Merge pull request #31 from Issif/v2.5.0

## 2.5.0 - 2019-08-12 #### New - New output : **AWS Lambda** - New output : **AWS SQS** ([issue #5](https://github.com/Issif/falcosidekick/issues/5)) - New output : **Teams** ([issue #30](https://github.com/Issif/falcosidekick/issues/30)) - A github page has been created : https://issif.github.io/falcosidekick/ #### Enhancement - Slack tests are now consistant (order of fields in JSON output wasn't always the same, tests failed sometimes for that) - README : clean up of several typos
falcosecurity · Aug 12, 2019 · 9d32b56 · 9d32b56
2 parents ce74bb7 + dbf83a6
commit 9d32b56
Show file tree

Hide file tree

Showing 22 changed files with 640 additions and 70 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog
 
+## 2.5.0 - 2019-08-12
+#### New
+- New output : **AWS Lambda**
+- New output : **AWS SQS** ([issue #5](https://github.com/Issif/falcosidekick/issues/5))
+- New output : **Teams** ([issue #30](https://github.com/Issif/falcosidekick/issues/30))
+- A github page has been created : https://issif.github.io/falcosidekick/
+
+#### Enhancement
+- Slack tests are now consistant (order of fields in JSON output wasn't always the same, tests failed sometimes for that)
+- README : clean up of several typos
+
 ## 2.4.0 - 2019-06-26
 #### Enhancement
 - Elasticsearch : An index suffix can be set for rotation (see [README](https://github.com/Issif/falcosidekick/blob/master/README.md)) ([issue #27](https://github.com/Issif/falcosidekick/issues/27) thanks to [@ariguillegp](https://github.com/ariguillegp))

diff --git a/README.md b/README.md
@@ -17,6 +17,8 @@ Currently available outputs are :
 * **AlertManager**
 * **Elasticsearch**
 * **Influxdb**
+* **AWS Lambda**
+* **AWS SQS**
 
 ## Usage
 
@@ -59,45 +61,61 @@ Configuration is made by *file (yaml)* and *env vars*, both can be used but *env
 See **config_example.yaml** :
 
 ```yaml
-#listenport: 2801 #port to listen for daemon (default: 2801)
-debug: false #if true all outputs will print in stdout the payload they send (default: false)
-customfields: #custom fields are added to falco events
+#listenport: 2801 # port to listen for daemon (default: 2801)
+debug: false # if true all outputs will print in stdout the payload they send (default: false)
+customfields: # custom fields are added to falco events
   Akey: "AValue"
   Bkey: "BValue"
   Ckey: "CValue"
 
 slack:
-  webhookurl: "" #Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
-  #footer: "" #Slack footer
-  #icon: "" #Slack icon (avatar)
-  outputformat: "text" #all (default), text, fields
-  minimumpriority: "debug" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  webhookurl: "" # Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
+  #footer: "" # Slack footer
+  #icon: "" # Slack icon (avatar)
+  outputformat: "text" # all (default), text, fields
+  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+
+teams:
+  webhookurl: "" # Teams WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Teams output is enabled
+  #activityimage: "" # Image for message section
+  outputformat: "text" # all (default), text, facts
+  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
 
 datadog:
-  #apikey: ""  #Datadog API Key, if not empty, Datadog output is enabled
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  #apikey: ""  # Datadog API Key, if not empty, Datadog output is enabled
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
 
 alertmanager:
   # hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
 
 elasticsearch:
   # hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
   # index: "falco" # index (default: falco)
   # type: "event"
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-  # suffix: "daily" #date suffix for index rotation : daily (default), monthly, annually, none 
-
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none
 
 influxdb:
   # hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
   # database: "falco" # Influxdb database (default: falco)
   # user: "" # user to use if auth is enabled in Influxdb
   # password: "" # pasword to use if auth is enabled in Influxdb
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+
+aws:
+  # accesskeyid: "" # aws access key (optionnal if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optionnal if you use EC2 Instance Profile)
+  # region : "" # aws region (optionnal if you use EC2 Instance Profile)
+  lambda:
+    # functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  sqs:
+    # url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
 ```
 
