Enabling Event Sources
Historically, Falco supported consuming events coming from one event source only. This means that to consume events from more than one event source, users needed to deploy many instances of Falco, each configured with a different source.
The only exception was the legacy implementation of the Kubernetes Audit Events, which allowed receiving events from the k8s_audit event sources in parallel with the syscall one. However, it wasn't standardized and has been substituted in favor of a plugin-based porting starting from Falco 0.32.0.
Since version 0.33.0, Falco introduced a standard support for consuming events from multiple event sources running in parallel within the same Falco instance. You can check this feature's design principles and rationale at falcosecurity/falco/issues/2074.
The default behavior of Falco is to enable event collection from all the event sources it knows. The set of known event sources includes the syscall one by default, plus any other sources defined by plugins with event sourcing capability loaded through Falco's configuration.
Each of the enabled event sources causes Falco to start a new ad-hoc isolated thread through which events for a single source are generated, consumed, and evaluated through security rules. In each isolated thread, events are still processed sequentially one-by-one.
Falco guarantees feature parity between running multiple event sources in the same Falco instance, and running the same set of event sources each in a separate single-source instance of Falco. As such, when running more than one event source Falco does not allow any correlation logic between events coming from different event sources.
In fact, the set of security rules loaded in Falco is entirely partitioned by event source. From the perspective of the Falco rule engine, each security rule is defined for one and only event source and can uniquely be triggered by events coming from it.
The set of enabled event sources can be changed through the --enable-source and --disable-source CLI options.
The two can't be mixed together and follow this logic:
--disable-sourceDisables one single event source among the set of enabled ones. This assumes Falco's default behavior of enabling every loaded event source. Can be passed multiple times to disable multiple event sources.
For example, passing
--disable-source=syscall --disable-source=k8s_sauditas Falco CLI argument will disable live event consumption for thesyscalland thek8s_auditevent sources. Disabling unknown event sources, or disabling all the loaded ones, results in an error.--enable-sourceEnables one single event source among the set of loaded ones. This disables Falco's default behavior, and makes it consider every loaded source as disabled by default in order to enable each of them selectively. Can be passed multiple times to enable multiple event sources.
For example, passing
--enable-source=syscall --enable-source=k8s_sauditas Falco CLI argument will enable live event consumption for thesyscalland thek8s_auditevent sources only, even if others are loaded. Enabling unknown event sources results in an error.
The syscall event source requires a little extra attention.
Since Falco will always load syscall implicitly, single event-source deployments using a plugin (e.g. a Falco instance configured to consume AWS CloudTrail events only) will require specifying --disable-source=syscall, unless the option --enable-source=<plugin_source_name> had been passed explicitly.
Likewise, this also means that passing --enable-source=syscall won't have an effect on Falco unless a plugin with event source capability had been already enabled.
Offline Captures
Offline captures based on trace files are not affected by this logic. In that case, Falco is capable of processing events coming from different event sources out of the box with no additional configuration.Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.