You are viewing documentation for Falco version: v0.30.0

Falco v0.30.0 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Supported Fields for Conditions and Outputs

Here are the fields supported by Falco. These fields can be used in the condition key of a Falco rule and well as the output key. Any fields included in the output key of a rule will also be included in the alert's output_fields object when json_output is set to true.

You can also see this set of fields via falco --list=<source>, with <source> being one of the supported sources:

System Calls (source syscall)

syscall event source fields are provided by the Falco Drivers.

# System Kernel Fields
$ falco --list=syscall

Field Class: evt

Generic event fields. Note that for syscall events you can access the individual arguments/parameters of each syscall via evt.arg, e.g. evt.arg.filename.

NameTypeDescription
evt.numUINT64event number.
evt.timeCHARBUFevent timestamp as a time string that includes the nanosecond part.
evt.time.sCHARBUFevent timestamp as a time string with no nanoseconds.
evt.time.iso8601CHARBUFevent timestamp in ISO 8601 format, including nanoseconds and time zone offset (in UTC).
evt.datetimeCHARBUFevent timestamp as a time string that includes the date.
evt.rawtimeABSTIMEabsolute event timestamp, i.e. nanoseconds from epoch.
evt.rawtime.sABSTIMEinteger part of the event timestamp (e.g. seconds since epoch).
evt.rawtime.nsABSTIMEfractional part of the absolute event timestamp.
evt.reltimeRELTIMEnumber of nanoseconds from the beginning of the capture.
evt.reltime.sRELTIMEnumber of seconds from the beginning of the capture.
evt.reltime.nsRELTIMEfractional part (in ns) of the time from the beginning of the capture.
evt.latencyRELTIMEdelta between an exit event and the correspondent enter event, in nanoseconds.
evt.latency.sRELTIMEinteger part of the event latency delta.
evt.latency.nsRELTIMEfractional part of the event latency delta.
evt.latency.humanCHARBUFdelta between an exit event and the correspondent enter event, as a human readable string (e.g. 10.3ms).
evt.deltatimeRELTIMEdelta between this event and the previous event, in nanoseconds.
evt.deltatime.sRELTIMEinteger part of the delta between this event and the previous event.
evt.deltatime.nsRELTIMEfractional part of the delta between this event and the previous event.
evt.outputtimeCHARBUFthis depends on -t param, default is %evt.time ('h').
evt.dirCHARBUFevent direction can be either '>' for enter events or '<' for exit events.
evt.typeCHARBUFThe name of the event (e.g. 'open').
evt.type.isUINT32allows one to specify an event type, and returns 1 for events that are of that type. For example, evt.type.is.open returns 1 for open events, 0 for any other event.
syscall.typeCHARBUFFor system call events, the name of the system call (e.g. 'open'). Unset for other events (e.g. switch or internal events). Use this field instead of evt.type if you need to make sure that the filtered/printed value is actually a system call.
evt.categoryCHARBUFThe event category. Example values are 'file' (for file operations like open and close), 'net' (for network operations like socket and bind), memory (for things like brk or mmap), and so on.
evt.cpuINT16number of the CPU where this event happened.
evt.argsCHARBUFall the event arguments, aggregated into a single string.
evt.argCHARBUFone of the event arguments specified by name or by number. Some events (e.g. return codes or FDs) will be converted into a text representation when possible. E.g. 'evt.arg.fd' or 'evt.arg[0]'.
evt.rawargDYNAMICone of the event arguments specified by name. E.g. 'evt.rawarg.fd'.
evt.infoCHARBUFfor most events, this field returns the same value as evt.args. However, for some events (like writes to /dev/log) it provides higher level information coming from decoding the arguments.
evt.bufferBYTEBUFthe binary data buffer for events that have one, like read(), recvfrom(), etc. Use this field in filters with 'contains' to search into I/O data buffers.
evt.buflenUINT64the length of the binary data buffer for events that have one, like read(), recvfrom(), etc.
evt.resCHARBUFevent return value, as a string. If the event failed, the result is an error code string (e.g. 'ENOENT'), otherwise the result is the string 'SUCCESS'.
evt.rawresINT64event return value, as a number (e.g. -2). Useful for range comparisons.
evt.failedBOOL'true' for events that returned an error status.
evt.is_ioBOOL'true' for events that read or write to FDs, like read(), send, recvfrom(), etc.
evt.is_io_readBOOL'true' for events that read from FDs, like read(), recv(), recvfrom(), etc.
evt.is_io_writeBOOL'true' for events that write to FDs, like write(), send(), etc.
evt.io_dirCHARBUF'r' for events that read from FDs, like read(); 'w' for events that write to FDs, like write().
evt.is_waitBOOL'true' for events that make the thread wait, e.g. sleep(), select(), poll().
evt.wait_latencyRELTIMEfor events that make the thread wait (e.g. sleep(), select(), poll()), this is the time spent waiting for the event to return, in nanoseconds.
evt.is_syslogBOOL'true' for events that are writes to /dev/log.
evt.countUINT32This filter field always returns 1 and can be used to count events from inside chisels.
evt.count.errorUINT32This filter field returns 1 for events that returned with an error, and can be used to count event failures from inside chisels.
evt.count.error.fileUINT32This filter field returns 1 for events that returned with an error and are related to file I/O, and can be used to count event failures from inside chisels.
evt.count.error.netUINT32This filter field returns 1 for events that returned with an error and are related to network I/O, and can be used to count event failures from inside chisels.
evt.count.error.memoryUINT32This filter field returns 1 for events that returned with an error and are related to memory allocation, and can be used to count event failures from inside chisels.
evt.count.error.otherUINT32This filter field returns 1 for events that returned with an error and are related to none of the previous categories, and can be used to count event failures from inside chisels.
evt.count.exitUINT32This filter field returns 1 for exit events, and can be used to count single events from inside chisels.
evt.aroundUINT64Accepts the event if it's around the specified time interval. The syntax is evt.around[T]=D, where T is the value returned by %evt.rawtime for the event and D is a delta in milliseconds. For example, evt.around[1404996934793590564]=1000 will return the events with timestamp with one second before the timestamp and one second after it, for a total of two seconds of capture.
evt.abspathCHARBUFAbsolute path calculated from dirfd and name during syscalls like renameat and symlinkat. Use 'evt.abspath.src' or 'evt.abspath.dst' for syscalls that support multiple paths.
evt.is_open_readBOOL'true' for open/openat events where the path was opened for reading
evt.is_open_writeBOOL'true' for open/openat events where the path was opened for writing
evt.is_open_execBOOL'true' for open/openat or creat events where a file is created with execute permissions

Field Class: process

Additional information about the process and thread executing the syscall event.

NameTypeDescription
proc.pidINT64the id of the process generating the event.
proc.exeCHARBUFthe first command line argument (usually the executable name or a custom one).
proc.nameCHARBUFthe name (excluding the path) of the executable generating the event.
proc.argsCHARBUFthe arguments passed on the command line when starting the process generating the event.
proc.envCHARBUFthe environment variables of the process generating the event.
proc.cmdlineCHARBUFfull process command line, i.e. proc.name + proc.args.
proc.exelineCHARBUFfull process command line, with exe as first argument, i.e. proc.exe + proc.args.
proc.cwdCHARBUFthe current working directory of the event.
proc.nthreadsUINT32the number of threads that the process generating the event currently has, including the main process thread.
proc.nchildsUINT32the number of child threads that the process generating the event currently has. This excludes the main process thread.
proc.ppidINT64the pid of the parent of the process generating the event.
proc.pnameCHARBUFthe name (excluding the path) of the parent of the process generating the event.
proc.pcmdlineCHARBUFthe full command line (proc.name + proc.args) of the parent of the process generating the event.
proc.apidINT64the pid of one of the process ancestors. E.g. proc.apid[1] returns the parent pid, proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the current process. proc.apid without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.apid=1234.
proc.anameCHARBUFthe name (excluding the path) of one of the process ancestors. E.g. proc.aname[1] returns the parent name, proc.aname[2] returns the grandparent name, and so on. proc.aname[0] is the name of the current process. proc.aname without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aname=bash.
proc.loginshellidINT64the pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate different user sessions, and is useful in conjunction with chisels like spy_user.
proc.durationRELTIMEnumber of nanoseconds since the process started.
proc.fdopencountUINT64number of open FDs for the process
proc.fdlimitINT64maximum number of FDs the process can open.
proc.fdusageDOUBLEthe ratio between open FDs and maximum available FDs for the process.
proc.vmsizeUINT64total virtual memory for the process (as kb).
proc.vmrssUINT64resident non-swapped memory for the process (as kb).
proc.vmswapUINT64swapped memory for the process (as kb).
thread.pfmajorUINT64number of major page faults since thread start.
thread.pfminorUINT64number of minor page faults since thread start.
thread.tidINT64the id of the thread generating the event.
thread.ismainBOOL'true' if the thread generating the event is the main one in the process.
thread.exectimeRELTIMECPU time spent by the last scheduled thread, in nanoseconds. Exported by switch events only.
thread.totexectimeRELTIMETotal CPU time, in nanoseconds since the beginning of the capture, for the current thread. Exported by switch events only.
thread.cgroupsCHARBUFall the cgroups the thread belongs to, aggregated into a single string.
thread.cgroupCHARBUFthe cgroup the thread belongs to, for a specific subsystem. E.g. thread.cgroup.cpuacct.
thread.vtidINT64the id of the thread generating the event as seen from its current PID namespace.
proc.vpidINT64the id of the process generating the event as seen from its current PID namespace.
thread.cpuDOUBLEthe CPU consumed by the thread in the last second.
thread.cpu.userDOUBLEthe user CPU consumed by the thread in the last second.
thread.cpu.systemDOUBLEthe system CPU consumed by the thread in the last second.
thread.vmsizeUINT64For the process main thread, this is the total virtual memory for the process (as kb). For the other threads, this field is zero.
thread.vmrssUINT64For the process main thread, this is the resident non-swapped memory for the process (as kb). For the other threads, this field is zero.