-Usage : 
+Usage :
 
 ```bash
 usage: falcosidekick [<flags>]
@@ -116,11 +134,15 @@ The *env vars* "match" field names in *yaml file with this structure (**take car
 * **LISTENPORT** : port to listen for daemon (default: 2801)
 * **DEBUG** : if *true* all outputs will print in stdout the payload they send (default: false)
 * **CUSTOMFIELDS** : a list of comma separated custom fields to add to falco events, syntax is "key:value,key:value"
-* **SLACK_WEBHOOKURL** : Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not `empty`, Slack output is *enabled*
+* **SLACK_WEBHOOKURL** : Slack Webhook URL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not `empty`, Slack output is *enabled*
 * **SLACK_FOOTER** : Slack footer
 * **SLACK_ICON** : Slack icon (avatar)
 * **SLACK_OUTPUTFORMAT** : `all` (default), `text` (only text is displayed in Slack), `fields` (only fields are displayed in Slack)
 * **SLACK_MINIMUMPRIORITY** : minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
+* **TEAMS_WEBHOOKURL** : Teams Webhook URL (ex: https://outlook.office.com/webhook/XXXXXX/IncomingWebhook/YYYYYY"), if not `empty`, Teams output is *enabled*
+* **TEAMS_ACTIVITYIMAGE** : Teams section image
+* **TEAMS_OUTPUTFORMAT** : `all` (default), `text` (only text is displayed in Teams), `facts` (only facts are displayed in Teams)
+* **TEAMS_MINIMUMPRIORITY** : minimum priority of event for using use this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
 * **DATADOG_APIKEY** : Datadog API Key, if not `empty`, Datadog output is *enabled*
 * **DATADOG_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
 * **ALERTMANAGER_HOSTPORT** : AlertManager http://host:port, if not `empty`, AlertManager is *enabled*
@@ -135,6 +157,13 @@ The *env vars* "match" field names in *yaml file with this structure (**take car
 * **INFLUXDB_USER** : user to use if auth is enabled in Influxdb
 * **INFLUXDB_PASSWORD** : user to use if auth is enabled in Influxdb
 * **INFLUXDB_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
+* **AWS_ACCESSKEYID** : AWS Access Key Id (optionnal if you use EC2 Instance Profile)
+* **AWS_SECRETACCESSKEY** : AWS Secret Access Key (optionnal if you use EC2 Instance Profile)
+* **AWS_REGION** : AWS Region (optionnal if you use EC2 Instance Profile)
+* **AWS_LAMBDA_FUNCTIONNAME** : AWS Lambda Function Name, if not empty, AWS Lambda output is enabled
+* **AWS_LAMBDA_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
+* **AWS_SQS_URL** : AWS SQS Queue URL, if not empty, AWS SQS output is enabled
+* **AWS_SQS_MINIMUMPRIORITY** : minimum priority of event for using this output, order is `emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)`
 
 ## Handlers
 
@@ -143,7 +172,7 @@ Different URI (handlers) are available :
 * `/` : main and default handler, your falco config must be configured to use it
 * `/ping` : you will get a  `pong` as answer, useful to test if falcosidekick is running and its port is opened (for healthcheck purpose for example)
 * `/test` : (for debug only) send a test event to all enabled outputs.
-* `/debug/vars` : get statistics from daemon (in JSON format), it uses classic `expvar` package and some custom values are added 
+* `/debug/vars` : get statistics from daemon (in JSON format), it uses classic `expvar` package and some custom values are added
 
 ## Logs
 
@@ -172,11 +201,18 @@ You should get :
 
 ### Slack
 
-(SLACK_OUTPUT_FORMAT="all")
+(SLACK_OUTPUTFORMAT="**all**")
 ![slack example](https://github.com/Issif/falcosidekick/raw/master/imgs/slack.png)
-(SLACK_OUTPUT_FORMAT="fields")
+(SLACK_OUTPUTFORMAT="**text**")
 ![slack no fields example](https://github.com/Issif/falcosidekick/raw/master/imgs/slack_no_fields.png)
 
+### Teams
+
+(TEAMS_OUTPUTFORMAT="**all**")
+![teams example](https://github.com/Issif/falcosidekick/raw/master/imgs/teams.png)
+(TEAMS_OUTPUTFORMAT="**text**")
+![teams facts only](https://github.com/Issif/falcosidekick/raw/master/imgs/teams_facts_only.png)
+
 ### Datadog
 
 *(Tip: filter on `sources: falco`)*
@@ -192,7 +228,7 @@ You should get :
 
 ### Influxdb
 
-```
+```bash
 > use falco
 Using database falco
 > show series
@@ -208,6 +244,10 @@ time                akey    bkey    ckey    priority rule      value
 1560441359119741800 A_Value B_Value C_Value Debug    Test_rule This is a test from falcosidekick
 ```
 
+### AWS SQS
+
+![aws sqs example](https://github.com/Issif/falcosidekick/raw/master/imgs/aws_sqs.png)
+
 ## Development
 
