diff --git a/Falco-Configuration.md b/Falco-Configuration.md index ccd349e..7b898ed 100644 --- a/Falco-Configuration.md +++ b/Falco-Configuration.md @@ -7,15 +7,15 @@ Any configuration option can be overridden on the command line via the `-o/--opt The current configuration keys are: -####`rules_file: ` +#### `rules_file: ` the location of the rules file. This can also be overridden on the command line via `-r`. -####`json_output: [true|false]` +#### `json_output: [true|false]` whether to use JSON output for alert messages. -####`log_stderr: [true|false]` +#### `log_stderr: [true|false]` if true, log messages describing falco's activity will be logged to stderr. Note these are *not* alert messages--these are log messages for falco itself. @@ -23,11 +23,11 @@ if true, log messages describing falco's activity will be logged to stderr. Note if true, log messages describing falco's activity will be logged to syslog. -####`log_level: [emergency|alert|critical|error|warning|notice|info|debug]` +#### `log_level: [emergency|alert|critical|error|warning|notice|info|debug]` Minimum log level to include in logs. Note: these levels are separate from the priority field of rules. This refers only to the log level of falco's internal logging. -####`outputs` +#### `outputs` a list containing these sub-keys: @@ -40,13 +40,13 @@ A throttling mechanism implemented as a token bucket limits the rate of falco no With these defaults, falco could send up to 1000 notifications after an initial quiet period, and then up to 1 notification per second afterward. It would gain the full burst back after 1000 seconds of no activity. -####`syslog_output` +#### `syslog_output` a list containing these sub-keys: * `enabled: [true|false]`: if true, falco alerts will be sent via syslog -####`file_output` +#### `file_output` a list containing these sub-keys: 
@@ -54,13 +54,13 @@ a list containing these sub-keys: * `filename: `: the location of the file to which alerts will be sent -####`stdout_output` +#### `stdout_output` a list containing these sub-keys: * `enabled: [true|false]`: if true, falco alerts will be sent to standard output -####`program_output` +#### `program_output` a list containing these sub-keys:
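Review bot: In the `@@ -7,15 +7,15 @@` hunk, the `rules_file: ` heading is reformatted but still shows nothing after the colon, whereas the headings next to it (`json_output: [true|false]`, `log_stderr: [true|false]`) show the accepted values. Since the line is being touched anyway, put a visible value placeholder inside the backticks so readers can see that the key takes a file path. The same gap appears in the `filename: ` bullet in the context of the `@@ -54,13 +54,13 @@` hunk.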
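Review bot: The `@@ -23,11 +23,11 @@` hunk opens on the description "if true, log messages describing falco's activity will be logged to syslog", but the heading that belongs to it is not in the diff. The previous hunk covers lines 7 to 21 and this one starts at 23, so line 22 is left unchanged. If that heading has the same missing space after `####` as the ones fixed here, it will still not render as a heading. Please check it and include it in this commit.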
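Review bot: In the `@@ -40,13 +40,13 @@` hunk, the unchanged lines under `syslog_output` and `file_output` read "a list containing these sub-keys:", and the same wording is context for `outputs`, `stdout_output` and `program_output` in the neighbouring hunks. A key with named sub-keys such as `enabled` is a mapping, not a list, so a reader following the text literally could write the entries as list items. While these headings are being edited, consider rewording the sentence to "a mapping with these sub-keys:" throughout.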