-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Events disappear after a few hours #146
Comments
Hi, |
It's fairly non-deterministic but somewhere between 4<->12h. I was hoping that DEBUG level logs would give more info as to what is actually being searched for so I could inspect what is happening in both containers. Let me know if I can help in anyway |
I'll do some tests on my side too, redis is the root cause for sure, just don't know how. |
On my end: I've added a volume mount to the redis container, for persistance (if that was the cause?). I'll update the ticket with those findings if they will be relevant. |
you can write root cause this problem, i have same issue. |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
Talked to sysdig on aws re:invent to get this on the radar as well. Hopefully it will move things along |
I've a lot of issues with the redis, I'm thinking to rewrite totally the UI in 2025, with a different backend. I still don't know the root cause of this specific issue because it's hard to reproduce. |
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten |
Describe the bug
This is a simple setup: falco(systemd) -> falcosidekick(docker) -> falcosidekick-ui(docker) + redis(docker). We run falco on all machines while the sidekick/ui/redis stack lives inside a docker swarm stack on the same host.
Now this setup works, we can see events in the UI, however after a certain time interval the events disappear.
These are the logs from facosidekick-ui container (debug level logs):
These are the redis logs (from the time the errors started:
Now I think something happens in the redis container to invalidate the index. If I restart falcosidekick-ui container then the events appear again.
I have tried manipulating the
since
parameter, with the same result.How to reproduce it
Run the following docker-compose stack, emit some test events and wait. Please note that this is not a production ready stack, deploy section omitted:
Expected behaviour
Falco events persist longer than X hours, or with TTL definition.
Screenshots
After X hours:
After UI container restart:
Environment
falcosidekick:
/app $ ./falcosidekick --version
GitVersion: bce6b79
GitCommit: bce6b79ca5e0bc130649a4dae5d31ce7e33e6cae
GitTreeState: clean
BuildDate: '2024-06-04T08:44:13Z'
GoVersion: go1.22.0
Compiler: gc
Platform: linux/amd64
falcosidekick-ui:
/app $ ./falcosidekick-ui -v
GitVersion: 01947af
GitCommit: 01947af
GitTreeState: clean
BuildDate: '2024-04-30T14:11:51Z'
GoVersion: go1.20.14
Compiler: gc
Platform: linux/amd64
Cloud provider or hardware configuration:
Hetzner bare-metal
OS:
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
Kernel:
Linux worker-0 6.1.0-21-amd64 UI updates #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux
Installation method:
Docker swarm
Additional context
n/a
The text was updated successfully, but these errors were encountered: