You are viewing documentation for Falco version: v0.32.2

Falco v0.32.2 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Generating sample events

Last modified July 13, 2022

To check that Falco is working properly, use the event-generator tool, which performs sample activity that triggers both our syscall and k8s audit related rules.

The tool provides a command to run either some or all sample events.

event-generator run [regexp]

Without arguments it runs all actions, otherwise only those actions matching the given regular expression.

The full command line documentation is here.

Downloads

Artifacts | | Version
binaries | download link | Release
container images | docker pull falcosecurity/event-generator:latest | Docker Image Version (latest semver)

Sample events

System Call Activity

Warning — We strongly recommend that you run the program within Docker (see below), since some commands might alter your system. For example, some actions modify files and directories below /bin, /etc, /dev, etc.

The syscall collection performs a variety of suspect actions that are detected by the default Falco ruleset.

docker run -it --rm falcosecurity/event-generator run syscall --loop

The above command loops forever, incessantly generating a sample event each second.
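To turn the generated events into a pass/fail check, the following added example (not part of the Falco documentation or the event-generator project) parses Falco output and reports which actions produced no alert. It assumes Falco runs with json_output: true; the action-to-rule mapping and the sample lines are constructed for illustration.

```python
import json

# Assumed mapping of event-generator syscall actions to the default Falco
# rules they are meant to trigger; adjust it to the ruleset you have loaded.
EXPECTED = {
    "syscall.WriteBelowBinaryDir": "Write below binary dir",
    "syscall.WriteBelowEtc": "Write below etc",
    "syscall.ReadSensitiveFileUntrusted": "Read sensitive file untrusted",
}

# Constructed sample of Falco stdout: a startup line, three alerts,
# and one truncated JSON line that must not break the check.
SAMPLE_OUTPUT = [
    "Tue Jul 12 10:00:00 2022: Falco version 0.32.2",
    '{"output": "sample alert", "priority": "Error", '
    '"rule": "Write below binary dir", "time": "2022-07-12T10:00:05Z", '
    '"output_fields": {"fd.name": "/bin/created-by-event-generator"}}',
    '{"output": "sample alert", "priority": "Warning", '
    '"rule": "Read sensitive file untrusted", "time": "2022-07-12T10:00:06Z"}',
    '{"output": "sample alert", "priority": "Warning", '
    '"rule": "Read sensitive file untrusted", "time": "2022-07-12T10:00:07Z"}',
    '{"output": "cut off mid-wri',
]

def fired_rules(lines):
    """Count alerts per rule name, skipping lines that are not JSON alerts."""
    counts = {}
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # startup banner or other plain-text log line
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        rule = event.get("rule")
        if rule:
            counts[rule] = counts.get(rule, 0) + 1
    return counts

def missing_actions(expected, lines):
    """Return the actions whose expected rule never appeared in the output."""
    counts = fired_rules(lines)
    return sorted(a for a, rule in expected.items() if rule not in counts)

if __name__ == "__main__":
    print("alerts per rule:", fired_rules(SAMPLE_OUTPUT))
    print("actions with no alert:", missing_actions(EXPECTED, SAMPLE_OUTPUT))
```

An action that stays in the missing list points to a disabled or overridden rule, a driver that is not capturing events, or output going to a different channel than the one being read.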

Kubernetes Auditing Activity

The k8saudit collection generates activity that matches the k8s audit event ruleset.

event-generator run k8saudit --loop

The above command loops forever, creating resources in the current namespace and deleting them after each iteration. Use the --namespace option to choose a different namespace.

Running the Event Generator in K8s

We've also provided a helm chart that makes it easy to run the event generator in K8s clusters.

First, add the falcosecurity charts repository:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

Once you have the helm repo configured, you can run the following to create the necessary objects in the event-generator namespace and then generate events continuously:

helm install event-generator falcosecurity/event-generator \
  --namespace event-generator \
  --create-namespace \
  --set config.loop=false \
  --set config.actions=""

The above command applies to the event-generator namespace. Use the --namespace option to deploy in a different namespace. Events will be generated in the same namespace.

You can also find more examples in the event-generator and charts repositories.