proc.sidINT64the session id of the process generating the event.
proc.snameCHARBUFthe name of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.
proc.ttyINT32The controlling terminal of the process. 0 for processes without a terminal.
proc.exepathCHARBUFThe full executable path of the process.
proc.vpgidINT64the process group id of the process generating the event, as seen from its current PID namespace.
proc.is_container_healthcheckBOOLtrue if this process is running as a part of the container's health check.
proc.is_container_liveness_probeBOOLtrue if this process is running as a part of the container's liveness probe.
proc.is_container_readiness_probeBOOLtrue if this process is running as a part of the container's readiness probe.

Field Class: user

Information about the user executing the specific event.

NameTypeDescription
user.uidUINT32user ID.
user.nameCHARBUFuser name.
user.homedirCHARBUFhome directory of the user.
user.shellCHARBUFuser's shell.
user.loginuidINT32audit user id (auid).
user.loginnameCHARBUFaudit user name (auid).

Field Class: group

Information about the user group.

NameTypeDescription
group.gidUINT64group ID.
group.nameCHARBUFgroup name.

Field Class: container

Container information. If the event is not happening inside a container, both id and name will be set to 'host'.

NameTypeDescription
container.idCHARBUFthe container id.
container.nameCHARBUFthe container name.
container.imageCHARBUFthe container image name (e.g. falcosecurity/falco:latest for docker).
container.image.idCHARBUFthe container image id (e.g. 6f7e2741b66b).
container.typeCHARBUFthe container type, eg: docker or rkt
container.privilegedBOOLtrue for containers running as privileged, false otherwise
container.mountsCHARBUFA space-separated list of mount information. Each item in the list has the format ::::
container.mountCHARBUFInformation about a single mount, specified by number (e.g. container.mount[0]) or mount source (container.mount[/usr/local]). The pathname can be a glob (container.mount[/usr/local/*]), in which case the first matching mount will be returned. The information has the format ::::. If there is no mount with the specified index or matching the provided source, returns the string "none" instead of a NULL value.
container.mount.sourceCHARBUFthe mount source, specified by number (e.g. container.mount.source[0]) or mount destination (container.mount.source[/host/lib/modules]). The pathname can be a glob.
container.mount.destCHARBUFthe mount destination, specified by number (e.g. container.mount.dest[0]) or mount source (container.mount.dest[/lib/modules]). The pathname can be a glob.
container.mount.modeCHARBUFthe mount mode, specified by number (e.g. container.mount.mode[0]) or mount source (container.mount.mode[/usr/local]). The pathname can be a glob.
container.mount.rdwrCHARBUFthe mount rdwr value, specified by number (e.g. container.mount.rdwr[0]) or mount source (container.mount.rdwr[/usr/local]). The pathname can be a glob.
container.mount.propagationCHARBUFthe mount propagation value, specified by number (e.g. container.mount.propagation[0]) or mount source (container.mount.propagation[/usr/local]). The pathname can be a glob.
container.image.repositoryCHARBUFthe container image repository (e.g. falcosecurity/falco).
container.image.tagCHARBUFthe container image tag (e.g. stable, latest).
container.image.digestCHARBUFthe container image registry digest (e.g. sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27).
container.healthcheckCHARBUFThe container's health check. Will be the null value ("N/A") if no healthcheck configured, "NONE" if configured but explicitly not created, and the healthcheck command line otherwise
container.liveness_probeCHARBUFThe container's liveness probe. Will be the null value ("N/A") if no liveness probe configured, the liveness probe command line otherwise
container.readiness_probeCHARBUFThe container's readiness probe. Will be the null value ("N/A") if no readiness probe configured, the readiness probe command line otherwise

