Falco Configuration Options
Falco's configuration file is a YAML file containing a collection of key: value
or key: [value list]
pairs.
Any configuration option can be overridden on the command line via the -o/--option key=value
flag.
For key: [value list]
options, you can specify individual list items using --option key.subkey=value
.
Falco options
Apply either via falco.yaml or with the -o/--option argument.
Option Name | Option Type | Description |
---|---|---|
rules_file | List | The location of the rules file(s). This can contain one or more paths to separate rules files. The following examples are equivalent:
You can also specify multiple rules files on the command line via one or more |
plugins | A list of objects. Each object has the following sub-keys:
| Defines the set of plugins Falco can load.
If if |
load_plugins | A list of plugin names, corresponding to the name sub-key from the plugins config item. Example:
| Defines the set of plugins that will actually be loaded. This is optional--if the property is not present, all plugins named in the plugins list will be loaded. All loaded plugins supporting the event sourcing capability will add a new event source in Falco. By default, all event sources known by Falco are enabled for live sessions and can be turned on and off with the --enabled-source and --disable-source command line options. |
watch_config_files | Boolean | If true (default is true ), watch the config file and all loaded rules files for modification. When any of these files gets modified, Falco will do a hot reload to propagate the changes. |
time_format_iso_8601 | Boolean | If true (default is false ), the times displayed in log messages and output messages will be in ISO 8601. By default, times are displayed in the local time zone, as governed by /etc/localtime. |
json_output | Boolean | If true (default is false ), print falco alert messages and rules file loading/validation results as json, which allows for easier consumption by downstream programs. Also changes falco --version CLI argument output as json. |
json_include_output_property | Boolean | If true (default is true ), when using json output, whether or not to include the output property itself (e.g. File below a known binary directory opened for writing (user=root .... ) in the JSON output. |
json_include_tags_property | Boolean | When using json output, whether or not to include the tags property in the json output. If set to true (default is true ), outputs caused by rules with no tags will have a tags field set to an empty array. If set to false , the tags field will not be included in the json output at all. |
log_stderr | Boolean | If true , log messages describing Falco's activity will be logged to stderr. Note these are not alert messages---these are log messages for Falco itself. |
log_syslog | Boolean | If true , log messages describing Falco's activity will be logged to syslog. |
log_level | Enum with the following possible values: emergency , alert , critical , error , warning , notice , info , debug | Minimum log level to include in logs. Note: these levels are separate from the priority field of rules. This refers only to the log level of Falco's internal logging. |
libs_logger | List containing the following sub-keys:
| Since version 0.32.2, Falco is capable of managing the logs coming from libs. If enabled, the libs logger send its log records the same outputs supported by alco (stderr and syslog). |
priority | Enum with the following possible values: emergency , alert , critical , error , warning , notice , info , debug | Minimum rule priority level to load and run. All rules having a priority more severe than this level will be loaded/run. |
buffered_outputs | Boolean | Whether or not output to any of the output channels below is buffered. Defaults is false . |
syscall_event_drops | List containing the following sub-keys:
| Controls Actions For Dropped System Call Events. |
syscall_event_timeouts | List containing the following sub-keys:
| Since version 0.28.1, Falco allows configuring the maximum number of consecutive timeouts without an event before sending an alert. |
output_timeout | Integer | Since version 0.27.0, Falco allows specifying the duration in milliseconds to wait before considering all the configured outputs blocked. Default is 2000ms. |
syslog_output | List containing the following sub-keys:
| If true , Falco alerts will be sent via syslog. |
file_output | List containing the following sub-keys:
| If If |
stdout_output | List containing the following sub-keys:
| If enabled is set to true , Falco alerts will be sent to standard output (stdout). |
program_output | List containing the following sub-keys:
| If If The |
http_output | List containing the following sub-keys:
| As of 0.15.0 , if enabled is set to true , Falco alerts will be sent to the HTTP[s] URL defined by url . Currently this is a blocking operation and this output does not support keep_alive . |
webserver | List containing the following sub-keys:
| If
|
grpc | List containing the following sub-keys:
| If Falco supports running a gRPC server with two main binding types:
The gRPC server over the network can only be used with mutual authentication between the clients and the server using TLS certificates, and the following options should be provided:
How to generate the certificates is documented here. Please always remember that the only common thing between server and clients is the root certificate. Every client will need to generate their own certificates signed by the same root CA as the server. |
grpc_output | List containing the following sub-keys:
| If enabled is set to true , Falco will start collecting outputs for the gRPC server. It's important to consume them with an output client. Example of output client here. |
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.