From 7fa90fd0577139a0cae7aa656b1b9706a356dbde Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 9 Oct 2017 16:56:21 -0700 Subject: [PATCH] Updated Falco Configuration (markdown) --- Falco-Configuration.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Falco-Configuration.md b/Falco-Configuration.md index a2ba6d3..aaa37c7 100644 --- a/Falco-Configuration.md +++ b/Falco-Configuration.md @@ -64,6 +64,7 @@ a list containing these sub-keys: a list containing these sub-keys: * `enabled: [true|false]`: if true, falco alerts will be sent to the specified file +* `keep_alive: [true|false]`: If false (default), will reopen file for every alert. If true, will open the file once and keep it open for all alerts. Might be necessary to also specify `--unbuffered` on falco command line. * `filename: `: the location of the file to which alerts will be sent @@ -78,6 +79,7 @@ a list containing these sub-keys: a list containing these sub-keys: * `enabled: [true|false]`: if true, falco alerts will be sent to a program +* `keep_alive: [true|false]`: If false (default), run program for each alert. If true, will spawn program once and keep it open for all alerts. Might be necessary to also specify `--unbuffered` on falco command line. * `program: `: the program to run for each alert. This is started via a shell, so you can specify a command pipeline to allow for additional formatting.
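Review bot: In the first hunk (file output, `@@ -64,6 +64,7 @@`), the closing sentence "Might be necessary to also specify `--unbuffered` on falco command line" does not say when it is necessary or what goes wrong without it. Since the bullet is about holding the file open across alerts, state the condition directly, for example that with `keep_alive: true` alerts may not appear in the file promptly unless `--unbuffered` is given, if that is the behavior. It would also help to document what happens when the file is rotated or removed while it is held open, because a reader who enables this option needs to know whether alerts keep reaching the path named in `filename`. Minor style point: the neighbouring bullet starts its description in lower case ("if true, falco alerts will be sent ..."), while the new one starts with "If false (default), ...".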
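Review bot: In the second hunk (program output, `@@ -78,6 +79,7 @@`), the new `keep_alive` bullet conflicts with the unchanged `program` bullet just below it, which still reads "the program to run for each alert". With `keep_alive: true` the program is spawned once, so the `program` description should be updated in the same change, for example "the program to run for each alert (or once for all alerts, if `keep_alive` is true)". The bullet also leaves out how alerts reach the long-lived program and what happens if that program exits between alerts; both are worth a sentence, because a silently dead consumer means lost alerts. As in the file output bullet, the `--unbuffered` remark should say under what condition it is needed.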