Field Class: fd

Every syscall that has a file descriptor in its arguments has these fields set with information related to the file.

NameTypeDescription
fd.numINT64the unique number identifying the file descriptor.
fd.typeCHARBUFtype of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' or 'signalfd'.
fd.typecharCHARBUFtype of FD as a single character. Can be 'f' for file, 4 for IPv4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for inotify, 'o' for unknown.
fd.nameCHARBUFFD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple.
fd.directoryCHARBUFIf the fd is a file, the directory that contains it.
fd.filenameCHARBUFIf the fd is a file, the filename without the path.
fd.ipIPADDRmatches the ip address (client or server) of the fd.
fd.cipIPADDRclient IP address.
fd.sipIPADDRserver IP address.
fd.lipIPADDRlocal IP address.
fd.ripIPADDRremote IP address.
fd.portPORTmatches the port (either client or server) of the fd.
fd.cportPORTfor TCP/UDP FDs, the client port.
fd.sportPORTfor TCP/UDP FDs, server port.
fd.lportPORTfor TCP/UDP FDs, the local port.
fd.rportPORTfor TCP/UDP FDs, the remote port.
fd.l4protoCHARBUFthe IP protocol of a socket. Can be 'tcp', 'udp', 'icmp' or 'raw'.
fd.sockfamilyCHARBUFthe socket family for socket events. Can be 'ip' or 'unix'.
fd.is_serverBOOL'true' if the process owning this FD is the server endpoint in the connection.
fd.uidCHARBUFa unique identifier for the FD, created by chaining the FD number and the thread ID.
fd.containernameCHARBUFchaining of the container ID and the FD name. Useful when trying to identify which container an FD belongs to.
fd.containerdirectoryCHARBUFchaining of the container ID and the directory name. Useful when trying to identify which container a directory belongs to.
fd.protoPORTmatches the protocol (either client or server) of the fd.
fd.cprotoCHARBUFfor TCP/UDP FDs, the client protocol.
fd.sprotoCHARBUFfor TCP/UDP FDs, server protocol.
fd.lprotoCHARBUFfor TCP/UDP FDs, the local protocol.
fd.rprotoCHARBUFfor TCP/UDP FDs, the remote protocol.
fd.netIPNETmatches the IP network (client or server) of the fd.
fd.cnetIPNETmatches the client IP network of the fd.
fd.snetIPNETmatches the server IP network of the fd.
fd.lnetIPNETmatches the local IP network of the fd.
fd.rnetIPNETmatches the remote IP network of the fd.
fd.connectedBOOLfor TCP/UDP FDs, 'true' if the socket is connected.
fd.name_changedBOOLTrue when an event changes the name of an fd used by this event. This can occur in some cases such as udp connections where the connection tuple changes.
fd.cip.nameCHARBUFDomain name associated with the client IP address.
fd.sip.nameCHARBUFDomain name associated with the server IP address.
fd.lip.nameCHARBUFDomain name associated with the local IP address.
fd.rip.nameCHARBUFDomain name associated with the remote IP address.
fd.devINT32device number (major/minor) containing the referenced file
fd.dev.majorINT32major device number containing the referenced file
fd.dev.minorINT32minor device number containing the referenced file

Field Class: syslog

Content of Syslog messages.

