github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-27 10:28:54 +00:00
Code Issues Projects Releases Wiki Activity

Updated Running Falco (markdown)

Mark Stemm 2017-03-29 15:17:47 -07:00
parent 2b6847f342
commit 5e4f391d6b
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Running-Falco.md

@ -23,10 +23,11 @@ Usage: falco [options]
Options: Options:
-h, --help Print this page -h, --help Print this page
-c Configuration file (default <source dir>/falco.yaml, /etc/falco.yaml) -c Configuration file (default /mnt/sf_mstemm/work/src/falco/falco.yaml, /etc/falco.yaml)
-A Monitor all events, including those with EF_DROP_FALCO flag. -A Monitor all events, including those with EF_DROP_FALCO flag.
-d, --daemon Run as a daemon -d, --daemon Run as a daemon
-D <pattern> Disable any rules matching the regex <pattern>. Can be specified multiple times. -D <pattern> Disable any rules matching the regex <pattern>. Can be specified multiple times.
Can not be specified with -t.
-e <events_file> Read the events from <events_file> (in .scap format) instead of tapping into live. -e <events_file> Read the events from <events_file> (in .scap format) instead of tapping into live.
-k <url>, --k8s-api=<url> -k <url>, --k8s-api=<url>
Enable Kubernetes support by connecting to the API server Enable Kubernetes support by connecting to the API server
@ -52,6 +53,7 @@ Options:
Marathon url is optional and defaults to Mesos address, port 8080. Marathon url is optional and defaults to Mesos address, port 8080.
The API servers can also be specified via the environment variable The API servers can also be specified via the environment variable
FALCO_MESOS_API. FALCO_MESOS_API.
-M <num_seconds> Stop collecting after <num_seconds> reached.
-o, --option <key>=<val> Set the value of option <key> to <val>. Overrides values in configuration file. -o, --option <key>=<val> Set the value of option <key> to <val>. Overrides values in configuration file.
<key> can be a two-part <key>.<subkey> <key> can be a two-part <key>.<subkey>
-p <output_format>, --print=<output_format> -p <output_format>, --print=<output_format>
@ -67,7 +69,12 @@ Options:
Can be specified multiple times to read from multiple files. Can be specified multiple times to read from multiple files.
-s <stats_file> If specified, write statistics related to falco's reading/processing of events -s <stats_file> If specified, write statistics related to falco's reading/processing of events
to this file. (Only useful in live mode). to this file. (Only useful in live mode).
-T <tag> Disable any rules with a tag=<tag>. Can be specified multiple times.
Can not be specified with -t.
-t <tag> Only run those rules with a tag=<tag>. Can be specified multiple times.
Can not be specified with -T/-D.
-v Verbose output. -v Verbose output.
--version Print version number.
``` ```