- New output: Webex (PR#979 thanks to @k0rventen)
- New output: OTLP Metrics (PR#1012 thanks to @ekoops)
- New output: Datadog Logs (PR#1052 thanks to @yohboy)
- Reuse the HTTP client for a 3-4x throughput increase (PR#962 thanks to @alekmaus)
- Improve outputs throughput handling (PR#966 thanks to @alekmaus)
- Batching and gzip compression for the `Elasticsearch` output (PR#967 thanks to @alekmaus)
- Use the same convention for the Prometheus metrics as Falco (PR#995)
- Add `APIKey` for `Elasticsearch` output (PR#980 thanks to @alekmaus)
- Add `Pipeline` configuration for `Elasticsearch` output (PR#981 thanks to @alekmaus)
- Add `MessageThreadID` configuration in `Telegram` output (PR#1008 thanks to @vashian)
- Support multi-architecture in build (PR#1024 thanks to @nickytd)
- Add `falco` as source for the `Datadog Events` (PR#1043 thanks to @maxd-wttj)
- Support `AlertManager` output in HA mode (PR#1051)
- Fix `PolicyReports` created in the same namespace as the previous event (PR#978)
- Fix missing `customFields/extraFields` in the `Elasticsearch` payload (PR#1033)
- Fix incorrect key name for `CloudEvent` spec attribute (PR#1051)
Warning: Breaking change: the Prometheus metrics have different names from this release on, which may break the queries used by dashboards and alerts.
- New output: Dynatrace (PR#575 thanks to @blu3r4y)
- New output: OTLP Traces (PR#613 thanks to @jjo)
- New output: Sumologic (PR#656 thanks to @mencarellic)
- New output: Quickwit (PR#736 thanks to @idrissneumann)
- New output: Falco Talon (PR#929)
- Add global TLS config (PR#588 thanks to @ibice)
- Add `source` as label for `Prometheus` metrics (PR#665)
- Better logs when TLS is enabled (PR#668)
- Add test for utils sorting function (PR#694 thanks to @stevemcquaid)
- Refactor of the `InitClient` (PR#765 thanks to @idrissneumann)
- Allow to use alternative endpoints for the `AWS S3` output (PR#791 thanks to @gysel)
- Consistent order for the `output_fields` and `tags` (PR#802)
- Allow to add custom headers for `AlertManager` output (PR#827 thanks to @Umaaz)
- Add more checks for the `GCP Storage` output (PR#858)
- Possibility to create an index template for the `Elasticsearch` output (PR#868)
- Possibility to "flatten" the `output_fields` (replace `.` by `_`) for the `Elasticsearch` output to avoid mapping conflicts (PR#868)
- Truncate the fields with a length > 512 chars to avoid rejection from some outputs (PR#871)
- Change the license to Apache 2.0 (PR#882 thanks to @leogr)
- Revamp the `PolicyReport` output (PR#899)
- New parameter `outputFieldFormat` to modify on the fly the format of the `output` field (PR#901)
- Fix missing root CA for the `Kafka` output (PR#581 thanks to @claviola)
- Fix bug with the extension `source` in the `CloudEvent` output (PR#587)
- Fix panics in the `Prometheus` output when `hostname` field is missing (PR#628)
- Remove refs to deprecated `ioutil` modules (PR#639 thanks to @testwill)
- Fix locks in the `Loki` output (PR#647 thanks to @bsod90)
- Split the docs for the outputs into multiple files (PR#648)
- Fix mTLS client verification failures due to missing ClientCAs (PR#666 thanks to @jgmartinez)
- Fix wrong env var for pagerduty output (PR#682)
- Remove hard settings for usernames in `Mattermost` and `Rocketchat` (PR#731)
- Fix multi-line JSON in the error lines (PR#764 thanks to @idrissneumann)