NameTypeDescription
syslog.facility.strCHARBUFfacility as a string.
syslog.facilityUINT32facility as a number (0-23).
syslog.severity.strCHARBUFseverity as a string. Can have one of these values: emerg, alert, crit, err, warn, notice, info, debug
syslog.severityUINT32severity as a number (0-7).
syslog.messageCHARBUFmessage sent to syslog.

Field Class: fdlist

Poll event related fields.

NameTypeDescription
fdlist.numsCHARBUFfor poll events, this is a comma-separated list of the FD numbers in the 'fds' argument, returned as a string.
fdlist.namesCHARBUFfor poll events, this is a comma-separated list of the FD names in the 'fds' argument, returned as a string.
fdlist.cipsCHARBUFfor poll events, this is a comma-separated list of the client IP addresses in the 'fds' argument, returned as a string.
fdlist.sipsCHARBUFfor poll events, this is a comma-separated list of the server IP addresses in the 'fds' argument, returned as a string.
fdlist.cportsCHARBUFfor TCP/UDP FDs, for poll events, this is a comma-separated list of the client TCP/UDP ports in the 'fds' argument, returned as a string.
fdlist.sportsCHARBUFfor poll events, this is a comma-separated list of the server TCP/UDP ports in the 'fds' argument, returned as a string.

Field Class: k8s

Kubernetes related context.

NameTypeDescription
k8s.pod.nameCHARBUFKubernetes pod name.
k8s.pod.idCHARBUFKubernetes pod id.
k8s.pod.labelCHARBUFKubernetes pod label. E.g. 'k8s.pod.label.foo'.
k8s.pod.labelsCHARBUFKubernetes pod comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.rc.nameCHARBUFKubernetes replication controller name.
k8s.rc.idCHARBUFKubernetes replication controller id.
k8s.rc.labelCHARBUFKubernetes replication controller label. E.g. 'k8s.rc.label.foo'.
k8s.rc.labelsCHARBUFKubernetes replication controller comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.svc.nameCHARBUFKubernetes service name (can return more than one value, concatenated).
k8s.svc.idCHARBUFKubernetes service id (can return more than one value, concatenated).
k8s.svc.labelCHARBUFKubernetes service label. E.g. 'k8s.svc.label.foo' (can return more than one value, concatenated).
k8s.svc.labelsCHARBUFKubernetes service comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.ns.nameCHARBUFKubernetes namespace name.
k8s.ns.idCHARBUFKubernetes namespace id.
k8s.ns.labelCHARBUFKubernetes namespace label. E.g. 'k8s.ns.label.foo'.
k8s.ns.labelsCHARBUFKubernetes namespace comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.rs.nameCHARBUFKubernetes replica set name.
k8s.rs.idCHARBUFKubernetes replica set id.
k8s.rs.labelCHARBUFKubernetes replica set label. E.g. 'k8s.rs.label.foo'.
k8s.rs.labelsCHARBUFKubernetes replica set comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.deployment.nameCHARBUFKubernetes deployment name.
k8s.deployment.idCHARBUFKubernetes deployment id.
k8s.deployment.labelCHARBUFKubernetes deployment label. E.g. 'k8s.rs.label.foo'.
k8s.deployment.labelsCHARBUFKubernetes deployment comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.

Field Class: mesos

Mesos related context.

NameTypeDescription
mesos.task.nameCHARBUFMesos task name.
mesos.task.idCHARBUFMesos task id.
mesos.task.labelCHARBUFMesos task label. E.g. 'mesos.task.label.foo'.
mesos.task.labelsCHARBUFMesos task comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
mesos.framework.nameCHARBUFMesos framework name.
mesos.framework.idCHARBUFMesos framework id.
marathon.app.nameCHARBUFMarathon app name.
marathon.app.idCHARBUFMarathon app id.
marathon.app.labelCHARBUFMarathon app label. E.g. 'marathon.app.label.foo'.
marathon.app.labelsCHARBUFMarathon app comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
marathon.group.nameCHARBUFMarathon group name.
marathon.group.idCHARBUFMarathon group id.

Field Class: span

Fields used if information about distributed tracing is available.

