Instead of running bash as the sysdig container does, run falco. This makes sense as falco doesn't have a general purpose use like sysdig does. To make it easier to run both in docker and as a daemon using the default command line, enable both syslog and stdout/stderr output by default. Now that falco dups stdout/stderr to /dev/null when daemonizing, the stdout/stderr is just thrown away. And when running in docker, the syslog output will just be discarded unless someone plumbs the container's syslog output. Update README.md to reflect that specifying the falco command is not necessary.
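# Falco configuration.
# Layout restored from the rendered listing: the *_output sections are
# mappings, each with its own nested `enabled` key (plus `filename` for
# file_output). Values are unchanged.

# File containing Falco rules, loaded at startup.
# These rules decide what Falco reports, so keep the file writable only by
# the account that administers Falco.
rules_file: /etc/falco_rules.yaml

# Whether to output events in json or text
json_output: false

# Send information logs to stderr and/or syslog. Note these are *not* security
# notification logs! These are just Falco lifecycle (and possibly error) logs.
log_stderr: true
log_syslog: true


# Where security notifications should go.
# Multiple outputs can be enabled.
#
# Both syslog and stdout are enabled by default so the same command line works
# as a daemon and in docker. Each mode effectively has one working channel:
# a daemonized Falco sends stdout/stderr to /dev/null, and syslog written
# inside a container is discarded unless the container's syslog is forwarded.
# Confirm that at least one enabled output reaches your log collection.

syslog_output:
  enabled: true

file_output:
  enabled: false
  # A relative path depends on the working directory of the Falco process.
  # NOTE(review): set an absolute path before enabling this output, so the
  # location of the events file does not depend on how Falco was started.
  filename: ./events.txt

stdout_output:
  enabled: true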