file_output not working when falco is running as a service

[pabloopez]

Using the default falco.yaml file and applying changes to the file_output option as follows:

file_output:
  enabled: true
  keep_alive: true
  filename: /path/to/my/file.txt

Alerts are written to the file if falco is executed with:

falco

but when executed as a service, no alerts are outputted to the file (but I can see alerts in the logs of the service):

systemctl start falco

Expected behaviour

The expected behaviour is alerts being printed into the file, same behavior as observed when running falco manually from the cli.

Environment

• Falco version:

Falco version: 0.30.0
Driver version: 3aa7a83bf7b9e6229a3824e3fd1f4452d1e95cb4

• System info:

{
  "machine": "x86_64",
  "nodename": "host",
  "release": "5.4.0-1040-gcp",
  "sysname": "Linux",
  "version": "#43-Ubuntu SMP Fri Mar 19 17:49:48 UTC 2021"
}

• OS:

NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

• Kernel:

Linux host 5.4.0-1040-gcp #43-Ubuntu SMP Fri Mar 19 17:49:48 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

• Installation method:

apt

[FedeDP]

Hi! Thanks for opening this bug report!
Is filename: /path/to/my/file.txtplaced in your home?
Note the ProtectHome=read-only in the falco service file: you are not able to open a log file in any /home/ subdir.

I just opened a PR (#1773) to at least give user a clue if output_file failed to be created.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

[poiana]

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.