- Fix duplicated custom headers in clients (PR#801, PR#857)
- Fix the labels for the `AlertManager` output (PR#870 thanks to @Umaaz)
- New output: Redis (PR#396 thanks to @pandyamarut)
- New output: Telegram (PR#431 thanks to @zufardhiyaulhaq)
- New output: N8N (PR#462)
- New output: Grafana OnCall (PR#470)
- New output: OpenObserve (PR#509)
- Add `output` in the description annotation for `AlertManager` output (PR#341)
- Allow to set the HTTP method for `Webhook` output (PR#399)
- Add `hostname` as Prometheus label (PR#420 thanks to @Lowaiz)
- Allow to replace the brackets (PR#421)
- Allow to set custom HTTP headers for `Loki`, `Elasticsearch` and `Grafana` outputs (PR#428)
- Add `hostname`, `tags`, `custom` and `templated fields` for `TimescaleDB` output (PR#438 thanks to @hileef)
- Allow to set thresholds for the dropped events in `AlertManager` output (PR#439 thanks to @Lowaiz)
- Match the `priority` with `AlertManager` severity label (PR#440 thanks to @Lowaiz)
- Add `rolearn` and `externalid` for the assume role for `AWS` outputs (PR#494)
- Allow to set the `region` for `PagerDuty` output (PR#500)
- Add TLS option + rewrite send method for the `SMTP` output (PR#502)
- Add attributes to `GCP PubSub` messages (PR#505 thanks to @annadorottya)
- Add option for TLS and mTLS for the server (PR#508 thanks to @annadorottya)
- Add setting to auto create the `Kafka` topic (PR#554)
- Add option to deploy an HTTP-only server for specific endpoints (PR#565 thanks to @annadorottya)
- Support multiple bootstrap servers for `Kafka` output (PR#571 thanks to @ibice)
- Add option for TLS for `Kafka` output (PR#574)
- Fix error handling in `AWS Security Lake` output (PR#390)
- Fix breaking brackets in `AWS SNS` messages (PR#419)
- Fix setting name for the table of `TimescaleDB` output (PR#426 thanks to @alika)
- Fix cardinality issue with Prometheus labels (PR#427)
- Fix panic when asserting output fields which are nil (PR#429)
- Fix dependencies for `Wavefront` output (PR#432)
- Fix key pattern for `AWS Security Lake` output (PR#447)
- Fix default settings for `Telegram` output (PR#495 thanks to @schfkt)
- Fix URL generation for `Spyderbat` output (PR#506 thanks to @bc-sb)
- Fix nil values in `Spyderbat` output (PR#527 thanks to @spider-guy)
- Fix duplicated headers in `SMTP` output (PR#528 thanks to @apsega)
- Fix missing trim for names and values of labels for `AlertManager` output (PR#563 thanks to @Lowaiz)
- Fix missing returned errors for `Kafka` output (PR#573)
- New output: Yandex Data Streams (PR#336 thanks to @preved911)
- New output: Node-Red (PR#337)
- New output: MQTT (PR#338)
- Templated fields: custom fields generated with Go templates (PR#350)
- New output: Zincsearch (PR#360)
- New output: Gotify (PR#362)
- New output: Spyderbat (PR#368 thanks to @spyder-kyle)
- New output: Tekton (PR#371)
- New output: TimescaleDB (PR#378 thanks to @jagretti)
- New output: AWS Security Lake (PR#387)
- `SMTP` output now uses any SASL auth mechanism (PR#341 thanks to @Lowaiz)
- Bind `Policy Reports` to Namespace by `ownerReference` (PR#346)
- Add extra labels and annotations for `AlertManager` payloads (PR#347 thanks to @Lowaiz)
- Update default type for `Elasticsearch` documents (PR#349)
- Support env vars in custom fields (PR#353)
- Update format + default endpoint for `Loki` output (PR#356)
