update(userspace/falco): print out current time when a timeouts notif…

…ication gets emitted Also, print out the time of the last processed event in the output fields of the notification. Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
falcosecurity · Apr 19, 2021 · 0df18fd · 0df18fd
1 parent c1da6d2
commit 0df18fd
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/falco.yaml b/falco.yaml
@@ -110,6 +110,7 @@ syscall_event_drops:
 # Here you can configure the maximum number of consecutive timeouts without an event
 # after which you want Falco to alert.
 # By default this value is set to 1000 consecutive timeouts without an event at all.
+# How this value maps to a time interval depends on the CPU frequency.
 
 syscall_event_timeouts:
   max_consecutives: 1000

diff --git a/userspace/falco/falco.cpp b/userspace/falco/falco.cpp
@@ -23,6 +23,7 @@ limitations under the License.
 #include <vector>
 #include <algorithm>
 #include <string>
+#include <chrono>
 #include <functional>
 #include <signal.h>
 #include <fcntl.h>
@@ -253,7 +254,7 @@ uint64_t do_inspect(falco_engine *engine,
 	sinsp_evt* ev;
 	StatsFileWriter writer;
 	uint64_t duration_start = 0;
-	uint64_t timeouts_since_last_success_or_msg = 0;
+	uint32_t timeouts_since_last_success_or_msg = 0;
 
 	sdropmgr.init(inspector,
 		      outputs,
@@ -304,12 +305,17 @@ uint64_t do_inspect(falco_engine *engine,
 			if(unlikely(ev == nullptr))
 			{
 				timeouts_since_last_success_or_msg++;
-				if(timeouts_since_last_success_or_msg > 100)
+				if(timeouts_since_last_success_or_msg > config.m_syscall_evt_timeout_max_consecutives)
 				{
 					std::string rule = "Falco internal: timeouts notification";
-					std::string msg = rule + ". 100 consecutive timeouts without event.";
-					std::map<std::string, std::string> of;
-					outputs->handle_msg(duration_start, falco_common::PRIORITY_DEBUG, msg, rule, of);
+					std::string msg = rule + ". " + std::to_string(config.m_syscall_evt_timeout_max_consecutives) + " consecutive timeouts without event.";
+					std::string last_event_time_str;
+					sinsp_utils::ts_to_string(duration_start, &last_event_time_str, false, true);
+					std::map<std::string, std::string> o = {
+						{"last_event_time", last_event_time_str},
+					};
+					auto now = std::chrono::duration_cast<std::chrono::nanoseconds>(std::chrono::system_clock::now().time_since_epoch()).count();
+					outputs->handle_msg(now, falco_common::PRIORITY_DEBUG, msg, rule, o);
 					// Reset the timeouts counter, Falco alerted
 					timeouts_since_last_success_or_msg = 0;
 				}