Falco + Prometheus + Grafana Setup on Minikube

This guide walks through setting up Falco for runtime security monitoring in a Minikube cluster, exporting Falco alerts to Prometheus, and visualizing them in Grafana. It includes steps to verify functionality using Falco's event generator.


Prerequisites

  • Minikube cluster up and running
  • Helm installed
  • kubectl configured to use Minikube context

1. Install Falco with gRPC and gRPC Output Enabled

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
 
helm upgrade --install falco falcosecurity/falco \
  --set falco.grpc.enabled=true \
  --set falco.grpc_output.enabled=true \
  --set falco.grpc.unixSocketPath=/run/falco/falco.sock

2. Install Falco Exporter (use either method)

Option A, with Helm:

helm install falco-exporter falcosecurity/falco-exporter

Option B, with the raw manifest:

kubectl apply -f https://raw.githubusercontent.com/falcosecurity/falco-exporter/main/deploy/kubernetes/falco-exporter.yaml

Make sure the exporter can access the Falco socket. If it cannot, deploy the exporter as a sidecar or mount /run/falco using a hostPath volume.


3. Verify Falco Exporter Metrics

kubectl port-forward svc/falco-exporter 9376:9376
curl http://localhost:9376/metrics

You should see Prometheus-formatted metrics like falco_alerts_total{...}.


4. Install Prometheus

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
 
helm upgrade --install prometheus prometheus-community/prometheus

5. Configure Prometheus to Scrape Falco Exporter (optional)

Patch the Prometheus config:

kubectl edit configmap prometheus-server

Add under scrape_configs:

  - job_name: 'falco'
    static_configs:
      - targets: ['falco-exporter:9376']

Then restart Prometheus:

kubectl delete pod -l app=prometheus,component=server

6. Install Grafana

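helm repo add grafana https://grafana.github.io/helm-charts
helm install grafana grafana/grafana
# Print the admin password stored in the grafana secret
kubectl get secret --namespace default grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo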

Expose Grafana:

kubectl port-forward svc/grafana 3000:80

Login: admin / admin


7. Connect Grafana to Prometheus

  1. Go to Settings → Data Sources → Add data source
  2. Choose Prometheus
  3. Set URL: http://prometheus-server.default.svc.cluster.local
  4. Click Save & Test

8. Import Falco Dashboard

  1. Go to Dashboards → Import
  2. Use Dashboard ID: 11914 & 15310 (per-pod-filter)
  3. Select Prometheus as data source
  4. Click Import

9. Test with Falco Event Generator

Run a test event generator:

docker run -it --rm falcosecurity/event-generator run syscall --loop

Within moments, Falco will detect the syscalls and trigger alerts. The resulting alert metrics will appear in Prometheus and Grafana.
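
To confirm that the generated events actually reach the exporter, the following added example (not part of the original guide or of the Falco project) sums alert counters per priority from the /metrics output of step 3. The metric name is passed as an argument and uses the name shown in step 3; the priority and rule labels and the sample lines are assumptions constructed for illustration, so check them against your exporter's real output.

```shell
#!/bin/sh
# Added example: summarise Falco alert counters from Prometheus exposition text.

# Constructed sample of exporter output (not captured from a real cluster).
sample_metrics() {
cat <<'EOF'
# HELP falco_alerts_total Constructed sample counter
# TYPE falco_alerts_total counter
falco_alerts_total{priority="Warning",rule="Read sensitive file untrusted"} 3
falco_alerts_total{priority="Notice",rule="Write below etc"} 2
falco_alerts_total{priority="Warning",rule="Run shell untrusted"} 4
go_goroutines 12
EOF
}

# count_by_priority METRIC
# Reads exposition text on stdin and prints "<priority> <count>" per priority.
# Series without a priority label (assumed label name) are grouped as "unknown".
count_by_priority() {
  awk -v m="$1" '
    index($0, m "{") == 1 {
      p = "unknown"
      if (match($0, /priority="[^"]*"/))
        p = substr($0, RSTART + 10, RLENGTH - 11)
      v = $0
      sub(/^.*[}] */, "", v)   # drop name and labels; rule names may contain spaces
      split(v, a, " ")         # a[1] is the value, a[2] an optional timestamp
      sum[p] += a[1]
    }
    END { for (p in sum) printf "%s %d\n", p, sum[p] }
  ' | sort
}

# total_alerts METRIC
# Prints the sum over all series of METRIC (0 if the metric is absent).
total_alerts() {
  count_by_priority "$1" | awk '{ t += $2 } END { print t + 0 }'
}

# Demo on the constructed sample. Against a live exporter, use:
#   curl -s http://localhost:9376/metrics | count_by_priority falco_alerts_total
sample_metrics | count_by_priority falco_alerts_total
```

Run it once before and once after starting the event generator: a total that stays at 0 means the exporter is not receiving events from the Falco socket.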

[IMP] If more detailed logs are needed, add Loki to collect the logs of the Falco pod, or use Falcosidekick (https://github.com/falcosecurity/falcosidekick) for more robust metrics and a more detailed dashboard view.


✅ Completed Setup

You now have a full Falco security monitoring stack running on Minikube, integrated with Prometheus and Grafana for real-time alerting and visualization.

