allow to specify custom tags to append

README.md

@@ -329,6 +329,9 @@ customfields: # custom fields are added to falco events, if the value starts wit
   # Ckey: "CValue"
 templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values
   # Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}'
+customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used
+  # - tagA
+  # - tagB
 # bracketreplacer: "_" # if not empty, replace the brackets in keys of Output Fields
 outputFieldFormat: "<timestamp>: <priority> <output> <custom_fields> <templated_fields>" # if not empty, allow to change the format of the output field. (default: "<timestamp>: <priority> <output>")
 mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")

config.go

@@ -509,6 +509,8 @@ func getConfig() *types.Configuration {
 	v.SetDefault("AWS.Kinesis.StreamName", "")
 	v.SetDefault("AWS.Kinesis.MinimumPriority", "")
 
+	v.SetDefault("Alertmanager.MinimumPriority", "")
+
 	v.SetDefault("Prometheus.ExtraLabels", "")
 
 	v.SetDefault("Azure.eventHub.Namespace", "")
@@ -576,6 +578,7 @@ func getConfig() *types.Configuration {
 	}
 
 	v.GetStringSlice("TLSServer.NoTLSPaths")
+	v.GetStringSlice("Customtags")
 
 	v.GetStringMapString("Customfields")
 	v.GetStringMapString("Templatedfields")
@@ -594,6 +597,10 @@ func getConfig() *types.Configuration {
 		c.TLSServer.NoTLSPaths = strings.Split(value, ",")
 	}
 
+	if value, present := os.LookupEnv("CUSTOMTAGS"); present {
+		c.Customtags = strings.Split(strings.ReplaceAll(value, " ", ""), ",")
+	}
+
 	if value, present := os.LookupEnv("CUSTOMFIELDS"); present {
 		customfields := strings.Split(value, ",")
 		for _, label := range customfields {
@@ -791,11 +798,11 @@ func getConfig() *types.Configuration {
 				log.Printf("[ERROR] : AlertManager - Fail to parse threshold - Atoi fail %v", threshold)
 				continue
 			}
-			priority := types.Priority(strings.TrimSpace(values[1]))
-			if priority == types.Default {
-				log.Printf("[ERROR] : AlertManager - Priority '%v' is not a valid falco priority level", priority.String())
+			if p := strings.TrimSpace(values[1]); p == "" {
+				log.Printf("[ERROR] : AlertManager - Priority '%v' is not a valid falco priority level", p)
 				continue
 			}
+			priority := types.Priority(strings.TrimSpace(values[1]))
 			c.Alertmanager.DropEventThresholdsList = append(c.Alertmanager.DropEventThresholdsList, types.ThresholdConfig{Priority: priority, Value: valueInt})
 		}
 	}

config_example.yaml

@@ -8,6 +8,9 @@ customfields: # custom fields are added to falco events and metrics, if the valu
 templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values
   # Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}'
 # bracketreplacer: "_" # if not empty, the brackets in keys of Output Fields are replaced
+customtags: # custom tags are added to the falco events, if the value starts with % the relative env var is used
+  - tagA
+  - tagB
 outputFieldFormat: "<timestamp>: <priority> <output> <custom_fields> <templated_fields>" # if not empty, allow to change the format of the output field. (default: "<timestamp>: <priority> <output>")
 mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls for outputs, will be deprecated in the future (default: "/etc/certs")
 mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy

handlers.go

@@ -106,6 +106,8 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) {
 		}
 	}
 
+	falcopayload.Tags = append(falcopayload.Tags, config.Customtags...)
+
 	if falcopayload.Rule == "Test rule" {
 		falcopayload.Source = "internal"
 	}
@@ -202,6 +204,7 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) {
 			n = strings.ReplaceAll(n, "<output>", o)
 			n = strings.ReplaceAll(n, "<custom_fields>", strings.TrimSuffix(customFields, " "))
 			n = strings.ReplaceAll(n, "<templated_fields>", strings.TrimSuffix(templatedFields, " "))
+			n = strings.ReplaceAll(n, "<tags>", strings.Join(falcopayload.Tags, ","))
 			n = strings.TrimSuffix(n, " ")
 			n = strings.TrimSuffix(n, "( )")
 			n = strings.TrimSuffix(n, "()")
@@ -212,9 +215,9 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) {
 
 	if len(falcopayload.String()) > 4096 {
 		for i, j := range falcopayload.OutputFields {
-			switch j.(type) {
+			switch l := j.(type) {
 			case string:
-				if len(j.(string)) > 512 {
+				if len(l) > 512 {
 					k := j.(string)[:507] + "[...]"
 					falcopayload.Output = strings.ReplaceAll(falcopayload.Output, j.(string), k)
 					falcopayload.OutputFields[i] = k

types/types.go

@@ -60,6 +60,7 @@ type Configuration struct {
 	BracketReplacer    string
 	OutputFieldFormat  string
 	Customfields       map[string]string
+	Customtags         []string
 	Templatedfields    map[string]string
 	Prometheus         prometheusOutputConfig
 	Slack              SlackOutputConfig