Go Client
Retrieve Falco events using the gRPC Go Client
The client-go Go library provides:
- type and service mappings for the Falco gRPC API. For more information, see output schema.
- Clientand- Configstructs that simplify the connection to the gRPC server. For more information, see documentation.
Refer to the fully-functional example to see how the Go client connects to the Falco gRPC Outputs API and displays the events in JSON.
Additional examples for various APIs are located in the examples directory of the client-go repository.
- Ensure that you have the certificates in the example's path at - /etc/falco/certs/{client.crt,client.key,ca.crt}.
- In the client-go root directory, run: - $ go run examples/output/main.go | jq- The output events start flowing in depending on the set of rules in the Falco instance. - { "time": { "seconds": 1570094449, "nanos": 259268899 }, "priority": 3, "rule": "Modify binary dirs", "output": "09:20:49.259268899: Error File below known binary directory renamed/removed (user=vagrant command=lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced pcmdline=zsh operation=rena me file=<NA> res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath container_id=host image=<NA>)", "output_fields": { "container.id": "host", "container.image.repository": "<NA>", "evt.args": "res=0 oldpath=/usr/bin/realpath newpath=/usr/bin/realpath ", "evt.time": "09:20:49.259268899", "evt.type": "rename", "fd.name": "<NA>", "proc.cmdline": "lua /home/vagrant/.dotfiles/zsh/.config/zsh/plugins/z.lua/z.lua --init zsh once enhanced", "proc.pcmdline": "zsh", "user.name": "vagrant" } } { "time": { "seconds": 1570094449, "nanos": 620298462 }, "priority": 4, "rule": "Delete or rename shell history", "output": "09:20:49.620298462: Warning Shell history had been deleted or renamed (user=vagrant type=unlink command=zsh fd.name=<NA> name=<NA> path=/home/vagrant/.zsh_history.LOCK oldpath=<NA> host (id=host))", "output_fields": { "container.id": "host", "container.name": "host", "evt.arg.name": "<NA>", "evt.arg.oldpath": "<NA>", "evt.arg.path": "/home/vagrant/.zsh_history.LOCK", "evt.time": "09:20:49.620298462", "evt.type": "unlink", "fd.name": "<NA>", "proc.cmdline": "zsh", "user.name": "vagrant" } }
Was this page helpful?
Let us know! You feedback will help us to improve the content and to stay in touch with our users.
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