NameTypeDescription
span.idINT64ID of the span. This is a unique identifier that is used to match the enter and exit tracer events for this span. It can also be used to match different spans belonging to a trace.
span.timeCHARBUFtime of the span's enter tracer as a human readable string that includes the nanosecond part.
span.ntagsUINT32number of tags that this span has.
span.nargsUINT32number of arguments that this span has.
span.tagsCHARBUFdot-separated list of all of the span's tags.
span.tagCHARBUFone of the span's tags, specified by 0-based offset, e.g. 'span.tag[1]'. You can use a negative offset to pick elements from the end of the tag list. For example, 'span.tag[-1]' returns the last tag.
span.argsCHARBUFcomma-separated list of the span's arguments.
span.argCHARBUFone of the span arguments, specified by name or by 0-based offset. E.g. 'span.arg.xxx' or 'span.arg[1]'. You can use a negative offset to pick elements from the end of the tag list. For example, 'span.arg[-1]' returns the last argument.
span.enterargsCHARBUFcomma-separated list of the span's enter tracer event arguments. For enter tracers, this is the same as evt.args. For exit tracers, this is the evt.args of the corresponding enter tracer.
span.enterargCHARBUFone of the span's enter arguments, specified by name or by 0-based offset. For enter tracer events, this is the same as evt.arg. For exit tracer events, this is the evt.arg of the corresponding enter event.
span.durationRELTIMEdelta between this span's exit tracer event and the enter tracer event.
span.duration.humanCHARBUFdelta between this span's exit tracer event and the enter event, as a human readable string (e.g. 10.3ms).

Field Class: evtin

Fields used if information about distributed tracing is available.

NameTypeDescription
evtin.span.idINT64accepts all the events that are between the enter and exit tracers of the spans with the given ID and are generated by the same thread that generated the tracers.
evtin.span.ntagsUINT32accepts all the events that are between the enter and exit tracers of the spans with the given number of tags and are generated by the same thread that generated the tracers.
evtin.span.nargsUINT32accepts all the events that are between the enter and exit tracers of the spans with the given number of arguments and are generated by the same thread that generated the tracers.
evtin.span.tagsCHARBUFaccepts all the events that are between the enter and exit tracers of the spans with the given tags and are generated by the same thread that generated the tracers.
evtin.span.tagCHARBUFaccepts all the events that are between the enter and exit tracers of the spans with the given tag and are generated by the same thread that generated the tracers. See the description of span.tag for information about the syntax accepted by this field.
evtin.span.argsCHARBUFaccepts all the events that are between the enter and exit tracers of the spans with the given arguments and are generated by the same thread that generated the tracers.
evtin.span.argCHARBUFaccepts all the events that are between the enter and exit tracers of the spans with the given argument and are generated by the same thread that generated the tracers. See the description of span.arg for information about the syntax accepted by this field.
evtin.span.p.idINT64same as evtin.span.id, but also accepts events generated by other threads in the same process that produced the span.
evtin.span.p.ntagsUINT32same as evtin.span.ntags, but also accepts events generated by other threads in the same process that produced the span.
evtin.span.p.nargsUINT32same as evtin.span.nargs, but also accepts events generated by other threads in the same process that produced the span.
evtin.span.p.tagsCHARBUFsame as evtin.span.tags, but also accepts events generated by other threads in the same process that produced the span.
evtin.span.p.tagCHARBUFsame as evtin.span.tag, but also accepts events generated by other threads in the same process that produced the span.
evtin.span.p.argsCHARBUFsame as evtin.span.args, but also accepts events generated by other threads in the same process that produced the span.
evtin.span.p.argCHARBUFsame as evtin.span.arg, but also accepts events generated by other threads in the same process that produced the span.
evtin.span.s.idINT64same as evtin.span.id, but also accepts events generated by the script that produced the span, i.e. by the processes whose parent PID is the same as the one of the process generating the span.
evtin.span.s.ntagsUINT32same as evtin.span.id, but also accepts events generated by the script that produced the span, i.e. by the processes whose parent PID is the same as the one of the process generating the span.
evtin.span.s.nargsUINT32same as evtin.span.id, but also accepts events generated by the script that produced the span, i.e. by the processes whose parent PID is the same as the one of the process generating the span.
evtin.span.s.tagsCHARBUFsame as evtin.span.id, but also accepts events generated by the script that produced the span, i.e. by the processes whose parent PID is the same as the one of the process generating the span.
evtin.span.s.tagCHARBUFsame as evtin.span.id, but also accepts events generated by the script that produced the span, i.e. by the processes whose parent PID is the same as the one of the process generating the span.
evtin.span.s.argsCHARBUFsame as evtin.span.id, but also accepts events generated by the script that produced the span, i.e. by the processes whose parent PID is the same as the one of the process generating the span.
evtin.span.s.argCHARBUFsame as evtin.span.id, but also accepts events generated by the script that produced the span, i.e. by the processes whose parent PID is the same as the one of the process generating the span.
evtin.span.m.idINT64same as evtin.span.id, but accepts all the events generated on the machine during the span, including other threads and other processes.
evtin.span.m.ntagsUINT32same as evtin.span.id, but accepts all the events generated on the machine during the span, including other threads and other processes.
evtin.span.m.nargsUINT32same as evtin.span.id, but accepts all the events generated on the machine during the span, including other threads and other processes.
evtin.span.m.tagsCHARBUFsame as evtin.span.id, but accepts all the events generated on the machine during the span, including other threads and other processes.
evtin.span.m.tagCHARBUFsame as evtin.span.id, but accepts all the events generated on the machine during the span, including other threads and other processes.
evtin.span.m.argsCHARBUFsame as evtin.span.id, but accepts all the events generated on the machine during the span, including other threads and other processes.
evtin.span.m.argCHARBUFsame as evtin.span.id, but accepts all the events generated on the machine during the span, including other threads and other processes.

