Falco is a cloud-native security tool for Linux operating systems. Falco can monitor the runtime activities of applications in Kubernetes clusters. You can use Logtail to deliver container runtime alerts generated by Falco to a Logstore for query and analysis.
Limits
You can use Logtail to deliver container runtime alerts generated by Falco only in Kubernetes and Docker environments.
1. Install Falco
For more information about how to install Falco, see Falco installation documentation.
2. Configure Logtail components
2.1 Install Logtail components
For more information about how to install Logtail components in Alibaba Cloud Kubernetes clusters and self-managed Kubernetes clusters, see Install Logtail components in an ACK cluster and Install Logtail components in a self-managed Kubernetes cluster.
2.2 Create a Logtail configuration
Log on to the Simple Log Service console. In the Log Application section, click the Audit & Security tab. Then, click Log Audit Service (New Version).

On the Log Audit Service (New Version) page, click an associated project. Alternatively, click Associate Project to associate a project with Log Audit Service.

In the left-side navigation pane, choose Data Collection > Runtime. On the page that appears, click Create Logtail Configuration and select Falco from the drop-down list.

In the Machine Group Configurations step of the Import Data wizard, select the machine group that you want to manage and click Next.

In the Logtail Configuration step of the Import Data wizard, use the default parameter settings and click Complete.
Important: By default, Falco exports container runtime alerts as container stdout and stderr. Simple Log Service allows you to collect container stdout and stderr in DaemonSet mode. For more information, see Use the Simple Log Service console to collect container stdout and stderr in DaemonSet mode. If Falco exports container runtime alerts to a fixed file, you can collect the alerts from the file in DaemonSet mode. For more information, see Use the Simple Log Service console to collect container text logs in DaemonSet mode.
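The two export modes described above are selected in Falco's own configuration file (falco.yaml). The fragment below is an added example, not taken from this page or from the Falco or Simple Log Service documentation; it uses Falco's standard output keys (json_output, stdout_output, file_output), and the file path under file_output is an assumed value that you would replace with the path your Logtail text-log configuration collects. Emitting JSON rather than plain text is assumed here so that fields such as rule and priority arrive in the Logstore in a structured form.

```yaml
# Added example of the Falco output settings that decide which Logtail
# collection mode applies (assumed values; adjust to your deployment).

# Emit each alert as a single JSON line so the Logstore receives
# structured fields (rule, priority, output_fields, ...) instead of free text.
json_output: true
json_include_output_property: true

# Mode 1 (Falco default): alerts go to the container's stdout.
# Collect them with a Logtail configuration for container stdout/stderr
# in DaemonSet mode.
stdout_output:
  enabled: true

# Mode 2: alerts are appended to a fixed file inside the container.
# Enable this block instead, and collect the file with a Logtail
# configuration for container text logs in DaemonSet mode.
file_output:
  enabled: false
  keep_alive: false
  filename: /var/log/falco/events.json   # assumed path; must match the Logtail file path
```

Run only one of the two modes against a single Logtail configuration; enabling both without a matching second configuration either loses the file alerts or collects each alert twice.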
2.3 Verify configuration results
After you configure the Logtail components, Simple Log Service automatically creates the following resources in the associated project:
A Logtail configuration named falco-pipelineconfig.
A Logstore named falco-log.
3. Query and analyze container runtime alerts
In the left-side navigation pane, choose Query and Analysis > Runtime. On the page that appears, click the Falco tab. For more information about the fields in container runtime alerts generated by Falco, see Fields in Falco runtime logs. For more information about the search syntax, see Search syntax.

References
For more information about the fields in container runtime alerts generated by Falco, see Fields in Falco runtime logs.
After Logtail delivers container runtime alerts generated by Falco to a Logstore, you can view the Runtime Events Alert Overview dashboard in the report center. For more information, see Report center.