falcosidekick to grafana loki: hostname label - need additional details
jodanpotasu opened this issue · 9 comments
I tried lurking through the sidekick code, although it didn't help much...
I have a problem with the hostname. I have a couple of servers running where each one has falco running in the docker. Of course I have changed the hostname in each docker, but still I am being sent a string of characters that I cannot decrypt.
What i have on machine: ansible-test
What i have in docker container: ansible-test-docker
What sidekick sends as hostname: ff5809b3eaba
Could someone please tell me how to change the hostname that sidekick sends or how to decrypt it?
Hi,
The hostname field is not filled by Falcosidekick but by Falco itself; it's the name of the host/container where Falco is running. I guess you could make Falcosidekick override the value with the custom fields (see falcosidekick/config_example.yaml, line 4 in 2ffcd83).
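Since the hostname field comes from Falco, a quick way to see which events reach Loki with an unusable source label is to audit that field on the forwarded JSON. The following is an added example, not code from Falcosidekick or from anyone in this thread; the events are constructed samples modelled on the one quoted later in the thread, and the only check is whether the hostname looks like a bare Docker container ID (12 lowercase hex characters, like ff5809b3eaba) rather than a real host name.

```python
import json
import re

# Constructed sample of Falco events as Falcosidekick forwards them (JSON lines).
# Only the hostname field matters here; the other fields are illustrative.
SAMPLE_EVENTS = [
    '{"hostname":"ansible-test-docker","priority":"Error","rule":"Write below root","output":"..."}',
    '{"hostname":"ff5809b3eaba","priority":"Error","rule":"Write below root","output":"..."}',
    '{"hostname":"ff5809b3eaba","priority":"Warning","rule":"Terminal shell in container","output":"..."}',
    '{"hostname":"ansible-test","priority":"Notice","rule":"Read sensitive file","output":"..."}',
]

# A bare Docker container ID is 12 lowercase hex characters. When Falco runs in a
# container whose hostname was never set, this is what ends up in the hostname
# field, and it tells you nothing about which node produced the event.
CONTAINER_ID_RE = re.compile(r"^[0-9a-f]{12}$")


def looks_like_container_id(hostname: str) -> bool:
    """True if the hostname is an opaque 12-hex container ID rather than a name."""
    return bool(CONTAINER_ID_RE.match(hostname))


def audit_hostnames(lines):
    """Count events per hostname and list the hostnames that are not useful labels.

    Returns (counts, flagged): counts maps hostname -> number of events,
    flagged is the sorted list of empty or container-ID-looking hostnames.
    """
    counts = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole audit
        host = event.get("hostname", "")
        counts[host] = counts.get(host, 0) + 1
    flagged = sorted(h for h in counts if not h or looks_like_container_id(h))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = audit_hostnames(SAMPLE_EVENTS)
    for host, n in sorted(counts.items()):
        print(f"{host or '<empty>'}: {n} event(s)")
    print("opaque hostnames:", flagged)
```

Run it against a dump of the events stored in Loki (or Falcosidekick's debug output) to spot a node whose Falco container never got a proper hostname, which is what was happening in this thread.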
@Issif thank you for the answer!
Unfortunately I need to know which node the request comes from, overriding in this case will not work, or maybe I do not see the idea :(
I saw Falco prints the correct hostname; anyway, I will try again to dig into the source code.
{"hostname":"ansible-test-docker","output":"2023-05-02T15:54:07.575735479+0000: Error File below / or /root opened for writing (user= user_loginuid=-1 command=postgres -D /var/lib/postgresql/14/main
What kind of installation do you have? In K8s? Direct on host?
@Issif that is directly on the host (a VM, but it shouldn't be a problem as far as I know) //edit typo
If Falco runs at host level, the hostname field should be the hostname of your host, unless you run Falco in a container. Can you check the hostname is correctly set?
I don't understand why Falco doesn't use those values.
Question: I see you're in the fluent-bit folder, are you using it to forward the Falco events to Loki? If so, why are you using Falcosidekick?
@Issif I would like to really apologize to you. It was a totally stupid mistake.
I have two nodes, only one should work, but unfortunately the other one was launched by cron and all the logs I saw on grafana came from the other one (with an invalid hostname).
I don't use fluent-bit to send events to loki. Falcosidekick gives me more flexibility. This folder was already open in the tab ;)
No problem, as long as we figured out how to fix your issue, it's ok 👍