Bret and his co-host, Matt, are joined by Jason Dellaluce and Luca Guerra from Sysdig to talk about Falco, a tool I recommend for production clusters and knowing about any bad behavior on your servers.

Falco is a security tool I've mentioned multiple times on this show, because I mostly think that a low level security focused logging product is something that every production server needs. The ability to log unexpected events and behaviors on your Linux host is powerful and necessary to be able to audit what's really happening on your infrastructure outside of your app itself.

Falco has been a CNCF incubating project for over four years, and I was immediately drawn to it in its early days, because it was container and Kubernetes aware and it could log and alert with default rules for everything, from someone starting a shell inside a container, to a bash history file being deleted, to a container trying to talk to the Kubernetes API.

This episode will be useful for those of you new to tools like Falco and for those familiar with its basics, but also wanting to learn about newer features and use cases, which I did some learning on myself in this episode.

Live recording of the complete show from April 6, 2023 is on YouTube (Ep. #210).

★Topics★Falco websiteFalco on CNCF

You can also support my free material by subscribing to my YouTube channel and my weekly newsletter at bret.news!

Grab the best coupons for my Docker and Kubernetes courses.Join my cloud native DevOps community on Discord.Grab some merch at Bret's Loot BoxHomepage bretfisher.com

• Bret Fisher - Host
• Cristi Cotovan - Editor
• Beth Fisher - Producer
• Matt Williams - Host
• Jason Dellaluce - Guest
• Luca Guerra - Guest

• (00:00) - Intro
• (02:24) - Introducing the guests
• (05:25) - What is Falco? Why do we need it?
• (08:00) - What can Falco monitor?
• (17:11) - How are events logged?
• (30:59) - Does Falco classify alerts by severity?