Why would you choose to write sysdig rules to alert you about unexpected, suspicious behavior (e.g. mysql server spawns a process) when you could write apparmor or selinux policies that would alert you and block it?
This is nice, I can see myself using it instead of OSSEC and may have to look at making a clone for Windows, based on the equivalent APIs/tools in the ETW stack.
Interesting. The security facet of the rules turns it into some kind of HIDS (host intrusion detection system) - I would be curious to see the level of verbosity this gets when scaling across hundreds of containers.
From what I get you also need to plug it into your own alerting system by hand.
Yes, this currently emits to file or syslog and you need to take care of the alerting. Of course, this is the very initial release and we plan to improve it. If you have a specific need or idea, feel free to open an issue or let us know on the mailing list.
Frankly, I'd leave it as is - I (and I'm sure lots of other opers) already have some kind of central log collection that we can alert off. Nothing more frustrating than all the various monitoring systems each with their own unique take on alerting ;) Just imho of course.
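Since the thread above says the tool only writes one alert per line to a file or syslog and leaves alerting to the operator, here is an added example (not code from the original discussion or from the project itself) of the small parsing and triage layer a central log pipeline would put in front of those lines: parse each line, drop anything below a chosen priority, and collapse repeats of the same rule so a noisy container fleet does not page once per event. The `<time>: <priority> <message>` line format and the sample lines are constructed assumptions, not the project's documented output.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample output, one alert per line, in an assumed "<time>: <priority> <message>"
# layout. This is illustrative input only, not real output captured from the tool.
SAMPLE_LINES = """\
10:54:12.123456789: Warning Unexpected process spawned by mysql (user=mysql parent=mysqld command=sh -c id)
10:54:12.987654321: Notice Shell spawned in container (user=root container=web01 shell=bash)
10:54:13.000000001: Warning Unexpected process spawned by mysql (user=mysql parent=mysqld command=sh -c id)
10:54:14.555555555: Informational File opened for reading (user=root path=/etc/passwd)
this line is deliberately malformed and must be ignored
"""

# Syslog-style severity order: lower rank means more urgent.
PRIORITY_RANK = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
    "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7,
}

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+): (?P<priority>[A-Za-z]+) (?P<message>.*)$")


@dataclass(frozen=True)
class Alert:
    time: str
    priority: str
    message: str


def parse_line(line):
    """Return an Alert for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("priority") not in PRIORITY_RANK:
        return None
    return Alert(m.group("time"), m.group("priority"), m.group("message"))


def parse_output(text):
    """Parse a whole file/syslog dump, silently skipping malformed lines."""
    return [a for a in (parse_line(l) for l in text.splitlines()) if a is not None]


def select_for_alerting(alerts, min_priority="Warning"):
    """Keep only alerts at or above the given priority (Warning keeps Warning..Emergency)."""
    threshold = PRIORITY_RANK[min_priority]
    return [a for a in alerts if PRIORITY_RANK[a.priority] <= threshold]


def rule_key(alert):
    """Strip the trailing '(field=value ...)' detail so repeats of one rule share a key."""
    return re.sub(r"\s*\(.*\)$", "", alert.message)


def rule_counts(alerts):
    """Count alerts per rule, which is what you would page on rather than per raw line."""
    return Counter(rule_key(a) for a in alerts)


def to_event(alert):
    """Shape one alert as a dict ready to be handed to whatever alerting backend you run."""
    return {
        "time": alert.time,
        "severity": alert.priority.lower(),
        "rule": rule_key(alert),
        "detail": alert.message,
    }


if __name__ == "__main__":
    parsed = parse_output(SAMPLE_LINES)
    urgent = select_for_alerting(parsed, "Warning")
    print(f"parsed {len(parsed)} alerts, {len(urgent)} at Warning or above")
    for rule, n in rule_counts(urgent).items():
        print(f"{n:3d}  {rule}")
    for a in urgent:
        print(to_event(a))
```

Running it on the constructed input yields four parsed alerts, two of which pass the Warning threshold, both collapsing to the single rule "Unexpected process spawned by mysql". Feeding the output of `to_event` to an existing alert router is the "alert off central log collection" approach the last comment prefers, and keeps the per-rule aggregation in one place instead of in each monitoring system.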