falcosidekick
Feature request: Support for heartbeat messages for outputs
Motivation
We would like to send falco messages from multiple clusters to a SIEM. It would be nice if the SIEM could detect if we stopped receiving logs from a given cluster though (for example, if the cluster has an outbound firewall configured that breaks connectivity). We could configure the SIEM to alert if data isn't seen from a given cluster for a certain period of time, if we could guarantee sidekick would send at least some messages on a reasonable interval.
It would be nice to be able to configure a set interval, maybe per-output, to send generic heartbeat-like messages.
Feature
Certain outputs could have a config option (or maybe there's a global config option for all outputs) to set the heartbeat interval. Defaults to no heartbeats. If configured, sends a message at the provided interval (for example every hour, or once a day, not overly chatty).
Alternatives
Another option could be to allow us to configure liveness probes in the sidekick helm chart that trigger the messages via the /test handler in falcosidekick.
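The SIEM-side check described under Motivation, sketched as an added example that is not part of the original issue or of falcosidekick's code: it flags every expected cluster whose newest event is older than the heartbeat interval plus a grace period, including clusters that never reported. The event lines are constructed, and the cluster label under output_fields, the Heartbeat rule name and the function name silentClusters are assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed sample events, not real Falco output; the "cluster" label is an assumption.
const sampleEvents = `{"time":"2024-01-01T10:00:00Z","rule":"Heartbeat","output_fields":{"cluster":"prod-eu"}}
{"time":"2024-01-01T11:00:00Z","rule":"Terminal shell in container","output_fields":{"cluster":"prod-us"}}
{"time":"2024-01-01T12:00:00Z","rule":"Heartbeat","output_fields":{"cluster":"prod-us"}}
not-json line from a broken forwarder`

type event struct {
	Time   time.Time      `json:"time"`
	Fields map[string]any `json:"output_fields"`
}

// silentClusters returns, in the order given, every expected cluster whose newest
// event is older than interval+grace at time now, or that was never seen at all.
func silentClusters(log string, expected []string, now time.Time, interval, grace time.Duration) []string {
	lastSeen := map[string]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var e event
		if json.Unmarshal(sc.Bytes(), &e) != nil {
			continue // skip lines that are not valid event JSON
		}
		c, _ := e.Fields["cluster"].(string)
		if c != "" && e.Time.After(lastSeen[c]) {
			lastSeen[c] = e.Time // any event counts as a sign of life, not only heartbeats
		}
	}
	var silent []string
	for _, c := range expected {
		if seen, ok := lastSeen[c]; !ok || now.Sub(seen) > interval+grace {
			silent = append(silent, c)
		}
	}
	return silent
}

func main() {
	now := time.Date(2024, 1, 1, 12, 30, 0, 0, time.UTC)
	fmt.Println(silentClusters(sampleEvents, []string{"prod-eu", "prod-us", "staging"}, now, time.Hour, 15*time.Minute))
}
```

The list of expected clusters has to come from an inventory kept outside the event stream, otherwise a cluster that never connected would go unnoticed.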
Hello,
I don't like the idea of changing the liveness probe; this is not its purpose, but we can think about something else like you ask.
Heartbeats are a particular use case, I don't think we want to have it for all outputs. A dedicated output should be enough, I guess.
I'll add this to my todo for 2.25.0 and submit a proposal to the community.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/remove-lifecycle stale
/remove-lifecycle rotten