PrometheusRule priority does not match metrics priority #678

Open
jkrusy opened this issue May 29, 2024 · 3 comments

jkrusy commented May 29, 2024

Describe the bug

The Falcosidekick metrics priority does not match the priority in the PrometheusRule.
Metrics are provided and scraped as follows:

falco_events{priority="Critical",rule="Drop and execute new binary in container"} 1

But the PrometheusRule expects the priority to be a number:

        - alert: FalcoWarningEventsRateHigh
          annotations:
            description: A high rate of warning events are being detected by Falco
            summary: Falco is experiencing high rate of warning events
          expr: rate(falco_events{priority="4"}[5m]) > 0

With this combination, the rules will not work.

How to reproduce it

Here is the configuration we have

falco:
  priority: warning
  log_level: warning

falcosidekick:
  enabled: true
  serviceMonitor:
    enabled: true
  prometheusRules:
    enabled: true
    warning:
      enabled: true
    critical:
      enabled: true

Expected behaviour

The prometheus rules should match the metrics provided by Falcosidekick.

Screenshots

Environment

  • Falco version:
{"default_driver_version":"7.0.0+driver","driver_api_version":"8.0.0","driver_schema_version":"2.0.0","engine_version":"31","engine_version_semver":"0.31.0","falco_version":"0.37.1","libs_version":"0.14.3","plugin_api_version":"3.2.0"}
  • System info:
{
  "machine": "x86_64",
  "nodename": "falco-falco-lf2gq",
  "release": "5.10.215-203.850.amzn2.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Tue Apr 23 20:32:19 UTC 2024"
}
  • Cloud provider or hardware configuration: AWS EKS
  • OS: linux (amd64) [Amazon Linux 2]
  • Kernel: 5.10.214-202.855.amzn2.x86_64
  • Installation method: Kubernetes Helm Chart
@jkrusy jkrusy added the kind/bug Something isn't working label May 29, 2024
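
A check for the mismatch reported above, as an added example that is not part of the issue or of the Falco charts: it compares each label selector in an alert expression against the scraped series and lists the selectors that match nothing, which is how an alert that can never fire shows up. The second sample series, the second alert and all function names are constructed for illustration, and the parser assumes simple selectors with no `}` inside label values.

```python
import re

# Constructed sample scrape: the first line is quoted in the issue, the second is made up.
SCRAPED = """\
falco_events{priority="Critical",rule="Drop and execute new binary in container"} 1
falco_events{priority="Warning",rule="Constructed sample rule"} 3
"""
# Alert expressions: the first is quoted in the issue, the second is a constructed variant.
RULE_EXPRS = {
    "FalcoWarningEventsRateHigh": 'rate(falco_events{priority="4"}[5m]) > 0',
    "ConstructedStringPriority": 'rate(falco_events{priority="Critical"}[5m]) > 0',
}

LABEL = r'(\w+)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"'
SERIES = re.compile(r'^([a-zA-Z_:][\w:]*)\{(.*)\}\s+\S+', re.M)
SELECTOR = re.compile(r'([a-zA-Z_:][\w:]*)\{([^}]*)\}')

def parse_series(text):
    """Return [(metric_name, {label: value})] from exposition-format text."""
    return [(m.group(1), {k: v for k, _, v in re.findall(LABEL, m.group(2))})
            for m in SERIES.finditer(text)]

def matches(labels, matchers):
    """Apply PromQL label matchers; a missing label compares as the empty string."""
    for name, op, want in matchers:
        have = labels.get(name, "")
        hit = re.fullmatch(want, have) is not None if op in ("=~", "!~") else have == want
        if hit == op.startswith("!"):  # positive matcher missed, or negative matcher hit
            return False
    return True

def dead_selectors(rule_exprs, series):
    """Map alert name -> selectors in its expr that match no scraped series."""
    dead = {}
    for alert, expr in rule_exprs.items():
        for metric, body in SELECTOR.findall(expr):
            matchers = re.findall(LABEL, body)
            if not any(n == metric and matches(l, matchers) for n, l in series):
                dead.setdefault(alert, []).append(f"{metric}{{{body}}}")
    return dead

if __name__ == "__main__":
    for alert, sels in dead_selectors(RULE_EXPRS, parse_series(SCRAPED)).items():
        print(f"{alert}: no scraped series matches {', '.join(sels)}")
```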

poiana commented Aug 27, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale


leogr commented Aug 28, 2024

/remove-lifecycle stale

/assign @Issif
Could you take a look pls?


Issif commented Sep 17, 2024

To have consistency between the labels of the falco and falcosidekick metrics, I changed the format of the value for the priority label; it will fix the issue you face. This issue comes from the fact I copied/pasted the rules from the exported and forgot to change the format of the values.
To wait until the release of falcosidekick with these changes, I'm preparing a PR to change the values used in the current rules to their string versions.
