This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Configuration

Configuration file

    Configuration

    The static configuration of Falco Talon is set with a .yaml file (default: ./config.yaml) or with environment variables.

    SettingEnv varDefaultDescription
    listen_addressLISTEN_ADDRESS0.0.0.0Listten Address
    listen_portLISTEN_PORT2803Listten Port
    rules_filesRULES_FILESn/aFile with rules
    watch_rulesWATCH_RULEStrueReload rules if they change
    print_all_eventsPRINT_ALL_EVENTStruePrint in logs all received events, not only those which matches
    kubeconfigKUBECONFIGn/aKube config file, only if Falco Talon runs outside Kubernetes
    log_formatLOG_FORMATcolorLog Format: text, color, json
    otel.traces_enabledOTEL_TRACES_ENABLEDfalseEnable traces
    otel.metrics_enabledOTEL_METRICS_ENABLEDfalseEnable metrics
    otel.collector_endpointOTEL_COLLECTOR_ENDPOINTlocalhostListen address of the OTEL Collector
    otel.collector_portOTEL_COLLECTOR_PORTlocalhostListen port of the OTEL Collector
    otel.use_insecure_grpcOTEL_USE_INSECURE_GRPCfalseEnable insecure gRPC connection
    otel.timeoutOTEL_TIMEOUT10Timeout in seconds
    deduplication.leader_electionDEDUPLICATION_LEADER_ELECTIONtrueenable the leader election for cluster mode (in k8s only)
    deduplication.time_window_secondsDEDUPLICATION_TIME_WINDOW_SECONDS5Duration in seconds for the deduplication time window
    default_notifiersDEFAULT_NOTIFIERSn/aList of notifiers which are enabled for all rules
    notifiers_xNOTIFIERS_Xn/aList of notifiers with their settings
    aws.role_arnAWS_ROLE_ARNn/aAWS Role ARN to use with AWS actions
    aws.external_idAWS_ROLE_EXTERNAL_IDn/aAWS External ID used to assume roles with AWS actions. This field is ignored if aws.role_arn is not set
    aws.regionAWS_REGIONn/aAWS Region to use, it should be specified along aws.access_key and aws.secret_key
    aws.access_keyAWS_ACCESS_KEYn/aAWS Access Key to use, it should be specified along aws.region and aws.secret_key
    aws.secret_keyAWS_SECRET_KEYn/aAWS Secret Key to use, it should be specified along aws.region and aws.access_key
    minio.endpointMINIO_ENDPOINTn/aMinio endpoint address
    minio.access_keyMINIO_ACCESS_KEYn/aAccess Key to use, it should be specified along minio.secret_key
    minio.secret_keyMINIO_SECRET_KEYn/aSecret Key to use, it should be specified along minio.access_key
    minio.use_sslMINIO_USE_SSLfalseUse SSL

    Example

    listen_address: "0.0.0.0" # default: "0.0.0.0"
listen_port: "2803" # default: "2803"
rules_file:
  - "./rules.yaml" # default: "./rules.yaml"
# kubeConfig: "~/.kube/config" # only if Falco Talon is running outside Kubernetes
log_format: "color" # log format: text, color, json (default: color)
watch_rules: true # reload if the rules file changes (default: true)
print_all_events: true # print in logs all received events, not only those which match

otel: # OTEL
  traces_enabled: true # enable the traces
  metrics_enabled: true # enables the metrics
  collector_endpoint: localhost # listen address of the OTEL Collector
  collector_port: 4317 # listen port of the OTEL Collector
  collector_use_insecure_grpc: false # enable insecure gRPC connection
  timeout: 10 # timeout in seconds

deduplication:
  leader_election: true # enable the leader election for cluster mode (in k8s only)
  time_window_seconds: 5 # duration in seconds for the deduplication time window (default: 5)

default_notifiers: # these notifiers will be enabled for all rules
  - k8sevents

aws:
  role_arn: arn:aws:iam::<account_number>:role/<role_name> # role to assume
  external_id: <external_id> # external id
  region: <region> # if not specified, default region from provider credential chain will be used
  access_key: <access_key> # if not specified, default access_key from provider credential chain will be used
  secret_key: <secret_key> # if not specified, default secret_key from provider credential chain will be used

minio:
  endpoint: <endpoint> # endpoint
  access_key: <access_key> # access key
  secret_key: <secret_key> # secret key
  use_ssl: false # use SSL

notifiers:
  slack:
    webhook_url: "https://hooks.slack.com/services/XXXX" # Slack webhook
    icon: "" # default: "https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg"
    username: "" # default: "Falco Talon"
    footer: "" # default: "https://github.com/falco-talon/falco-talon"
    format: long # default: long
  webhook:
    url: "" # address of the webhook endpoint
  smtp:
    host_port: "" # host:port of the SMTP server
    from: "" # from header
    to: "" # to
    user: "" # user
    password: "" # password
    format: "html" # format: html or text

    See here for the settings of the notifers.