
Falco + Prometheus + Grafana Setup on Minikube

This guide walks through setting up Falco for runtime security monitoring in a Minikube cluster, exporting Falco alerts to Prometheus, and visualizing them in Grafana. It includes steps to verify functionality using Falco’s event generator.

Prerequisites

  • Minikube cluster up and running
  • Helm installed
  • kubectl configured to use Minikube context

1. Install Falco with gRPC and gRPC Output Enabled

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

helm upgrade --install falco falcosecurity/falco \
  --set falco.grpc.enabled=true \
  --set falco.grpc_output.enabled=true \
  --set falco.grpc.unixSocketPath=/run/falco/falco.sock

2. Install Falco Exporter (choose either method)

Using the Helm chart:

helm install falco-exporter falcosecurity/falco-exporter

Or using the Kubernetes manifest:

kubectl apply -f https://raw.githubusercontent.com/falcosecurity/falco-exporter/main/deploy/kubernetes/falco-exporter.yaml

Make sure the exporter can access the Falco socket. If it cannot, deploy the exporter as a sidecar or mount /run/falco using a hostPath volume.

3. Verify Falco Exporter Metrics

kubectl port-forward svc/falco-exporter 9376:9376
curl http://localhost:9376/metrics

You should see Prometheus-formatted metrics like falco_alerts_total{...}.

4. Install Prometheus

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update

helm upgrade --install prometheus prometheus-community/prometheus

5. Configure Prometheus to Scrape Falco Exporter (optional)

Patch the Prometheus config:

kubectl edit configmap prometheus-server

Add under scrape_configs:

  - job_name: 'falco'
    static_configs:
      - targets: ['falco-exporter:9376']

Then restart Prometheus:

kubectl delete pod -l app=prometheus,component=server

6. Install Grafana

helm repo add grafana https://grafana.github.io/helm-charts
helm repo update

helm install grafana grafana/grafana

Retrieve the admin password:

kubectl get secret --namespace default grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo

Expose Grafana:

kubectl port-forward svc/grafana 3000:80

Login: admin / admin

7. Connect Grafana to Prometheus

  1. Go to Settings → Data Sources → Add data source
  2. Choose Prometheus
  3. Set URL: http://prometheus-server.default.svc.cluster.local
  4. Click Save & Test

8. Import Falco Dashboard

  1. Go to Dashboards → Import
  2. Use Dashboard ID: 11914 & 15310 (per-pod-filter)
  3. Select Prometheus as data source
  4. Click Import

9. Test with Falco Event Generator

Run the event generator:

docker run -it --rm falcosecurity/event-generator run syscall --loop

Within moments, Falco will detect the syscalls and trigger alerts. The resulting alert metrics will appear in Prometheus and Grafana.

Important: if more detailed logs are needed, add Loki to collect the Falco pod logs, or use Falcosidekick (https://github.com/falcosecurity/falcosidekick) for more robust metrics and a more detailed dashboard view.
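
To confirm that the events generated in step 9 actually reached the exporter checked in step 3, the following added example (not part of the original guide) compares two saved scrapes of /metrics and reports alert counts per priority. It assumes the metric name falco_alerts_total shown in step 3 and a "priority" label on each sample; the function names are hypothetical and the sample scrapes are constructed.

```shell
# Added example: check that Falco alerts reach the exporter by comparing two
# saved scrapes of /metrics. Assumes the metric name from step 3 and a
# "priority" label on each sample; function names are hypothetical.
METRIC="${METRIC:-falco_alerts_total}"

# Constructed sample scrapes (not real exporter output).
SAMPLE_BEFORE='# TYPE falco_alerts_total counter
falco_alerts_total{priority="Warning",rule="Read sensitive file untrusted"} 2
falco_alerts_total{priority="Notice",rule="Terminal shell in container"} 1
go_goroutines 12'
SAMPLE_AFTER='# TYPE falco_alerts_total counter
falco_alerts_total{priority="Warning",rule="Read sensitive file untrusted"} 4
falco_alerts_total{priority="Warning",rule="Write below etc"} 1
falco_alerts_total{priority="Notice",rule="Terminal shell in container"} 1
go_goroutines 14'

# Read Prometheus text format on stdin; print "<priority> <count>" per line.
alerts_by_priority() {
  awk -v m="$METRIC" '
    /^#/ { next }                       # skip HELP/TYPE comment lines
    index($0, m "{") == 1 {             # only samples of the chosen metric
      prio = "unknown"
      if (match($0, /priority="[^"]*"/))
        prio = substr($0, RSTART + 10, RLENGTH - 11)
      sum[prio] += $NF                  # value is the last field (no timestamp)
    }
    END { for (p in sum) printf "%s %d\n", p, sum[p] }
  ' | sort
}

# Sum over all priorities; prints 0 when the metric is absent.
alerts_total() {
  alerts_by_priority | awk '{ t += $2 } END { print t + 0 }'
}

# Exit 0 only if the alert total grew between two scrape files.
# A total stuck at 0 can mean the exporter cannot reach the Falco socket (step 2).
alerts_increased() {
  total_before=$(alerts_total < "$1")
  total_after=$(alerts_total < "$2")
  echo "falco alerts: before=$total_before after=$total_after"
  [ "$total_after" -gt "$total_before" ]
}
```

Save one scrape from http://localhost:9376/metrics to a file before running the event generator and another afterwards, then pass both files to alerts_increased.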

✅ Completed Setup

You now have a full Falco security monitoring stack running on Minikube, integrated with Prometheus and Grafana for real-time alerting and visualization.