Receive and analyze Syslog events with Falco
https://github.com/nabokihms/syslogsrv-falco-plugin

# Syslog Server Falco Plugin

## Introduction

The Syslog Server Falco Plugin lets Falco, the cloud-native runtime security tool, accept events as a Syslog server.
This allows security teams and system administrators to gain deeper insight into the security posture of their containerized environments by analyzing events that are usually sent to syslog, e.g., SSH authentication events.

The plugin was tested with [Falco 0.35.1](https://github.com/falcosecurity/falco/releases/tag/0.35.1).

### Functionality

By using this plugin, Falco can act as a syslog server and accept events sent over the syslog protocol (RFC3164, RFC5424, and RFC6587 are supported).

## Capabilities

The `syslogsrv` plugin implements both the event sourcing and the field extraction capabilities of the Falco Plugin System.

### Event Source

The event source for syslog events is `syslogsrv`.

### Supported Fields

| NAME | TYPE | ARG | DESCRIPTION |
|-----------------------|----------|------|-----------------------------------------------------------------------------------|
| `syslogsrv.timestamp` | `string` | None | Time at which the event occurred |
| `syslogsrv.hostname` | `string` | None | Source host |
| `syslogsrv.message` | `string` | None | The syslog message body |
| `syslogsrv.priority` | `int` | None | Priority value of the event |
| `syslogsrv.facility` | `int` | None | Facility code identifying the type of system that logged the message |
| `syslogsrv.severity` | `int` | None | Severity level of the event |
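To show how the fields above are recovered from the wire formats named under Functionality, here is an added Go example (not the plugin's own code) that decodes the `<PRI>` header of an RFC3164 or RFC5424 line into priority, facility and severity and splits out timestamp, hostname and message. It assumes RFC5424 lines carry the nil `-` structured-data field and does not handle RFC6587 octet-counting framing; the sample line in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

type Event struct { // the six fields syslogsrv exposes to Falco rules
	Timestamp, Hostname, Message string
	Priority, Facility, Severity int
}

// ParseSyslog decodes <PRI> (PRI = facility*8 + severity, RFC3164 and RFC5424 alike) and
// splits the rest into timestamp, hostname, message; RFC5424 needs the NILVALUE "-" SD field.
func ParseSyslog(line string) (ev Event, err error) {
	end := strings.IndexByte(line, '>')
	if !strings.HasPrefix(line, "<") || end < 2 || end > 4 { // PRI has 1 to 3 digits
		return ev, errors.New("malformed <PRI> header")
	}
	pri, err := strconv.Atoi(line[1:end])
	if err != nil || pri < 0 || pri > 191 { // facility 0..23, severity 0..7
		return ev, errors.New("PRI out of range")
	}
	ev.Priority, ev.Facility, ev.Severity = pri, pri/8, pri%8
	rest := line[end+1:]
	if strings.HasPrefix(rest, "1 ") { // RFC5424: 1 TIMESTAMP HOSTNAME APP PROCID MSGID SD MSG
		p := strings.SplitN(rest, " ", 8)
		if len(p) < 8 || p[6] != "-" {
			return ev, errors.New("truncated RFC5424 header or unsupported structured data")
		}
		ev.Timestamp, ev.Hostname, ev.Message = p[1], p[2], p[7]
		return ev, nil
	}
	// RFC3164: "Mmm dd hh:mm:ss HOSTNAME MSG"; the timestamp is a fixed 15 bytes
	if len(rest) < 17 || rest[15] != ' ' {
		return ev, errors.New("truncated RFC3164 header")
	}
	host, msg, ok := strings.Cut(rest[16:], " ")
	if !ok {
		return ev, errors.New("missing RFC3164 hostname or message")
	}
	ev.Timestamp, ev.Hostname, ev.Message = rest[:15], host, msg
	return ev, nil
}

func main() { // constructed RFC3164 sample, not output from the plugin
	fmt.Println(ParseSyslog("<34>Oct 11 22:14:15 mymachine su: 'su root' failed"))
}
```

A message that fails to parse is rejected outright rather than partially populated, so a rule matching on `syslogsrv.facility` never sees a zeroed field from a malformed line.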

## Usage

### Configuration

Here's an example of configuration of `falco.yaml`:

```yaml
plugins:
  - name: syslogsrv
    library_path: libsyslogsrv.so
    init_config:
      sslCertificate: /etc/falco/falco.pem
      format: "RFC6587"
    open_params: "udp://127.0.0.1:30514"

load_plugins: [syslogsrv]
```

**Initialization Config**:
- `sslCertificate`: The SSL Certificate to be used with the HTTPS Webhook endpoint (Default: /etc/falco/falco.pem)
- `maxEventSize`: Maximum size of a single event (Default: 262144)
- `format`: Which syslog format to use when parsing messages (Default: RFC3164)
- `useAsync`: If true, the async extraction optimization is enabled (Default: true)

**Open Parameters**:
- `udp://:`: Opens a UDP syslog server
- `tcp://:`: Opens a TCP syslog server
- `unixgram://socket.path`: Opens a syslog server that accepts events on the given unixgram file socket

### Rules

TODO