title | description | linktitle | weight |
---|---|---|---|
Generating sample events | Test your Falco deployment by generating sample events under controlled circumstances | Generating sample events | 70 |
To check that Falco is working properly, use the {{< glossary_tooltip text="event-generator" term_id="event-generator" >}} tool, which can perform activity that triggers both our {{< glossary_tooltip text="syscalls" term_id="syscalls" >}} and {{< glossary_tooltip text="k8s audit" term_id="kubernetes-audit-log" >}} related rules.
The tool provides a command to run either some or all sample events.
```shell
event-generator run [regexp]
```
Without arguments it runs all actions; otherwise it runs only those actions matching the given regular expression.
The full command line documentation is here.
Artifacts | Version | |
---|---|---|
binaries | download link | |
container images | `docker pull falcosecurity/event-generator:latest` | |
{{% pageinfo color="warning" %}} WARNING
Since some commands might alter your system, we strongly recommend that you run the program within a container (see below).
For example, some actions modify files and directories below `/bin`, `/etc`, `/dev`, etc.
{{% /pageinfo %}}
The `syscall` collection performs a variety of suspect actions that are detected by the default Falco ruleset.
```shell
docker run -it --rm falcosecurity/event-generator run syscall --loop
```
The above command loops forever, incessantly generating a sample event each second.
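To confirm that the generated activity actually produced alerts, you can compare Falco's output against the actions you ran. The following is an added example, not part of the event-generator project: it assumes Falco runs with JSON output enabled, that a rule name equals the action name once case and spacing are ignored, and the action names and log lines are constructed for illustration.

```python
import json
import re
from collections import Counter


def normalize(name):
    """Lowercase a rule or action name and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def fired_rules(lines):
    """Count alerts per rule in Falco JSON output, skipping non-alert lines."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # startup banner or other plain-text log line
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line, e.g. cut off by log rotation
        if isinstance(event, dict) and isinstance(event.get("rule"), str):
            counts[event["rule"]] += 1
    return counts


def missing_actions(lines, actions):
    """Return the actions for which no alert with a matching rule name was seen."""
    seen = {normalize(rule) for rule in fired_rules(lines)}
    # Drop the "collection." prefix from the action name before comparing.
    return [a for a in actions if normalize(a.split(".", 1)[-1]) not in seen]


# Constructed sample: Falco JSON output mixed with a banner and a truncated line.
SAMPLE_LOG = """\
Falco initialized with configuration file /etc/falco/falco.yaml
{"output":"... File below a known binary directory opened for writing ...","priority":"Error","rule":"Write below binary dir","time":"2024-01-01T10:00:01.000000000Z","output_fields":{}}
{"output":"... Sensitive file opened for reading by non-trusted program ...","priority":"Warning","rule":"Read sensitive file untrusted","time":"2024-01-01T10:00:02.000000000Z","output_fields":{}}
{"output":"... Sensitive file opened","priority":"Warn
""".splitlines()

# Assumed action names, chosen for illustration only.
ACTIONS = ["syscall.WriteBelowBinaryDir", "syscall.ReadSensitiveFileUntrusted",
           "syscall.ModifyBinaryDirs"]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_LOG, ACTIONS):
        print("no alert seen for", action)
```

An action reported as missing means either the matching rule is not loaded in your ruleset or Falco did not observe the event, so check both before concluding the deployment is broken.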
The `k8saudit` collection generates activity that matches the k8s audit event ruleset.
```shell
event-generator run k8saudit --loop
```
The above command loops forever, creating resources in the current namespace and deleting them after each iteration. Use the `--namespace` option to choose a different namespace.
We've also provided a helm chart that makes it easy to run the event generator in K8s clusters.
First, add the `falcosecurity` charts repository:
```shell
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
```
Once you have the helm repo configured, you can run the following to create the necessary objects in the `event-generator` namespace and then generate events continuously:
```shell
helm install event-generator falcosecurity/event-generator \
  --namespace event-generator \
  --create-namespace \
  --set config.loop=false \
  --set config.actions=""
```
The above command applies to the `event-generator` namespace. Use the `--namespace` option to deploy in a different namespace. Events will be generated in the same namespace.
You can also find more examples in the event-generator and charts repositories.