This feature is available in Enterprise Edition only.
This feature is actively developed. It might significantly change in the future.

Enabling debugging logs


By default, the log level for Falco is set to debug.


By default, debug logging for Falcosidekick is disabled.

To enable debug logging, set the spec.settings.debugLogging parameter to true in the module's ModuleConfig:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: runtime-audit-engine
spec:
  enabled: true
  version: 1
  settings:
    debugLogging: true

Viewing metrics

You can use the PromQL query falco_events{} to get metrics:

# The query goes to the Prometheus HTTP API inside the prometheus container (port 9090).
kubectl -n d8-monitoring exec -it prometheus-main-0 -c prometheus -- \
  curl -s 'http://127.0.0.1:9090/api/v1/query?query=falco_events' | jq

A Grafana dashboard for viewing these metrics will be added in the future.

Emulating a Falco event

You can use the event-generator CLI utility to generate Falco events.

event-generator can generate a variety of suspicious actions (syscalls, Kubernetes audit events, and so on).

Use the following command to run all events from a Pod in the Kubernetes cluster:

kubectl run falco-event-generator --image=falcosecurity/event-generator run

If you need to implement an action, use this guide.

Emulating a Falcosidekick event

You can use the Falcosidekick /test HTTP endpoint to send a test event to all enabled outputs.

  • Get a list of Pods in d8-runtime-audit-engine namespace:

    kubectl -n d8-runtime-audit-engine get pods

    Example of the output:

    NAME                         READY   STATUS    RESTARTS   AGE
    runtime-audit-engine-4cpjc   4/4     Running   0          3d12h
    runtime-audit-engine-rn7nj   4/4     Running   0          3d12h
  • Get the IP address of the runtime-audit-engine-4cpjc Pod:

    export POD_IP=$(kubectl -n d8-runtime-audit-engine get pod runtime-audit-engine-4cpjc --template '{{.status.podIP}}')
  • Create a debug event by sending a request to the /test endpoint of Falcosidekick (port 2801):

    # Everything after "--" is the command run inside the one-off curl Pod.
    kubectl run curl --image=curlimages/curl --restart=Never --rm -i -- \
      curl -s -X POST -H "Content-Type: application/json" -H "Accept: application/json" $POD_IP:2801/test
  • Check the debug event metric:

    kubectl -n d8-monitoring exec -it prometheus-main-0 -c prometheus -- \
      curl -s 'http://127.0.0.1:9090/api/v1/query?query=falco_events' | jq
  • Part of the example output (the test event appears as a falco_events series with rule "Test rule" and priority "Debug"):

      "metric": {
        "__name__": "falco_events",
        "container": "kube-rbac-proxy",
        "instance": "",
        "job": "runtime-audit-engine",
        "node": "dev-master-0",
        "priority": "Debug",
        "rule": "Test rule",
        "tier": "cluster"
      },
      "value": [
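The last step, confirming that the /test event actually reached Prometheus, can be automated. The script below is an added example and not part of the module's own tooling; it assumes the Prometheus HTTP API is reachable at PROM_URL (for example through kubectl port-forward) and that the test event has already been posted as described above.

```python
"""Check that a Falcosidekick /test event reached Prometheus as a falco_events sample."""
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed: Prometheus HTTP API reachable here (e.g. via kubectl port-forward).
PROM_URL = os.environ.get("PROM_URL", "http://127.0.0.1:9090")

# Constructed sample in the instant-query format, shaped like the excerpt above;
# the timestamps and counts are made up.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "data": {"resultType": "vector", "result": [
        {"metric": {"__name__": "falco_events", "container": "kube-rbac-proxy",
                    "job": "runtime-audit-engine", "node": "dev-master-0",
                    "priority": "Debug", "rule": "Test rule", "tier": "cluster"},
         "value": [1700000000.0, "1"]},
        {"metric": {"__name__": "falco_events", "job": "runtime-audit-engine",
                    "node": "dev-master-0", "priority": "Warning",
                    "rule": "Terminal shell in container", "tier": "cluster"},
         "value": [1700000000.0, "3"]},
    ]},
})

def find_test_rule_samples(body, rule="Test rule"):
    """Return [(node, priority, count)] for every falco_events series with label rule=<rule>."""
    doc = json.loads(body)
    if doc.get("status") != "success" or doc["data"].get("resultType") != "vector":
        raise ValueError("unexpected Prometheus response: %r" % doc.get("status"))
    found = []
    for series in doc["data"]["result"]:
        labels = series["metric"]
        if labels.get("__name__") == "falco_events" and labels.get("rule") == rule:
            # value is [unix_timestamp, "<sample as a string>"]
            found.append((labels.get("node", ""), labels.get("priority", ""), float(series["value"][1])))
    return found

def query_falco_events(base_url=PROM_URL):
    """Run the FAQ's query (falco_events) against the Prometheus HTTP API and return the raw body."""
    url = base_url.rstrip("/") + "/api/v1/query?" + urllib.parse.urlencode({"query": "falco_events"})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    hits = find_test_rule_samples(query_falco_events())
    for node, prio, count in hits:
        print(f"node={node} priority={prio} falco_events={count:g}")
    sys.exit(0 if hits else 1)  # non-zero: the test event never reached Prometheus
```

A non-zero exit means no "Test rule" series was found, which points at the Falcosidekick output or the metrics scrape rather than at Falco itself.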