- Determine resource names + owner ref for `Policy Reports` (PR#358)
- Update `Influxdb` output to use API Token and /api/v2 endpoint (PR#359)
- Allow to override the `Slack` channel (PR#366)
- Add From, To and Date headers in `SMTP` payload (PR#364)
- Improve the check of the payload from `Falco`; it now allows an empty output (PR#372)
- Allow to set user and API key for `Loki` output for `Grafana Logs` (PR#379)
- Add `hostname` in JSON payload for all outputs (PR#383 thanks to @Lowaiz)
- Add SASL authentication for `Kafka` output (PR#385 thanks to @Lowaiz and @lyoung-confluent)
- Support CEF format for `Syslog` output (PR#386)
- Allow to disable STS check for `AWS` output (PR#387)
- Fix `priority` label being replaced by `source` in `AlertManager` payload (PR#340 thanks to @tks98)
- Fix missing cert checks + fix inverted logic to use them in codebase (PR#345)
- Fix race condition when headers are added to POST requests (PR#380 thanks to @bc-sb)
- Add `expiresafter` for AlertManager output (PR#323 thanks to @anushkamittal20)
- Add `extralabels` for Loki and Prometheus outputs, which allows to set fields to use as labels in addition to `rule`, `source`, `priority`, `tags` and `customfields` (PR#327)
- Fix panic for Prometheus metrics when `customfields` are set (PR#333)
- New output: Policy Report (PR#256 thanks to @anushkamittal20)
- New output: Syslog (PR#272 thanks to @bdluca)
- New output: AWS Kinesis (PR#277 thanks to @gauravgahlot)
- New output: Zoho Cliq (PR#301 thanks to @averni)
- Images and Binaries for arm and arm64 (PR#288)
- Sign artifacts with cosign (PR#302)
- Add CI steps to push images into AWS ECR (PR#270 thanks to @maxgio92)
- Allow to choose API endpoint for AlertManager (PR#282 thanks to @mathildeHermet)
- Add label `priority` in AlertManager events (PR#276)
- Update Golang + GolangCI-Lint (PR#289 PR#292)
- Add version info (PR#290)
- Update image base to alpine 3.15 (PR#291)
- Increase CircleCI timeout (PR#293)
- Support IRSA for AWS authentication (PR#295 thanks to @VariableExp0rt)
- Add tenant for Loki output (PR#308 thanks to @JGodin-C2C)
- Upgrade endpoint for Loki (PR#309 thanks to @JGodin-C2C)
- Add `tags` and `source` in events for all outputs (PR#310)
- Add `custom_fields` to Prometheus series (PR#314 thanks to @LyvingInSync)
- Update CircleCI jobs (PR#316)
- Fix OpsGenie output when keys have "." (PR#287)
- Fix typo in README (PR#299 thanks to @oleg-nenashev)
- Fix GCS writer not closed (PR#312 thanks to @Milkshak3s)
- New output: Grafana (PR#254)
- New output: Fission (PR#255 thanks to @gauravgahlot)
- New output: Yandex Cloud S3 (PR#261 thanks to @nar3k)
- New output: Kafka REST (PR#263 thanks to @dirien)
- Set header `x-amz-acl` to `bucket-owner-full-control` for output `AWS S3` (PR#264 thanks to @Kaizhe)
- Docker image is now available on `AWS ECR Public Gallery` (PR#265 thanks to @maxgio92)
- Fix memory leak with `AddHeaders` method (PR#252 thanks to @distortedsignal)
- New output: Wavefront (PR#229 thanks to @rikatz)
- New output: GCP Cloud Functions (PR#241)
- New output: GCP Cloud Run (PR#243)
- Allow MutualTLS for some outputs (PR#231 thanks to @jasiam)
- Allow Workload identity for GCP output (PR#235 thanks to @cartyc)
- Add basic auth for Elasticsearch output (PR#245 thanks to @distortedsignal)
- Reorder fields in Slack, RocketChat and Mattermost outputs + sort `customer_fields` alphabetically (PR#226)
