FEAT(falco): add loki output to falcosidekick

- Send Falco events directly to Loki - Enables viewing detailed events in Grafana with all fields - Same data as Falco UI but queryable in Grafana
2026-01-04 13:06:23 +09:00
parent 76c5fd8343
commit c66801a166
1 changed files with 10 additions and 0 deletions
--- a/falco/helm-values.yaml
+++ b/falco/helm-values.yaml
@@ -35,6 +35,10 @@ falco:
  # Performance tuning
  buffered_outputs: true

+  # Rate limiting - reduce duplicate alerts
+  outputs_rate: 1        # Max 1 alert per second per rule
+  outputs_max_burst: 10  # Allow burst of 10 alerts
+
  # Rules configuration
  rules_files:
    - /etc/falco/falco_rules.yaml
@@ -130,6 +134,12 @@ falcosidekick:
    # Output to stdout/logs
    debug: false

+    # Loki integration - send events directly to Loki
+    loki:
+      hostport: "http://loki.loki.svc.cluster.local:3100"
+      minimumpriority: ""  # Send all priorities
+      format: "json"  # JSON format for easier parsing in Grafana
+
    # Slack integration (optional)
    # slack:
    #   webhookurl: ""