Missing event metadata #3246
Comments
This is expected as Falco builds up internal state to serve you all the information (see the source code https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/parsers.cpp). If we drop too many events kernel side, the state engine is not working. Perhaps the adaptive syscalls blog post (https://falco.org/blog/adaptive-syscalls-selection/) can provide more insights, and the
Have you explored the internal automatic drop alerts or Falco metrics https://falco.org/docs/metrics/falco-metrics/ as alternative? Both expose drop counters from which you can infer how the buffer is holding up. Some more general info: Btw, in your example log it shows user names and group names, is the host /etc dir mounted and available? We have had issues in the past with minikube support in general as some mounts or setup is not like on actual Kubernetes. Perhaps some of it is also because of that.
Thanks, I will check the blog post regarding adaptive syscalls. driver: I think it isn't a minikube compatibility issue because, as you can see in the table above, the majority of the events are perfectly enriched like:
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
Hi 👋
We have some false positive alerts on empty events, similar to #3234, #2700 (hope I can help in these cases as well)
Missing event metadata appears as `null`, `-1` or `4294967295`.
Based on my local tests, the root cause is the too small bufSizePreset parameter. This buffer is crucial when Falco has to handle a "process flood" (e.g. a process makes hundreds of child processes).
To simulate a "process flood" I created a small golang script which triggers the rule 1000 times in different child processes (on the host).
Test env: t3.small with minikube 4.3.0
Results
bufSizePreset
As you can see above, as we increase the buffer, the number of events without metadata decreases. When we use a buffer of appropriate size the issue disappears, and the Falco logs contain only properly enriched events.
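A small checker for the same measurement, as an added example that is not code from the issue or from Falco: it reads Falco JSON output lines and counts how many events carry the sentinel values described above (`null`, `-1`, `4294967295`), so the unenriched ratio can be tracked while raising bufSizePreset. The sample lines and the `<NA>` string form are constructed here for illustration.

```python
import json
from collections import Counter

# Constructed lines in Falco's JSON output format (json_output: true), not
# logs from the issue. Two of the four carry the sentinel values the issue
# reports (null, -1, 4294967295) for fields Falco could not enrich.
SAMPLE_LINES = [
    '{"rule":"Run shell untrusted","output_fields":{"proc.name":"bash","proc.pname":"flood","proc.ppid":4120,"user.uid":1000,"user.name":"alice"}}',
    '{"rule":"Run shell untrusted","output_fields":{"proc.name":"bash","proc.pname":null,"proc.ppid":-1,"user.uid":4294967295,"user.name":"<NA>"}}',
    '{"rule":"Run shell untrusted","output_fields":{"proc.name":"bash","proc.pname":"flood","proc.ppid":4121,"user.uid":1000,"user.name":"alice"}}',
    '{"rule":"Run shell untrusted","output_fields":{"proc.name":"bash","proc.pname":null,"proc.ppid":4122,"user.uid":1000,"user.name":"alice"}}',
]

# Placeholder values the issue shows for missing metadata; "<NA>" is the
# string form Falco uses for an absent field in plain-text output.
MISSING_SENTINELS = {None, -1, 4294967295, "<NA>"}


def missing_fields(event):
    """Names of output_fields in one parsed event that hold a sentinel."""
    fields = event.get("output_fields") or {}
    return sorted(name for name, value in fields.items()
                  if isinstance(value, (type(None), int, str))
                  and value in MISSING_SENTINELS)


def summarize(lines):
    """Return (events, unenriched_events, Counter of missing field names)."""
    total, unenriched, per_field = 0, 0, Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated log tail instead of counting it
        total += 1
        missing = missing_fields(event)
        if missing:
            unenriched += 1
            per_field.update(missing)
    return total, unenriched, per_field


def unenriched_ratio(lines):
    """Fraction of events missing metadata (0.0 for empty input); a ratio
    that climbs under a process flood points at an undersized buffer."""
    total, unenriched, _ = summarize(lines)
    return unenriched / total if total else 0.0
```

Run it against the actual Falco output file (one JSON object per line) before and after changing bufSizePreset; the ratio should drop towards zero once the buffer is large enough.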
Ideas
bufSizePreset
bufferbufSizePreset
specific debug message (with a logic which can measure the buffer utilisation) would be very useful