Prometheus Metrics Exporter for Falco output events

• Before using falco-exporter, you need Falco installed and running with the gRPC Output enabled (over Unix socket by default).
• Since falco-exporter v0.3.0:
  • the minimum required version of Falco is 0.24.0
  • if using Helm, the minimum required version of the Falco Chart is v1.2.0

make
./falco-exporter

Then check the metrics endpoint at http://localhost:9376/metrics

Command line usage:

$ ./falco-exporter --help
Usage of ./falco-exporter:
      --client-ca string                CA root file path for connecting to a Falco gRPC server (default "/etc/falco/certs/ca.crt")
      --client-cert string              cert file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.crt")
      --client-hostname string          hostname for connecting to a Falco gRPC server, if set, takes precedence over --client-socket
      --client-key string               key file path for connecting to a Falco gRPC server (default "/etc/falco/certs/client.key")
      --client-port uint16              port for connecting to a Falco gRPC server (default 5060)
      --client-socket string            unix socket path for connecting to a Falco gRPC server (default "unix:///var/run/falco.sock")
      --listen-address string           address on which to expose the Prometheus metrics (default ":9376")
      --probes-listen-address string    address on which to expose readiness/liveness probes endpoints (default ":19376")
      --server-ca string                CA root file path for metrics https server
      --server-cert string              cert file path for metrics https server
      --server-key string               key file path for metrics https server
      --timeout duration                timeout for initial gRPC connection (default 2m0s)

To run falco-exporter in a container using Docker:

docker run -v /path/to/falco.sock:/var/run/falco.sock falcosecurity/falco-exporter

Using the falco-exporter Helm Chart is the easiest way to deploy falco-exporter.

Before installing the chart, add the falcosecurity charts repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Finally, to install the chart with the release name falco-exporter and default configuration values:

helm install falco-exporter falcosecurity/falco-exporter

The full documentation of the Helm Chart is here.

Alternatively, it is possible to deploy falco-exporter without using Helm. Templates for manual installation are here.

The Falco dashboard can be imported into Grafana by copy-paste the provided grafana/dashboard.json or by getting it from the Grafana Dashboards website.

You can find detailed Grafana importing instructions here.

Falco events have a priority value, as defined here. The exported metrics will include a priority label that uses a numeric index. The meaning of these indices is reported in the following table.

falco-exporter uses gRPC over a Unix socket by default.

You may change this behavior by setting --client-hostname. Note that the Falco gRPC server over the network works only with mutual TLS by design. Therefore, when --client-hostname is set you also need valid certificate files to configure falco-exporter properly (see the Command line usage above).