
Commit 4125b9c

new(falco): add append_output explanation to falco.yaml
Signed-off-by: Luca Guerra <[email protected]>
1 parent c6e0c2e commit 4125b9c

File tree

1 file changed

+36
-0
lines changed


Diff for: falco.yaml

+36
@@ -576,6 +576,42 @@ rule_matching: first
576576
outputs_queue:
577577
capacity: 0
578578

579+
# [Sandbox] `append_output`
580+
#
581+
# Add information to the Falco output.
582+
# With this setting you can add more information to the Falco output message, customizable by
583+
# rule, tag or source.
584+
# In addition, you can add additional data that will appear in the output_fields property
585+
# of JSON formatted messages or gRPC output but will not be part of the regular output message.
586+
# This allows you to add custom fields that can help you filter your Falco events without
587+
# polluting the message text.
588+
#
589+
# Each append_output entry has optional fields (ANDed together) to filter events:
590+
# `rule`: append output only to a specific rule
591+
# `source`: append output only to a specific source
592+
# `tag`: append output only to a specific tag
593+
# If none of the above are specified output is appended to all events, if more than one is
594+
# specified output will be appended to events that match all the conditions.
595+
# And several options to add output:
596+
# `format`: add output to the Falco message
597+
# `fields`: add new fields to the JSON output and structured output, which will not
598+
# affect the regular Falco message in any way. These can be specified as a
599+
# custom name with a custom format or as any supported field
600+
# (see: https://falco.org/docs/reference/rules/supported-fields/)
601+
#
602+
# Example:
603+
#
604+
# - source: syscall
605+
# format: "on CPU %evt.cpu"
606+
# fields:
607+
# - home_directory: "${HOME}"
608+
# - evt.hostname
609+
#
610+
# In the example above every event coming from the syscall source will get an extra message
611+
# at the end saying the CPU number. In addition, if `json_output` is true under output_fields
612+
# we will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
613+
# environment variable $HOME, and "evt.hostname" which will contain the hostname.
614+
579615

580616
##########################
581617
# Falco outputs channels #
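Review bot: The `fields` bullet says a custom field is "a custom name with a custom format", but the only example of one, `home_directory: "${HOME}"`, uses shell-style environment expansion, whereas the `format` bullet's example uses the `%evt.cpu` field-placeholder syntax; the comment should state which syntax custom field values accept (`%field` placeholders, `${ENV}` expansion, or both) and when `${HOME}` is resolved (once at config load from the Falco process environment, or per event). Because the text says the resolved value of `$HOME` ends up in `output_fields` of every matching event, it is worth one sentence noting that any variable in the Falco process environment can be copied into the event stream this way, so operators should keep sensitive values out of that environment before using this feature. Two smaller points: the `[Sandbox]` tag in the header deserves a short line on what that status means for stability of this configuration block, and "If none of the above are specified output is appended to all events, if more than one is specified output will be appended to events that match all the conditions." is a comma splice; split it into two sentences, e.g. "If none of the above are specified, output is appended to all events. If more than one is specified, output is appended only to events that match all the conditions."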
