Open jibanes opened 2 years ago
Hey @jibanes, Thanks for the PR, this is now on the Roadmap. Issue https://github.com/solo-io/bumblebee/issues/11 is basically about this, although this is hard to tell without further clarification. :)
Great, thanks, looking forward to it. As you understand, I'd like to run probes and send the output to fluentbit, essentially.
Version
0.0.12
Linux Version
5.15.x
Is your feature request related to a problem? Please describe.
No response
Describe the solution you'd like
Much like Sysdig's Falco, it would be useful for security instrumentation to format the output as JSON events, such as:

```json
{"time":"2022-06-11T09:53:40.734542-0700","bpf":"opensnoop.o","event":"/proc/123/env"}
```

This output can then be piped to fluentd or something else.

Additionally, for instrumentation in general, event sampling (at the source) might also be valuable, i.e. define a rate: `-r 0.50` will drop every other log event. This might be useful if you only want a sample of logs, i.e. if instrumenting TCP payloads, one could only care about the "ratio" of SYN packets over SYN+ACK.
Describe alternatives you've considered
No response
Additional Context
No response
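The two requests in this issue (JSON events and source-side sampling at a rate such as 0.50) can be sketched together in Go. This is an added example, not bumblebee code: `Event`, `Emit` and `layout` are hypothetical names, and the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"time"
)

// Event mirrors the JSON shape proposed in the issue (hypothetical type).
type Event struct {
	Time  string `json:"time"`
	BPF   string `json:"bpf"`
	Event string `json:"event"`
}

// layout reproduces the timestamp format used in the issue's sample event.
const layout = "2006-01-02T15:04:05.000000-0700"

// Emit writes one JSON object per kept event and returns how many it wrote.
// An accumulator keeps exactly `rate` of the stream (0.50 = every other event).
// json.Encoder escapes quotes and newlines, so a crafted file name cannot
// forge an extra log line in the downstream collector.
func Emit(w io.Writer, rate float64, probe string, values []string, now func() time.Time) (int, error) {
	if rate <= 0 || rate > 1 {
		return 0, fmt.Errorf("rate must be in (0, 1], got %v", rate)
	}
	enc, acc, n := json.NewEncoder(w), 0.0, 0
	for _, v := range values {
		if acc += rate; acc < 1 {
			continue // dropped at the source
		}
		acc--
		e := Event{Time: now().Format(layout), BPF: probe, Event: v}
		if err := enc.Encode(e); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

func main() {
	// Constructed sample values standing in for opensnoop output.
	values := []string{"/proc/123/env", "/etc/hosts", "/tmp/a\nb", "/etc/passwd"}
	if _, err := Emit(os.Stdout, 0.50, "opensnoop.o", values, time.Now); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

Rates that are not exact binary fractions (0.1, for example) keep the right proportion over a long stream but may shift an individual keep by one event because of floating-point rounding.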