diff --git a/falco.yaml b/falco.yaml index 92d5e4dad1e..07d02abb501 100644 --- a/falco.yaml +++ b/falco.yaml @@ -1066,6 +1066,9 @@ syscall_event_drops: # counters reflect monotonic values since Falco's start and are exported at a # constant stats interval. # +# `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters +# per CPU. typically used when debugging and not in production. +# # `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, # providing information such as the number of invocations of each BPF program # attached by Falco and the time spent in each program measured in nanoseconds. @@ -1104,6 +1107,8 @@ metrics: resource_utilization_enabled: true state_counters_enabled: true kernel_event_counters_enabled: true + # Enabling `kernel_event_counters_per_cpu_enabled` automatically enables `kernel_event_counters_enabled` + kernel_event_counters_per_cpu_enabled: false libbpf_stats_enabled: true plugins_metrics_enabled: true convert_memory_to_mb: true diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 74c98417ef6..401cff2801a 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -581,6 +581,10 @@ void falco_configuration::load_yaml(const std::string& config_name) { m_metrics_flags |= METRICS_V2_KERNEL_COUNTERS; } + if (m_config.get_scalar("metrics.kernel_event_counters_per_cpu_enabled", true)) + { + m_metrics_flags |= METRICS_V2_KERNEL_COUNTERS_PER_CPU; + } if (m_config.get_scalar("metrics.libbpf_stats_enabled", true)) { m_metrics_flags |= METRICS_V2_LIBBPF_STATS; diff --git a/userspace/falco/stats_writer.cpp b/userspace/falco/stats_writer.cpp index 34be5fc4372..7e2a6303ed1 100644 --- a/userspace/falco/stats_writer.cpp +++ b/userspace/falco/stats_writer.cpp @@ -470,7 +470,7 @@ void stats_writer::collector::get_metrics_output_fields_additional( m_writer->m_output_rule_metrics_converter->convert_metric_to_unit_convention(metric); } char metric_name[METRIC_NAME_MAX] = "falco."; - if((metric.flags & METRICS_V2_LIBBPF_STATS) || (metric.flags & METRICS_V2_KERNEL_COUNTERS) ) + if((metric.flags & METRICS_V2_LIBBPF_STATS) || (metric.flags & METRICS_V2_KERNEL_COUNTERS) || (metric.flags & METRICS_V2_KERNEL_COUNTERS_PER_CPU) ) { strlcpy(metric_name, "scap.", sizeof(metric_name)); } @@ -600,7 +600,7 @@ void stats_writer::collector::collect(const std::shared_ptr& inspector, c // Note: src is static for live captures if (src != falco_common::syscall_source) { - flags &= ~(METRICS_V2_KERNEL_COUNTERS | METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS); + flags &= ~(METRICS_V2_KERNEL_COUNTERS | METRICS_V2_KERNEL_COUNTERS_PER_CPU | METRICS_V2_STATE_COUNTERS | METRICS_V2_LIBBPF_STATS); } m_writer->m_libs_metrics_collector = std::make_unique(inspector.get(), flags);