Kubernetes Audit Events (source k8s_audit)

Kubernetes Audit event fields are supported by the Kubernetes Audit event source. For more information please refer to the Kubernetes Audit event source documentation.

# Kubernetes Audit event Fields
$ falco --list=k8s_audit

Field Class: jevt

generic ways to access json events

NameDescription
jevt.timejson event timestamp as a string that includes the nanosecond part
jevt.time.iso8601json event timestamp in ISO 8601 format, including nanoseconds and time zone offset (in UTC)
jevt.rawtimeabsolute event timestamp, i.e. nanoseconds from epoch.
jevt.valueGeneral way to access single property from json object. The syntax is []. The property is returned as a string (IDX_REQUIRED, IDX_KEY)
jevt.objThe entire json object, stringified

Field Class: ka

Access K8s Audit Log Events

Fields with an IDX_ALLOWED annotation can be indexed (e.g. ka.req.containers.image[k] returns the image for the kth container). The index is optional--without any index the field returns values for all items. The index must be numeric with an IDX_NUMERIC annotation, and can be any string with an IDX_KEY annotation. Fields with an IDX_REQUIRED annotation require an index.

NameDescription
ka.auditidThe unique id of the audit event
ka.stageStage of the request (e.g. RequestReceived, ResponseComplete, etc.)
ka.auth.decisionThe authorization decision
ka.auth.reasonThe authorization reason
ka.user.nameThe user name performing the request
ka.user.groupsThe groups to which the user belongs
ka.impuser.nameThe impersonated user name
ka.verbThe action being performed
ka.uriThe request URI as sent from client to server
ka.uri.paramThe value of a given query parameter in the uri (e.g. when uri=/foo?key=val, ka.uri.param[key] is val). (IDX_REQUIRED, IDX_KEY)
ka.target.nameThe target object name
ka.target.namespaceThe target object namespace
ka.target.resourceThe target object resource
ka.target.subresourceThe target object subresource
ka.req.binding.subjectsWhen the request object refers to a cluster role binding, the subject (e.g. account/users) being linked by the binding
ka.req.binding.roleWhen the request object refers to a cluster role binding, the role being linked by the binding
ka.req.binding.subject.has_nameDeprecated, always returns "N/A". Only provided for backwards compatibility (IDX_REQUIRED, IDX_KEY)
ka.req.configmap.nameIf the request object refers to a configmap, the configmap name
ka.req.configmap.objIf the request object refers to a configmap, the entire configmap object
ka.req.pod.containers.imageWhen the request object refers to a pod, the container's images. (IDX_ALLOWED, IDX_NUMERIC)
ka.req.container.imageDeprecated by ka.req.pod.containers.image. Returns the image of the first container only
ka.req.pod.containers.image.repositoryThe same as req.container.image, but only the repository part (e.g. falcosecurity/falco). (IDX_ALLOWED, IDX_NUMERIC)
ka.req.container.image.repositoryDeprecated by ka.req.pod.containers.image.repository. Returns the repository of the first container only
ka.req.pod.host_ipcWhen the request object refers to a pod, the value of the hostIPC flag.
ka.req.pod.host_networkWhen the request object refers to a pod, the value of the hostNetwork flag.
ka.req.container.host_networkDeprecated alias for ka.req.pod.host_network
ka.req.pod.host_pidWhen the request object refers to a pod, the value of the hostPID flag.
ka.req.pod.containers.host_portWhen the request object refers to a pod, all container's hostPort values. (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.containers.privilegedWhen the request object refers to a pod, the value of the privileged flag for all containers. (IDX_ALLOWED, IDX_NUMERIC)
ka.req.container.privilegedDeprecated by ka.req.pod.containers.privileged. Returns true if any container has privileged=true
