evts and n_drops to derive n_drops_perc.
 		uint64_t n_evts = 0;
 		uint64_t n_drops = 0;
@@ -613,7 +614,8 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
                                       uint64_t num_evts) {
 	if(m_writer->has_output()) {
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-		if(!m_writer->m_libs_metrics_collector) {
+		if(m_writer->m_libs_metrics_collectors.find(src) ==
+		   m_writer->m_libs_metrics_collectors.end()) {
 			uint32_t flags = m_writer->m_config->m_metrics_flags;
 			// Note: ENGINE_FLAG_BPF_STATS_ENABLED check has been moved to libs, that is, when
 			// libbpf stats is not enabled in the kernel settings we won't collect them even if the
@@ -627,7 +629,7 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
 				flags &= ~(METRICS_V2_KERNEL_COUNTERS | METRICS_V2_KERNEL_COUNTERS_PER_CPU |
 				           METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS);
 			}
-			m_writer->m_libs_metrics_collector =
+			m_writer->m_libs_metrics_collectors[src] =
 			        std::make_unique<libs::metrics::libs_metrics_collector>(inspector.get(), flags);
 		}
 
@@ -659,7 +661,8 @@ void stats_writer::collector::collect(const std::shared_ptr<sinsp>& inspector,
 			                                  num_evts,
 			                                  now,
 			                                  stats_snapshot_time_delta_sec);
-			get_metrics_output_fields_additional(output_fields, stats_snapshot_time_delta_sec);
+
+			get_metrics_output_fields_additional(output_fields, stats_snapshot_time_delta_sec, src);
 
 			/* Send message in the queue */
 			stats_writer::msg msg;

userspace/falco/stats_writer.h

@@ -79,10 +79,13 @@ public:
 		   fields.
 		*/
 		void get_metrics_output_fields_additional(nlohmann::json& output_fields,
-		                                          double stats_snapshot_time_delta_sec);
+		                                          double stats_snapshot_time_delta_sec,
+		                                          const std::string& src);
 
 		std::shared_ptr<stats_writer> m_writer;
-		stats_writer::ticker_t m_last_tick = 0;
+		// Init m_last_tick w/ invalid value to enable metrics logging immediately after
+		// startup/reload
+		stats_writer::ticker_t m_last_tick = std::numeric_limits<ticker_t>::max();
 		uint64_t m_last_now = 0;
 		uint64_t m_last_n_evts = 0;
 		uint64_t m_last_n_drops = 0;
@@ -151,7 +154,9 @@ private:
 	tbb::concurrent_bounded_queue<stats_writer::msg> m_queue;
 #endif
 #if defined(__linux__) and !defined(MINIMAL_BUILD) and !defined(__EMSCRIPTEN__)
-	std::unique_ptr<libs::metrics::libs_metrics_collector> m_libs_metrics_collector;
+	// Per source map of libs metrics collectors
+	std::unordered_map<std::string, std::unique_ptr<libs::metrics::libs_metrics_collector>>
+	        m_libs_metrics_collectors;
 	std::unique_ptr<libs::metrics::output_rule_metrics_converter> m_output_rule_metrics_converter;
 #endif
 	std::shared_ptr<falco_outputs> m_outputs;

userspace/falco/webserver.cpp

@@ -58,11 +58,6 @@ void falco_webserver::start(const falco::app::state &state,
 		              res.set_content(versions_json_str, "application/json");
 	              });
 
-	if(state.config->m_metrics_enabled && webserver_config.m_prometheus_metrics_enabled) {
-		m_server->Get("/metrics", [&state](const httplib::Request &, httplib::Response &res) {
-			res.set_content(falco_metrics::to_text(state), falco_metrics::content_type);
-		});
-	}
 	// run server in a separate thread
 	if(!m_server->is_valid()) {
 		m_server = nullptr;
@@ -105,3 +100,13 @@ void falco_webserver::stop() {
 		m_running = false;
 	}
 }
+
+void falco_webserver::enable_prometheus_metrics(const falco::app::state &state) {
+	if(state.config->m_metrics_enabled &&
+	   state.config->m_webserver_config.m_prometheus_metrics_enabled) {
+		m_server->Get("/metrics", [&state](const httplib::Request &, httplib::Response &res) {
+			res.set_content(falco_metrics::to_text_prometheus(state),
+			                falco_metrics::content_type_prometheus);
+		});
+	}
+}

userspace/falco/webserver.h

@@ -40,6 +40,7 @@ public:
 	virtual void start(const falco::app::state& state,
 	                   const falco_configuration::webserver_config& webserver_config);
 	virtual void stop();
+	virtual void enable_prometheus_metrics(const falco::app::state& state);
 
 private:
 	bool m_running = false;