diff --git a/README.md b/README.md index f8128b1cc..c9386ef4d 100644 --- a/README.md +++ b/README.md @@ -329,6 +329,9 @@ customfields: # custom fields are added to falco events, if the value starts wit # Ckey: "CValue" templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values # Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}' +customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used + # - tagA + # - tagB # bracketreplacer: "_" # if not empty, replace the brackets in keys of Output Fields outputFieldFormat: ": " # if not empty, allow to change the format of the output field. (default: ": ") mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs") diff --git a/config.go b/config.go index ee610c8ad..d2ba750c6 100644 --- a/config.go +++ b/config.go @@ -509,6 +509,8 @@ func getConfig() *types.Configuration { v.SetDefault("AWS.Kinesis.StreamName", "") v.SetDefault("AWS.Kinesis.MinimumPriority", "") + v.SetDefault("Alertmanager.MinimumPriority", "") + v.SetDefault("Prometheus.ExtraLabels", "") v.SetDefault("Azure.eventHub.Namespace", "") @@ -576,6 +578,7 @@ func getConfig() *types.Configuration { } v.GetStringSlice("TLSServer.NoTLSPaths") + v.GetStringSlice("Customtags") v.GetStringMapString("Customfields") v.GetStringMapString("Templatedfields") @@ -594,6 +597,10 @@ func getConfig() *types.Configuration { c.TLSServer.NoTLSPaths = strings.Split(value, ",") } + if value, present := os.LookupEnv("CUSTOMTAGS"); present { + c.Customtags = strings.Split(strings.ReplaceAll(value, " ", ""), ",") + } + if value, present := os.LookupEnv("CUSTOMFIELDS"); present { customfields := strings.Split(value, ",") for _, label := range customfields { 
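Review bot: In the `CUSTOMTAGS` block of config.go (hunk at -594), `strings.Split` on an empty or comma-terminated value yields empty strings, so `CUSTOMTAGS=""` or `CUSTOMTAGS="a,"` puts a `""` entry into `c.Customtags`, and the handlers.go hunk appends that slice to every event's tags. `strings.ReplaceAll(value, " ", "")` also deletes spaces inside a tag rather than only around it, which silently rewrites the operator's value. Trimming each element and skipping empty ones keeps the env-overrides-file behaviour without those side effects. getConfig starts and ends outside the hunk.

```go
if value, present := os.LookupEnv("CUSTOMTAGS"); present {
	tags := make([]string, 0)
	for _, tag := range strings.Split(value, ",") {
		if tag = strings.TrimSpace(tag); tag != "" {
			tags = append(tags, tag)
		}
	}
	c.Customtags = tags
}
```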
@@ -791,11 +798,11 @@ func getConfig() *types.Configuration { log.Printf("[ERROR] : AlertManager - Fail to parse threshold - Atoi fail %v", threshold) continue } - priority := types.Priority(strings.TrimSpace(values[1])) - if priority == types.Default { - log.Printf("[ERROR] : AlertManager - Priority '%v' is not a valid falco priority level", priority.String()) + if p := strings.TrimSpace(values[1]); p == "" { + log.Printf("[ERROR] : AlertManager - Priority '%v' is not a valid falco priority level", p) continue } + priority := types.Priority(strings.TrimSpace(values[1])) c.Alertmanager.DropEventThresholdsList = append(c.Alertmanager.DropEventThresholdsList, types.ThresholdConfig{Priority: priority, Value: valueInt}) } } diff --git a/config_example.yaml b/config_example.yaml index 55c7b62be..dd2514a7f 100644 --- a/config_example.yaml +++ b/config_example.yaml @@ -8,6 +8,9 @@ customfields: # custom fields are added to falco events and metrics, if the valu templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values # Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}' # bracketreplacer: "_" # if not empty, the brackets in keys of Output Fields are replaced +customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used + - tagA + - tagB outputFieldFormat: ": " # if not empty, allow to change the format of the output field. (default: ": ") mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs") mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy diff --git a/handlers.go b/handlers.go index bd3b6bef4..b5669393c 100644 --- a/handlers.go +++ b/handlers.go 
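Review bot: The new guard in the AlertManager threshold loop rejects only an empty priority string, whereas the removed check rejected anything that `types.Priority` mapped to `types.Default`. If `types.Priority` still returns `types.Default` for unrecognised input (its body is not in this diff), a misspelt priority name now lands in `DropEventThresholdsList` as a default-level threshold with no error logged, which may change which events are dropped. The log line can also only ever print `''`, because it fires when `p` is empty. Consider hoisting `p := strings.TrimSpace(values[1])`, logging the raw `values[1]`, and checking `p` against the known priority names before `priority := types.Priority(p)`. The enclosing loop and getConfig extend beyond the hunk.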
@@ -106,6 +106,8 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) { } } + falcopayload.Tags = append(falcopayload.Tags, config.Customtags...) + if falcopayload.Rule == "Test rule" { falcopayload.Source = "internal" } @@ -202,6 +204,7 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) { n = strings.ReplaceAll(n, "", o) n = strings.ReplaceAll(n, "", strings.TrimSuffix(customFields, " ")) n = strings.ReplaceAll(n, "", strings.TrimSuffix(templatedFields, " ")) + n = strings.ReplaceAll(n, "", strings.Join(falcopayload.Tags, ",")) n = strings.TrimSuffix(n, " ") n = strings.TrimSuffix(n, "( )") n = strings.TrimSuffix(n, "()") @@ -212,9 +215,9 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) { if len(falcopayload.String()) > 4096 { for i, j := range falcopayload.OutputFields { - switch j.(type) { + switch l := j.(type) { case string: - if len(j.(string)) > 512 { + if len(l) > 512 { k := j.(string)[:507] + "[...]" falcopayload.Output = strings.ReplaceAll(falcopayload.Output, j.(string), k) falcopayload.OutputFields[i] = k diff --git a/types/types.go b/types/types.go index 840ed817d..88b1fc00c 100644 --- a/types/types.go +++ b/types/types.go @@ -60,6 +60,7 @@ type Configuration struct { BracketReplacer string OutputFieldFormat string Customfields map[string]string + Customtags []string Templatedfields map[string]string Prometheus prometheusOutputConfig Slack SlackOutputConfig
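Review bot: `config.Customtags` is appended verbatim in newFalcoPayload, so a value such as `%CLUSTER` (constructed example) would reach outputs as literal text, while the README and config_example.yaml comments added in this commit say a leading `%` selects an environment variable. None of the hunks shown performs that lookup for tags. Either resolve the values once in getConfig, per element `if strings.HasPrefix(t, "%") { t = os.Getenv(t[1:]) }`, or drop the `%` sentence from the two comments. newFalcoPayload begins and ends outside this hunk.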
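Review bot: The type-switch binding `l` introduced in the last handlers.go hunk is used only for the length check; the context lines below it still re-assert `j.(string)`. Using the binding throughout, `k := l[:507] + "[...]"` and `falcopayload.Output = strings.ReplaceAll(falcopayload.Output, l, k)`, removes the repeated assertions and keeps the case body consistent. Separately, slicing at byte 507 can cut a multi-byte UTF-8 character in half; that line is unchanged context, so it is better handled as a follow-up. The loop body continues past the end of the hunk.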