Falcosidekick 2.27.0 and Falcosidekick-UI 2.1.0
So many good things happened for Falcosidekick and Falcosidekick UI this year. It's still incredible these projects became so beloved and useful for the community. To all contributors, promoters and users, a big big thank you.
The new year is here, so it's time to release new versions and reach 10 million Docker pulls for Falcosidekick.
Falcosidekick v2.27.0
What a huge release! Never has a previous release gotten so many new features and outputs. You can read the full changelog here.
New outputs
This release brings a lot of new outputs thanks to our amazing contributors. Here you have a list of them.
Yandex Data Stream
Yandex is a Russian cloud provider that provides various services such as Data Streams. With this new output, we can connect Falco to one more cloud provider. Thank you, preved911.
MQTT and Node-Red
IoT is a whole new world for Falco. With these 2 new outputs, Falco can make its first steps in this ecosystem and we are sure more will come in 2023. Stay tuned.
Zincsearch
Do you want a full-text indexer lighter than Elasticsearch? Take a look at Zincsearch.
Gotify
By using Gotify and the new dedicated output, you can now push Falco events to your Android phone.
Spyderbat
Are you a user of Spyderbat and want to extend its sources of events? Now you can, thanks to spyder-kyle.
Tekton
Do you remember the blog post on how to create a Response Engine for Falco with Tekton? The proposed solution used the generic Webhook output. From now on, Tekton can use a dedicated one.
TimescaleDB
TimescaleDB is an OSS database made for time-series data. Thanks to jagretti, Falcosidekick can insert Falco events into it.
AWS Security Lake
At re:Invent 2023, AWS announced a new data lake made for security data: AWS Security Lake. We worked with AWS teams to have Falco as a source partner from day one, making it the first OSS project that can be used with that service and strengthening once more the integration with the AWS ecosystem.
New features
The list of new outputs is already quite long, but the list of enhancements is even longer. The full list is here, but let's have a look at the major changes.
SASL auth mechanisms for SMTP and Kafka outputs
Improving security is our duty to all, and one key element is the authentication method. Thanks to Lowaiz, both SMTP and Kafka outputs can now use the benefits of SASL Auth mechanisms.
Environment variables for custom labels and templated labels
The ability to inject custom fields into the payloads is an important feature of Falcosidekick. The only drawback was that these fields were static. That limitation is over: you can now use environment variables in your custom fields. A new kind of custom field is also available: "templated fields". They reuse the fields already present in the event to generate new ones with a Go template:
templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values
  Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}'
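How that template resolves, as an added example (not Falcosidekick's own code): it assumes the template's "." is the event's output_fields map, as the config comment says, and the function name and sample events are constructed. It shows the fallback to "bar" when the namespace label is missing or empty, which matters if the field drives alert routing.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// renderTemplatedFields evaluates each templated field against one event's
// output_fields and returns the extra fields that would be added to it.
// Assumption: "." inside the template is the output_fields map.
func renderTemplatedFields(templated map[string]string, outputFields map[string]interface{}) (map[string]string, error) {
	rendered := make(map[string]string, len(templated))
	for name, text := range templated {
		tmpl, err := template.New(name).Parse(text)
		if err != nil {
			return nil, fmt.Errorf("templated field %q: %w", name, err)
		}
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, outputFields); err != nil {
			return nil, fmt.Errorf("templated field %q: %w", name, err)
		}
		rendered[name] = buf.String()
	}
	return rendered, nil
}

func main() {
	// Falco field names contain dots, so the template must use
	// index . "k8s.ns.labels.foo" rather than .k8s.ns.labels.foo.
	templated := map[string]string{
		"Dkey": `{{ or (index . "k8s.ns.labels.foo") "bar" }}`,
	}
	// Constructed sample events: label set, label absent, label empty.
	events := []map[string]interface{}{
		{"k8s.ns.name": "payments", "k8s.ns.labels.foo": "pci"},
		{"k8s.ns.name": "default"},
		{"k8s.ns.name": "dev", "k8s.ns.labels.foo": ""},
	}
	for _, of := range events {
		out, err := renderTemplatedFields(templated, of)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%v -> Dkey=%q\n", of["k8s.ns.name"], out["Dkey"])
	}
}
```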
Hostname field
Since Falco 0.33, a new field is present in Falco events: hostname. Falcosidekick and all its current outputs are up to date and ready for it. Once again, thanks to Lowaiz.
Loki format and Grafana Cloud
The Loki format has been upgraded and credentials can be set. It allows you to use Grafana Cloud as a target.
K8S Policy Reports are bound to the namespaces
Policy Reports in K8S are still prototypes but Falcosidekick is already able to create them. Some improvements have been made to determine the target resource and the report is now created in the same namespace as the source pod.
More headers in SMTP payload
To avoid being flagged as spam by some anti-spam systems, some headers like From, To and Date have been added to the emails created by Falcosidekick.
CEF format Syslog
For the Syslog output, you can choose between json and CEF as formats. This makes integration with services like Microsoft Sentinel or Splunk easier.
Fixes
Even if we do our best to avoid them, the community has lately faced some bugs that we have fixed in this release.
The most important one was a race condition when headers were added to the POST requests. Adopters with high rates of requests were occasionally facing authentication failures or missing headers. bc-sb solved this with a temporary solution, but we'll improve it in the future (Falcosidekick v3? Who knows...).
Falcosidekick UI v2.1.0
The new features for Falcosidekick UI, although lower in number, are still big improvements. The full changelog is here.
Env vars for settings
All settings to configure Falcosidekick UI can be passed as either CLI arguments or as env vars. Run falcosidekick-ui --help for more details.
New logs
The logs were too verbose for production contexts. Now it's configurable via a log-level option:
-l string
Log level: "debug", "info", "warning", "error" (default "info", environment "FALCOSIDEKICK_UI_LOGLEVEL")
Auto refresh
Long-term adopters may remember the dashboard in Falcosidekick UI v1 was auto-refreshed. This feature is back, for all widgets, independently of the page.
Authentication
This is a major new feature. The interface is now protected by the Basic Auth method. More methods will be added in the future.
Set the FALCOSIDEKICK_UI_USER env var to define the credentials.
Info page
The info page has been rewritten for a nicer look & feel.
Hostname
As for Falcosidekick, Falcosidekick UI supports the display of the new hostname field.
TTL for keys
Falcosidekick UI can store a huge number of events, which can fill the disk of the Redis database. A TTL for the entries can be set to avoid this situation.
-t int
TTL for keys (default "0", environment "FALCOSIDEKICK_UI_TTL")
Conclusion
The respective Helm charts are already updated so you can test all these great new features on your own. Run a helm upgrade --reuse-values -n falco to do so.
Once again, thanks to all adopters and contributors who helped and contributed for years to create pieces of software useful to everybody. We hope 2023 will be amazing for Falco and its ecosystem.
As usual, if you have any feedback or need help, you can find us at any of the following locations.
- Get started in Falco.org
- Check out the Falcosidekick project on GitHub.
- Check out the Falcosidekick UI project on GitHub.
- Get involved in the Falco community.
- Meet the maintainers on the Falco Slack.
- Follow @falco_org on Twitter.