Updated Falco Alerts (markdown)

Mark Stemm
2016-08-05 10:57:48 -07:00
parent 5d419d8144
commit 3b355b9f9a

@@ -5,6 +5,7 @@ Falco can send alerts to one or more channels:
* Standard Output
* A file
* Syslog
* A spawned program
The channels are configured via the falco configuration file `falco.yaml`. See the [Falco Configuration](Falco Configuration) page for more details. Here are details on each of those channels.
@@ -33,6 +34,18 @@ Jun 7 10:20:05 ubuntu falco: Sensitive file opened for reading by non-trusted p
Syslog messages are sent with a facility of LOG_USER. The rule's priority is used as the priority of the syslog message.
## Program Output
When configured to send alerts to a program, for each alert the program is started and written to it's standard input. For example, given a `falco.yaml` configuration of:
```
program_output:
enabled: true
program: mail -s "Falco Notification" someone@example.com
```
For each alert, falco will run the program `mail -s ...` and write the alert to the program.
## JSON Output
For all output channels, you can switch to JSON output either in the configuration file or on the command line. For each alert, falco will print a JSON object, on a single line, containing the following properties:
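Review bot: In the new Program Output section, "written to it's standard input" should read "its standard input". Beyond the typo, the section leaves two operationally important details unstated for the `program_output` example: whether the `program:` string is interpreted by a shell (the quoted `"Falco Notification"` argument implies it is, which matters for how operators must quote the command line), and that a fresh process is spawned for every alert, so a high alert rate means one `mail -s ...` invocation per event. Suggest adding a sentence along the lines of "The program line is run once per alert; the alert text is delivered only on standard input and is never inserted into the command line itself," and pointing operators at a fixed, trusted program path rather than an interactive or user-writable one, since whatever runs here inherits the privileges of the falco process.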