update: add rule tags to metrics #65
Conversation
Signed-off-by: Jason Dellaluce <[email protected]>
poiana
added
do-not-merge/work-in-progress
kind/feature
|
Welcome @jasondellaluce! It looks like this is your first PR to falcosecurity/falco-exporter 🎉 |
|
This is still a WIP until the next release of https://github.com/falcosecurity/client-go, which will presumably happen after Falco's 0.30.0 release. Module dependencies will need to be updated to include the changes introduced in falcosecurity/client-go#55. |
Signed-off-by: Jason Dellaluce <[email protected]>
jasondellaluce
changed the title
|
This PR has been unblocked after the release of [email protected], so it is now ready for a review. |
| @@ -3,8 +3,8 @@ module github.com/falcosecurity/falco-exporter | |||
| go 1.14 | |||
|
|
|||
| require ( | |||
| github.com/falcosecurity/client-go v0.3.0 | |||
| github.com/prometheus/client_golang v1.9.0 | |||
| github.com/falcosecurity/client-go v0.4.0 | |||
There was a problem hiding this comment.
@jasondellaluce @leodido Thank you for making this happen! 🤗
|
/milestone 0.6.0 |
|
LGTM label has been added. Git tree hash: b26aba1f37e059b445e8f9f8f02c0dfd7c9d2f36
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jasondellaluce, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Jason Dellaluce [email protected]
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area pkg
What this PR does / why we need it:
After the recent merge of falcosecurity/falco#1714, Falco gRPC
outputservice now has a field containing rule tags. This PR follows up to those updates by including rule tags in the exported metrics too, which has been an open issue for a while (see #53).Which issue(s) this PR fixes:
Fixes #53
Additional notes:
Rule tags are implemented as a label inside the
falco_eventsmetric. The label is a simple concatenation of all the tags, separated by a comma (,). This has the benefit of not increasing the metric cardinality, which is a big concern in Prometheus. The tradeoff is that querying by rule tags requires the usage of a regex.A little optimization has been adopted by adding commas at the beginning and at the end of the concatenated string. In this way, the
tagslabel can be queried with a simpler regex like.*,tag,.*instead of(^|.*,)tag(,.*|$). This pattern is well explained here: https://www.robustperception.io/little-things-matter.An example of tag-based query is reported below: