Optional output field? #370

Closed
pirxthepilot opened this issue Oct 12, 2022 · 9 comments
@pirxthepilot

pirxthepilot commented Oct 12, 2022

Motivation

In an effort to make events coming from Falco as compact as possible, I would like to set json_include_output_property to false. However, it looks like falcosidekick does not accept events that do not have the output field (here and here).

Feature

Would it be possible for falcosidekick to accept events that do not have the output field? Thanks!

@pirxthepilot pirxthepilot added the kind/feature New feature or request label Oct 12, 2022
@Issif
Member

Issif commented Oct 12, 2022

You're right, these fields are mandatory. What's your use case exactly? Even with them, the size of the payload is quite small and these fields are really useful for a lot of systems (e.g. response engine).

@pirxthepilot
Author

Hi Thomas, our Falco config is generating a lot of events (on purpose) and so every bit of savings in the message size helps. The messages ultimately end up in a SIEM where only output_fields is used, aside from the rule name, priority and timestamp, so we really do not need output. We also have a few rules where we collect a lot of fields so the output can get quite big. And if Falco itself supports not having the output field, I'm hoping sidekick can support it too.

Thanks!

@poiana

poiana commented Jan 11, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Issif
Member

Issif commented Jan 11, 2023

/remove-lifecycle stale

@Issif Issif added this to the 2.28.0 milestone Feb 27, 2023
@poiana

poiana commented May 28, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana

poiana commented Jun 27, 2023

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@Issif Issif modified the milestones: 2.28.0, 2.29.0 Jul 12, 2023
@poiana

poiana commented Aug 11, 2023

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana poiana closed this as completed Aug 11, 2023
@poiana

poiana commented Aug 11, 2023

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Issif
Member

Issif commented Aug 27, 2023

reopen
/remove-lifecycle rotten
