
feat(k8saudit): file watching#1167

Open
RichardoC wants to merge 8 commits into falcosecurity:main from RichardoC:feature/k8saudit-file-watching

Conversation

@RichardoC
Contributor

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area plugins

What this PR does / why we need it:
Add continuous file watching capability for audit logs using the
tail:// URL scheme. This allows monitoring files for new entries
and handles log rotation via inode detection and file truncation.

Which issue(s) this PR fixes:

Fixes #191

Special notes for your reviewer: Generated with Claude Code. Full transcript attached
claude-log.txt

RichardoC and others added 3 commits January 22, 2026 16:59
Add continuous file watching capability for audit logs using the
tail:// URL scheme. This allows monitoring files for new entries
and handles log rotation via inode detection and file truncation.

Closes falcosecurity#191

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
Add documentation for the new tail:// URL scheme and
watchPollIntervalMs configuration option.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
@poiana
Contributor

poiana commented Jan 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: RichardoC
Once this PR has been reviewed and has the lgtm label, please assign leogr for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana requested review from irozzo-1A and leogr January 22, 2026 17:14
@poiana poiana added the size/L label Jan 22, 2026
@RichardoC RichardoC changed the title Feature/k8saudit file watching feat(k8saudit): file watching Jan 22, 2026
@github-actions

Rules files suggestions

rules

Comparing b4696a614148482909f4e483c2906685abfe2151 with latest tag plugins/k8saudit/v0.16.0

No changes detected

Contributor

@irozzo-1A irozzo-1A left a comment


Hi @RichardoC, thanks for your contribution. I suggest using file instead of tail to have a more standard URI, and using an event based approach instead of polling.

Co-authored-by: Iacopo Rozzo <iacopo@sysdig.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
@RichardoC
Contributor Author

Hi @RichardoC, thanks for your contribution. I suggest using file instead of tail to have a more standard URI, and using an event based approach instead of polling.

Thank you for the thorough review @irozzo-1A , making those changes now

@RichardoC
Contributor Author

Claude log for the changes
Uploading claude-log-1.txt…

Replace polling-based file watching with fsnotify for better efficiency.

- Use fsnotify to watch parent directory (per maintainer recommendation)
- Rename scheme from tail:// to file://
- Remove watchPollIntervalMs config (no longer needed)
- Rename test package from tail to filewatch

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
@RichardoC RichardoC force-pushed the feature/k8saudit-file-watching branch from 0613d65 to c12e1e0 Compare January 26, 2026 17:26
@RichardoC
Contributor Author

The cargo install issue in CI seems unrelated to my changes

Move tests from orphaned filewatch/ package into k8saudit alongside
the code they test, and restore truncation detection that was lost
in the fsnotify refactor.

- Detect file truncation via size check before seeking (copytruncate)
- Move filewatch/filewatch_test.go to watch_test.go in k8saudit package
- Restore TestOpenFileWatch_HandlesTruncation test
- Remove empty filewatch/ directory
- Mark fsnotify as direct dependency in go.mod

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
@github-actions

github-actions bot commented Feb 5, 2026

Rules files suggestions

rules

Comparing d55af3c756e061542b4a99366285a3c18c94a2d4 with latest tag plugins/k8saudit/v0.16.0

No changes detected

…tcher

- Align scanner buffer with MaxEventSize to avoid silently dropping large events
- Log scanner errors instead of swallowing them
- Log fsnotify watcher errors instead of discarding them
- Add real assertions to watch tests using sentinel-based content verification

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
@poiana poiana added size/XL and removed size/L labels Feb 5, 2026
@github-actions

github-actions bot commented Feb 5, 2026

Rules files suggestions

rules

Comparing 16ded85295827763a0da74e4e7c179c66aa72262 with latest tag plugins/k8saudit/v0.16.0

No changes detected

… trailing newline

bufio.ScanLines returns the last non-empty line even without a trailing
newline, but the offset tracking unconditionally added +1 for the
delimiter. This caused the watcher to seek one byte past the actual end
of content, skipping the first byte of subsequently appended data.
Replace the manual offset arithmetic with file.Seek(0, io.SeekCurrent)
after the scan loop to read the file descriptor's actual position, which
is always exact regardless of trailing newlines. Also switch from
scanner.Text() to scanner.Bytes() to avoid an unnecessary string
allocation per line.
Additionally fix a pre-existing build failure in extract_test.go caused
by missing methods in the sdk.ExtractRequest interface stub.
- edited by Opus 4.6 via cursor

Signed-off-by: Richard Tweed <RichardoC@users.noreply.github.com>
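Added example, not code from this PR or from the k8saudit plugin: a minimal tailer that shows the two behaviours described in the commits above, truncation detection via a size check before seeking, and resuming from the descriptor's real position (`file.Seek(0, io.SeekCurrent)`) rather than from `len(line)+1` arithmetic, which overshoots when the last line has no trailing newline. `naiveOffset` reproduces the old arithmetic for contrast; `maxEventSize` is a constructed stand-in for the plugin's MaxEventSize, and the fsnotify event loop that would call `readNewLines` is omitted.

```go
package main

import (
	"bufio"
	"bytes"
	"io"
	"os"
)

// Constructed stand-in for the plugin's MaxEventSize; the scanner buffer is aligned with it.
const maxEventSize = 1 << 20

// naiveOffset reproduces the bug: len(line)+1 per line overshoots by one byte without a trailing newline.
func naiveOffset(data []byte) int64 {
	var off int64
	for sc := bufio.NewScanner(bytes.NewReader(data)); sc.Scan(); {
		off += int64(len(sc.Bytes())) + 1
	}
	return off
}

// readNewLines returns the lines appended after offset and the exact offset to resume from.
// A file shorter than offset was truncated (copytruncate rotation), so reading restarts at 0.
func readNewLines(path string, offset int64) ([]string, int64, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, offset, err
	}
	defer f.Close()
	if st, err := f.Stat(); err != nil {
		return nil, offset, err
	} else if st.Size() < offset {
		offset = 0 // truncation detected before seeking
	}
	if _, err := f.Seek(offset, io.SeekStart); err != nil {
		return nil, offset, err
	}
	var lines []string
	sc := bufio.NewScanner(f)
	sc.Buffer(make([]byte, 0, 64*1024), maxEventSize) // large events are not dropped as "token too long"
	for sc.Scan() {
		lines = append(lines, string(sc.Bytes()))
	}
	if err := sc.Err(); err != nil { // surface scanner errors instead of swallowing them
		return lines, offset, err
	}
	// Ask the descriptor where it actually is: exact with or without a trailing newline.
	newOff, err := f.Seek(0, io.SeekCurrent)
	return lines, newOff, err
}
```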
@RichardoC RichardoC force-pushed the feature/k8saudit-file-watching branch from 68ef8be to 7715826 Compare March 10, 2026 20:29
Successfully merging this pull request may close these issues.

Feature Request: Let K8saudit plugin watch/tail file and parse new lines.