Configuration

Configuration file

Configuration

The static configuration of Falco Talon is set with a .yaml file (default: ./config.yaml) or with environment variables.

SettingEnv varDefaultDescription
listen_addressLISTEN_ADDRESS0.0.0.0Listten Address
listen_portLISTEN_PORT2803Listten Port
rules_filesRULES_FILESn/aFile with rules
watch_rulesWATCH_RULEStrueReload rules if they change
print_all_eventsPRINT_ALL_EVENTStruePrint in logs all received events, not only those which matches
kubeconfigKUBECONFIGn/aKube config file, only if Falco Talon runs outside Kubernetes
log_formatLOG_FORMATcolorLog Format: text, color, json
otel.traces_enabledOTEL_TRACES_ENABLEDfalseEnable traces
otel.metrics_enabledOTEL_METRICS_ENABLEDfalseEnable metrics
otel.collector_endpointOTEL_COLLECTOR_ENDPOINTlocalhostListen address of the OTEL Collector
otel.collector_portOTEL_COLLECTOR_PORTlocalhostListen port of the OTEL Collector
otel.use_insecure_grpcOTEL_USE_INSECURE_GRPCfalseEnable insecure gRPC connection
otel.timeoutOTEL_TIMEOUT10Timeout in seconds
deduplication.leader_electionDEDUPLICATION_LEADER_ELECTIONtrueenable the leader election for cluster mode (in k8s only)
deduplication.time_window_secondsDEDUPLICATION_TIME_WINDOW_SECONDS5Duration in seconds for the deduplication time window
default_notifiersDEFAULT_NOTIFIERSn/aList of notifiers which are enabled for all rules
notifiers_xNOTIFIERS_Xn/aList of notifiers with their settings
aws.role_arnAWS_ROLE_ARNn/aAWS Role ARN to use with AWS actions
aws.external_idAWS_ROLE_EXTERNAL_IDn/aAWS External ID used to assume roles with AWS actions. This field is ignored if aws.role_arn is not set
aws.regionAWS_REGIONn/aAWS Region to use, it should be specified along aws.access_key and aws.secret_key
aws.access_keyAWS_ACCESS_KEYn/aAWS Access Key to use, it should be specified along aws.region and aws.secret_key
aws.secret_keyAWS_SECRET_KEYn/aAWS Secret Key to use, it should be specified along aws.region and aws.access_key
minio.endpointMINIO_ENDPOINTn/aMinio endpoint address
minio.access_keyMINIO_ACCESS_KEYn/aAccess Key to use, it should be specified along minio.secret_key
minio.secret_keyMINIO_SECRET_KEYn/aSecret Key to use, it should be specified along minio.access_key
minio.use_sslMINIO_USE_SSLfalseUse SSL

Example

listen_address: "0.0.0.0" # default: "0.0.0.0"
listen_port: "2803" # default: "2803"
rules_file:
  - "./rules.yaml" # default: "./rules.yaml"
# kubeConfig: "~/.kube/config" # only if Falco Talon is running outside Kubernetes
log_format: "color" # log format: text, color, json (default: color)
watch_rules: true # reload if the rules file changes (default: true)
print_all_events: true # print in logs all received events, not only those which match

otel: # OTEL
  traces_enabled: true # enable the traces
  metrics_enabled: true # enables the metrics
  collector_endpoint: localhost # listen address of the OTEL Collector
  collector_port: 4317 # listen port of the OTEL Collector
  collector_use_insecure_grpc: false # enable insecure gRPC connection
  timeout: 10 # timeout in seconds

deduplication:
  leader_election: true # enable the leader election for cluster mode (in k8s only)
  time_window_seconds: 5 # duration in seconds for the deduplication time window (default: 5)

default_notifiers: # these notifiers will be enabled for all rules
  - k8sevents

aws:
  role_arn: arn:aws:iam::<account_number>:role/<role_name> # role to assume
  external_id: <external_id> # external id
  region: <region> # if not specified, default region from provider credential chain will be used
  access_key: <access_key> # if not specified, default access_key from provider credential chain will be used
  secret_key: <secret_key> # if not specified, default secret_key from provider credential chain will be used

minio:
  endpoint: <endpoint> # endpoint
  access_key: <access_key> # access key
  secret_key: <secret_key> # secret key
  use_ssl: false # use SSL

notifiers:
  slack:
    webhook_url: "https://hooks.slack.com/services/XXXX" # Slack webhook
    icon: "" # default: "https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg"
    username: "" # default: "Falco Talon"
    footer: "" # default: "https://github.com/falco-talon/falco-talon"
    format: long # default: long
  webhook:
    url: "" # address of the webhook endpoint
  smtp:
    host_port: "" # host:port of the SMTP server
    from: "" # from header
    to: "" # to
    user: "" # user
    password: "" # password
    format: "html" # format: html or text

See here for the settings of the notifers.

Last modified November 27, 2024: docs for v0.2.0 (#15) (9b5ae74)