 ### Build
@@ -224,4 +264,4 @@ go test ./outputs -count=1 -cover -v
 
 ## Author
 
-Thomas Labarussias (https://github.com/Issif)
+Thomas Labarussias (https://github.com/Issif)
diff --git a/config.go b/config.go
@@ -28,6 +28,10 @@ func getConfig() *types.Configuration {
 	v.SetDefault("Slack.Icon", "https://raw.githubusercontent.com/Issif/falcosidekick/master/imgs/falcosidekick.png")
 	v.SetDefault("Slack.OutputFormat", "all")
 	v.SetDefault("Slack.MinimumPriority", "")
+	v.SetDefault("Teams.WebhookURL", "")
+	v.SetDefault("Teams.ActivityImage", "https://raw.githubusercontent.com/Issif/falcosidekick/master/imgs/falcosidekick.png")
+	v.SetDefault("Teams.OutputFormat", "all")
+	v.SetDefault("Teams.MinimumPriority", "")
 	v.SetDefault("Datadog.APIKey", "")
 	v.SetDefault("Datadog.MinimumPriority", "")
 	v.SetDefault("Alertmanager.HostPort", "")
@@ -42,6 +46,15 @@ func getConfig() *types.Configuration {
 	v.SetDefault("Influxdb.User", "")
 	v.SetDefault("Influxdb.Password", "")
 	v.SetDefault("Influxdb.MinimumPriority", "")
+	v.SetDefault("AWS.AccessKeyID", "")
+	v.SetDefault("AWS.SecretAccessKey", "")
+	v.SetDefault("AWS.Region", "")
+	v.SetDefault("AWS.Lambda.FunctionName", "")
+	v.SetDefault("AWS.Lambda.InvocationType", "RequestResponse")
+	v.SetDefault("AWS.Lambda.Logtype", "Tail")
+	v.SetDefault("AWS.Lambda.MinimumPriority", "")
+	v.SetDefault("AWS.SQS.URL", "")
+	v.SetDefault("AWS.SQS.MinimumPriority", "")
 	v.SetDefault("Customfields", map[string]string{})
 
 	v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
@@ -55,7 +68,7 @@ func getConfig() *types.Configuration {
 		v.AddConfigPath(d)
 		err := v.ReadInConfig()
 		if err != nil {
-			log.Printf("Error when reading config file: %v\n", err)
+			log.Printf("[ERROR] : Error when reading config file : %v\n", err)
 		}
 	}
 	v.GetStringMapString("customfields")

diff --git a/config_example.yaml b/config_example.yaml
@@ -1,35 +1,52 @@
-#listenport: 2801 #port to listen for daemon (default: 2801)
-debug: false #if true all outputs will print in stdout the payload they send (default: false)
-customfields: #custom fields are added to falco events
+#listenport: 2801 # port to listen for daemon (default: 2801)
+debug: false # if true all outputs will print in stdout the payload they send (default: false)
+customfields: # custom fields are added to falco events
   Akey: "AValue"
   Bkey: "BValue"
   Ckey: "CValue"
 
 slack:
-  webhookurl: "" #Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
-  #footer: "" #Slack footer
-  #icon: "" #Slack icon (avatar)
-  outputformat: "text" #all (default), text, fields
-  minimumpriority: "debug" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  webhookurl: "" # Slack WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Slack output is enabled
+  #footer: "" # Slack footer
+  #icon: "" # Slack icon (avatar)
+  outputformat: "text" # all (default), text, fields
+  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+
+teams:
+  webhookurl: "" # Teams WebhookURL (ex: https://hooks.slack.com/services/XXXX/YYYY/ZZZZ), if not empty, Teams output is enabled
+  #activityimage: "" # Image for message section
+  outputformat: "text" # all (default), text, facts
+  minimumpriority: "debug" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
 
 datadog:
-  #apikey: ""  #Datadog API Key, if not empty, Datadog output is enabled
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  #apikey: ""  # Datadog API Key, if not empty, Datadog output is enabled
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
 
 alertmanager:
   # hostport: "" # http://{domain or ip}:{port}, if not empty, Alertmanager output is enabled
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
 
 elasticsearch:
   # hostport: "" # http://{domain or ip}:{port}, if not empty, Elasticsearch output is enabled
   # index: "falco" # index (default: falco)
   # type: "event"
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
-  # suffix: "daily" #date suffix for index rotation : daily (default), monthly, annually, none 
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # suffix: "daily" # date suffix for index rotation : daily (default), monthly, annually, none 
 
 influxdb:
   # hostport: "" # http://{domain or ip}:{port}, if not empty, Influxdb output is enabled
   # database: "falco" # Influxdb database (default: falco)
   # user: "" # user to use if auth is enabled in Influxdb
   # password: "" # pasword to use if auth is enabled in Influxdb
-  # minimumpriority: "" #minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+
+aws:
+  # accesskeyid: "" # aws access key (optionnal if you use EC2 Instance Profile)
+  # secretaccesskey: "" # aws secret access key (optionnal if you use EC2 Instance Profile)
+  # region : "" # aws region (optionnal if you use EC2 Instance Profile)
+  lambda:
+    # functionname : "" # Lambda function name, if not empty, AWS Lambda output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
+  sqs:
+    # url : "" # SQS Queue URL, if not empty, AWS SQS output is enabled
+    # minimumpriority: "" # minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informationnal|debug or "" (default)
diff --git a/deploy/helm/falcosidekick/Chart.yaml b/deploy/helm/falcosidekick/Chart.yaml
@@ -1,8 +1,9 @@
 apiVersion: v1
-appVersion: "2.4.0"
+appVersion: "2.5.0"
 description: A simple daemon to help you with falco's outputs
 icon: https://raw.githubusercontent.com/Issif/falcosidekick/master/imgs/falcosidekick.png
 name: falcosidekick
-version: 0.1.0
+version: 0.1.1
 maintainers:
   - name: SweetOps
+  - name: Issif