Updated Falco Configuration (markdown)

Falco-Configuration.md

@@ -46,9 +46,26 @@ Minimum log level to include in logs. Note: these levels are separate from the p
 
 Minimum rule priority level to load and run. All rules having a priority more severe than this level will be loaded/run. 
 
+#### `syscall_event_drops`
+
+Controls [Actions For Dropped System Call Events]. An object containing these sub-keys:
+
+* `actions`: A list containing one or more of these sub-keys:
+** `ignore`: do nothing. If an empty list is provided, ignore is assumed.
+** `log`: log a CRITICAL message noting that the buffer was full.
+** `alert`: emit a falco alert noting that the buffer was full.
+** `exit`: exit falco with a non-zero rc.
+* `rate`: The steady-state rate at which actions can be taken. Units of actions/second. Default 0.03333 (one action per 30 seconds).
+* `max_burst`: The maximum number of actions that can be taken before the steady-state rate is applied.
+
+
+#### `buffered_outputs: [true|false]
+
+# Whether or not output to any of the output channels below is buffered. Defaults to false.
+
 #### `outputs`
 
-a list containing these sub-keys:
+An object containing these sub-keys:
 
 * `rate: <notifications/second>`
 * `outputs: max_burst: <number of messages>`
@@ -61,13 +78,13 @@ With these defaults, falco could send up to 1000 notifications after an initial
 
 #### `syslog_output`
 
-a list containing these sub-keys:
+An object containing these sub-keys:
 
 * `enabled: [true|false]`: if true, falco alerts will be sent via syslog
 
 #### `file_output`
 
-a list containing these sub-keys:
+An object containing these sub-keys:
 
 * `enabled: [true|false]`: if true, falco alerts will be sent to the specified file
 * `keep_alive: [true|false]`: If false (default), will reopen file for every alert. If true, will open the file once and keep it open for all alerts. Might be necessary to also specify `--unbuffered` on falco command line.
@@ -76,13 +93,13 @@ a list containing these sub-keys:
 
 #### `stdout_output`
 
-a list containing these sub-keys:
+An object containing these sub-keys:
 
 * `enabled: [true|false]`: if true, falco alerts will be sent to standard output
 
 #### `program_output`
 
-a list containing these sub-keys:
+An object containing these sub-keys:
 
 * `enabled: [true|false]`: if true, falco alerts will be sent to a program
 * `keep_alive: [true|false]`: If false (default), run program for each alert. If true, will spawn program once and keep it open for all alerts. Might be necessary to also specify `--unbuffered` on falco command line.
@@ -90,7 +107,7 @@ a list containing these sub-keys:
 
 #### http_output
 
-a list containing these sub-keys:
+An object containing these sub-keys:
 * `enabled: [true|false]`: if true, falco alerts will be sent to the specified url
 * `url: <url>`: Send alerts to the provided url.
 
@@ -98,7 +115,7 @@ For more details, see [the full documentation on http outputs](https://github.co
 
 #### `webserver`
 
-a list containing these sub-keys:
+An object containing these sub-keys:
 * `enabled: [true|false]`: if true, falco will start an embedded webserver to accept k8s audit events
 * `listen_port`: The port on which to listen for k8s audit events. Default 8765.
 * `k8s_audit_endpoint`: The uri on which to listen for k8s audit events. Default `/k8s_audit`.