add printAllEvents parameter

Signed-off-by: Thomas Labarussias <[email protected]>

README.md

@@ -11,7 +11,7 @@
     - [`kubernetes:networkpolicy`](#kubernetesnetworkpolicy)
     - [`kubernetes:exec`](#kubernetesexec)
   - [Notifiers](#notifiers)
-    - [K8SEvents](#k8sevents)
+    - [K8s Events](#k8s-events)
     - [Slack](#slack)
     - [SMTP](#smtp)
     - [Webhook](#webhook)
@@ -21,6 +21,7 @@
   - [Images](#images)
   - [Deployment](#deployment)
     - [Helm](#helm)
+      - [Configure Falcosidekick](#configure-falcosidekick)
   - [License](#license)
   - [Author](#author)
 
@@ -45,7 +46,6 @@ or
 * `actionner`: defines what to do when the event matches the rule
 * `notifier`: defines what outputs to notify with the result of the action
 
-
 ## Actionners
 
 `Actionners` define actions to apply when an event matches a rule, they are named with pattern `category:action`.
@@ -95,7 +95,7 @@ Several rules can match same event, so several action can be triggered, except f
 
 `Notifiers` define which outputs to notify with result of actions.
 
-### K8SEvents
+### K8s Events
 
 This notifiers creates a [k8s event](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#event-v1-events-k8s-io) in the target resource namespace. No configuration is requested.
 
@@ -146,12 +146,13 @@ Results:
 
 The configuration of `Falco Talon` is set with a `.yaml` file (default: `./config.yaml`) or with environment variables.
 
-| Setting            | Env var            |  Default  | Description                                                     |
+|      Setting       |      Env var       |  Default  |                           Description                           |
 | ------------------ | ------------------ | :-------: | --------------------------------------------------------------- |
 | `listenAddress`    | `LISTENADDRESS`    | `0.0.0.0` | Listten Address                                                 |
 | `listenPort`       | `LISTENPORT`       |  `2803`   | Listten Port                                                    |
 | `rulesFile`        | `RULESFILE`        |    n/a    | File with rules                                                 |
-| `watchRules`       | `WATCHRULES`       |  `true`   | reload rules if they change                                     |
+| `watchRules`       | `WATCHRULES`       |  `true`   | Reload rules if they change                                     |
+| `printAllEvents`   | `PRINTALLEVENTS`   |  `true`   | Print in logs all received events, not only those which match   |
 | `kubeConfig`       | `KUBECONFIG`       |    n/a    | Kube config file, only if `Falco Talon` runs outside Kubernetes |
 | `logFormat`        | `LOGFORMAT`        |  `color`  | Log Format: text, color, json                                   |
 | `defaultNotifiers` | `DEFAULTNOTIFIERS` |    n/a    | List of `notifiers` which are enabled for all rules             |

config_example.yaml

@@ -4,9 +4,10 @@ rulesFile: "./rules.yaml" # default: "./rules.yaml"
 # kubeConfig: "~/.kube/config" # only if Falco Talon is running outside Kubernetes
 logFormat: "color" # Log Format: text, color, json (default: color)
 watchRules: true # reload if the rules file changes (default: true)
+printallEvents: true # print in logs all received events, not only those which match
 
 defaultNotifiers: # this notifiers will be enabled for all rules
-  - k8saudit
+  - k8sevents
 
 notifiers:
   slack:

configuration/configuration.go

@@ -12,10 +12,11 @@ import (
 )
 
 const (
-	defaultListenAddress string = "0.0.0.0"
-	defaultListPort      int    = 2803
-	DefaultRulesFile     string = "/etc/falco-talon/rules.yaml"
-	defaultWatchRules    bool   = true
+	defaultListenAddress  string = "0.0.0.0"
+	defaultListPort       int    = 2803
+	DefaultRulesFile      string = "/etc/falco-talon/rules.yaml"
+	defaultWatchRules     bool   = true
+	defaultPrintAllEvents bool   = true
 )
 
 // type Actionner interface {
@@ -38,6 +39,7 @@ type Configuration struct {
 	DefaultNotifiers []string
 	ListenPort       int
 	WatchRules       bool
+	PrintAllEvents   bool
 }
 
 var config *Configuration
@@ -55,6 +57,7 @@ func CreateConfiguration(configFile string) *Configuration {
 	v.SetDefault("Logformat", "color")
 	v.SetDefault("DefaultNotifiers", []string{})
 	v.SetDefault("WatchRules", defaultWatchRules)
+	v.SetDefault("PrintAllEvents", defaultPrintAllEvents)
 
 	v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 	v.AutomaticEnv()

internal/handler/handler.go

@@ -33,14 +33,16 @@ func MainHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	utils.PrintLog("info", config.LogFormat, utils.LogLine{
-		Rule:     event.Rule,
-		Priority: event.Priority,
-		Output:   event.Output,
-		Source:   event.Source,
-		Message:  "event",
-		TraceID:  event.TraceID,
-	})
+	if config.PrintAllEvents {
+		utils.PrintLog("info", config.LogFormat, utils.LogLine{
+			Rule:     event.Rule,
+			Priority: event.Priority,
+			Output:   event.Output,
+			Source:   event.Source,
+			Message:  "event",
+			TraceID:  event.TraceID,
+		})
+	}
 
 	go func() {
 		enabledRules := rules.GetRules()
@@ -51,6 +53,21 @@ func MainHandler(w http.ResponseWriter, r *http.Request) {
 			}
 		}
 
+		if len(triggeredRules) == 0 {
+			return
+		}
+
+		if !config.PrintAllEvents {
+			utils.PrintLog("info", config.LogFormat, utils.LogLine{
+				Rule:     event.Rule,
+				Priority: event.Priority,
+				Output:   event.Output,
+				Source:   event.Source,
+				Message:  "event",
+				TraceID:  event.TraceID,
+			})
+		}
+
 		a := actionners.GetActionners()
 		// we trigger rules with before=true
 		for i, j := range triggeredRules {