New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log major Falco stages #1457

Open

erthalion opened this issue Dec 5, 2023 · 0 comments

Labels

optional

Contributor

erthalion commented Dec 5, 2023 •

edited

Loading

To help with troubleshooting make Falco more verbose if requested. This means:

Adding more logging with TRACE level when Falco combines information from
various sources into one entity. Normally we could get quite a good picture
about which events do we receive, but how those events are assembled is a
black box. The obvious parts are:
1. scap_linux_proc_get, where Falco reads information from procfs
2. ContainerEnginer::resolve, where we match a process with a container id
3. sinsp_threadinfo::add_child, where Falco establish dependencies between
  processes
4. sinsp_threadinfo::set_user, where Falco matches a process with uid/gid
5. set_ipv4/6_mapped_ipv6_addresses_and_ports, where Falco matches socket
  information with a file descriptor
This is of course subject to the overhead evaluation.
Adding more logging with DEBUG level to initialization actions
1. BPF program loading & attaching
2. Preparing tail calling prog array
3. Preparing & loading ringbuf, aux, settings and filter maps
Usually it's easy to figure out the actual place of an issue, but we lack
context and arguments, so add to the logging more details about maps & progs
(e.g. a frequent error after messing around with maps is loading one with
incorrect parameters, key size or such).

Part of #1320

erthalion added the optional label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment