How to stop discarding system calls before falco processing #102

zhiyuan-wan · 2016-07-28T07:49:08Z

Hi there,
As the wiki page https://github.com/draios/falco/wiki/Falco-Rules says, for performance consideration, the sysdig logs of a list of system calls are discarded before falco processing. However, I would like to collect the complete system call list of a running process.
I wonder how I can stop falco discard system calls before processing.

Thanks,
Zhiyuan

mstemm · 2016-08-04T21:58:11Z

That behavior isn't controllable by any command line option right now. If you can build from source, https://github.com/draios/falco/blob/dev/userspace/falco/falco.cpp#L405 is where the inspector sets EF_DROP_FALCO, which starts the dropping of nonessential system calls.

I'll see if I can make it configurable on the command line.

zhiyuan-wan changed the title ~~How to stop ignoring~~ How to stop discarding system calls before falco processing Jul 28, 2016

mstemm mentioned this issue Aug 4, 2016

Add ability to run on all events. #107

Merged

mstemm self-assigned this Aug 4, 2016

mstemm added the work-in-progress label Aug 4, 2016

mstemm closed this as completed in #107 Aug 5, 2016

mstemm removed the work-in-progress label Aug 5, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to stop discarding system calls before falco processing #102

How to stop discarding system calls before falco processing #102

zhiyuan-wan commented Jul 28, 2016 •

edited

Loading

mstemm commented Aug 4, 2016

How to stop discarding system calls before falco processing #102

How to stop discarding system calls before falco processing #102

Comments

zhiyuan-wan commented Jul 28, 2016 • edited Loading

mstemm commented Aug 4, 2016

zhiyuan-wan commented Jul 28, 2016 •

edited

Loading