Enabling Event Sources
Historically, Falco supported consuming events coming from one event source only. This means that to consume events from more than one event source, users needed to deploy many instances of Falco, each configured with a different source.
The only exception was the legacy implementation of the Kubernetes Audit Events, which allowed receiving events from the k8s_audit event sources in parallel with the syscall one. However, it wasn't standardized and has been substituted in favor of a plugin-based porting starting from Falco 0.32.0.
Since version 0.33.0, Falco introduced a standard support for consuming events from multiple event sources running in parallel within the same Falco instance. You can check this feature's design principles and rationale at falcosecurity/falco/issues/2074.
Falco's default behavior is enabling event collection from all the event sources it knows. The set of known event sources includes the syscall one by default, plus any other sources defined by plugins with event sourcing capability loaded through Falco's configuration.
Each of the enabled event sources causes Falco to start a new ad-hoc isolated thread through which events for a single source are generated, consumed, and evaluated through security rules. In each isolated thread, events are still processed sequentially one-by-one.
Falco guarantees feature parity between running multiple event sources in the same Falco instance, and running the same set of event sources each in a separate single-source instance of Falco. As such, when running more than one event source Falco does not allow any correlation logic between events coming from different event sources.
In fact, the set of security rules loaded in Falco is entirely partitioned by event source. From the perspective of the Falco rule engine, each security rule is defined for one and only event source and can uniquely be triggered by events coming from it.
The set of enabled event sources can be changed through the --enable-source and --disable-source CLI options.
The two can't be mixed together and follow this logic:
--disable-sourceDisables one single event source among the set of enabled ones. This assumes Falco's default behavior of enabling every loaded event source. Can be passed multiple times to disable multiple event sources.
For example, passing
--disable-source=syscall --disable-source=k8s_sauditas Falco CLI argument will disable live event consumption for thesyscalland thek8s_auditevent sources. Disabling unknown event sources, or disabling all the loaded ones, results in an error.--enable-sourceEnables one single event source among the set of loaded ones. This disables Falco's default behavior, and makes it consider every loaded source as disabled by default in order to enable each of them selectively. Can be passed multiple times to enable multiple event sources.
For example, passing
--enable-source=syscall --enable-source=k8s_sauditas Falco CLI argument will enable live event consumption for thesyscalland thek8s_auditevent sources only, even if others are loaded. Enabling unknown event sources results in an error.
The syscall event source requires a little extra attention.
Since Falco will always load syscall implicitly, single event-source deployments using a plugin (e.g. a Falco instance configured to consume AWS CloudTrail events only) will require specifying --disable-source=syscall, unless the option --enable-source=<plugin_source_name> had been passed explicitly.
Likewise, this also means that passing --enable-source=syscall won't have an effect on Falco unless a plugin with event source capability had been already enabled.
Capture Files
This logic does not apply when Falco is reproducing events from a capture file. In that case, Falco is capable of processing events coming from different event sources out of the box with no additional configuration.Plugins Implementing the syscall Source
Since version 3.0.0 of the plugin API, released starting from Falco 0.35.0, plugins with event sourcing capability have the possibility of producing system events just like the Falco Drivers. Falco runs plugins of this kind as regular plugins with event sourcing capability loaded through Falco's configuration, and would interpret their supported event source as syscall.
When the syscall source is enabled, by default Falco always opens its event stream by leveraging one of the configured Falco Drivers. When a plugin implementing the syscall event source is loaded through the Falco configuration, users can specify the --nodriver option to instruct Falco about opening the syscall event stream by using the plugin instead of the drivers. The --nodriver option is used in mutual exclusion with the other driver selection options (e.g. -g, modern-bpf, etc...).
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.