From c66801a1662d8a4c0aaed2c85be393d6c2b89920 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Sun, 4 Jan 2026 13:06:23 +0900
Subject: [PATCH] FEAT(falco): add loki output to falcosidekick

- Send Falco events directly to Loki
- Enables viewing detailed events in Grafana with all fields
- Same data as Falco UI but queryable in Grafana
---
 falco/helm-values.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/falco/helm-values.yaml b/falco/helm-values.yaml
index bbcac07..38908ad 100644
--- a/falco/helm-values.yaml
+++ b/falco/helm-values.yaml
@@ -35,6 +35,10 @@ falco:
 # Performance tuning
 buffered_outputs: true
+ # Rate limiting - reduce duplicate alerts
+ outputs_rate: 1 # Max 1 alert per second per rule
+ outputs_max_burst: 10 # Allow burst of 10 alerts
+
 # Rules configuration
 rules_files:
 - /etc/falco/falco_rules.yaml
@@ -130,6 +134,12 @@ falcosidekick:
 # Output to stdout/logs
 debug: false
+ # Loki integration - send events directly to Loki
+ loki:
+ hostport: "http://loki.loki.svc.cluster.local:3100"
+ minimumpriority: "" # Send all priorities
+ format: "json" # JSON format for easier parsing in Grafana
+
 # Slack integration (optional)
 # slack:
 # webhookurl: ""
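Review bot: The throttle added under `falco:` (`outputs_rate: 1`, `outputs_max_burst: 10`, hunk `@@ -35,6 +35,10 @@`) discards alerts rather than deduplicating them, so once the burst budget is spent during a noisy period, unrelated detections can be lost before they reach any output, including the Loki one added further down. The inline comment says "per rule", but as far as I know the limiter in falco.yaml is written as nested `outputs.rate` / `outputs.max_burst` and is shared across rules, so please confirm against the deployed Falco version that these flat key names are read at all and what scope they apply to. I would reword the comment to `# Throttle: alerts beyond the budget are dropped, not queued (scope: confirm for this Falco version)`. The commit message describes only the Loki output, so this detection-affecting change should be mentioned there as well.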
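Review bot: `minimumpriority: ""` together with the unauthenticated `http://` `hostport` (hunk `@@ -130,6 +134,12 @@`) ships every Falco event, with all output fields, to Loki over cleartext in-cluster HTTP. Those fields routinely include process command lines and file paths, so anyone who can query this Loki instance or its Grafana datasource gains read access to data that was previously confined to the Falco UI. Add a comment recording that expectation, e.g. `# Events contain command lines and paths; limit Loki/Grafana access to the security team`, and if Loki runs multi-tenant set falcosidekick's `tenant` option so the events land in a dedicated tenant. The nesting of `loki:` relative to `debug:` is not visible here because the indentation was lost, so check that it sits at the same level as the other outputs.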