ka.req.pod.containers.allow_privilege_escalationWhen the request object refers to a pod, the value of the allowPrivilegeEscalation flag for all containers (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.containers.read_only_fsWhen the request object refers to a pod, the value of the readOnlyRootFilesystem flag for all containers (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.run_as_userWhen the request object refers to a pod, the runAsUser uid specified in the security context for the pod. See ....containers.run_as_user for the runAsUser for individual containers
ka.req.pod.containers.run_as_userWhen the request object refers to a pod, the runAsUser uid for all containers (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.containers.eff_run_as_userWhen the request object refers to a pod, the initial uid that will be used for all containers. This combines information from both the pod and container security contexts and uses 0 if no uid is specified (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.run_as_groupWhen the request object refers to a pod, the runAsGroup gid specified in the security context for the pod. See ....containers.run_as_group for the runAsGroup for individual containers
ka.req.pod.containers.run_as_groupWhen the request object refers to a pod, the runAsGroup gid for all containers (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.containers.eff_run_as_groupWhen the request object refers to a pod, the initial gid that will be used for all containers. This combines information from both the pod and container security contexts and uses 0 if no gid is specified (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.containers.proc_mountWhen the request object refers to a pod, the procMount types for all containers (IDX_ALLOWED, IDX_NUMERIC)
ka.req.role.rulesWhen the request object refers to a role/cluster role, the rules associated with the role
ka.req.role.rules.apiGroupsWhen the request object refers to a role/cluster role, the api groups associated with the role's rules (IDX_ALLOWED, IDX_NUMERIC)
ka.req.role.rules.nonResourceURLsWhen the request object refers to a role/cluster role, the non resource urls associated with the role's rules (IDX_ALLOWED, IDX_NUMERIC)
ka.req.role.rules.verbsWhen the request object refers to a role/cluster role, the verbs associated with the role's rules (IDX_ALLOWED, IDX_NUMERIC)
ka.req.role.rules.resourcesWhen the request object refers to a role/cluster role, the resources associated with the role's rules (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.fs_groupWhen the request object refers to a pod, the fsGroup gid specified by the security context.
ka.req.pod.supplemental_groupsWhen the request object refers to a pod, the supplementalGroup gids specified by the security context.
ka.req.pod.containers.add_capabilitiesWhen the request object refers to a pod, all capabilities to add when running the container. (IDX_ALLOWED, IDX_NUMERIC)
ka.req.service.typeWhen the request object refers to a service, the service type
ka.req.service.portsWhen the request object refers to a service, the service's ports (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.volumes.hostpathWhen the request object refers to a pod, all hostPath paths specified for all volumes (IDX_ALLOWED, IDX_NUMERIC)
ka.req.volume.hostpathDeprecated by ka.req.pod.volumes.hostpath. Return true if the provided (host) path prefix is used by any volume (IDX_ALLOWED, IDX_KEY)
ka.req.pod.volumes.flexvolume_driverWhen the request object refers to a pod, all flexvolume drivers specified for all volumes (IDX_ALLOWED, IDX_NUMERIC)
ka.req.pod.volumes.volume_typeWhen the request object refers to a pod, all volume types for all volumes (IDX_ALLOWED, IDX_NUMERIC)
ka.resp.nameThe response object name
ka.response.codeThe response code
ka.response.reasonThe response reason (usually present only for failures)
ka.useragentThe useragent of the client who made the request to the apiserver