Sysdig Simplifies Log Management for Falco Users With AWS FireLens Integration

Sysdig Simplifies Log Management for Falco Users With AWS FireLens Integration

November 1, 2019 Off By David

Sysdig, Inc., the secure DevOps leader, today announced the availability of a Falco integration with Fluent Bit. This integration enables Amazon Web Services (AWS) users to stream Falco security data into AWS FireLens for a simplified log management experience. Falco is the open source Kubernetes runtime security project started by Sysdig and donated to the CNCF. AWS asked Sysdig to write the Falco integration and to join the FireLens preview program. AWS announced the general availability of FireLens today, which collects logs across all AWS container services – Amazon Elastic Container Service (ECS), Amazon Elastic Kubernetes Service (EKS), and self-managed Kubernetes on Amazon Elastic Compute Cloud (EC2) – and consolidates them into a single log stream for unified management. Together with Falco, FireLens facilitates the centralization of all security events, which enables cluster operations, incident response, DevOps, and security teams to spend less time wading through data, enabling them to draw conclusions about security risks faster.

Falco, the open source project, is the defacto Kubernetes runtime security tool. Falco detects abnormal application behavior and alerts on intrusions for containers and cloud-native applications. In the event of abnormal behavior, Falco will generate security events defined by a customizable set of rules. Falco was created by Sysdig in 2016, and the project joined the CNCF as a Sandbox project in October 2018. Over the last year, Falco adoption has increased by more than 240 percent.

The FireLens integration with Falco is made possible using Fluent Bit, an open source log processor, which is also a CNCF project. With Fluent Bit, FireLens is able to automatically collect Falco event logs from any cluster and route them to Amazon CloudWatch, the monitoring and observability service for AWS environments. CloudWatch takes the collected data and consolidates everything to provide one centralized log stream to track the security of all clusters from.

Key benefits

  • Simplified log management: The Falco integration with FireLens enables DevOps teams to easily set up security event consolidation across all container services. By using two open source tools – Falco and Fluent Bit – the barrier to entry for adopting log management is lowered.
  • Accelerated incident response: By consolidating all logs into one feed, security teams are able to set alert policies based on importance to reduce alert fatigue. By alerting to only the most important abnormalities, DevOps teams are able to evaluate risk posture faster and expedite incident response.
  • Compliance records: CloudWatch consolidates all container security events, including Falco alerts, in one place for log retention over time for compliance and audit purposes.

“We are in the final frontier when it comes to Kubernetes innovation. Security is the last area that still requires work from the community. Falco is leading the charge in standardizing Kubernetes security,” said Kris Nova, Chief Open Source Advocate at Sysdig. “AWS asked Sysdig to join the FireLens preview program because AWS values Falco’s ability to secure cloud-native environments. By integrating with FireLens, we hope to make it easier for all organizations to develop in the cloud, secure in the cloud, audit in the cloud, no matter their approach.”