Event Enrichment with Agent Labels

    Labels are fields that the Sysdig Agent collects by default, in addition to the fields specified in a rule's output. The agent extracts them automatically, and they appear both in the Events feed and in your Events Forwarder destination.

    The feature is enabled by default; you can turn it on or off with the enabled setting:

      enabled: true/false

    Adding Custom Labels

    The agent ships with a set of default labels. You can both add labels to that set and exclude labels from it.

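    The configuration below is an added example, not from the Sysdig documentation. It shows the weak setting (enrichment off, so forwarded events lose their context) beside the corrected one that keeps enrichment on while adjusting the label set. The section name `event_labels` and the `include`/`exclude` list keys are assumed to live in the agent's dragent.yaml; check them against the docs for your agent version. `agent.tag.team` is a placeholder for an agent tag you have configured; `host.mac` is a default label taken from the event on this page.

```yaml
# Added example, not from the Sysdig documentation. The `event_labels`
# section and the `include`/`exclude` list keys are assumptions about the
# agent's dragent.yaml; verify them for your agent version.

# Weak setting: enrichment switched off. Forwarded events then carry only
# the rule-output fields, so a SIEM cannot tie a detection back to the AWS
# account, instance, or image digest it came from.
event_labels:
  enabled: false

---
# Corrected setting: keep enrichment on, add a label the default set does
# not include, and drop one you do not want shipped to the destination.
event_labels:
  enabled: true
  include:
    - agent.tag.team   # placeholder: an agent tag you configured yourself
  exclude:
    - host.mac         # default label shown in the event on this page
```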

    Example of an enriched event as sent to a Splunk destination:

       agentId: 1658033
       category: runtime
       containerId: d9f5e4a9aedd
       content: {
         falsePositive: false
         fields: {
           container.image.repository: sysdiglabs/example-voting-app-voter
           evt.category: process
           falco.rule: Launch Root User Container
           fd.rport: <NA>
           proc.cmdline: container:d9f5e4a9aedd
           proc.pname: <NA>
           proc.ppid: -1
         matchedOnDefault: false
         output: Outbound connection to IP/Port flagged by container:d9f5e4a9aedd (command=container:d9f5e4a9aedd port=<NA> ip=<NA> container=k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603 (id=d9f5e4a9aedd) image=sysdiglabs/example-voting-app-voter) extra fields = (<NA> -1 process -1 container:d9f5e4a9aeddproc.aname container:d9f5e4a9aedd -1proc.apid )
         policyId: 10009837
         policyOrigin: Sysdig
         policyVersion: 37
         ruleName: Launch Root User Container
         ruleTags: [
         ruleType: RULE_TYPE_FALCO
       description: This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.
       id: 1726f87daaaee3960301e17f9b06c3cf
       labels: {
         agent.tag.role: demo-kube-eks
         aws.accountId: 845151661675
         aws.instanceId: i-0b767c5bc9b2f89aa
         aws.region: us-east-1
         container.image.digest: sha256:4cde188c9b43d02197662b5d5323ea0ba8f40efdacf672fe9bd1eb010ad207de 27f385e91e79
         container.image.repo: sysdiglabs/example-voting-app-voter
         container.image.tag: 0.1 voter voter-77d98548bc-hmkpc example-voting-app k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
         host.hostName: ip-192-168-22-221.ec2.internal
         host.mac: 0a:a2:c4:d3:fd:ef demo-kube-eks voter example-voting-app ip-192-168-22-221.ec2.internal voter-77d98548bc-hmkpc voter-77d98548bc
       machineId: 0a:a2:c4:d3:fd:ef
       name: Sysdig Runtime Notable Events
       originator: policy
       severity: 4
       source: syscall
       timestamp: 1668293930605536300
       timestampRFC3339Nano: 2022-11-12T22:58:50.60553615Z
       type: policy
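    The script below is an added example of consuming such an event on the destination side; it is not code from the Sysdig documentation or the agent. It parses the forwarded JSON, keeps the rule-output fields (content.fields) apart from the agent labels, and builds a flat triage record that says whether the event arrived enriched at all and whether the image digest label is complete enough to pin the exact image that ran. The two sample events are constructed from the event above (one with labels, one as a destination would receive it with enrichment disabled); the set of labels the record carries is this example's own choice, not a Sysdig default.

```python
"""Consumer-side handling of Sysdig agent-label enrichment (added example)."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# A digest label only pins an image when it is a full sha256 reference.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Agent labels this example's triage record always carries. The selection is
# this example's own choice, not a Sysdig default.
TRIAGE_LABELS = (
    "aws.accountId",
    "aws.instanceId",
    "aws.region",
    "host.hostName",
    "container.image.repo",
    "container.image.tag",
    "container.image.digest",
)

# Constructed sample: the enriched event from the page, reduced to the fields
# this example reads, as a destination receives it with enrichment enabled.
ENRICHED_EVENT = json.dumps({
    "agentId": 1658033,
    "category": "runtime",
    "containerId": "d9f5e4a9aedd",
    "content": {
        "falsePositive": False,
        "fields": {
            "container.image.repository": "sysdiglabs/example-voting-app-voter",
            "evt.category": "process",
            "falco.rule": "Launch Root User Container",
            "proc.cmdline": "container:d9f5e4a9aedd",
        },
        "policyId": 10009837,
        "policyOrigin": "Sysdig",
        "ruleName": "Launch Root User Container",
        "ruleType": "RULE_TYPE_FALCO",
    },
    "labels": {
        "agent.tag.role": "demo-kube-eks",
        "aws.accountId": "845151661675",
        "aws.instanceId": "i-0b767c5bc9b2f89aa",
        "aws.region": "us-east-1",
        "container.image.digest":
            "sha256:4cde188c9b43d02197662b5d5323ea0ba8f40efdacf672fe9bd1eb010ad207de",
        "container.image.repo": "sysdiglabs/example-voting-app-voter",
        "container.image.tag": "0.1",
        "host.hostName": "ip-192-168-22-221.ec2.internal",
    },
    "name": "Sysdig Runtime Notable Events",
    "severity": 4,
    "source": "syscall",
    "timestamp": 1668293930605536300,
    "type": "policy",
})

# Constructed sample: the same event with enrichment disabled (no labels block).
BARE_EVENT = json.dumps(
    {k: v for k, v in json.loads(ENRICHED_EVENT).items() if k != "labels"}
)


def parse_event(raw: str) -> dict:
    """Decode one forwarded event; reject anything that is not a JSON object."""
    event = json.loads(raw)
    if not isinstance(event, dict):
        raise ValueError("forwarded event must be a JSON object")
    return event


def triage_record(event: dict) -> dict:
    """Flatten an event into what an analyst or SIEM correlation rule needs.

    Rule-output fields describe what the rule saw; agent labels describe where
    it happened. Keeping them apart makes it obvious when a destination is
    receiving events with enrichment switched off.
    """
    content = event.get("content", {})
    labels = event.get("labels") or {}
    digest = labels.get("container.image.digest", "")
    seconds = event["timestamp"] // 1_000_000_000  # timestamp is in nanoseconds
    return {
        "rule": content.get("ruleName"),
        "policy": event.get("name"),
        "severity": event.get("severity"),
        "observed_at": datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(),
        "rule_fields": dict(content.get("fields", {})),
        "labels": {k: labels[k] for k in TRIAGE_LABELS if k in labels},
        "missing_labels": [k for k in TRIAGE_LABELS if k not in labels],
        "enriched": bool(labels),
        # True only when the digest label can pin the exact image that ran.
        "image_pinned": bool(DIGEST_RE.match(digest)),
    }


def image_reference(record: dict) -> Optional[str]:
    """Name the image by immutable digest when available, else by mutable tag."""
    labels = record["labels"]
    repo = labels.get("container.image.repo")
    if not repo:
        return None
    if record["image_pinned"]:
        return f"{repo}@{labels['container.image.digest']}"
    tag = labels.get("container.image.tag")
    return f"{repo}:{tag}" if tag else repo


if __name__ == "__main__":
    for raw in (ENRICHED_EVENT, BARE_EVENT):
        rec = triage_record(parse_event(raw))
        print(rec["rule"], rec["enriched"], rec["missing_labels"], image_reference(rec))
```

    When enrichment is on, the record resolves the image to `repo@sha256:...` and reports no missing labels; when the labels block is absent, `enriched` is false, every triage label is reported missing, and only the mutable rule-output fields remain, which is the signal to check the agent's `enabled` setting before trusting the feed for correlation.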