- Set default values for OpenFaas output (PR#232)
- Re-use session for AWS output instead of deprecated `session.New()` (PR#238 thanks to @dchoy)
- Reorganize management of headers for outputs (PR#245 thanks to @distortedsignal)
- Fix init of DogstatsD output (PR#227)
- Remove duplicated logs + fix some of prefixes (PR#228)
- Fix S3 output when "Default encryption" setting is disabled (PR#242 thanks to @Kaizhe)
- New output: AWS S3 (PR#195 thanks to @evalsocket)
- New output: GCP Storage (PR#202 thanks to @evalsocket)
- New output: RabbitMQ (PR#210 thanks to @evalsocket)
- New output: OpenFaas (PR#208 thanks to @developper-guy)
- Use higher level Writer api for Kafka (PR#206 thanks to @zemek)
- Reorder imports to follow good practices (PR#205)
- Prevent misleading error message when CUSTOMFIELDS env var is set (PR#201 thanks to @zemek)
- Use Events v2 API for PagerDuty output (PR#200 thanks to @caWhite)
- Fix outputformat when using fields or text in Slack output (PR#204)
- Fix HTML template for SMTP output (PR#199)
- Include numeric values for `Alertmanager` outputs (PR#177 thanks to @alsm)
- Add `listenaddress` option (PR#187 thanks to @alsm)
- Fix spelling typos in README (PR#175 thanks to @princespaghetti)
- Fix several `gosec` issues (PR#179 thanks to @alsm)
- Fix label values with quotes for `Loki` (PR#182)
- New output: STAN (NATS Streaming) (PR#135)
- New output: PagerDuty (PR#164)
- New output: Kubeless (PR#170)
- CI: clean filters (PR#138)
- Replace library for `Kafka` (PR#139)
- Re-align code for `NATS` output (PR#159)
- Add new endpoint `/healthz` (PR#167)
- Change the way to manage Priority (PR#171 thanks to @n3wscott)
- Fix missing metrics for various outputs (PR#145, PR#146, PR#147, PR#148, PR#149, PR#150, PR#151, PR#152, PR#153, PR#154, PR#155, PR#156, PR#157, PR#158)
- New output: Apache Kafka (PR#124 thanks to @KeisukeYamashita)
- New output: Cloudwatch Logs (PR#127 thanks to @cpanato)
- Bump Golang version to `1.15` (PR#128 thanks to @KeisukeYamashita)
- Add a contributing document (PR#123 thanks to @cpanato)
- Add a `.dockerignore` for small images (PR#126 thanks to @KeisukeYamashita)
- Refactor HTTP server handler (PR#116 thanks to @KeisukeYamashita)
- Add test for `Discord` (PR#117 thanks to @KeisukeYamashita)
- Fix Discord output's Prometheus metrics (PR#118 thanks to @KeisukeYamashita)
- Fix `nil pointer` when `GCP` configuration is incorrect (PR#130)
- New output: Google Chat (PR#107 thanks to @KeisukeYamashita)
- Add test for `Mattermost` (PR#99 thanks to @cpanato)
- Add golangci lint (PR#100 thanks to @cpanato)
- Dependencies: update several deps (PR#103 thanks to @cpanato)
- Clean up the `Circleci` config a bit (PR#106 thanks to @cpanato)
- Use `testify` to check the test results (PR#108 PR#112 thanks to @cpanato)
- Refactor type assertion in output (PR#110 thanks to @KeisukeYamashita)
- Add test for `Rocketchat` (PR#113 thanks to @cpanato)
- New output: GCP PubSub (PR#97 thanks to @IanRobertson-wpe)
- Custom Headers can be set for `Webhook` output (PR#92)
- Enable `CircleCI` for unit tests
- New output: AWS SNS (PR#84)
- A `prometheus` exporter is now available for all metrics
The Helm chart has been migrated to falcosecurity/charts, the official chart repository of the falco organization. You can now install it from artifacthub.io.
