diff --git a/falco.yaml b/falco.yaml
index e052a441109..e9e0da6e937 100644
--- a/falco.yaml
+++ b/falco.yaml
@@ -1259,8 +1259,15 @@ base_syscalls:
 # `metrics.state_counters_enabled` to measure how the internal state handling is performing,
 # and the fields called `n_drops_full_threadtable` or `n_store_evts_drops` will inform you
 # if you should increase this value for optimal performance.
+#
+# `snaplen`
+#
+# Set how many bytes are collected of each I/O buffer for 'syscall' events.
+# Use this option with caution since it can have a strong performance impact.
+#
 falco_libs:
 thread_table_size: 262144
+ snaplen: 80
 # [Incubating] `container_engines`
 #
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
index cf3e3849d6c..e5de933b579 100644
--- a/userspace/falco/app/actions/init_inspectors.cpp
+++ b/userspace/falco/app/actions/init_inspectors.cpp
@@ -87,8 +87,12 @@ static void init_syscall_inspector(falco::app::state& s, std::shared_ptr
 }
 //
- // If required, set the snaplen
+ // If required, set the snaplen.
+ // In case both config and CLI options are specified, CLI takes precedence.
 //
+ if(s.config->m_falco_libs_snaplen != 0) {
+ inspector->set_snaplen(s.config->m_falco_libs_snaplen);
+ }
 if(s.options.snaplen != 0) {
 inspector->set_snaplen(s.options.snaplen);
 }
diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
index ba6419e72b3..31c42e288d1 100644
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -403,6 +403,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
 "properties": {
 "thread_table_size": {
 "type": "integer"
+ },
+ "syscall_snaplen": {
+ "type": "integer"
 }
 },
 "minProperties": 1,
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 8673f37924a..fe8e217ba59 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
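Review bot: The new `snaplen` comment block in falco.yaml does not say what happens when the key is omitted or set to 0, nor that a snaplen given on the command line overrides it, although both behaviours are implemented in configuration.cpp and init_inspectors.cpp in this same commit. I would add a comment line such as `# If unset or 0, the libs default is used; a snaplen passed on the command line takes precedence.` It may also be worth one line saying that anything matching on I/O buffer contents presumably sees only the first `snaplen` bytes, while a larger value copies more payload data into events, so the setting trades visibility against data exposure as well as performance.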
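Review bot: In the init_inspectors.cpp hunk the CLI-over-config precedence rests only on the order of two independent `if` blocks, so `set_snaplen` is called twice when both sources are set and a later reordering of the blocks would silently flip the precedence. Selecting the value once makes the rule explicit: `const auto snaplen = s.options.snaplen != 0 ? s.options.snaplen : s.config->m_falco_libs_snaplen;` followed by `if(snaplen != 0) { inspector->set_snaplen(snaplen); }`. The body of init_syscall_inspector starts and ends outside this hunk, so any other use of the snaplen is not visible here.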
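Review bot: The schema entry added under the `falco_libs` properties in config_json_schema.h is named `syscall_snaplen`, but falco.yaml and `load_yaml` in this commit use `falco_libs.snaplen`, so the schema does not describe the key that is actually read. Depending on how additional properties are handled in the part of the schema outside this hunk, the shipped `snaplen: 80` is either flagged by validation or passes without its type being checked. The entry should read `"snaplen": {`, and `"minimum": 0` could be added alongside `"type": "integer"` since the member is unsigned.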
@@ -84,6 +84,7 @@ falco_configuration::falco_configuration(): m_syscall_evt_simulate_drops(false), m_syscall_evt_timeout_max_consecutives(1000), m_falco_libs_thread_table_size(DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE), + m_falco_libs_snaplen(0), m_base_syscalls_repair(false), m_metrics_enabled(false), m_metrics_interval_str("5000"), @@ -569,6 +570,9 @@ void falco_configuration::load_yaml(const std::string &config_name) { m_config.get_scalar("falco_libs.thread_table_size", DEFAULT_FALCO_LIBS_THREAD_TABLE_SIZE); + // if falco_libs.snaplen is not set we'll let libs configure it + m_falco_libs_snaplen = m_config.get_scalar("falco_libs.snaplen", 0); + m_base_syscalls_custom_set.clear(); m_config.get_sequence>(m_base_syscalls_custom_set, std::string("base_syscalls.custom_set")); diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index d0b9e4a6018..02e6bf24db6 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -175,6 +175,7 @@ class falco_configuration { uint32_t m_syscall_evt_timeout_max_consecutives; uint32_t m_falco_libs_thread_table_size; + uint64_t m_falco_libs_snaplen; // User supplied base_syscalls, overrides any Falco state engine enforcement. std::unordered_set m_base_syscalls_custom_set;
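Review bot: In the load_yaml hunk of configuration.cpp the value of `falco_libs.snaplen` is stored without any range check, and configuration.h declares the member as `uint64_t` while the neighbouring members are `uint32_t`. If `set_snaplen` takes a narrower type (its signature is not visible on this page), an oversized value would be truncated silently instead of being rejected. I would validate at load time, for example `if(m_falco_libs_snaplen > UINT32_MAX) { /* reject falco_libs.snaplen as out of range */ }`, using whichever bound the inspector really accepts and the same error path as the other options. load_yaml begins and ends outside the hunk.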