|
| 1 | +[[ingest-falco]] |
| 2 | += Ingest Sysdig Falco data |
| 3 | + |
| 4 | +Sysdig Falco (Falco) is an open-source runtime security tool that detects anomalous activity in Linux hosts and containers. You can ingest Falco alerts into {es} to view them on {kib}'s Alerts page and incorporate them into your {elastic-sec} workflows. |
| 5 | + |
| 6 | +First, you'll need to configure {elastic-sec} to receive data from Falco, then you'll need to configure Falco and Falcosidekick to send data to {es}. |
| 7 | + |
| 8 | +[discrete] |
| 9 | +[[ingest-falco-setup-kibana]] |
| 10 | +== Configure {elastic-sec} to receive Falco data |
| 11 | + |
| 12 | +In {elastic-sec}: |
| 13 | + |
| 14 | +. Click **Add integrations**. |
| 15 | +. Search the Integrations page for `Falco`, then select it. |
| 16 | +. Go to the Falco integration's **Settings** tab. |
| 17 | +. Click **Install Falco**, then confirm by clicking **Install Falco** again. Installation should take less than a minute. |
| 18 | + |
| 19 | +image::images/falco-kibana-setup.gif[A gif showing the steps to set up Falco in Kibana] |
| 20 | + |
| 21 | +{elastic-sec} is now ready to receive data from Falco. The Falco integration page now has an **Assets** tab where you can inspect the newly installed assets that help to ingest Falco data. |
| 22 | + |
| 23 | +Next, to make alerts from Falco appear on {kib}'s Alerts page: |
| 24 | + |
| 25 | +. Find the **Rules** page in the main menu or by using the <<kibana-navigation-search,global search field>>. |
| 26 | +. Click **Detection rules (SIEM)**. |
| 27 | +. Search for a rule called `External Alerts`. Enable it using the **Enabled** toggle on the right. |
| 28 | + |
| 29 | +image::images/falco-external-alerts-rule.gif[A gif showing the steps to enable the External Alerts rule] |
| 30 | + |
| 31 | +[discrete] |
| 32 | +[[ingest-falco-setup-falco]] |
| 33 | +== Configure Falco and Falcosidekick |
| 34 | + |
| 35 | +Multiple methods for configuring Falco to send data to {es} are available. This guide uses the https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/elasticsearch.md[Falco sidekick on Docker using environment variables] method. (Falcosidekick is a proxy forwarder which can send alerts from your Falco deployments to {es}.) |
| 36 | + |
| 37 | +[discrete] |
| 38 | +=== Configure Falco: |
| 39 | + |
| 40 | +. Refer to Falco's documentation to https://falco.org/docs/setup/packages/[install Falco on the Linux VMs you wish to monitor]. |
| 41 | +. Once Falco is installed, update its configuration `.yaml` as follows: |
| 42 | +.. Enable JSON output: `json_output=TRUE` |
| 43 | +.. Enable HTTP output: `http_output=TRUE` |
| 44 | +.. In the `http_output` section, for the `url` value, enter the port where Falcosidekick will listen. |
| 45 | + |
| 46 | +[discrete] |
| 47 | +=== Configure Falcosidekick: |
| 48 | + |
| 49 | +. Refer to Falcosidekick's documentation to https://github.com/falcosecurity/falcosidekick?tab=readme-ov-file#installation[install Falcosidekick]. |
| 50 | +. Use the https://github.com/falcosecurity/falcosidekick?tab=readme-ov-file#installation[Falcosidekick on Docker using environment variables] method and set your environment variables as follows: |
| 51 | +.. `ELASTICSEARCH_HOSTPORT`: your {es} endpoint URL, which can be found under **Connection details** on the upper right of the **Integrations** page in {kib}. |
| 52 | +.. `ELASTICSEARCH_INDEX`: the {es} index where you want to store Falco logs. |
| 53 | +.. `ELASTICSEARCH_SUFFIX`: The frequency with which you want the {es} index suffix to change. Either `daily`, `monthly`, `annually`, or `none`. |
| 54 | +.. `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD`: the username and password for an account on your {es} instance, with at least the following permissions: Which permissions, Nick? |
| 55 | + |
| 56 | +After installing and configuring Falcosidekick, restart docker with `sudo systemctl restart falco`. Falcosidekick should start sending alerts to {es}. |
| 57 | + |
| 58 | + |
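Review bot: Line 54 still contains an unresolved author placeholder, "Which permissions, Nick?", so the required privileges for the `ELASTICSEARCH_USERNAME` / `ELASTICSEARCH_PASSWORD` account are never stated; before merge, replace it with the concrete list (for example a dedicated role limited to write privileges on the target index rather than a superuser account, so the sidekick credentials follow least privilege). Two smaller points in the same hunk: line 50 links to the generic `#installation` anchor already used on line 49 while the link text promises the "Docker using environment variables" method, so it should probably point at the `docs/outputs/elasticsearch.md` page linked on line 35; and line 56 says to "restart docker" but the command given is `sudo systemctl restart falco`, which restarts Falco, not Docker, so one of the two should change. Lines 42 and 43 also show the settings as `json_output=TRUE` / `http_output=TRUE`, which is not YAML syntax for the `.yaml` file line 41 refers to; consider writing them in the form the config file actually uses.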