
Configuration

Configuration file

The static configuration of Falco Talon is set with a .yaml file (default: ./config.yaml) or with environment variables.

| Setting | Env var | Default | Description |
|---|---|---|---|
| listen_address | LISTEN_ADDRESS | 0.0.0.0 | Listen address |
| listen_port | LISTEN_PORT | 2803 | Listen port |
| rules_files | RULES_FILES | n/a | File with rules |
| watch_rules | WATCH_RULES | true | Reload rules if they change |
| print_all_events | PRINT_ALL_EVENTS | true | Print in logs all received events, not only those which match |
| kubeconfig | KUBECONFIG | n/a | Kube config file, only if Falco Talon runs outside Kubernetes |
| log_format | LOG_FORMAT | color | Log format: text, color, json |
| otel.traces_enabled | OTEL_TRACES_ENABLED | false | Enable traces |
| otel.metrics_enabled | OTEL_METRICS_ENABLED | false | Enable metrics |
| otel.collector_endpoint | OTEL_COLLECTOR_ENDPOINT | localhost | Listen address of the OTEL Collector |
| otel.collector_port | OTEL_COLLECTOR_PORT | localhost | Listen port of the OTEL Collector |
| otel.use_insecure_grpc | OTEL_USE_INSECURE_GRPC | false | Enable insecure gRPC connection |
| otel.timeout | OTEL_TIMEOUT | 10 | Timeout in seconds |
| deduplication.leader_election | DEDUPLICATION_LEADER_ELECTION | true | Enable the leader election for cluster mode (in k8s only) |
| deduplication.time_window_seconds | DEDUPLICATION_TIME_WINDOW_SECONDS | 5 | Duration in seconds for the deduplication time window |
| default_notifiers | DEFAULT_NOTIFIERS | n/a | List of notifiers which are enabled for all rules |
| notifiers_x | NOTIFIERS_X | n/a | List of notifiers with their settings |
| aws.role_arn | AWS_ROLE_ARN | n/a | AWS Role ARN to use with AWS actions |
| aws.external_id | AWS_ROLE_EXTERNAL_ID | n/a | AWS External ID used to assume roles with AWS actions. This field is ignored if aws.role_arn is not set |
| aws.region | AWS_REGION | n/a | AWS Region to use; it should be specified along with aws.access_key and aws.secret_key |
| aws.access_key | AWS_ACCESS_KEY | n/a | AWS Access Key to use; it should be specified along with aws.region and aws.secret_key |
| aws.secret_key | AWS_SECRET_KEY | n/a | AWS Secret Key to use; it should be specified along with aws.region and aws.access_key |
| minio.endpoint | MINIO_ENDPOINT | n/a | Minio endpoint address |
| minio.access_key | MINIO_ACCESS_KEY | n/a | Access Key to use; it should be specified along with minio.secret_key |
| minio.secret_key | MINIO_SECRET_KEY | n/a | Secret Key to use; it should be specified along with minio.access_key |
| minio.use_ssl | MINIO_USE_SSL | false | Use SSL |

Example

listen_address: "0.0.0.0" # default: "0.0.0.0"
listen_port: "2803" # default: "2803"
rules_files: # key name as listed in the settings table above
  - "./rules.yaml" # default: "./rules.yaml"
# kubeconfig: "~/.kube/config" # only if Falco Talon is running outside Kubernetes
log_format: "color" # log format: text, color, json (default: color)
watch_rules: true # reload if the rules file changes (default: true)
print_all_events: true # print in logs all received events, not only those which match

otel: # OTEL
  traces_enabled: true # enable the traces
  metrics_enabled: true # enable the metrics
  collector_endpoint: localhost # listen address of the OTEL Collector
  collector_port: 4317 # listen port of the OTEL Collector
  use_insecure_grpc: false # enable insecure gRPC connection (key name as listed in the settings table above)
  timeout: 10 # timeout in seconds

deduplication:
  leader_election: true # enable the leader election for cluster mode (in k8s only)
  time_window_seconds: 5 # duration in seconds for the deduplication time window (default: 5)

default_notifiers: # these notifiers will be enabled for all rules
  - k8sevents

aws:
  role_arn: arn:aws:iam::<account_number>:role/<role_name> # role to assume
  external_id: <external_id> # external id
  region: <region> # if not specified, the default region from the provider credential chain will be used
  access_key: <access_key> # if not specified, the default access_key from the provider credential chain will be used
  secret_key: <secret_key> # if not specified, the default secret_key from the provider credential chain will be used

minio:
  endpoint: <endpoint> # endpoint
  access_key: <access_key> # access key
  secret_key: <secret_key> # secret key
  use_ssl: false # use SSL

notifiers:
  slack:
    webhook_url: "https://hooks.slack.com/services/XXXX" # Slack webhook
    icon: "" # default: "https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg"
    username: "" # default: "Falco Talon"
    footer: "" # default: "https://github.com/falco-talon/falco-talon"
    format: long # default: long
  webhook:
    url: "" # address of the webhook endpoint
  smtp:
    host_port: "" # host:port of the SMTP server
    from: "" # from header
    to: "" # to
    user: "" # user
    password: "" # password
    format: "html" # format: html or text


See here for the settings of the notifiers.
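The table and the example above describe two things a practitioner usually wants to check before deploying: how an environment variable overrides a file setting (the table's mapping, e.g. `otel.traces_enabled` becomes `OTEL_TRACES_ENABLED`), and the constraints the table states (`aws.region`, `aws.access_key` and `aws.secret_key` belong together; `aws.external_id` is ignored without `aws.role_arn`; `use_insecure_grpc` and `use_ssl: false` trade off transport protection). The following Python script is an added example written for this page, not code from the Falco Talon project. It assumes the YAML has already been parsed into a dict (so no YAML library is needed), that the dot-to-underscore, upper-cased env-var convention from the table also applies to nested keys such as `notifiers.slack.webhook_url`, and that list-valued settings given as env vars are comma-separated; the sample config and environment are constructed for the demo.

```python
"""Added example (not Falco Talon code): compute the effective Falco Talon
configuration from defaults, a parsed config file and environment variables,
then report the consistency and transport-security findings a reviewer
would want. Assumptions: env-var names are the table's mapping (dots ->
underscores, upper-cased), assumed here to cover nested keys too; list
values from the environment are assumed comma-separated."""
from __future__ import annotations

import copy
from typing import Any, Iterator, Mapping

# Defaults copied from the settings table on this page (collector_port is
# left out because the table lists no usable default for it).
DEFAULTS: dict[str, Any] = {
    "listen_address": "0.0.0.0", "listen_port": "2803",
    "watch_rules": True, "print_all_events": True, "log_format": "color",
    "otel": {"traces_enabled": False, "metrics_enabled": False,
             "collector_endpoint": "localhost", "use_insecure_grpc": False,
             "timeout": 10},
    "deduplication": {"leader_election": True, "time_window_seconds": 5},
    "minio": {"use_ssl": False},
}

# Constructed sample: mirrors the page's example, with a few deliberate issues.
FILE_CONFIG: dict[str, Any] = {
    "listen_address": "0.0.0.0", "listen_port": "2803",
    "rules_files": ["./rules.yaml"], "log_format": "color",
    "otel": {"traces_enabled": True, "metrics_enabled": True,
             "collector_endpoint": "localhost", "collector_port": 4317,
             "use_insecure_grpc": True, "timeout": 10},
    "default_notifiers": ["k8sevents"],
    "aws": {"role_arn": "arn:aws:iam::<account_number>:role/<role_name>",
            "region": "<region>"},                      # keys missing
    "minio": {"endpoint": "minio.internal:9000", "access_key": "demo",
              "secret_key": "demo-secret", "use_ssl": False},
    "notifiers": {"slack": {"webhook_url": "https://hooks.slack.com/services/XXXX"},
                  "webhook": {"url": "http://hooks.internal/talon"}},
}
# Constructed environment: overrides that should win over the file.
ENV: dict[str, str] = {"OTEL_USE_INSECURE_GRPC": "false", "LISTEN_PORT": "2804",
                       "MINIO_SECRET_KEY": "from-env",
                       "DEDUPLICATION_TIME_WINDOW_SECONDS": "30"}


def env_name(path: str) -> str:
    """otel.traces_enabled -> OTEL_TRACES_ENABLED (the table's convention)."""
    return path.replace(".", "_").upper()


def flatten(d: Mapping[str, Any], prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, leaf_value) pairs for a nested mapping."""
    for k, v in d.items():
        p = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            yield from flatten(v, p)
        else:
            yield p, v


def set_path(d: dict, path: str, value: Any) -> None:
    keys = path.split(".")
    for k in keys[:-1]:
        d = d.setdefault(k, {})
    d[keys[-1]] = value


def coerce(old: Any, raw: str) -> Any:
    """Parse an env string into the type of the value it replaces."""
    if isinstance(old, bool):            # bool before int: True is an int
        return raw.strip().lower() in ("1", "true", "yes")
    if isinstance(old, int):
        return int(raw)
    if isinstance(old, list):            # assumption: comma-separated
        return [s.strip() for s in raw.split(",") if s.strip()]
    return raw


def deep_merge(base: Mapping, override: Mapping) -> dict:
    out = copy.deepcopy(dict(base))
    for k, v in override.items():
        out[k] = deep_merge(out[k], v) if isinstance(v, dict) and isinstance(out.get(k), dict) else v
    return out


def effective_config(file_cfg: Mapping, environ: Mapping[str, str]) -> dict:
    """defaults < file < environment, using the table's env-var names."""
    cfg = deep_merge(DEFAULTS, file_cfg)
    for path, value in list(flatten(cfg)):
        raw = environ.get(env_name(path))
        if raw is not None:
            set_path(cfg, path, coerce(value, raw))
    return cfg


def check(cfg: Mapping) -> list[str]:
    """Constraints stated in the table plus transport-security findings."""
    f: list[str] = []
    otel, aws, minio = cfg.get("otel", {}), cfg.get("aws", {}), cfg.get("minio", {})
    if otel.get("use_insecure_grpc") and (otel.get("traces_enabled") or otel.get("metrics_enabled")):
        f.append("otel.use_insecure_grpc is true: telemetry is sent without TLS")
    static = [k for k in ("region", "access_key", "secret_key") if aws.get(k)]
    if static and len(static) != 3:
        f.append("aws.region, aws.access_key and aws.secret_key must be specified together")
    if aws.get("external_id") and not aws.get("role_arn"):
        f.append("aws.external_id is ignored because aws.role_arn is not set")
    if len([k for k in ("access_key", "secret_key") if minio.get(k)]) == 1:
        f.append("minio.access_key and minio.secret_key must be specified together")
    if minio.get("endpoint") and not minio.get("use_ssl"):
        f.append("minio.use_ssl is false: credentials and objects travel in clear text")
    for path, v in flatten(cfg.get("notifiers", {})):
        if path.rsplit(".", 1)[-1] in ("url", "webhook_url") and v and not str(v).startswith("https://"):
            f.append(f"notifiers.{path} is not https")
    if cfg.get("log_format") not in ("text", "color", "json"):
        f.append("log_format must be text, color or json")
    if not cfg.get("rules_files"):
        f.append("rules_files is empty: no rules will be loaded")
    return f


def secrets_in_file(file_cfg: Mapping) -> list[str]:
    """Secrets written into the file rather than supplied via env vars."""
    return [p for p, v in flatten(file_cfg)
            if p.rsplit(".", 1)[-1] in ("secret_key", "password", "webhook_url") and isinstance(v, str) and v]


def audit(file_cfg: Mapping, environ: Mapping[str, str]) -> dict:
    cfg = effective_config(file_cfg, environ)
    return {"config": cfg, "findings": check(cfg), "secrets_in_file": secrets_in_file(file_cfg)}


if __name__ == "__main__":
    for k, v in audit(FILE_CONFIG, ENV).items():
        print(k, "=", v)
```

Run as-is, the script shows the environment overriding the file (`LISTEN_PORT`, `OTEL_USE_INSECURE_GRPC`, `MINIO_SECRET_KEY`, `DEDUPLICATION_TIME_WINDOW_SECONDS`) with types preserved, and lists the remaining findings: the partial AWS static credentials, the unencrypted MinIO endpoint and the plain-http webhook. Running `audit(FILE_CONFIG, {})` instead surfaces the `use_insecure_grpc` finding that the env var had silenced, which is exactly why the effective configuration, not just the file, should be reviewed.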