Ingest CNCF Falco data
editIngest CNCF Falco data
editCNCF Falco is an open-source runtime security tool that detects anomalous activity in Linux hosts, containers, Kubernetes, and cloud environments. You can ingest Falco alerts into Elasticsearch to view them on Elastic Security’s Alerts page and incorporate them into your security workflows by using Falcosidekick, a proxy forwarder which can send alerts from your Falco deployments to Elasticsearch.
First, you’ll need to configure Elastic Security to receive data from Falco, then you’ll need to configure Falco and Falcosidekick to send data to Elasticsearch.
Configure Elastic Security to receive Falco data
editIn Elastic Security:
- Click Add integrations.
-
Search the Integrations page for
Falco
, then select it. - Go to the Falco integration’s Settings tab.
- Click Install Falco, then confirm by clicking Install Falco again. Installation should take less than a minute.
Elastic Security is now ready to receive data from Falco. The Falco integration page now has an Assets tab where you can inspect the newly installed assets that help to ingest Falco data.
Next, to make alerts from Falco appear on Elastic Security’s Alerts page:
- Find the Rules page in the navigation menu or by using the global search field.
- Click Detection rules (SIEM).
-
Search for a rule called
External Alerts
. Install it if necessary, and enable it.
Configure Falco and Falcosidekick
editYou can either:
Configure Falco and Falcosidekick for VMs
editMultiple methods for configuring Falco to send data from VMs to Elasticsearch are available. This guide uses the Falco sidekick on Docker using environment variables method.
Configure Falco for VMs:
edit- Refer to Falco’s documentation to install Falco on the Linux VMs you wish to monitor.
-
Once Falco is installed, update
/etc/falco/falco.yaml
as follows:-
Enable JSON output:
json_output: true
-
Enable HTTP output: under
http_output
, for theurl
value, enter theurl:port
where Falcosidekick will listen. For example, if Falcosidekick is running on localhost:http_output: enabled: true url: "http://0.0.0.0:2801/"
-
Enable JSON output:
Configure Falcosidekick for VMs:
edit- Refer to Falcosidekick’s documentation to install Falcosidekick.
-
Use the Falcosidekick on Docker using environment variables method and set your environment variables as follows:
-
ELASTICSEARCH_HOSTPORT
: Your Elasticsearch endpoint URL, which can be found under Connection details on the upper right of the Integrations page in Kibana. -
ELASTICSEARCH_INDEX
: The Elasticsearch index where you want to store Falco logs.Your
ELASTICSEARCH_INDEX
value must matchlogs-falco.alerts-*
. -
ELASTICSEARCH_SUFFIX
: The frequency with which you want the Elasticsearch index suffix to change. Eitherdaily
,monthly
,annually
, ornone
. -
ELASTICSEARCH_APIKEY
: The recommended way to authenticate to Elasticsearch, by providing an API key. Note that support for this environment variable starts with Falcosidekick version 2.30. You can access the latest version on Falcosidekick’s Docker Hub. -
ELASTICSEARCH_USERNAME
andELASTICSEARCH_PASSWORD
: The username and password for an account on your Elasticsearch instance. Authentication using these environment variables is not supported on Elastic Cloud Serverless. -
ELASTICSEARCH_MUTUALTLS
andELASTICSEARCH_CHECKCERT
: For security reasons, we recommend setting these totrue
.
-
For example:
docker run -d -p 2801:2801 -e ELASTICSEARCH_HOSTPORT=https://test-falco.es.us-west2.gcp.elastic-cloud.com -e ELASTICSEARCH_INDEX=logs-falco.alerts-all -e ELASTICSEARCH_SUFFIX=none -e ELASTICSEARCH_APIKEY=XXXXXXXXXXXXX -e ELASTICSEARCH_MUTUALTLS=true -e ELASTICSEARCH_CHECKCERT=true falcosecurity/falcosidekick
The Elasticsearch account used to authenticate Falcosidekick only needs sufficient privileges to create and write to new indices. We recommend following the principle of least privilege when provisioning this account.
After installing and configuring Falcosidekick, restart Falco with sudo systemctl restart falco
. Falcosidekick should start sending alerts to Elasticsearch.
Configure Falco and Falcosidekick for Kubernetes
edit-
Add the Falco Helm charts:
helm repo add falcosecurity https://falcosecurity.github.io/charts helm repo update
-
Next, install Falco and Falcosidekick using the
falcosecurity/falco
Helm chart with appropriate values for each of thefalcosidekick.config.elasticsearch.*
fields:helm install falco falcosecurity/falco \ --set falcosidekick.enabled=true \ --set tty=true \ --set driver.kind=modern_ebpf \ --set collectors.kubernetes.enabled=true \ --set falcosidekick.config.elasticsearch.hostport="https://<ES host>" \ --set falcosidekick.config.elasticsearch.username="<elastic>" \ --set falcosidekick.config.elasticsearch.password="<password>" \ --set falcosidekick.config.elasticsearch.index="logs-falco.alerts-all" \ --set falcosidekick.config.elasticsearch.suffix="none"