Open Falco extension for arbitrary event storages and processors

[marwinski]

What would you like to be added:

Make Falco extension open for different means for storing and processing events.

Why is this needed:

Means for Falco event storage and processing are opinionated. Within our team and our stakeholder community we already have four different approaches for storing and processing events:

• Deliver events to a Splunk instance for further processing
• Use custom, user-controlled tools to scrape events from a Kubernetes node
• Use the Gardener provided logging- and monitoring stack to store and process events
• Use a central instance to store and process events

As our stakeholder community is still relatively small we expect more of the above.

In addition, there are at least two approaches for handling events:

• generally, treat events as an indication that there is a threat and react accordingly
• add rules to generate events on normal behavior and detect possible threats during
  post-processing

While today, the Falco extension can be configured to support all scenarios except using the Gardener logging- and monitoring stack, it is somewhat opinionated towards using the centrally provided storage.