From 20f0d23eb9d30a3bd1e452e20453604754d36816 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Wed, 4 Apr 2018 21:58:25 -0700 Subject: [PATCH] Updated Falco Alerts (markdown) --- Falco-Alerts.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Falco-Alerts.md b/Falco-Alerts.md index 0eeea93..38a95ea 100644 --- a/Falco-Alerts.md +++ b/Falco-Alerts.md @@ -36,6 +36,10 @@ file_output: When `keep_alive` is false (the default), for each alert the file is opened for appending, the single alert is written, and the file is closed. The file is not rotated or truncated. If `keep_alive` is set to true, the file is opened before the first alert and kept open for all subsequent alerts. Output is buffered and will be flushed only on close. (This can be changed with `--unbuffered`). +If you'd like to use a program like [logrotate](https://github.com/logrotate/logrotate) to rotate the output file, an example logrotate config is available [here](https://github.com/draios/falco/blob/dev/examples/logrotate/falco). + +As of Falco 0.10.0, falco will close and reopen its file output when signaled with `SIGUSR1`. The logrotate example above depends on it. + ## Syslog Output When configured to send alerts to syslog, a syslog message is sent for each alert. The actual format depends on your syslog daemon, but here's an example: 
@@ -68,6 +72,8 @@ If `keep_alive` is set to true, before the first alert falco will spawn the prog *Note*: the program spawned by falco is in the same process group as falco and will receive all signals that falco receives. If you want to, say, ignore SIGTERM to allow for a clean shutdown in the face of buffered outputs, you must override the signal handler yourself. +As of Falco 0.10.0, falco will close and reopen its file output when signaled with `SIGUSR1`. + ### Program Output Example: Posting to a Slack Incoming Webhook If you'd like to send falco notifications to a slack channel, here's the required configuration to massage the JSON output to a form required for the slack webhook endpoint:
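Review bot: In the first hunk (file_output), the new "As of Falco 0.10.0 ... `SIGUSR1`" paragraph should say when the reopen actually matters: the surrounding text states that with `keep_alive` false the file is opened and closed for every alert, so rotation by rename already works without a signal, and the `SIGUSR1` reopen is only needed when `keep_alive` is true (where the descriptor would otherwise keep pointing at the renamed file and buffered output would land there). Suggest "If `keep_alive` is true, as of Falco 0.10.0 falco will close and reopen its file output when signaled with `SIGUSR1`; the logrotate example above relies on this." Also, the example config link points at `blob/dev/examples/logrotate/falco`, so it will drift as the dev branch changes; linking a tagged release (0.10.0, which the text itself names) would keep the documentation in step with the behaviour it describes.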
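Review bot: In the second hunk (program_output), the added sentence "falco will close and reopen its file output when signaled with `SIGUSR1`" reads as copied from the file_output section: under program output there is no file to reopen, so either state what `SIGUSR1` does for the spawned program in this mode or drop the line. Whichever it is, the note directly above it says the spawned program is in falco's process group and receives every signal falco receives, so a `SIGUSR1` delivered to the group (for example from a logrotate postrotate script) also reaches that program, whose default disposition for `SIGUSR1` is to terminate; the paragraph should tell users to handle or ignore `SIGUSR1` in the spawned program, in the same way the existing note already advises for `SIGTERM`.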