Читать книгу Cloud Native Security - Chris Binnie - Страница 37

In addition to the standard Unix-like syslog log forwarding, there are other ways to receive alerts from Falco. To use syslog, you can simply tweak your configuration this way:

syslog_output: enabled: true

But to use ChatOps alerts, via Slack, for example, Sysdig has created a repository in GitHub (github.com/falcosecurity/falcosidekick) to assist with just that.

The documentation describes the service that the code will provide as “a simple daemon for enhancing available outputs for Falco.” The list of compatible recipients is lengthy and includes most of the usual suspects, such as Slack, Datadog, AWS Lambda, Opsgenie, Rocketchat, and SMTP for email.

A nice touch is that you can even spawn it as another container; to do that, you would use syntax such as this:

$ docker run -d -p 2801:2801 -e SLACK_WEBHOOKURL=XXXXX \ falcosecurity/falcosidekick

Additionally, the documentation provides lots of pointers on how to tweak each of the webhook outputs to your needs and enjoy real-time messaging as you want in order to set off emergency pagers at 4 a.m. or just report innocuous events to a chat channel.