- New output: Azure Event Hubs (PR#66 thanks to @arminc)
- New output: Discord (PR#61 thanks to @nibalizer)
- Cert validity of outputs can be disabled (PR#74)
- Golang 1.14 is now used for building the Docker image
- Displayed username can be overridden for Slack, Mattermost and Rocketchat (PR#72)
- Wrong port name was displayed as output of Helm chart
This release is the last one with a Helm chart; the next ones will be in the Falco Charts repo
- New output: Rocketchat
- New output: Mattermost
- Allow using Datadog EU site by specifying new variable datadog.host/DATADOG_HOST (PR#59 thanks to @DrPhil)
- Docker Image is now based on the latest Golang and Alpine images
- Wrong value reference for Elasticsearch output in deployment.yaml
- New output: Webhook
- New output: DogStatsD
- New metrics: running goroutines, number of used CPUs
- 💥 Standardization of metric names (to be consistent between expvar and (Dog)StatsD)
- 💥 New namespace for metrics (inputs), will be used for future inputs (fifo, gRPC)
- StatsD implementation worked only with DogStatsD (issue #49)
- Fix panic when payload from Falco is empty
- New output: StatsD (PR#43 thanks to @actgardner)
- Fix typo in priority check (PR#42 thanks to @palmerabollo)
- Fix Opgenie config in helm template (PR#41 thanks to @kamirendawkins)
- Add formatted Text in Slack message (PR#40 thanks to @actgardner)
- New output: Opsgenie
- New avatar : with colors and squared
- Duplicated entries when events have non-string fields (PR#38 thanks to @actgardner)
- New output: NATS
- All references to the previous repository are replaced; falcosidekick is now in the falcosecurity organization
- Update of Dockerfile : golang 1.12 + alpine 3.10
- New output: Loki
- New output: SMTP (email)
- New output: AWS Lambda
- New output: AWS SQS (issue #5)
- New output: Teams (issue #30)
- A github page has been created : https://falcosecurity.github.io/falcosidekick/
- Slack tests are now consistent (the order of fields in the JSON output wasn't always the same, so tests sometimes failed for that reason)
- README : clean up of several typos
- Elasticsearch : An index suffix can be set for rotation (see README) (issue #27 thanks to @ariguillegp)
- A minimum priority for each output can be set
- New output: Influxdb (issue #4)
- Panic happened when trying to add `customfields` but the falco event had none
- New output: Elasticsearch (issue #14)
- New configuration method : we can now use a config file in YAML and/or env vars (see README) (issue #17)
- New endpoint: `/debug/vars` gives access to Golang + Custom metrics (see README) (issue #17)
- Add a lot of unit tests for code coverage (issue #17)
- Some log outputs have been reformatted
- 💥 Some env variables have been renamed again to match fields in YAML config files (see README)
- Panics are now caught to avoid crashes
- All outputs use new generic methods (`NewClient()` + `Post()`), so new output integrations will be easier
- 💥 Some variables have been renamed to match their real names in the API docs of the Outputs: `DATADOG_TOKEN` -> `DATADOG_API_KEY`, `SLACK_TOKEN` -> `SLACK_WEBHOOK_URL`
- `/test` sends an event with a timestamp set at now
- Change `SLACK_HIDE_FIELDS` for `SLACK_OUTPUT_FORMAT`; you can now choose how events are displayed in Slack
- Add `SLACK_HIDE_FIELDS` env var, to enable concise output in Slack (fields are not displayed) (issue #15)
- Remove `/checkPayload` endpoint, not useful anymore
- Change how enabled/disabled outputs are printed in log (more concise view)
- Falco's payload is printed in log if `DEBUG=true`
- Add a `/test` endpoint which sends a fake event to all enabled outputs
- Add a `DEBUG` env var; if enabled, payload for enabled outputs will be printed in stdout
- Reformat some log outputs to be nicer
- Add a check on the payload body from falco to avoid sending empty ones to outputs
- Use go mod in Dockerfile for build (PR#1 thanks to @perriea)
- Add email maintainer in Dockerfile (PR#1 thanks to @perriea)
- New output: Alert Manager
- Add status of posts to Outputs in logs (stdout)
- Update changelog
- Update README with new Slack Options + more info
- New Slack Options: `SLACK_FOOTER`, `SLACK_ICON`
- New Slack Options: `SLACK_FOOTER`, `SLACK_ICON`
- Add output status in log to get those which are enabled
- Check of `LISTEN_PORT` in `init()`: port must be an integer between 1 and 65535
- Long strings in Slack field values are not split anymore
- Some log level tags were missing
- Fix cert errors in alpine (PR#1 thanks to @palmerabollo)
- First tagged release