diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index bbc5d13ec176..20c319389199 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -376,6 +376,7 @@ /packages/teleport @elastic/security-service-integrations /packages/tenable_io @elastic/security-service-integrations /packages/tenable_sc @elastic/security-service-integrations +/packages/tetragon @elastic/sec-deployment-and-devices /packages/thycotic_ss @elastic/security-service-integrations /packages/ti_abusech @elastic/security-service-integrations /packages/ti_anomali @elastic/security-service-integrations diff --git a/packages/tetragon/_dev/build/build.yml b/packages/tetragon/_dev/build/build.yml new file mode 100644 index 000000000000..7ca27a12b886 --- /dev/null +++ b/packages/tetragon/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: "git@v8.11.0" \ No newline at end of file diff --git a/packages/tetragon/_dev/build/docs/README.md b/packages/tetragon/_dev/build/docs/README.md new file mode 100644 index 000000000000..05f92bee153a --- /dev/null +++ b/packages/tetragon/_dev/build/docs/README.md 
@@ -0,0 +1,137 @@ +# Cilium Tetragon + +## Overview + +The **Cilium Tetragon** integration enables you to monitor and analyze events from [Tetragon](https://tetragon.io/), a Kubernetes-aware security observability and runtime enforcement tool supported by the CNCF. This integration provides insight into Tetragon's security event logs, allowing you to visualize data in Kibana, set up alerts, and quickly respond to security events within your Kubernetes environment. + +## Datastreams + +The Cilium Tetragon integration collects security event logs from Tetragon into a **logs** datastream in Elasticsearch. + +## Requirements + +To use the Cilium Tetragon integration, ensure the following: + +- **Elastic Stack**: Elasticsearch and Kibana are required for data storage, search, and visualization. You can use the hosted **Elasticsearch Service on Elastic Cloud** (recommended) or deploy the Elastic Stack on your own hardware. +- **Kubernetes Environment**: Tetragon must be running in a Kubernetes cluster. + +## Setup + +### Step 1: Install Integration Assets + +Before collecting data from Tetragon, install the required assets for this integration in Kibana: + +1. In Kibana, navigate to **Settings** > **Install Cilium Tetragon Integration**. +2. Alternatively, go to **⊕ Add Cilium Tetragon** > **Add Integration Only** (skip Elastic Agent installation, which is unsupported for this integration). + +### Step 2: Configure Tetragon for JSON Export + +Tetragon needs to be configured to export its event data as JSON logs. You’ll then use **Filebeat** to send these logs to Elasticsearch. The simplest approach is to use the Tetragon Helm chart along with a Helm values file. + +Refer to the [Tetragon Documentation](https://tetragon.io/docs/installation/kubernetes/) for general Helm installation guidance. + +#### 2.1: Set Up Filebeat Config Map + +First, create a ConfigMap with Filebeat configuration in the `kube-system` namespace. 
Update the Elasticsearch username and password in the provided configuration file. + +Save the following as `filebeat-cfgmap.yaml`: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: filebeat-configmap + namespace: kube-system +data: + filebeat.yml: | + filebeat.inputs: + - type: filestream + id: tetragon-log + enabled: true + paths: + - /var/run/cilium/tetragon/*.log + path.data: /usr/share/filebeat/data + processors: + - timestamp: + field: "time" + layouts: + - '2006-01-02T15:04:05Z' + - '2006-01-02T15:04:05.999Z' + - '2006-01-02T15:04:05.999-07:00' + test: + - '2019-06-22T16:33:51Z' + - '2019-11-18T04:59:51.123Z' + - '2020-08-03T07:10:20.123456+02:00' + setup.template.name: logs + setup.template.pattern: "logs-cilium_tetragon.*" + output.elasticsearch: + hosts: ["https://"] + username: "" + password: "" + index: logs-cilium_tetragon.log-default +``` + +To apply this configuration, run: + +```shell +kubectl create -f filebeat-cfgmap.yaml +``` + +#### 2.2: Install Tetragon with Filebeat Sidecar + +Next, install Tetragon with Helm, using an override file to configure a Filebeat sidecar to export logs. 
Save the following configuration as `filebeat-helm-values.yaml`: + +```yaml +export: + securityContext: + runAsUser: 0 + runAsGroup: 0 + stdout: + enabledCommand: false + enabledArgs: false + image: + override: "docker.elastic.co/beats/filebeat:8.15.3" + extraVolumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: filebeat-data + mountPath: /usr/share/filebeat/data +extraVolumes: + - name: filebeat-data + hostPath: + path: /var/run/cilium/tetragon/filebeat + type: DirectoryOrCreate + - name: filebeat-config + configMap: + name: filebeat-configmap + items: + - key: filebeat.yml + path: filebeat.yml +``` + +Then, install Tetragon with: + +```shell +helm repo add cilium https://helm.cilium.io +helm repo update +helm install tetragon -f filebeat-helm-values.yaml ${EXTRA_HELM_FLAGS[@]} cilium/tetragon -n kube-system +``` + +## Troubleshooting + +If expected events are not appearing in Elasticsearch, ensure that Tetragon is configured to export the right events: + +- Check the `tetragon.exportAllowList` and `tetragon.exportDenyList` Helm values. These can be adjusted by adding them to `filebeat-helm-values.yaml` to control which events are included in the JSON export. + +## Reference + +For additional guidance on installing or configuring Tetragon, visit the [Tetragon documentation](https://tetragon.io/docs/). + +## Logs + +### Log Datastream + +The `log` datastream captures event logs from Tetragon. These events are indexed as `logs-cilium_tetragon.log-default` in Elasticsearch. + +{{fields "log"}} \ No newline at end of file diff --git a/packages/tetragon/changelog.yml b/packages/tetragon/changelog.yml new file mode 100644 index 000000000000..091cfd8f6693 --- /dev/null +++ b/packages/tetragon/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: 0.1.0 + changes: + - description: Initial Version + type: enhancement + link: https://github.com/elastic/integrations/pull/999999 
diff --git a/packages/tetragon/data_stream/log/_dev/test/pipeline/test-cilium-tetragon-log.log b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-cilium-tetragon-log.log new file mode 100644 index 000000000000..b9a477b206a7 --- /dev/null +++ b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-cilium-tetragon-log.log 
@@ -0,0 +1,12 @@ +{"process_exec":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==","pid":224395,"uid":0,"cwd":"/","binary":"/usr/local/bin/local-path-provisioner","arguments":"--debug start --helper-image docker.io/kindest/local-path-helper:v20230510-486859a6 --config /etc/config/config.json","flags":"procFS auid rootcwd","start_time":"2024-10-18T22:12:37.150989227Z","auid":4294967295,"pod":{"namespace":"local-path-storage","name":"local-path-provisioner-57c5987fd4-vd668","container":{"id":"containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61","name":"local-path-provisioner","image":{"id":"sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83","name":"docker.io/kindest/local-path-provisioner:v20240813-c6f155d6"},"start_time":"2024-10-18T22:12:37Z","pid":1},"pod_labels":{"app":"local-path-provisioner","pod-template-hash":"57c5987fd4"},"workload":"local-path-provisioner","workload_kind":"Deployment"},"docker":"aac7662884b96b0351a3529cf7c3831","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==","tid":224395},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==","pid":223965,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9","binary":"/usr/local/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9 -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2024-10-18T22:12:35.110989185Z","auid":4294967295,"parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==","tid":223965}},"node_name":"kind-control-plane","time":"2024-10-18T22:12:37.150989102Z"} +{"process_exec":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==","pid":224395,"uid":0,"cwd":"/","binary":"/usr/local/bin/local-path-provisioner","arguments":"--debug start 
--helper-image docker.io/kindest/local-path-helper:v20230510-486859a6 --config /etc/config/config.json","flags":"procFS auid rootcwd","start_time":"2024-10-18T22:12:37.150989227Z","auid":4294967295,"pod":{"namespace":"local-path-storage","name":"local-path-provisioner-57c5987fd4-vd668","container":{"id":"containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61","name":"local-path-provisioner","image":{"id":"sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83","name":"docker.io/kindest/local-path-provisioner:v20240813-c6f155d6"},"start_time":"2024-10-18T22:12:37Z","pid":1},"pod_labels":{"app":"local-path-provisioner","pod-template-hash":"57c5987fd4"},"workload":"local-path-provisioner","workload_kind":"Deployment"},"docker":"aac7662884b96b0351a3529cf7c3831","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==","tid":224395},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==","pid":223965,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9","binary":"/usr/local/bin/containerd-shim-runc-v2","arguments":"-namespace k8s.io -id 6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9 -address /run/containerd/containerd.sock","flags":"procFS auid","start_time":"2024-10-18T22:12:35.110989185Z","auid":4294967295,"parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==","tid":223965}},"node_name":"kind-control-plane","time":"2024-10-18T22:12:37.150989102Z"} +{"process_exec":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjcwMDAwMDAwOjIzMjQ0OA==","pid":232448,"uid":0,"cwd":"/","binary":"/usr/local/bin/node","arguments":"/usr/local/bin/json-server --host --port 80 --watch /default.json --middlewares /middleware.js","flags":"procFS auid 
rootcwd","start_time":"2024-10-22T05:46:41.135309727Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":12},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==","tid":232448},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==","pid":232431,"uid":0,"cwd":"/","binary":"/usr/bin/tini","arguments":"-- /usr/local/bin/json-server --host --port 80 --watch /default.json --middlewares /middleware.js","flags":"procFS auid rootcwd","start_time":"2024-10-22T05:46:41.025309810Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":1},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOA==","tid":232431}},"node_name":"kind-control-plane","time":"2024-10-22T05:46:41.135309685Z"} 
+{"process_exec":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNTE4NjYwNDIzOjIzMjU1OA==","pid":232558,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs","binary":"/usr/bin/mount","arguments":"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/sys/class/dmi/id/product_name","flags":"execve clone","start_time":"2024-10-18T22:18:38.469649900Z","auid":4294967295,"pod":{"namespace":"default","name":"deathstar-bf77cddc9-ffqfk","container":{"id":"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e","name":"deathstar","image":{"id":"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8","name":"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42"},"start_time":"2024-10-18T22:18:38Z","pid":10},"pod_labels":{"app.kubernetes.io/name":"deathstar","class":"deathstar","org":"empire","pod-template-hash":"bf77cddc9"},"workload":"deathstar","workload_kind":"Deployment"},"docker":"3ed83b82842d7a33bf57fdbd8b9e6c5","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==","tid":232558},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==","pid":232555,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs","binary":"/kind/bin/mount-product-files.sh","arguments":"/kind/bin/mount-product-files.sh","flags":"execve 
clone","start_time":"2024-10-18T22:18:38.435249979Z","auid":4294967295,"pod":{"namespace":"default","name":"deathstar-bf77cddc9-ffqfk","container":{"id":"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e","name":"deathstar","image":{"id":"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8","name":"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42"},"start_time":"2024-10-18T22:18:38Z","pid":7},"pod_labels":{"app.kubernetes.io/name":"deathstar","class":"deathstar","org":"empire","pod-template-hash":"bf77cddc9"},"workload":"deathstar","workload_kind":"Deployment"},"docker":"3ed83b82842d7a33bf57fdbd8b9e6c5","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==","tid":232555}},"node_name":"kind-control-plane","time":"2024-10-18T22:18:38.469649608Z"} +{"process_exit":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTA2MzUwMDI1OjIzMjUwOQ==","pid":232509,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs","binary":"/usr/bin/jq","arguments":"-r .bundle","flags":"execve 
clone","start_time":"2024-10-18T22:18:38.057339543Z","auid":4294967295,"pod":{"namespace":"default","name":"deathstar-bf77cddc9-wgvrg","container":{"id":"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c","name":"deathstar","image":{"id":"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8","name":"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42"},"start_time":"2024-10-18T22:18:38Z","pid":7},"pod_labels":{"app.kubernetes.io/name":"deathstar","class":"deathstar","org":"empire","pod-template-hash":"bf77cddc9"},"workload":"deathstar","workload_kind":"Deployment"},"docker":"8d5d9f5c53d931cc7c1419ae7aeeca3","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==","tid":232509},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==","pid":232508,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs","binary":"/kind/bin/mount-product-files.sh","arguments":"/kind/bin/mount-product-files.sh","flags":"execve 
clone","start_time":"2024-10-18T22:18:38.051558807Z","auid":4294967295,"pod":{"namespace":"default","name":"deathstar-bf77cddc9-wgvrg","container":{"id":"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c","name":"deathstar","image":{"id":"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8","name":"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42"},"start_time":"2024-10-18T22:18:38Z","pid":6},"pod_labels":{"app.kubernetes.io/name":"deathstar","class":"deathstar","org":"empire","pod-template-hash":"bf77cddc9"},"workload":"deathstar","workload_kind":"Deployment"},"docker":"8d5d9f5c53d931cc7c1419ae7aeeca3","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==","tid":232508},"time":"2024-10-18T22:18:38.083885859Z"},"node_name":"kind-control-plane","time":"2024-10-18T22:18:38.083885900Z"} +{"process_exit":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDA0MzM2ODk3MjoxMTI0MDg4","pid":1124088,"uid":0,"cwd":"/","binary":"/usr/bin/bash","flags":"execve rootcwd","start_time":"2024-10-22T18:00:28.908679907Z","auid":4294967295,"pod":{"namespace":"default","name":"xwing","container":{"id":"containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:39Z","pid":24},"pod_labels":{"app.kubernetes.io/name":"xwing","class":"xwing","org":"alliance"},"workload":"xwing","workload_kind":"Pod"},"docker":"b6edfbfcaff9879076789c46ebaa26c","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4","tid":1124088},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4","pid":1124088,"uid":0,"cwd":"/","binary":"/usr/bin/sh","arguments":"-c \"command -v bash >/dev/null && 
exec bash || exec sh\"","flags":"execve rootcwd clone","start_time":"2024-10-22T18:00:28.892941507Z","auid":4294967295,"pod":{"namespace":"default","name":"xwing","container":{"id":"containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:39Z","pid":24},"pod_labels":{"app.kubernetes.io/name":"xwing","class":"xwing","org":"alliance"},"workload":"xwing","workload_kind":"Pod"},"docker":"b6edfbfcaff9879076789c46ebaa26c","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOQ==","tid":1124088},"status":1,"time":"2024-10-22T18:01:47.556515715Z"},"node_name":"kind-control-plane","time":"2024-10-22T18:01:47.556515381Z"} +{"process_exit":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjMzNzY4NzI4OjIzMjQzOQ==","pid":232439,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs","binary":"/usr/bin/mount","arguments":"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/class/dmi/id/product_name","flags":"execve 
clone","start_time":"2024-10-18T22:18:34.184759080Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":9},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==","tid":232439},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==","pid":232436,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs","binary":"/kind/bin/mount-product-files.sh","arguments":"/kind/bin/mount-product-files.sh","flags":"execve clone","start_time":"2024-10-18T22:18:34.137657603Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":6},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==","tid":232436},"time":"2024-10-18T22:18:34.188751196Z"},"node_name":"kind-control-plane","time":"2024-10-18T22:18:34.188750528Z"} 
+{"process_exec":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExMzE0OTg1OTU0NjE1OToxMTA1ODI3","pid":1105827,"uid":0,"cwd":"/","binary":"/usr/bin/nsenter","flags":"execve rootcwd clone","start_time":"2024-10-22T17:45:54.724856386Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":30},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz","tid":1105827},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz","pid":1105703,"uid":0,"cwd":"/","binary":"/usr/bin/bash","flags":"execve rootcwd","start_time":"2024-10-22T17:45:46.898109415Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":23},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAyMTgzMDY0OToxMTA1NzAz","tid":1105703}},"node_name":"kind-control-plane","time":"2024-10-22T17:45:54.724856635Z"} 
+{"process_exit":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==","pid":232555,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs","binary":"/kind/bin/mount-product-files.sh","arguments":"/kind/bin/mount-product-files.sh","flags":"execve clone","start_time":"2024-10-18T22:18:38.435249979Z","auid":4294967295,"pod":{"namespace":"default","name":"deathstar-bf77cddc9-ffqfk","container":{"id":"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e","name":"deathstar","image":{"id":"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8","name":"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42"},"start_time":"2024-10-18T22:18:38Z","pid":7},"pod_labels":{"app.kubernetes.io/name":"deathstar","class":"deathstar","org":"empire","pod-template-hash":"bf77cddc9"},"workload":"deathstar","workload_kind":"Deployment"},"docker":"3ed83b82842d7a33bf57fdbd8b9e6c5","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==","refcnt":4294967291,"tid":232555},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==","pid":232547,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/4d549ac0c9a88b6c981391b5230c67ea88529e160ef1a5e118708cd6fd26daba","binary":"/usr/local/sbin/runc","arguments":"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/init.pid 
3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e","flags":"execve","start_time":"2024-10-18T22:18:38.381814515Z","auid":4294967295,"parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMzIzMjU4NTMzOjIzMjUzNw==","refcnt":1,"tid":232547},"time":"2024-10-18T22:18:38.476210843Z"},"node_name":"kind-control-plane","time":"2024-10-18T22:18:38.476210426Z"} +{"process_exit":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTM2NjA4MDgxOjIzMjUxMQ==","pid":232511,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs","binary":"/usr/bin/mount","arguments":"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/sys/class/dmi/id/product_name","flags":"execve clone","start_time":"2024-10-18T22:18:38.087597474Z","auid":4294967295,"pod":{"namespace":"default","name":"deathstar-bf77cddc9-wgvrg","container":{"id":"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c","name":"deathstar","image":{"id":"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8","name":"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42"},"start_time":"2024-10-18T22:18:38Z","pid":9},"pod_labels":{"app.kubernetes.io/name":"deathstar","class":"deathstar","org":"empire","pod-template-hash":"bf77cddc9"},"workload":"deathstar","workload_kind":"Deployment"},"docker":"8d5d9f5c53d931cc7c1419ae7aeeca3","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==","tid":232511},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==","pid":232508,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/root
fs","binary":"/kind/bin/mount-product-files.sh","arguments":"/kind/bin/mount-product-files.sh","flags":"execve clone","start_time":"2024-10-18T22:18:38.051558807Z","auid":4294967295,"pod":{"namespace":"default","name":"deathstar-bf77cddc9-wgvrg","container":{"id":"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c","name":"deathstar","image":{"id":"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8","name":"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42"},"start_time":"2024-10-18T22:18:38Z","pid":6},"pod_labels":{"app.kubernetes.io/name":"deathstar","class":"deathstar","org":"empire","pod-template-hash":"bf77cddc9"},"workload":"deathstar","workload_kind":"Deployment"},"docker":"8d5d9f5c53d931cc7c1419ae7aeeca3","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==","tid":232508},"time":"2024-10-18T22:18:38.088677890Z"},"node_name":"kind-control-plane","time":"2024-10-18T22:18:38.088677639Z"} +{"process_exec":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjM5OTc0Nzk3OjIzMjQ0MQ==","pid":232441,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs","binary":"/usr/bin/mount","arguments":"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_uuid /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/devices/virtual/dmi/id/product_uuid","flags":"execve 
clone","start_time":"2024-10-18T22:18:34.190965191Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":11},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==","tid":232441},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==","pid":232436,"uid":0,"cwd":"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs","binary":"/kind/bin/mount-product-files.sh","arguments":"/kind/bin/mount-product-files.sh","flags":"execve clone","start_time":"2024-10-18T22:18:34.137657603Z","auid":4294967295,"pod":{"namespace":"default","name":"tiefighter","container":{"id":"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab","name":"spaceship","image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603","name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"},"start_time":"2024-10-18T22:18:34Z","pid":6},"pod_labels":{"app.kubernetes.io/name":"tiefighter","class":"tiefighter","org":"empire"},"workload":"tiefighter","workload_kind":"Pod"},"docker":"28fabceb4c8364252c022a8ccd310f2","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==","tid":232436}},"node_name":"kind-control-plane","time":"2024-10-18T22:18:34.190963940Z"} 
+{"process_exit":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==", "pid":196898, "uid":0, "cwd":"/", "binary":"/usr/bin/bash", "flags":"execve rootcwd", "start_time":"2024-10-31T18:24:19.824473079Z", "auid":4294967295, "pod":{"namespace":"default", "name":"xwing", "container":{"id":"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", "name":"spaceship", "image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", "name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"}, "start_time":"2024-10-31T17:28:56Z", "pid":32}, "pod_labels":{"app.kubernetes.io/name":"xwing", "class":"xwing", "org":"alliance"}, "workload":"xwing", "workload_kind":"Pod"}, "docker":"457e815e26920e424637320f8b969cc", "parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", "tid":196898}, "parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", "pid":196898, "uid":0, "cwd":"/", "binary":"/usr/bin/sh", "arguments":"-c \"command -v bash >/dev/null && exec bash || exec sh\"", "flags":"execve rootcwd clone", "start_time":"2024-10-31T18:24:19.821308747Z", "auid":4294967295, "pod":{"namespace":"default", "name":"xwing", "container":{"id":"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", "name":"spaceship", "image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", "name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"}, "start_time":"2024-10-31T17:28:56Z", "pid":32}, "pod_labels":{"app.kubernetes.io/name":"xwing", "class":"xwing", "org":"alliance"}, "workload":"xwing", "workload_kind":"Pod"}, "docker":"457e815e26920e424637320f8b969cc", "parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2", "tid":196898}, "signal":"SIGKILL", "time":"2024-10-31T18:24:39.619258988Z"}, "node_name":"kind-control-plane", 
"time":"2024-10-31T18:24:39.619258822Z"} diff --git a/packages/tetragon/data_stream/log/_dev/test/pipeline/test-cilium-tetragon-log.log-expected.json b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-cilium-tetragon-log.log-expected.json new file mode 100644 index 000000000000..8a350cefd7b4 --- /dev/null +++ b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-cilium-tetragon-log.log-expected.json 
@@ -0,0 +1,1462 @@ +{ + "expected": [ + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exec": { + "parent": { + "auid": 4294967295, + "flags": "procFS auid", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==" + }, + "process": { + "auid": 4294967295, + "docker": "aac7662884b96b0351a3529cf7c3831", + "flags": "procFS auid rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==", + "pod": { + "container": { + "image": { + "id": "sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83" + }, + "pid": 1, + "start_time": "2024-10-18T22:12:37Z" + }, + "pod_labels": { + "app": "local-path-provisioner", + "pod-template-hash": "57c5987fd4" + }, + "workload": "local-path-provisioner" + } + } + }, + "time": "2024-10-18T22:12:37.150989102Z" + } + }, + "container": { + "id": "containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61", + "image": { + "name": "docker.io/kindest/local-path-provisioner:v20240813-c6f155d6" + }, + "name": "local-path-provisioner" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "executed", + "original": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==\",\"pid\":224395,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/local/bin/local-path-provisioner\",\"arguments\":\"--debug start --helper-image docker.io/kindest/local-path-helper:v20230510-486859a6 --config /etc/config/config.json\",\"flags\":\"procFS auid 
rootcwd\",\"start_time\":\"2024-10-18T22:12:37.150989227Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"local-path-storage\",\"name\":\"local-path-provisioner-57c5987fd4-vd668\",\"container\":{\"id\":\"containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61\",\"name\":\"local-path-provisioner\",\"image\":{\"id\":\"sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83\",\"name\":\"docker.io/kindest/local-path-provisioner:v20240813-c6f155d6\"},\"start_time\":\"2024-10-18T22:12:37Z\",\"pid\":1},\"pod_labels\":{\"app\":\"local-path-provisioner\",\"pod-template-hash\":\"57c5987fd4\"},\"workload\":\"local-path-provisioner\",\"workload_kind\":\"Deployment\"},\"docker\":\"aac7662884b96b0351a3529cf7c3831\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"tid\":224395},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"pid\":223965,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9\",\"binary\":\"/usr/local/bin/containerd-shim-runc-v2\",\"arguments\":\"-namespace k8s.io -id 6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9 -address /run/containerd/containerd.sock\",\"flags\":\"procFS auid\",\"start_time\":\"2024-10-18T22:12:35.110989185Z\",\"auid\":4294967295,\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==\",\"tid\":223965}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:12:37.150989102Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==\",\"pid\":224395,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/local/bin/local-path-provisioner\",\"arguments\":\"--debug start --helper-image docker.io/kindest/local-path-helper:v20230510-486859a6 --config /etc/config/config.json\",\"flags\":\"procFS auid 
rootcwd\",\"start_time\":\"2024-10-18T22:12:37.150989227Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"local-path-storage\",\"name\":\"local-path-provisioner-57c5987fd4-vd668\",\"container\":{\"id\":\"containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61\",\"name\":\"local-path-provisioner\",\"image\":{\"id\":\"sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83\",\"name\":\"docker.io/kindest/local-path-provisioner:v20240813-c6f155d6\"},\"start_time\":\"2024-10-18T22:12:37Z\",\"pid\":1},\"pod_labels\":{\"app\":\"local-path-provisioner\",\"pod-template-hash\":\"57c5987fd4\"},\"workload\":\"local-path-provisioner\",\"workload_kind\":\"Deployment\"},\"docker\":\"aac7662884b96b0351a3529cf7c3831\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"tid\":224395},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"pid\":223965,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9\",\"binary\":\"/usr/local/bin/containerd-shim-runc-v2\",\"arguments\":\"-namespace k8s.io -id 6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9 -address /run/containerd/containerd.sock\",\"flags\":\"procFS auid\",\"start_time\":\"2024-10-18T22:12:35.110989185Z\",\"auid\":4294967295,\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==\",\"tid\":223965}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:12:37.150989102Z\"}", + "orchestrator": { + "namespace": "local-path-storage", + "resource": { + "name": "local-path-provisioner-57c5987fd4-vd668", + "parent": { + "type": "Deployment" + } + } + }, + "process": { + "args": [ + "--debug", + "start", + "--helper-image", + "docker.io/kindest/local-path-helper:v20230510-486859a6", + "--config", + "/etc/config/config.json" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==", + 
"executable": "/usr/local/bin/local-path-provisioner", + "parent": { + "args": [ + "-namespace", + "k8s.io", + "-id", + "6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9", + "-address", + "/run/containerd/containerd.sock" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==", + "executable": "/usr/local/bin/containerd-shim-runc-v2", + "pid": 223965, + "start": "2024-10-18T22:12:35.110989185Z", + "thread": { + "id": 223965 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9" + }, + "pid": 224395, + "start": "2024-10-18T22:12:37.150989227Z", + "thread": { + "id": 224395 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exec": { + "parent": { + "auid": 4294967295, + "flags": "procFS auid", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==" + }, + "process": { + "auid": 4294967295, + "docker": "aac7662884b96b0351a3529cf7c3831", + "flags": "procFS auid rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==", + "pod": { + "container": { + "image": { + "id": "sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83" + }, + "pid": 1, + "start_time": "2024-10-18T22:12:37Z" + }, + "pod_labels": { + "app": "local-path-provisioner", + "pod-template-hash": "57c5987fd4" + }, + "workload": "local-path-provisioner" + } + } + }, + "time": "2024-10-18T22:12:37.150989102Z" + } + }, + "container": { + "id": "containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61", + "image": { + "name": "docker.io/kindest/local-path-provisioner:v20240813-c6f155d6" + }, + "name": "local-path-provisioner" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "executed", + 
"original": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==\",\"pid\":224395,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/local/bin/local-path-provisioner\",\"arguments\":\"--debug start --helper-image docker.io/kindest/local-path-helper:v20230510-486859a6 --config /etc/config/config.json\",\"flags\":\"procFS auid rootcwd\",\"start_time\":\"2024-10-18T22:12:37.150989227Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"local-path-storage\",\"name\":\"local-path-provisioner-57c5987fd4-vd668\",\"container\":{\"id\":\"containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61\",\"name\":\"local-path-provisioner\",\"image\":{\"id\":\"sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83\",\"name\":\"docker.io/kindest/local-path-provisioner:v20240813-c6f155d6\"},\"start_time\":\"2024-10-18T22:12:37Z\",\"pid\":1},\"pod_labels\":{\"app\":\"local-path-provisioner\",\"pod-template-hash\":\"57c5987fd4\"},\"workload\":\"local-path-provisioner\",\"workload_kind\":\"Deployment\"},\"docker\":\"aac7662884b96b0351a3529cf7c3831\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"tid\":224395},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"pid\":223965,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9\",\"binary\":\"/usr/local/bin/containerd-shim-runc-v2\",\"arguments\":\"-namespace k8s.io -id 6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9 -address /run/containerd/containerd.sock\",\"flags\":\"procFS auid\",\"start_time\":\"2024-10-18T22:12:35.110989185Z\",\"auid\":4294967295,\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==\",\"tid\":223965}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:12:37.150989102Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": 
"{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==\",\"pid\":224395,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/local/bin/local-path-provisioner\",\"arguments\":\"--debug start --helper-image docker.io/kindest/local-path-helper:v20230510-486859a6 --config /etc/config/config.json\",\"flags\":\"procFS auid rootcwd\",\"start_time\":\"2024-10-18T22:12:37.150989227Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"local-path-storage\",\"name\":\"local-path-provisioner-57c5987fd4-vd668\",\"container\":{\"id\":\"containerd://aac7662884b96b0351a3529cf7c38311a48b74681a632135c91879f43da12d61\",\"name\":\"local-path-provisioner\",\"image\":{\"id\":\"sha256:282f619d10d4dda6c93fe329249dca6155c9deff5e96eef4420b6f6c30ff5a83\",\"name\":\"docker.io/kindest/local-path-provisioner:v20240813-c6f155d6\"},\"start_time\":\"2024-10-18T22:12:37Z\",\"pid\":1},\"pod_labels\":{\"app\":\"local-path-provisioner\",\"pod-template-hash\":\"57c5987fd4\"},\"workload\":\"local-path-provisioner\",\"workload_kind\":\"Deployment\"},\"docker\":\"aac7662884b96b0351a3529cf7c3831\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"tid\":224395},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==\",\"pid\":223965,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9\",\"binary\":\"/usr/local/bin/containerd-shim-runc-v2\",\"arguments\":\"-namespace k8s.io -id 6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9 -address /run/containerd/containerd.sock\",\"flags\":\"procFS auid\",\"start_time\":\"2024-10-18T22:12:35.110989185Z\",\"auid\":4294967295,\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5NjA0NjAwMDAwMDAwOjIyMTU3NQ==\",\"tid\":223965}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:12:37.150989102Z\"}", + "orchestrator": { + "namespace": "local-path-storage", + "resource": { + 
"name": "local-path-provisioner-57c5987fd4-vd668", + "parent": { + "type": "Deployment" + } + } + }, + "process": { + "args": [ + "--debug", + "start", + "--helper-image", + "docker.io/kindest/local-path-helper:v20230510-486859a6", + "--config", + "/etc/config/config.json" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjM5MjAwMDAwMDAwOjIyNDM5NQ==", + "executable": "/usr/local/bin/local-path-provisioner", + "parent": { + "args": [ + "-namespace", + "k8s.io", + "-id", + "6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9", + "-address", + "/run/containerd/containerd.sock" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5NjM3MTYwMDAwMDAwOjIyMzk2NQ==", + "executable": "/usr/local/bin/containerd-shim-runc-v2", + "pid": 223965, + "start": "2024-10-18T22:12:35.110989185Z", + "thread": { + "id": 223965 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/6aa99f632d557da37af7aac66e6508ebe966cda09fcff83b080e5764432a75d9" + }, + "pid": 224395, + "start": "2024-10-18T22:12:37.150989227Z", + "thread": { + "id": 224395 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exec": { + "parent": { + "auid": 4294967295, + "docker": "28fabceb4c8364252c022a8ccd310f2", + "flags": "procFS auid rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOA==", + "pod": { + "container": { + "id": "containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship", + "pid": 1, + "start_time": "2024-10-18T22:18:34Z" + }, + "name": "tiefighter", + "namespace": "default", + "pod_labels": { + 
"app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter", + "workload_kind": "Pod" + } + }, + "process": { + "auid": 4294967295, + "docker": "28fabceb4c8364252c022a8ccd310f2", + "flags": "procFS auid rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" + }, + "pid": 12, + "start_time": "2024-10-18T22:18:34Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter" + } + } + }, + "time": "2024-10-22T05:46:41.135309685Z" + } + }, + "container": { + "id": "containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "executed", + "original": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjcwMDAwMDAwOjIzMjQ0OA==\",\"pid\":232448,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/local/bin/node\",\"arguments\":\"/usr/local/bin/json-server --host --port 80 --watch /default.json --middlewares /middleware.js\",\"flags\":\"procFS auid 
rootcwd\",\"start_time\":\"2024-10-22T05:46:41.135309727Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":12},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==\",\"tid\":232448},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==\",\"pid\":232431,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/tini\",\"arguments\":\"-- /usr/local/bin/json-server --host --port 80 --watch /default.json --middlewares /middleware.js\",\"flags\":\"procFS auid 
rootcwd\",\"start_time\":\"2024-10-22T05:46:41.025309810Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":1},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOA==\",\"tid\":232431}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-22T05:46:41.135309685Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjcwMDAwMDAwOjIzMjQ0OA==\",\"pid\":232448,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/local/bin/node\",\"arguments\":\"/usr/local/bin/json-server --host --port 80 --watch /default.json --middlewares /middleware.js\",\"flags\":\"procFS auid 
rootcwd\",\"start_time\":\"2024-10-22T05:46:41.135309727Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":12},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==\",\"tid\":232448},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==\",\"pid\":232431,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/tini\",\"arguments\":\"-- /usr/local/bin/json-server --host --port 80 --watch /default.json --middlewares /middleware.js\",\"flags\":\"procFS auid 
rootcwd\",\"start_time\":\"2024-10-22T05:46:41.025309810Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":1},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOA==\",\"tid\":232431}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-22T05:46:41.135309685Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "tiefighter", + "parent": { + "type": "Pod" + } + } + }, + "process": { + "args": [ + "/usr/local/bin/json-server", + "--host", + "--port", + "80", + "--watch", + "/default.json", + "--middlewares", + "/middleware.js" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjcwMDAwMDAwOjIzMjQ0OA==", + "executable": "/usr/local/bin/node", + "parent": { + "args": [ + "--", + "/usr/local/bin/json-server", + "--host", + "--port", + "80", + "--watch", + "/default.json", + "--middlewares", + "/middleware.js" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTYwMDAwMDAwOjIzMjQzMQ==", + "executable": "/usr/bin/tini", + "pid": 232431, + "start": "2024-10-22T05:46:41.025309810Z", + "thread": { + "id": 232431 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "pid": 232448, + "start": "2024-10-22T05:46:41.135309727Z", + "thread": { + "id": 232448 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { 
+ "node_name": "kind-control-plane", + "process_exec": { + "parent": { + "auid": 4294967295, + "docker": "3ed83b82842d7a33bf57fdbd8b9e6c5", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==", + "pod": { + "container": { + "id": "containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e", + "image": { + "id": "quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8", + "name": "sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42" + }, + "name": "deathstar", + "pid": 7, + "start_time": "2024-10-18T22:18:38Z" + }, + "name": "deathstar-bf77cddc9-ffqfk", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "deathstar", + "class": "deathstar", + "org": "empire", + "pod-template-hash": "bf77cddc9" + }, + "workload": "deathstar", + "workload_kind": "Deployment" + } + }, + "process": { + "auid": 4294967295, + "docker": "3ed83b82842d7a33bf57fdbd8b9e6c5", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8" + }, + "pid": 10, + "start_time": "2024-10-18T22:18:38Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "deathstar", + "class": "deathstar", + "org": "empire", + "pod-template-hash": "bf77cddc9" + }, + "workload": "deathstar" + } + } + }, + "time": "2024-10-18T22:18:38.469649608Z" + } + }, + "container": { + "id": "containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e", + "image": { + "name": "sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42" + }, + "name": "deathstar" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "executed", + "original": 
"{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNTE4NjYwNDIzOjIzMjU1OA==\",\"pid\":232558,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/sys/class/dmi/id/product_name\",\"flags\":\"execve clone\",\"start_time\":\"2024-10-18T22:18:38.469649900Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-ffqfk\",\"container\":{\"id\":\"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":10},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"3ed83b82842d7a33bf57fdbd8b9e6c5\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==\",\"tid\":232558},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==\",\"pid\":232555,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.435249979Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-ffqfk\",\"container\":{\"id\":\"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":7},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"3ed83b82842d7a33bf57fdbd8b9e6c5\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==\",\"tid\":232555}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.469649608Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNTE4NjYwNDIzOjIzMjU1OA==\",\"pid\":232558,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/sys/class/dmi/id/product_name\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.469649900Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-ffqfk\",\"container\":{\"id\":\"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":10},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"3ed83b82842d7a33bf57fdbd8b9e6c5\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==\",\"tid\":232558},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==\",\"pid\":232555,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.435249979Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-ffqfk\",\"container\":{\"id\":\"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":7},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"3ed83b82842d7a33bf57fdbd8b9e6c5\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==\",\"tid\":232555}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.469649608Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "deathstar-bf77cddc9-ffqfk", + "parent": { + "type": "Deployment" + } + } + }, + "process": { + "args": [ + "-o", + "ro,bind", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/product_name", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs/sys/class/dmi/id/product_name" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNTE4NjYwNDIzOjIzMjU1OA==", + "executable": "/usr/bin/mount", + "parent": { + "args": [ + "/kind/bin/mount-product-files.sh" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==", + "executable": "/kind/bin/mount-product-files.sh", + "pid": 232555, + "start": "2024-10-18T22:18:38.435249979Z", + "thread": { + "id": 232555 + }, + "user": { + "id": "0" + }, + "working_directory": 
"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs" + }, + "pid": 232558, + "start": "2024-10-18T22:18:38.469649900Z", + "thread": { + "id": 232558 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exit": { + "parent": { + "auid": 4294967295, + "docker": "8d5d9f5c53d931cc7c1419ae7aeeca3", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==", + "pod": { + "container": { + "id": "containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c", + "image": { + "id": "quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8", + "name": "sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42" + }, + "name": "deathstar", + "pid": 6, + "start_time": "2024-10-18T22:18:38Z" + }, + "name": "deathstar-bf77cddc9-wgvrg", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "deathstar", + "class": "deathstar", + "org": "empire", + "pod-template-hash": "bf77cddc9" + }, + "workload": "deathstar", + "workload_kind": "Deployment" + } + }, + "process": { + "auid": 4294967295, + "docker": "8d5d9f5c53d931cc7c1419ae7aeeca3", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8" + }, + "pid": 7, + "start_time": "2024-10-18T22:18:38Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "deathstar", + "class": "deathstar", + "org": "empire", + "pod-template-hash": "bf77cddc9" + }, + "workload": "deathstar" + } + 
}, + "time": "2024-10-18T22:18:38.083885859Z" + }, + "time": "2024-10-18T22:18:38.083885900Z" + } + }, + "container": { + "id": "containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c", + "image": { + "name": "sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42" + }, + "name": "deathstar" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "end", + "original": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTA2MzUwMDI1OjIzMjUwOQ==\",\"pid\":232509,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/usr/bin/jq\",\"arguments\":\"-r .bundle\",\"flags\":\"execve clone\",\"start_time\":\"2024-10-18T22:18:38.057339543Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":7},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"tid\":232509},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"pid\":232508,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"ex
ecve clone\",\"start_time\":\"2024-10-18T22:18:38.051558807Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==\",\"tid\":232508},\"time\":\"2024-10-18T22:18:38.083885859Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.083885900Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTA2MzUwMDI1OjIzMjUwOQ==\",\"pid\":232509,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/usr/bin/jq\",\"arguments\":\"-r .bundle\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.057339543Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":7},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"tid\":232509},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"pid\":232508,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.051558807Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==\",\"tid\":232508},\"time\":\"2024-10-18T22:18:38.083885859Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.083885900Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "deathstar-bf77cddc9-wgvrg", + "parent": { + "type": "Deployment" + } + } + }, + "process": { + "args": [ + "-r", + ".bundle" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTA2MzUwMDI1OjIzMjUwOQ==", + "executable": "/usr/bin/jq", + "parent": { + "args": [ + "/kind/bin/mount-product-files.sh" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==", + "executable": "/kind/bin/mount-product-files.sh", + "pid": 232508, + "start": "2024-10-18T22:18:38.051558807Z", + "thread": { + "id": 232508 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs" + }, + "pid": 232509, + "start": "2024-10-18T22:18:38.057339543Z", + "thread": { + "id": 232509 + }, + "user": { + "id": "0" + }, + "working_directory": 
"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exit": { + "parent": { + "auid": 4294967295, + "docker": "b6edfbfcaff9879076789c46ebaa26c", + "flags": "execve rootcwd clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOQ==", + "pod": { + "container": { + "id": "containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b", + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship", + "pid": 24, + "start_time": "2024-10-18T22:18:39Z" + }, + "name": "xwing", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + }, + "workload": "xwing", + "workload_kind": "Pod" + } + }, + "process": { + "auid": 4294967295, + "docker": "b6edfbfcaff9879076789c46ebaa26c", + "flags": "execve rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" + }, + "pid": 24, + "start_time": "2024-10-18T22:18:39Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + }, + "workload": "xwing" + } + }, + "status": 1, + "time": "2024-10-22T18:01:47.556515715Z" + }, + "time": "2024-10-22T18:01:47.556515381Z" + } + }, + "container": { + "id": "containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b", + "image": { + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" 
+ }, + "event": { + "action": "end", + "original": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDA0MzM2ODk3MjoxMTI0MDg4\",\"pid\":1124088,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/bash\",\"flags\":\"execve rootcwd\",\"start_time\":\"2024-10-22T18:00:28.908679907Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:39Z\",\"pid\":24},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"},\"workload\":\"xwing\",\"workload_kind\":\"Pod\"},\"docker\":\"b6edfbfcaff9879076789c46ebaa26c\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4\",\"tid\":1124088},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4\",\"pid\":1124088,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/sh\",\"arguments\":\"-c \\\"command -v bash >/dev/null && exec bash || exec sh\\\"\",\"flags\":\"execve rootcwd 
clone\",\"start_time\":\"2024-10-22T18:00:28.892941507Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:39Z\",\"pid\":24},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"},\"workload\":\"xwing\",\"workload_kind\":\"Pod\"},\"docker\":\"b6edfbfcaff9879076789c46ebaa26c\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOQ==\",\"tid\":1124088},\"status\":1,\"time\":\"2024-10-22T18:01:47.556515715Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-22T18:01:47.556515381Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDA0MzM2ODk3MjoxMTI0MDg4\",\"pid\":1124088,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/bash\",\"flags\":\"execve 
rootcwd\",\"start_time\":\"2024-10-22T18:00:28.908679907Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:39Z\",\"pid\":24},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"},\"workload\":\"xwing\",\"workload_kind\":\"Pod\"},\"docker\":\"b6edfbfcaff9879076789c46ebaa26c\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4\",\"tid\":1124088},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4\",\"pid\":1124088,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/sh\",\"arguments\":\"-c \\\"command -v bash >/dev/null && exec bash || exec sh\\\"\",\"flags\":\"execve rootcwd 
clone\",\"start_time\":\"2024-10-22T18:00:28.892941507Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://b6edfbfcaff9879076789c46ebaa26c819a89fc519b2afd5f1035497261b3f6b\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:39Z\",\"pid\":24},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"},\"workload\":\"xwing\",\"workload_kind\":\"Pod\"},\"docker\":\"b6edfbfcaff9879076789c46ebaa26c\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTg0NzQwMDAwMDAwOjIzMTkzOQ==\",\"tid\":1124088},\"status\":1,\"time\":\"2024-10-22T18:01:47.556515715Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-22T18:01:47.556515381Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "xwing", + "parent": { + "type": "Pod" + } + } + }, + "process": { + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDA0MzM2ODk3MjoxMTI0MDg4", + "executable": "/usr/bin/bash", + "exit_code": 1, + "parent": { + "args": [ + "-c", + "\"command", + "-v", + "bash", + ">/dev/null", + "&&", + "exec", + "bash", + "||", + "exec", + "sh\"" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExNDAyNDAyNzYzMTMyMjoxMTI0MDg4", + "executable": "/usr/bin/sh", + "pid": 1124088, + "start": "2024-10-22T18:00:28.892941507Z", + "thread": { + "id": 1124088 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "pid": 1124088, + "start": "2024-10-22T18:00:28.908679907Z", + "thread": { + "id": 1124088 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exit": { + "parent": { + "auid": 4294967295, + "docker": 
"28fabceb4c8364252c022a8ccd310f2", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==", + "pod": { + "container": { + "id": "containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship", + "pid": 6, + "start_time": "2024-10-18T22:18:34Z" + }, + "name": "tiefighter", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter", + "workload_kind": "Pod" + } + }, + "process": { + "auid": 4294967295, + "docker": "28fabceb4c8364252c022a8ccd310f2", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" + }, + "pid": 9, + "start_time": "2024-10-18T22:18:34Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter" + } + }, + "time": "2024-10-18T22:18:34.188751196Z" + }, + "time": "2024-10-18T22:18:34.188750528Z" + } + }, + "container": { + "id": "containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "end", + "original": 
"{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjMzNzY4NzI4OjIzMjQzOQ==\",\"pid\":232439,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/class/dmi/id/product_name\",\"flags\":\"execve clone\",\"start_time\":\"2024-10-18T22:18:34.184759080Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":9},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"tid\":232439},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"pid\":232436,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:34.137657603Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==\",\"tid\":232436},\"time\":\"2024-10-18T22:18:34.188751196Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:34.188750528Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjMzNzY4NzI4OjIzMjQzOQ==\",\"pid\":232439,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/class/dmi/id/product_name\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:34.184759080Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":9},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"tid\":232439},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"pid\":232436,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:34.137657603Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==\",\"tid\":232436},\"time\":\"2024-10-18T22:18:34.188751196Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:34.188750528Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "tiefighter", + "parent": { + "type": "Pod" + } + } + }, + "process": { + "args": [ + "-o", + "ro,bind", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_name", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/class/dmi/id/product_name" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjMzNzY4NzI4OjIzMjQzOQ==", + "executable": "/usr/bin/mount", + "parent": { + "args": [ + "/kind/bin/mount-product-files.sh" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==", + "executable": "/kind/bin/mount-product-files.sh", + "pid": 232436, + "start": "2024-10-18T22:18:34.137657603Z", + "thread": { + "id": 232436 + }, + "user": { + "id": "0" + }, + "working_directory": 
"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs" + }, + "pid": 232439, + "start": "2024-10-18T22:18:34.184759080Z", + "thread": { + "id": 232439 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exec": { + "parent": { + "auid": 4294967295, + "docker": "28fabceb4c8364252c022a8ccd310f2", + "flags": "execve rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAyMTgzMDY0OToxMTA1NzAz", + "pod": { + "container": { + "id": "containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship", + "pid": 23, + "start_time": "2024-10-18T22:18:34Z" + }, + "name": "tiefighter", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter", + "workload_kind": "Pod" + } + }, + "process": { + "auid": 4294967295, + "docker": "28fabceb4c8364252c022a8ccd310f2", + "flags": "execve rootcwd clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" + }, + "pid": 30, + "start_time": "2024-10-18T22:18:34Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter" + } + } + }, + "time": "2024-10-22T17:45:54.724856635Z" + } + }, + "container": 
{ + "id": "containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "executed", + "original": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0OTg1OTU0NjE1OToxMTA1ODI3\",\"pid\":1105827,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/nsenter\",\"flags\":\"execve rootcwd clone\",\"start_time\":\"2024-10-22T17:45:54.724856386Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":30},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz\",\"tid\":1105827},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz\",\"pid\":1105703,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/bash\",\"flags\":\"execve 
rootcwd\",\"start_time\":\"2024-10-22T17:45:46.898109415Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":23},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAyMTgzMDY0OToxMTA1NzAz\",\"tid\":1105703}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-22T17:45:54.724856635Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0OTg1OTU0NjE1OToxMTA1ODI3\",\"pid\":1105827,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/nsenter\",\"flags\":\"execve rootcwd 
clone\",\"start_time\":\"2024-10-22T17:45:54.724856386Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":30},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz\",\"tid\":1105827},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz\",\"pid\":1105703,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/usr/bin/bash\",\"flags\":\"execve rootcwd\",\"start_time\":\"2024-10-22T17:45:46.898109415Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":23},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAyMTgzMDY0OToxMTA1NzAz\",\"tid\":1105703}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-22T17:45:54.724856635Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "tiefighter", + 
"parent": { + "type": "Pod" + } + } + }, + "process": { + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExMzE0OTg1OTU0NjE1OToxMTA1ODI3", + "executable": "/usr/bin/nsenter", + "parent": { + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExMzE0MjAzMjc5OTI3MToxMTA1NzAz", + "executable": "/usr/bin/bash", + "pid": 1105703, + "start": "2024-10-22T17:45:46.898109415Z", + "thread": { + "id": 1105703 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "pid": 1105827, + "start": "2024-10-22T17:45:54.724856386Z", + "thread": { + "id": 1105827 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exit": { + "parent": { + "auid": 4294967295, + "flags": "execve", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMzIzMjU4NTMzOjIzMjUzNw==", + "refcnt": 1 + }, + "process": { + "auid": 4294967295, + "docker": "3ed83b82842d7a33bf57fdbd8b9e6c5", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8" + }, + "pid": 7, + "start_time": "2024-10-18T22:18:38Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "deathstar", + "class": "deathstar", + "org": "empire", + "pod-template-hash": "bf77cddc9" + }, + "workload": "deathstar" + }, + "refcnt": 4294967291 + }, + "time": "2024-10-18T22:18:38.476210843Z" + }, + "time": "2024-10-18T22:18:38.476210426Z" + } + }, + "container": { + "id": "containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e", + "image": { + "name": "sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42" + }, + "name": "deathstar" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "end", + "original": 
"{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==\",\"pid\":232555,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve clone\",\"start_time\":\"2024-10-18T22:18:38.435249979Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-ffqfk\",\"container\":{\"id\":\"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":7},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"3ed83b82842d7a33bf57fdbd8b9e6c5\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==\",\"refcnt\":4294967291,\"tid\":232555},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==\",\"pid\":232547,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/4d549ac0c9a88b6c981391b5230c67ea88529e160ef1a5e118708cd6fd26daba\",\"binary\":\"/usr/local/sbin/runc\",\"arguments\":\"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e --pid-file 
/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/init.pid 3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"flags\":\"execve\",\"start_time\":\"2024-10-18T22:18:38.381814515Z\",\"auid\":4294967295,\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMzIzMjU4NTMzOjIzMjUzNw==\",\"refcnt\":1,\"tid\":232547},\"time\":\"2024-10-18T22:18:38.476210843Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.476210426Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==\",\"pid\":232555,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve clone\",\"start_time\":\"2024-10-18T22:18:38.435249979Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-ffqfk\",\"container\":{\"id\":\"containerd://3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":7},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"3ed83b82842d7a33bf57fdbd8b9e6c5\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==\",\"refcnt\":4294967291,\"tid\":232555},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==\",\"pid\":232547,\"uid\":0,\"cwd\":\"/run/cont
ainerd/io.containerd.runtime.v2.task/k8s.io/4d549ac0c9a88b6c981391b5230c67ea88529e160ef1a5e118708cd6fd26daba\",\"binary\":\"/usr/local/sbin/runc\",\"arguments\":\"--root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/init.pid 3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e\",\"flags\":\"execve\",\"start_time\":\"2024-10-18T22:18:38.381814515Z\",\"auid\":4294967295,\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMzIzMjU4NTMzOjIzMjUzNw==\",\"refcnt\":1,\"tid\":232547},\"time\":\"2024-10-18T22:18:38.476210843Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.476210426Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "deathstar-bf77cddc9-ffqfk", + "parent": { + "type": "Deployment" + } + } + }, + "process": { + "args": [ + "/kind/bin/mount-product-files.sh" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDg0MjYwMDQzOjIzMjU1NQ==", + "executable": "/kind/bin/mount-product-files.sh", + "parent": { + "args": [ + "--root", + "/run/containerd/runc/k8s.io", + "--log", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/log.json", + "--log-format", + "json", + "--systemd-cgroup", + "create", + "--bundle", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e", + "--pid-file", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/init.pid", + 
"3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwNDMwODI0OTU1OjIzMjU0Nw==", + "executable": "/usr/local/sbin/runc", + "pid": 232547, + "start": "2024-10-18T22:18:38.381814515Z", + "thread": { + "id": 232547 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/4d549ac0c9a88b6c981391b5230c67ea88529e160ef1a5e118708cd6fd26daba" + }, + "pid": 232555, + "start": "2024-10-18T22:18:38.435249979Z", + "thread": { + "id": 232555 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/3ed83b82842d7a33bf57fdbd8b9e6c5a2cb8b30a47dc43562410bdfd9a74918e/rootfs" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exit": { + "parent": { + "auid": 4294967295, + "docker": "8d5d9f5c53d931cc7c1419ae7aeeca3", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==", + "pod": { + "container": { + "id": "containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c", + "image": { + "id": "quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8", + "name": "sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42" + }, + "name": "deathstar", + "pid": 6, + "start_time": "2024-10-18T22:18:38Z" + }, + "name": "deathstar-bf77cddc9-wgvrg", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "deathstar", + "class": "deathstar", + "org": "empire", + "pod-template-hash": "bf77cddc9" + }, + "workload": "deathstar", + "workload_kind": "Deployment" + } + }, + "process": { + "auid": 4294967295, + "docker": "8d5d9f5c53d931cc7c1419ae7aeeca3", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==", + "pod": { + "container": { + "image": { + "id": 
"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8" + }, + "pid": 9, + "start_time": "2024-10-18T22:18:38Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "deathstar", + "class": "deathstar", + "org": "empire", + "pod-template-hash": "bf77cddc9" + }, + "workload": "deathstar" + } + }, + "time": "2024-10-18T22:18:38.088677890Z" + }, + "time": "2024-10-18T22:18:38.088677639Z" + } + }, + "container": { + "id": "containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c", + "image": { + "name": "sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42" + }, + "name": "deathstar" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "end", + "original": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTM2NjA4MDgxOjIzMjUxMQ==\",\"pid\":232511,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/sys/class/dmi/id/product_name\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.087597474Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":9},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"tid\":232511},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"pid\":232508,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.051558807Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==\",\"tid\":232508},\"time\":\"2024-10-18T22:18:38.088677890Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.088677639Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTM2NjA4MDgxOjIzMjUxMQ==\",\"pid\":232511,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/product_name /run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/sys/class/dmi/id/product_name\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.087597474Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":9},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"tid\":232511},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==\",\"pid\":232508,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:38.051558807Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"deathstar-bf77cddc9-wgvrg\",\"container\":{\"id\":\"containerd://8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c\",\"name\":\"deathstar\",\"image\":{\"id\":\"quay.io/cilium/starwars@sha256:833d915ec68fca3ce83668fc5dae97c455b2134d8f23ef96586f55b894cfb1e8\",\"name\":\"sha256:d2fa218cb2c2f9d2c149f202bf0a9dfbb550f7b79c251490523b0d0f0d4fbc42\"},\"start_time\":\"2024-10-18T22:18:38Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"deathstar\",\"class\":\"deathstar\",\"org\":\"empire\",\"pod-template-hash\":\"bf77cddc9\"},\"workload\":\"deathstar\",\"workload_kind\":\"Deployment\"},\"docker\":\"8d5d9f5c53d931cc7c1419ae7aeeca3\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMDg2NTA2NjUzOjIzMjUwMw==\",\"tid\":232508},\"time\":\"2024-10-18T22:18:38.088677890Z\"},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:38.088677639Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "deathstar-bf77cddc9-wgvrg", + "parent": { + "type": "Deployment" + } + } + }, + "process": { + "args": [ + "-o", + "ro,bind", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/product_name", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs/sys/class/dmi/id/product_name" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTM2NjA4MDgxOjIzMjUxMQ==", + "executable": "/usr/bin/mount", + "parent": { + "args": [ + "/kind/bin/mount-product-files.sh" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjcwMDAwMTAwNTY5MzMwOjIzMjUwOA==", + "executable": "/kind/bin/mount-product-files.sh", + "pid": 232508, + "start": "2024-10-18T22:18:38.051558807Z", + "thread": { + "id": 232508 + }, + "user": { + "id": "0" + }, + "working_directory": 
"/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs" + }, + "pid": 232511, + "start": "2024-10-18T22:18:38.087597474Z", + "thread": { + "id": 232511 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/8d5d9f5c53d931cc7c1419ae7aeeca301018a96609aa63150585ca679e76bd0c/rootfs" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exec": { + "parent": { + "auid": 4294967295, + "docker": "28fabceb4c8364252c022a8ccd310f2", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==", + "pod": { + "container": { + "id": "containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship", + "pid": 6, + "start_time": "2024-10-18T22:18:34Z" + }, + "name": "tiefighter", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter", + "workload_kind": "Pod" + } + }, + "process": { + "auid": 4294967295, + "docker": "28fabceb4c8364252c022a8ccd310f2", + "flags": "execve clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" + }, + "pid": 11, + "start_time": "2024-10-18T22:18:34Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "tiefighter", + "class": "tiefighter", + "org": "empire" + }, + "workload": "tiefighter" + } + } + }, + "time": "2024-10-18T22:18:34.190963940Z" + } + }, + "container": { + "id": 
"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab", + "image": { + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "executed", + "original": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjM5OTc0Nzk3OjIzMjQ0MQ==\",\"pid\":232441,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_uuid /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/devices/virtual/dmi/id/product_uuid\",\"flags\":\"execve clone\",\"start_time\":\"2024-10-18T22:18:34.190965191Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":11},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"tid\":232441},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"pid\":232436,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12
b211cab/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve clone\",\"start_time\":\"2024-10-18T22:18:34.137657603Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==\",\"tid\":232436}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:34.190963940Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exec\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjM5OTc0Nzk3OjIzMjQ0MQ==\",\"pid\":232441,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs\",\"binary\":\"/usr/bin/mount\",\"arguments\":\"-o ro,bind /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_uuid /run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/devices/virtual/dmi/id/product_uuid\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:34.190965191Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":11},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"tid\":232441},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==\",\"pid\":232436,\"uid\":0,\"cwd\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs\",\"binary\":\"/kind/bin/mount-product-files.sh\",\"arguments\":\"/kind/bin/mount-product-files.sh\",\"flags\":\"execve 
clone\",\"start_time\":\"2024-10-18T22:18:34.137657603Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"tiefighter\",\"container\":{\"id\":\"containerd://28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab\",\"name\":\"spaceship\",\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\",\"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"},\"start_time\":\"2024-10-18T22:18:34Z\",\"pid\":6},\"pod_labels\":{\"app.kubernetes.io/name\":\"tiefighter\",\"class\":\"tiefighter\",\"org\":\"empire\"},\"workload\":\"tiefighter\",\"workload_kind\":\"Pod\"},\"docker\":\"28fabceb4c8364252c022a8ccd310f2\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTY3NzUyMjExOjIzMjQzMQ==\",\"tid\":232436}},\"node_name\":\"kind-control-plane\",\"time\":\"2024-10-18T22:18:34.190963940Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "tiefighter", + "parent": { + "type": "Pod" + } + } + }, + "process": { + "args": [ + "-o", + "ro,bind", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/product_uuid", + "/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs/sys/devices/virtual/dmi/id/product_uuid" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MjM5OTc0Nzk3OjIzMjQ0MQ==", + "executable": "/usr/bin/mount", + "parent": { + "args": [ + "/kind/bin/mount-product-files.sh" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjY5OTk2MTg2NjY3NjY4OjIzMjQzNg==", + "executable": "/kind/bin/mount-product-files.sh", + "pid": 232436, + "start": "2024-10-18T22:18:34.137657603Z", + "thread": { + "id": 232436 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs" + }, + "pid": 
232441, + "start": "2024-10-18T22:18:34.190965191Z", + "thread": { + "id": 232441 + }, + "user": { + "id": "0" + }, + "working_directory": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/28fabceb4c8364252c022a8ccd310f22f8b735e5a490219800edf7e12b211cab/rootfs" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_exit": { + "parent": { + "auid": 4294967295, + "docker": "457e815e26920e424637320f8b969cc", + "flags": "execve rootcwd clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2", + "pod": { + "container": { + "id": "containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship", + "pid": 32, + "start_time": "2024-10-31T17:28:56Z" + }, + "name": "xwing", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + }, + "workload": "xwing", + "workload_kind": "Pod" + } + }, + "process": { + "auid": 4294967295, + "docker": "457e815e26920e424637320f8b969cc", + "flags": "execve rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" + }, + "pid": 32, + "start_time": "2024-10-31T17:28:56Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + }, + "workload": "xwing" + } + }, + "signal": "SIGKILL", + "time": "2024-10-31T18:24:39.619258988Z" + }, + "time": "2024-10-31T18:24:39.619258822Z" + } + }, + "container": { + "id": "containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", + "image": { + 
"name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "end", + "original": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", \"binary\":\"/usr/bin/bash\", \"flags\":\"execve rootcwd\", \"start_time\":\"2024-10-31T18:24:19.824473079Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", \"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", \"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", \"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"tid\":196898}, \"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", \"binary\":\"/usr/bin/sh\", \"arguments\":\"-c \\\"command -v bash >/dev/null && exec bash || exec sh\\\"\", \"flags\":\"execve rootcwd clone\", \"start_time\":\"2024-10-31T18:24:19.821308747Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", \"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", \"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", 
\"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2\", \"tid\":196898}, \"signal\":\"SIGKILL\", \"time\":\"2024-10-31T18:24:39.619258988Z\"}, \"node_name\":\"kind-control-plane\", \"time\":\"2024-10-31T18:24:39.619258822Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_exit\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", \"binary\":\"/usr/bin/bash\", \"flags\":\"execve rootcwd\", \"start_time\":\"2024-10-31T18:24:19.824473079Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", \"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", \"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", \"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"tid\":196898}, \"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", \"binary\":\"/usr/bin/sh\", \"arguments\":\"-c \\\"command -v bash >/dev/null && exec bash || exec sh\\\"\", \"flags\":\"execve rootcwd clone\", \"start_time\":\"2024-10-31T18:24:19.821308747Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", 
\"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", \"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", \"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2\", \"tid\":196898}, \"signal\":\"SIGKILL\", \"time\":\"2024-10-31T18:24:39.619258988Z\"}, \"node_name\":\"kind-control-plane\", \"time\":\"2024-10-31T18:24:39.619258822Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "xwing", + "parent": { + "type": "Pod" + } + } + }, + "process": { + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==", + "executable": "/usr/bin/bash", + "parent": { + "args": [ + "-c", + "\"command", + "-v", + "bash", + ">/dev/null", + "&&", + "exec", + "bash", + "||", + "exec", + "sh\"" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", + "executable": "/usr/bin/sh", + "pid": 196898, + "start": "2024-10-31T18:24:19.821308747Z", + "thread": { + "id": 196898 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "pid": 196898, + "start": "2024-10-31T18:24:19.824473079Z", + "thread": { + "id": 196898 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} diff --git a/packages/tetragon/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 000000000000..772cb4058780 --- /dev/null 
+++ b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event \ No newline at end of file diff --git a/packages/tetragon/data_stream/log/_dev/test/pipeline/test-execkprobe-log.log b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-execkprobe-log.log new file mode 100644 index 000000000000..411a9e1ccdc2 --- /dev/null +++ b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-execkprobe-log.log 
@@ -0,0 +1,2 @@ +{"process_kprobe":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjEyODQyNzgzMzUwNjg0OjczODYw","pid":73860,"uid":0,"cwd":"/","binary":"/bin/dmesg","flags":"execve rootcwd clone","start_time":"2023-07-06T10:13:33.834390020Z","auid":4294967295,"pod":{"namespace":"default","name":"xwing","container":{"id":"containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7","name":"spaceship","image":{"id":"docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6","name":"docker.io/tgraf/netperf:latest"},"start_time":"2023-07-06T08:07:30Z","pid":171},"pod_labels":{"app.kubernetes.io/name":"xwing","class":"xwing","org":"alliance"}},"docker":"cfb961400ff25811d22d139a10f6a62","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw","refcnt":1,"ns":{"uts":{"inum":4026534655},"ipc":{"inum":4026534656},"mnt":{"inum":4026534731},"pid":{"inum":4026534732},"pid_for_children":{"inum":4026534732},"net":{"inum":4026534512},"time":{"inum":4026531834,"is_host":true},"time_for_children":{"inum":4026531834,"is_host":true},"cgroup":{"inum":4026534733},"user":{"inum":4026531837,"is_host":true}},"tid":73860},"parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw","pid":73850,"uid":0,"cwd":"/","binary":"/bin/bash","flags":"execve rootcwd 
clone","start_time":"2023-07-06T10:13:33.178160018Z","auid":4294967295,"pod":{"namespace":"default","name":"xwing","container":{"id":"containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7","name":"spaceship","image":{"id":"docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6","name":"docker.io/tgraf/netperf:latest"},"start_time":"2023-07-06T08:07:30Z","pid":165},"pod_labels":{"app.kubernetes.io/name":"xwing","class":"xwing","org":"alliance"}},"docker":"cfb961400ff25811d22d139a10f6a62","parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMDgxNTA3MzUzOjczODQx","refcnt":2,"tid":73850},"function_name":"cap_capable","args":[{"user_ns_arg":{"level":0,"uid":0,"gid":0,"ns":{"inum":4026531837,"is_host":true}}},{"capability_arg":{"value":34,"name":"CAP_SYSLOG"}}],"return":{"int_arg":-1},"action":"KPROBE_ACTION_POST"},"node_name":"kind-control-plane","time":"2023-07-06T10:13:33.834882128Z"} +{"process_kprobe":{"process":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==", "pid":196898, "uid":0, "cwd":"/", "binary":"/usr/bin/bash", "flags":"execve rootcwd", "start_time":"2024-10-31T18:24:19.824473079Z", "auid":4294967295, "pod":{"namespace":"default", "name":"xwing", "container":{"id":"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", "name":"spaceship", "image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", "name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"}, "start_time":"2024-10-31T17:28:56Z", "pid":32}, "pod_labels":{"app.kubernetes.io/name":"xwing", "class":"xwing", "org":"alliance"}, "workload":"xwing", "workload_kind":"Pod"}, "docker":"457e815e26920e424637320f8b969cc", "parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", "refcnt":1, "tid":196898}, "parent":{"exec_id":"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", "pid":196898, "uid":0, 
"cwd":"/", "binary":"/usr/bin/sh", "arguments":"-c \"command -v bash >/dev/null && exec bash || exec sh\"", "flags":"execve rootcwd clone", "start_time":"2024-10-31T18:24:19.821308747Z", "auid":4294967295, "pod":{"namespace":"default", "name":"xwing", "container":{"id":"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", "name":"spaceship", "image":{"id":"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", "name":"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991"}, "start_time":"2024-10-31T17:28:56Z", "pid":32}, "pod_labels":{"app.kubernetes.io/name":"xwing", "class":"xwing", "org":"alliance"}, "workload":"xwing", "workload_kind":"Pod"}, "docker":"457e815e26920e424637320f8b969cc", "parent_exec_id":"a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2", "tid":196898}, "function_name":"fd_install", "args":[{"int_arg":3}, {"file_arg":{"path":"/tmp/tetragon", "permission":"-rw-r--r--"}}], "action":"KPROBE_ACTION_SIGKILL", "policy_name":"fd-install", "return_action":"KPROBE_ACTION_POST"}, "node_name":"kind-control-plane", "time":"2024-10-31T18:24:39.618644196Z"} diff --git a/packages/tetragon/data_stream/log/_dev/test/pipeline/test-execkprobe-log.log-expected.json b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-execkprobe-log.log-expected.json new file mode 100644 index 000000000000..4e90622b33c1 --- /dev/null +++ b/packages/tetragon/data_stream/log/_dev/test/pipeline/test-execkprobe-log.log-expected.json 
@@ -0,0 +1,314 @@ +{ + "expected": [ + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_kprobe": { + "action": "KPROBE_ACTION_POST", + "args": [ + { + "user_ns_arg": { + "gid": 0, + "level": 0, + "ns": { + "inum": 4026531837, + "is_host": true + }, + "uid": 0 + } + }, + { + "capability_arg": { + "name": "CAP_SYSLOG", + "value": 34 + } + } + ], + "function_name": "cap_capable", + "parent": { + "auid": 4294967295, + "docker": "cfb961400ff25811d22d139a10f6a62", + "flags": "execve rootcwd clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyMDgxNTA3MzUzOjczODQx", + "pod": { + "container": { + "id": "containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7", + "image": { + "id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6", + "name": "docker.io/tgraf/netperf:latest" + }, + "name": "spaceship", + "pid": 165, + "start_time": "2023-07-06T08:07:30Z" + }, + "name": "xwing", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + } + }, + "refcnt": 2 + }, + "process": { + "auid": 4294967295, + "docker": "cfb961400ff25811d22d139a10f6a62", + "flags": "execve rootcwd clone", + "ns": { + "cgroup": { + "inum": 4026534733 + }, + "ipc": { + "inum": 4026534656 + }, + "mnt": { + "inum": 4026534731 + }, + "net": { + "inum": 4026534512 + }, + "pid": { + "inum": 4026534732 + }, + "pid_for_children": { + "inum": 4026534732 + }, + "time": { + "inum": 4026531834, + "is_host": true + }, + "time_for_children": { + "inum": 4026531834, + "is_host": true + }, + "user": { + "inum": 4026531837, + "is_host": true + }, + "uts": { + "inum": 4026534655 + } + }, + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw", + "pod": { + "container": { + "image": { + "id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6" + }, + "pid": 171, + "start_time": 
"2023-07-06T08:07:30Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + } + }, + "refcnt": 1 + }, + "return": { + "int_arg": -1 + } + }, + "time": "2023-07-06T10:13:33.834882128Z" + } + }, + "container": { + "id": "containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7", + "image": { + "name": "docker.io/tgraf/netperf:latest" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "original": "{\"process_kprobe\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyNzgzMzUwNjg0OjczODYw\",\"pid\":73860,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/bin/dmesg\",\"flags\":\"execve rootcwd clone\",\"start_time\":\"2023-07-06T10:13:33.834390020Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7\",\"name\":\"spaceship\",\"image\":{\"id\":\"docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6\",\"name\":\"docker.io/tgraf/netperf:latest\"},\"start_time\":\"2023-07-06T08:07:30Z\",\"pid\":171},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"}},\"docker\":\"cfb961400ff25811d22d139a10f6a62\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw\",\"refcnt\":1,\"ns\":{\"uts\":{\"inum\":4026534655},\"ipc\":{\"inum\":4026534656},\"mnt\":{\"inum\":4026534731},\"pid\":{\"inum\":4026534732},\"pid_for_children\":{\"inum\":4026534732},\"net\":{\"inum\":4026534512},\"time\":{\"inum\":4026531834,\"is_host\":true},\"time_for_children\":{\"inum\":4026531834,\"is_host\":true},\"cgroup\":{\"inum\":4026534733},\"user\":{\"inum\":4026531837,\"is_host\":true}},\"tid\":73860},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw\",\"pid\":73850,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/bin/bash\",\"flags\":\"execve rootcwd 
clone\",\"start_time\":\"2023-07-06T10:13:33.178160018Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7\",\"name\":\"spaceship\",\"image\":{\"id\":\"docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6\",\"name\":\"docker.io/tgraf/netperf:latest\"},\"start_time\":\"2023-07-06T08:07:30Z\",\"pid\":165},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"}},\"docker\":\"cfb961400ff25811d22d139a10f6a62\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMDgxNTA3MzUzOjczODQx\",\"refcnt\":2,\"tid\":73850},\"function_name\":\"cap_capable\",\"args\":[{\"user_ns_arg\":{\"level\":0,\"uid\":0,\"gid\":0,\"ns\":{\"inum\":4026531837,\"is_host\":true}}},{\"capability_arg\":{\"value\":34,\"name\":\"CAP_SYSLOG\"}}],\"return\":{\"int_arg\":-1},\"action\":\"KPROBE_ACTION_POST\"},\"node_name\":\"kind-control-plane\",\"time\":\"2023-07-06T10:13:33.834882128Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_kprobe\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyNzgzMzUwNjg0OjczODYw\",\"pid\":73860,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/bin/dmesg\",\"flags\":\"execve rootcwd 
clone\",\"start_time\":\"2023-07-06T10:13:33.834390020Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7\",\"name\":\"spaceship\",\"image\":{\"id\":\"docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6\",\"name\":\"docker.io/tgraf/netperf:latest\"},\"start_time\":\"2023-07-06T08:07:30Z\",\"pid\":171},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"}},\"docker\":\"cfb961400ff25811d22d139a10f6a62\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw\",\"refcnt\":1,\"ns\":{\"uts\":{\"inum\":4026534655},\"ipc\":{\"inum\":4026534656},\"mnt\":{\"inum\":4026534731},\"pid\":{\"inum\":4026534732},\"pid_for_children\":{\"inum\":4026534732},\"net\":{\"inum\":4026534512},\"time\":{\"inum\":4026531834,\"is_host\":true},\"time_for_children\":{\"inum\":4026531834,\"is_host\":true},\"cgroup\":{\"inum\":4026534733},\"user\":{\"inum\":4026531837,\"is_host\":true}},\"tid\":73860},\"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw\",\"pid\":73850,\"uid\":0,\"cwd\":\"/\",\"binary\":\"/bin/bash\",\"flags\":\"execve rootcwd 
clone\",\"start_time\":\"2023-07-06T10:13:33.178160018Z\",\"auid\":4294967295,\"pod\":{\"namespace\":\"default\",\"name\":\"xwing\",\"container\":{\"id\":\"containerd://cfb961400ff25811d22d139a10f6a62efef53c2ecc11af47bc911a7f9a2ac1f7\",\"name\":\"spaceship\",\"image\":{\"id\":\"docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6\",\"name\":\"docker.io/tgraf/netperf:latest\"},\"start_time\":\"2023-07-06T08:07:30Z\",\"pid\":165},\"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\",\"class\":\"xwing\",\"org\":\"alliance\"}},\"docker\":\"cfb961400ff25811d22d139a10f6a62\",\"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjEyODQyMDgxNTA3MzUzOjczODQx\",\"refcnt\":2,\"tid\":73850},\"function_name\":\"cap_capable\",\"args\":[{\"user_ns_arg\":{\"level\":0,\"uid\":0,\"gid\":0,\"ns\":{\"inum\":4026531837,\"is_host\":true}}},{\"capability_arg\":{\"value\":34,\"name\":\"CAP_SYSLOG\"}}],\"return\":{\"int_arg\":-1},\"action\":\"KPROBE_ACTION_POST\"},\"node_name\":\"kind-control-plane\",\"time\":\"2023-07-06T10:13:33.834882128Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "xwing" + } + }, + "process": { + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyNzgzMzUwNjg0OjczODYw", + "executable": "/bin/dmesg", + "parent": { + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjEyODQyMTI3MTIwOTcyOjczODUw", + "executable": "/bin/bash", + "pid": 73850, + "start": "2023-07-06T10:13:33.178160018Z", + "thread": { + "id": 73850 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "pid": 73860, + "start": "2023-07-06T10:13:33.834390020Z", + "thread": { + "id": 73860 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "cilium_tetragon": { + "log": { + "node_name": "kind-control-plane", + "process_kprobe": { + "action": "KPROBE_ACTION_SIGKILL", + "args": [ + { + "int_arg": 3 + }, + { + "file_arg": { + "path": "/tmp/tetragon", + "permission": "-rw-r--r--" + } 
+ } + ], + "function_name": "fd_install", + "parent": { + "auid": 4294967295, + "docker": "457e815e26920e424637320f8b969cc", + "flags": "execve rootcwd clone", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2", + "pod": { + "container": { + "id": "containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603", + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship", + "pid": 32, + "start_time": "2024-10-31T17:28:56Z" + }, + "name": "xwing", + "namespace": "default", + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + }, + "workload": "xwing", + "workload_kind": "Pod" + } + }, + "policy_name": "fd-install", + "process": { + "auid": 4294967295, + "docker": "457e815e26920e424637320f8b969cc", + "flags": "execve rootcwd", + "parent_exec_id": "a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", + "pod": { + "container": { + "image": { + "id": "quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603" + }, + "pid": 32, + "start_time": "2024-10-31T17:28:56Z" + }, + "pod_labels": { + "app.kubernetes.io/name": "xwing", + "class": "xwing", + "org": "alliance" + }, + "workload": "xwing" + }, + "refcnt": 1 + }, + "return_action": "KPROBE_ACTION_POST" + }, + "time": "2024-10-31T18:24:39.618644196Z" + } + }, + "container": { + "id": "containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc", + "image": { + "name": "sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991" + }, + "name": "spaceship" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "original": "{\"process_kprobe\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", 
\"binary\":\"/usr/bin/bash\", \"flags\":\"execve rootcwd\", \"start_time\":\"2024-10-31T18:24:19.824473079Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", \"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", \"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", \"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"refcnt\":1, \"tid\":196898}, \"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", \"binary\":\"/usr/bin/sh\", \"arguments\":\"-c \\\"command -v bash >/dev/null && exec bash || exec sh\\\"\", \"flags\":\"execve rootcwd clone\", \"start_time\":\"2024-10-31T18:24:19.821308747Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", \"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", \"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", \"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2\", \"tid\":196898}, 
\"function_name\":\"fd_install\", \"args\":[{\"int_arg\":3}, {\"file_arg\":{\"path\":\"/tmp/tetragon\", \"permission\":\"-rw-r--r--\"}}], \"action\":\"KPROBE_ACTION_SIGKILL\", \"policy_name\":\"fd-install\", \"return_action\":\"KPROBE_ACTION_POST\"}, \"node_name\":\"kind-control-plane\", \"time\":\"2024-10-31T18:24:39.618644196Z\"}" + }, + "host": { + "name": "kind-control-plane" + }, + "message": "{\"process_kprobe\":{\"process\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", \"binary\":\"/usr/bin/bash\", \"flags\":\"execve rootcwd\", \"start_time\":\"2024-10-31T18:24:19.824473079Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", \"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", \"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", \"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"refcnt\":1, \"tid\":196898}, \"parent\":{\"exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==\", \"pid\":196898, \"uid\":0, \"cwd\":\"/\", \"binary\":\"/usr/bin/sh\", \"arguments\":\"-c \\\"command -v bash >/dev/null && exec bash || exec sh\\\"\", \"flags\":\"execve rootcwd clone\", \"start_time\":\"2024-10-31T18:24:19.821308747Z\", \"auid\":4294967295, \"pod\":{\"namespace\":\"default\", \"name\":\"xwing\", \"container\":{\"id\":\"containerd://457e815e26920e424637320f8b969ccb43848ca812a44839624aefb34fcf1ccc\", \"name\":\"spaceship\", 
\"image\":{\"id\":\"quay.io/cilium/json-mock@sha256:5aad04835eda9025fe4561ad31be77fd55309af8158ca8663a72f6abb78c2603\", \"name\":\"sha256:56b43d7e51feffe637c2837a8c70da02be98a51099533f288c78fa369f5c6991\"}, \"start_time\":\"2024-10-31T17:28:56Z\", \"pid\":32}, \"pod_labels\":{\"app.kubernetes.io/name\":\"xwing\", \"class\":\"xwing\", \"org\":\"alliance\"}, \"workload\":\"xwing\", \"workload_kind\":\"Pod\"}, \"docker\":\"457e815e26920e424637320f8b969cc\", \"parent_exec_id\":\"a2luZC1jb250cm9sLXBsYW5lOjg2MjU1NzYwNjEwOTI6MTE4MDA2\", \"tid\":196898}, \"function_name\":\"fd_install\", \"args\":[{\"int_arg\":3}, {\"file_arg\":{\"path\":\"/tmp/tetragon\", \"permission\":\"-rw-r--r--\"}}], \"action\":\"KPROBE_ACTION_SIGKILL\", \"policy_name\":\"fd-install\", \"return_action\":\"KPROBE_ACTION_POST\"}, \"node_name\":\"kind-control-plane\", \"time\":\"2024-10-31T18:24:39.618644196Z\"}", + "orchestrator": { + "namespace": "default", + "resource": { + "name": "xwing", + "parent": { + "type": "Pod" + } + } + }, + "process": { + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTA1NTk5NTUwOjE5Njg5OA==", + "executable": "/usr/bin/bash", + "parent": { + "args": [ + "-c", + "\"command", + "-v", + "bash", + ">/dev/null", + "&&", + "exec", + "bash", + "||", + "exec", + "sh\"" + ], + "entity_id": "a2luZC1jb250cm9sLXBsYW5lOjExOTQ4OTAyNDM1NTA5OjE5Njg5OA==", + "executable": "/usr/bin/sh", + "pid": 196898, + "start": "2024-10-31T18:24:19.821308747Z", + "thread": { + "id": 196898 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "pid": 196898, + "start": "2024-10-31T18:24:19.824473079Z", + "thread": { + "id": 196898 + }, + "user": { + "id": "0" + }, + "working_directory": "/" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} diff --git a/packages/tetragon/data_stream/log/agent/stream/filestream.yml.hbs b/packages/tetragon/data_stream/log/agent/stream/filestream.yml.hbs new file mode 100644 index 000000000000..28b814a98884 --- /dev/null 
+++ b/packages/tetragon/data_stream/log/agent/stream/filestream.yml.hbs @@ -0,0 +1,34 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +{{#if exclude_files}} +prospector.scanner.exclude_files: +{{#each exclude_files as |pattern f|}} + - {{pattern}} +{{/each}} +{{/if}} +{{#if multiline_json}} +multiline.pattern: '^{' +multiline.negate: true +multiline.match: after +multiline.max_lines: 5000 +multiline.timeout: 10 +{{/if}} +{{#if custom}} +{{custom}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/tetragon/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/tetragon/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 000000000000..418606eaadd7 --- /dev/null +++ b/packages/tetragon/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,270 @@ +--- +description: Pipeline to process cilium_tetragon log logs + +# Refer to Tetrogon API to see log and object definitions: https://github.com/cilium/tetragon/tree/main/api/v1 +processors: + - set: + tag: set_ecs_version + field: ecs.version + value: 8.11.0 + - set: + tag: copy_original_message + field: originalMessage + copy_from: message + - rename: + ignore_missing: true + if: ctx.event?.original == null + tag: rename_message + field: originalMessage + target_field: event.original + - json: + tag: json_original + field: event.original + target_field: cilium_tetragon.log + # This object is torn apart to create ECS, so a 2nd temp copy is used + # Doing deep copying of the original json doc had very poor performace, creating a 2nd copy of the entire message is better + - json: + tag: json_tmp + field: event.original + target_field: _tmp_ + + # "process" objects exist in multiple types of other objects. + # Move these to a common location, to simplify later renames + - script: + tag: copy_processes + description: Parse process data into ECS. 
+ lang: painless + source: | + void run(Map map) { + for (def k : map?.cilium_tetragon?.log?.keySet()) { + /* these tetragon objects have "process" */ + if (k == "process_exec" || + k == "process_exit" || + k == "process_kprobe" || + k == "process_tracepoint" || + k == "process_loader" || + k == "process_lsm" || + k == "process_uprobe") { + if (map?._tmp_ == null) { + map["_tmp_"] = new HashMap(); + } + map["_tmp_"]["process"] = map.cilium_tetragon.log[k].process; + } + + /* these tetragon objects have "parent" */ + if (k == "process_exec" || + k == "process_exit" || + k == "process_kprobe" || + k == "process_tracepoint" || + k == "process_lsm" || + k == "process_uprobe") { + if (map?._tmp_ == null) { + map["_tmp_"] = new HashMap(); + } + map["_tmp_"]["parent"] = map.cilium_tetragon.log[k].parent; + } + } + } + + run(ctx); + + ### Map tetragon fields to ECS + ## Map Process + - rename: + ignore_missing: true + field: "_tmp_.process.arguments" + target_field: "process.args" + + - split: + ignore_missing: true + field: process.args + separator: "\\s+" + + - rename: + ignore_missing: true + field: "_tmp_.process.binary" + target_field: "process.executable" + + - rename: + ignore_missing: true + field: "_tmp_.process.cwd" + target_field: "process.working_directory" + + - rename: + ignore_missing: true + field: "_tmp_.process.pid" + target_field: "process.pid" + + - rename: + ignore_missing: true + field: "_tmp_.process.exec_id" + target_field: "process.entity_id" + + - rename: + ignore_missing: true + field: "_tmp_.process.tid" + target_field: "process.thread.id" + + - rename: + ignore_missing: true + field: "_tmp_.process.uid" + target_field: "process.user.id" + + - convert: + ignore_missing: true + field: "process.user.id" + type: string + + - rename: + ignore_missing: true + field: "_tmp_.process.start_time" + target_field: "process.start" + + - set: + if: 'ctx.cilium_tetragon?.log?.process_exec != null' + field: event.action + value: "executed" + + - set: + if: 
'ctx.cilium_tetragon?.log?.process_exit != null' + field: event.action + value: "end" + + - set: + if: 'ctx.cilium_tetragon?.log?.process_exit?.status != null' + field: process.exit_code + copy_from: "cilium_tetragon.log.process_exit.status" + + # Map Parent + - rename: + ignore_missing: true + field: "_tmp_.parent.arguments" + target_field: "process.parent.args" + + - split: + ignore_missing: true + field: process.parent.args + separator: "\\s+" + + - rename: + ignore_missing: true + field: "_tmp_.parent.binary" + target_field: "process.parent.executable" + + - rename: + ignore_missing: true + field: "_tmp_.parent.cwd" + target_field: "process.parent.working_directory" + + - rename: + ignore_missing: true + field: "_tmp_.parent.pid" + target_field: "process.parent.pid" + + - rename: + ignore_missing: true + field: "_tmp_.parent.exec_id" + target_field: "process.parent.entity_id" + + - rename: + ignore_missing: true + field: "_tmp_.parent.tid" + target_field: "process.parent.thread.id" + + - rename: + ignore_missing: true + field: "_tmp_.parent.uid" + target_field: "process.parent.user.id" + + - convert: + ignore_missing: true + field: "process.parent.user.id" + type: string + + - rename: + ignore_missing: true + field: "_tmp_.parent.start_time" + target_field: "process.parent.start" + + # Map container + - rename: + ignore_missing: true + field: "_tmp_.process.pod.container.name" + target_field: "container.name" + + - rename: + ignore_missing: true + field: "_tmp_.process.pod.container.id" + target_field: "container.id" + + - rename: + ignore_missing: true + field: "_tmp_.process.pod.container.image.name" + target_field: "container.image.name" + + # Map orchestrator + - rename: + ignore_missing: true + field: "_tmp_.process.pod.name" + target_field: "orchestrator.resource.name" + + - rename: + ignore_missing: true + field: "_tmp_.process.pod.namespace" + target_field: "orchestrator.namespace" + # - rename: + # ignore_missing: true + # field: 
"_tmp_.process.pod.pod_labels" + # target_field: "orchestrator.resource.label" + + - rename: + ignore_missing: true + field: "_tmp_.process.pod.workload_kind" + target_field: "orchestrator.resource.parent.type" + + # Other response properties + - set: + field: "host.name" + copy_from: "cilium_tetragon.log.node_name" + if: 'ctx.cilium_tetragon?.log?.node_name != null' + + - set: + field: "orchestrator.cluster.name" + copy_from: "cilium_tetragon.log.cluster_name" + if: 'ctx.cilium_tetragon?.log?.cluster_name != null' + + - remove: + field: "_tmp_" + + - script: + tag: script_drop_null_empty_values + description: Drops null/empty values recursively. + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - append: + field: error.message + value: >- + Processor {{{_ingest.on_failure_processor_type}}} with tag + {{{_ingest.on_failure_processor_tag}}} in pipeline + {{{_ingest.on_failure_pipeline}}} failed with message: + {{{_ingest.on_failure_message}}} + - set: + field: event.kind + value: pipeline_error + - remove: + field: "_tmp_" + diff --git a/packages/tetragon/data_stream/log/fields/agent.yml b/packages/tetragon/data_stream/log/fields/agent.yml new file mode 100644 index 000000000000..d815b78d95fc --- /dev/null +++ b/packages/tetragon/data_stream/log/fields/agent.yml 
@@ -0,0 +1,44 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: containerized + type: boolean + description: > + If the host is a container. + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/tetragon/data_stream/log/fields/base-fields.yml b/packages/tetragon/data_stream/log/fields/base-fields.yml new file mode 100644 index 000000000000..8524f77f8d8d --- /dev/null +++ b/packages/tetragon/data_stream/log/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: cilium_tetragon +- name: event.dataset + type: constant_keyword + description: Event dataset + value: cilium_tetragon.log +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/tetragon/data_stream/log/fields/beats.yml b/packages/tetragon/data_stream/log/fields/beats.yml new file mode 100644 index 000000000000..9bcba659d84c --- /dev/null +++ b/packages/tetragon/data_stream/log/fields/beats.yml @@ -0,0 +1,30 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) \ No newline at end of file 
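Review bot: In `default.yml`, the `copy_processes` script defeats the second `json` copy it is supposed to protect the vendor object with: `map["_tmp_"]["process"] = map.cilium_tetragon.log[k].process;` (and the same line for `parent`) stores a reference to the map that `json_original` already parsed into `cilium_tetragon.log`, not a copy, so every later `rename` on `_tmp_.process.*` and `_tmp_.parent.*` also strips `exec_id`, `pid`, `uid`, `cwd`, `binary`, `start_time` and `tid` out of `cilium_tetragon.log.process_kprobe.process` and `.parent`. The expected output in `test-execkprobe-log.log-expected.json` shows exactly that, while the comment above `json_tmp` says the original is kept intact; the `_tmp_` copy that `json_tmp` produced is simply overwritten and later removed. Given the comment's own concern about deep-copy cost, the cleanest fix is to drop the `json_tmp` processor and state in the comment that the vendor `process`/`parent` objects are consumed; otherwise copy the sub-maps (and their nested `pod` maps, since `new HashMap(...)` is shallow and the `_tmp_.process.pod.container.*` renames would still alias). Three smaller points: the `remove` of `_tmp_` in `on_failure` needs `ignore_missing: true`, because a failure in `copy_original_message`, `rename_message` or `json_original` happens before `_tmp_` exists and a failure in `script_drop_null_empty_values` happens after the main-path `remove`, so the handler would fail itself; `split` with `separator: "\\s+"` on `process.args` / `process.parent.args` tokenises inside quotes, as the expected `process.parent.args` of `["-c", "\"command", "-v", "bash", ...]` shows, so keep the unsplit string in `process.command_line` / `process.parent.command_line` alongside the split form; and when `event.original` is already set the conditional `rename_message` is skipped and `originalMessage` is never removed, so add a trailing `remove` with `ignore_missing: true`. Also "Tetrogon" and "performace" in the comments should read "Tetragon" and "performance".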
diff --git a/packages/tetragon/data_stream/log/fields/fields.yml b/packages/tetragon/data_stream/log/fields/fields.yml new file mode 100644 index 000000000000..38f818e421cc --- /dev/null +++ b/packages/tetragon/data_stream/log/fields/fields.yml 
@@ -0,0 +1,460 @@ +- name: cilium_tetragon + type: group + fields: + - name: log + type: group + fields: + - name: process_exec + type: group + fields: + - name: parent + type: group + fields: + - name: exec_id + type: keyword + - name: start_time + type: keyword + - name: auid + type: long + - name: flags + type: keyword + - name: parent_exec_id + type: keyword + - name: tid + type: long + - name: pod + type: group + fields: + - name: container + type: group + fields: + - name: name + type: keyword + - name: image + type: group + fields: + - name: name + type: keyword + - name: id + type: keyword + - name: start_time + type: keyword + - name: pid + type: long + - name: id + type: keyword + - name: namespace + type: keyword + - name: name + type: keyword + - name: workload + type: keyword + - name: pod_labels + type: group + fields: + - name: app.kubernetes.io/name + type: keyword + - name: org + type: keyword + - name: class + type: keyword + - name: pod-template-hash + type: keyword + - name: workload_kind + type: keyword + - name: docker + type: keyword + - name: refcnt + type: long + - name: process + type: group + fields: + - name: exec_id + type: keyword + - name: uid + type: long + - name: start_time + type: keyword + - name: auid + type: long + - name: pod + type: group + fields: + - name: container + type: group + fields: + - name: image + type: group + fields: + - name: id + type: keyword + - name: start_time + type: keyword + - name: pid + type: long + - name: namespace + type: keyword + - name: name + type: keyword + - name: workload + type: keyword + - name: pod_labels + type: group + fields: + - name: app + type: keyword + - name: pod-template-hash + type: keyword + - name: app.kubernetes.io/name + type: keyword + - name: org + type: keyword + - name: class + type: keyword + - name: workload_kind + type: keyword + - name: flags + type: keyword + - name: parent_exec_id + type: keyword + - name: docker + type: keyword + - name: time + type: keyword + - 
name: node_name + type: keyword + - name: cluster_name + type: keyword + - name: process_exit + type: group + fields: + - name: signal + type: keyword + - name: status + type: float + - name: parent + type: group + fields: + - name: exec_id + type: keyword + - name: start_time + type: keyword + - name: auid + type: long + - name: pod + type: group + fields: + - name: container + type: group + fields: + - name: name + type: keyword + - name: image + type: group + fields: + - name: name + type: keyword + - name: id + type: keyword + - name: start_time + type: keyword + - name: pid + type: long + - name: id + type: keyword + - name: namespace + type: keyword + - name: name + type: keyword + - name: workload + type: keyword + - name: pod_labels + type: group + fields: + - name: pod-template-hash + type: keyword + - name: app.kubernetes.io/name + type: keyword + - name: org + type: keyword + - name: class + type: keyword + - name: workload_kind + type: keyword + - name: flags + type: keyword + - name: parent_exec_id + type: keyword + - name: tid + type: long + - name: docker + type: keyword + - name: refcnt + type: long + - name: process + type: group + fields: + - name: exec_id + type: keyword + - name: uid + type: long + - name: start_time + type: keyword + - name: auid + type: long + - name: pod + type: group + fields: + - name: container + type: group + fields: + - name: image + type: group + fields: + - name: id + type: keyword + - name: start_time + type: keyword + - name: pid + type: long + - name: namespace + type: keyword + - name: name + type: keyword + - name: workload + type: keyword + - name: pod_labels + type: group + fields: + - name: pod-template-hash + type: keyword + - name: app.kubernetes.io/name + type: keyword + - name: org + type: keyword + - name: class + type: keyword + - name: workload_kind + type: keyword + - name: flags + type: keyword + - name: parent_exec_id + type: keyword + - name: docker + type: keyword + - name: refcnt + type: long + - 
name: time + type: keyword + - name: process_kprobe + type: group + fields: + - name: action + type: keyword + - name: policy_name + type: keyword + - name: args + type: nested + fields: + - name: user_ns_arg + type: group + fields: + - name: uid + type: long + - name: level + type: long + - name: gid + type: long + - name: ns + type: group + fields: + - name: inum + type: long + - name: is_host + type: boolean + - name: capability_arg + type: group + fields: + - name: name + type: keyword + - name: value + type: long + - name: int_arg + type: long + - name: file_arg + type: group + fields: + - name: path + type: keyword + - name: permission + type: keyword + - name: function_name + type: keyword + - name: parent + type: group + fields: + - name: auid + type: long + - name: docker + type: keyword + - name: flags + type: keyword + - name: parent_exec_id + type: keyword + - name: pod + type: group + fields: + - name: container + type: group + fields: + - name: id + type: keyword + - name: image + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: name + type: keyword + - name: pid + type: long + - name: start_time + type: date + - name: name + type: keyword + - name: namespace + type: keyword + - name: workload + type: keyword + - name: workload_kind + type: keyword + - name: pod_labels + type: group + fields: + - name: app.kubernetes.io/name + type: keyword + - name: class + type: keyword + - name: org + type: keyword + - name: refcnt + type: long + - name: process + type: group + fields: + - name: auid + type: long + - name: docker + type: keyword + - name: flags + type: keyword + - name: ns + type: group + fields: + - name: cgroup + type: group + fields: + - name: inum + type: long + - name: ipc + type: group + fields: + - name: inum + type: long + - name: mnt + type: group + fields: + - name: inum + type: long + - name: net + type: group + fields: + - name: inum + type: long + - name: pid + type: group + fields: + - name: 
inum + type: long + - name: pid_for_children + type: group + fields: + - name: inum + type: long + - name: time + type: group + fields: + - name: inum + type: long + - name: is_host + type: boolean + - name: time_for_children + type: group + fields: + - name: inum + type: long + - name: is_host + type: boolean + - name: user + type: group + fields: + - name: inum + type: long + - name: is_host + type: boolean + - name: uts + type: group + fields: + - name: inum + type: long + - name: pid_for_children + type: group + fields: + - name: inum + type: keyword + - name: time_for_children + type: group + fields: + - name: inum + type: keyword + - name: is_host + type: boolean + - name: parent_exec_id + type: keyword + - name: pod + type: group + fields: + - name: workload + type: keyword + - name: container + type: group + fields: + - name: image + type: group + fields: + - name: id + type: keyword + - name: pid + type: long + - name: start_time + type: date + - name: pod_labels + type: group + fields: + - name: app.kubernetes.io/name + type: keyword + - name: class + type: keyword + - name: org + type: keyword + - name: refcnt + type: long + - name: return + type: group + fields: + - name: int_arg + type: long + - name: return_action + type: keyword diff --git a/packages/tetragon/data_stream/log/manifest.yml b/packages/tetragon/data_stream/log/manifest.yml new file mode 100644 index 000000000000..a31c94240380 --- /dev/null +++ b/packages/tetragon/data_stream/log/manifest.yml @@ -0,0 +1,3 @@ +title: | + log +type: logs diff --git a/packages/tetragon/docs/README.md b/packages/tetragon/docs/README.md new file mode 100644 index 000000000000..8cf6b7faba59 --- /dev/null +++ b/packages/tetragon/docs/README.md 
@@ -0,0 +1,309 @@ +# Cilium Tetragon + +## Overview + +The **Cilium Tetragon** integration enables you to monitor and analyze events from [Tetragon](https://tetragon.io/), a Kubernetes-aware security observability and runtime enforcement tool supported by the CNCF. This integration provides insight into Tetragon's security event logs, allowing you to visualize data in Kibana, set up alerts, and quickly respond to security events within your Kubernetes environment. + +## Datastreams + +The Cilium Tetragon integration collects security event logs from Tetragon into a **logs** datastream in Elasticsearch. + +## Requirements + +To use the Cilium Tetragon integration, ensure the following: + +- **Elastic Stack**: Elasticsearch and Kibana are required for data storage, search, and visualization. You can use the hosted **Elasticsearch Service on Elastic Cloud** (recommended) or deploy the Elastic Stack on your own hardware. +- **Kubernetes Environment**: Tetragon must be running in a Kubernetes cluster. + +## Setup + +### Step 1: Install Integration Assets + +Before collecting data from Tetragon, install the required assets for this integration in Kibana: + +1. In Kibana, navigate to **Settings** > **Install Cilium Tetragon Integration**. +2. Alternatively, go to **⊕ Add Cilium Tetragon** > **Add Integration Only** (skip Elastic Agent installation, which is unsupported for this integration). + +### Step 2: Configure Tetragon for JSON Export + +Tetragon needs to be configured to export its event data as JSON logs. You’ll then use **Filebeat** to send these logs to Elasticsearch. The simplest approach is to use the Tetragon Helm chart along with a Helm values file. + +Refer to the [Tetragon Documentation](https://tetragon.io/docs/installation/kubernetes/) for general Helm installation guidance. + +#### 2.1: Set Up Filebeat Config Map + +First, create a ConfigMap with Filebeat configuration in the `kube-system` namespace. 
Update the Elasticsearch username and password in the provided configuration file. + +Save the following as `filebeat-cfgmap.yaml`: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: filebeat-configmap + namespace: kube-system +data: + filebeat.yml: | + filebeat.inputs: + - type: filestream + id: tetragon-log + enabled: true + paths: + - /var/run/cilium/tetragon/*.log + path.data: /usr/share/filebeat/data + processors: + - timestamp: + field: "time" + layouts: + - '2006-01-02T15:04:05Z' + - '2006-01-02T15:04:05.999Z' + - '2006-01-02T15:04:05.999-07:00' + test: + - '2019-06-22T16:33:51Z' + - '2019-11-18T04:59:51.123Z' + - '2020-08-03T07:10:20.123456+02:00' + setup.template.name: logs + setup.template.pattern: "logs-cilium_tetragon.*" + output.elasticsearch: + hosts: ["https://"] + username: "" + password: "" + index: logs-cilium_tetragon.log-default +``` + +To apply this configuration, run: + +```shell +kubectl create -f filebeat-cfgmap.yaml +``` + +#### 2.2: Install Tetragon with Filebeat Sidecar + +Next, install Tetragon with Helm, using an override file to configure a Filebeat sidecar to export logs. 
Save the following configuration as `filebeat-helm-values.yaml`: + +```yaml +export: + securityContext: + runAsUser: 0 + runAsGroup: 0 + stdout: + enabledCommand: false + enabledArgs: false + image: + override: "docker.elastic.co/beats/filebeat:8.15.3" + extraVolumeMounts: + - name: filebeat-config + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: filebeat-data + mountPath: /usr/share/filebeat/data +extraVolumes: + - name: filebeat-data + hostPath: + path: /var/run/cilium/tetragon/filebeat + type: DirectoryOrCreate + - name: filebeat-config + configMap: + name: filebeat-configmap + items: + - key: filebeat.yml + path: filebeat.yml +``` + +Then, install Tetragon with: + +```shell +helm repo add cilium https://helm.cilium.io +helm repo update +helm install tetragon -f filebeat-helm-values.yaml ${EXTRA_HELM_FLAGS[@]} cilium/tetragon -n kube-system +``` + +## Troubleshooting + +If expected events are not appearing in Elasticsearch, ensure that Tetragon is configured to export the right events: + +- Check the `tetragon.exportAllowList` and `tetragon.exportDenyList` Helm values. These can be adjusted by adding them to `filebeat-helm-values.yaml` to control which events are included in the JSON export. + +## Reference + +For additional guidance on installing or configuring Tetragon, visit the [Tetragon documentation](https://tetragon.io/docs/). + +## Logs + +### Log Datastream + +The `log` datastream captures event logs from Tetragon. These events are indexed as `logs-cilium_tetragon.log-default` in Elasticsearch. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. 
| date | +| cilium_tetragon.log.cluster_name | | keyword | +| cilium_tetragon.log.node_name | | keyword | +| cilium_tetragon.log.process_exec.parent.auid | | long | +| cilium_tetragon.log.process_exec.parent.docker | | keyword | +| cilium_tetragon.log.process_exec.parent.exec_id | | keyword | +| cilium_tetragon.log.process_exec.parent.flags | | keyword | +| cilium_tetragon.log.process_exec.parent.parent_exec_id | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.container.id | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.container.image.id | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.container.image.name | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.container.name | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.container.pid | | long | +| cilium_tetragon.log.process_exec.parent.pod.container.start_time | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.name | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.namespace | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.pod_labels.app.kubernetes.io/name | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.pod_labels.class | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.pod_labels.org | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.pod_labels.pod-template-hash | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.workload | | keyword | +| cilium_tetragon.log.process_exec.parent.pod.workload_kind | | keyword | +| cilium_tetragon.log.process_exec.parent.refcnt | | long | +| cilium_tetragon.log.process_exec.parent.start_time | | keyword | +| cilium_tetragon.log.process_exec.parent.tid | | long | +| cilium_tetragon.log.process_exec.process.auid | | long | +| cilium_tetragon.log.process_exec.process.docker | | keyword | +| cilium_tetragon.log.process_exec.process.exec_id | | keyword | +| cilium_tetragon.log.process_exec.process.flags | | keyword | +| 
cilium_tetragon.log.process_exec.process.parent_exec_id | | keyword | +| cilium_tetragon.log.process_exec.process.pod.container.image.id | | keyword | +| cilium_tetragon.log.process_exec.process.pod.container.pid | | long | +| cilium_tetragon.log.process_exec.process.pod.container.start_time | | keyword | +| cilium_tetragon.log.process_exec.process.pod.name | | keyword | +| cilium_tetragon.log.process_exec.process.pod.namespace | | keyword | +| cilium_tetragon.log.process_exec.process.pod.pod_labels.app | | keyword | +| cilium_tetragon.log.process_exec.process.pod.pod_labels.app.kubernetes.io/name | | keyword | +| cilium_tetragon.log.process_exec.process.pod.pod_labels.class | | keyword | +| cilium_tetragon.log.process_exec.process.pod.pod_labels.org | | keyword | +| cilium_tetragon.log.process_exec.process.pod.pod_labels.pod-template-hash | | keyword | +| cilium_tetragon.log.process_exec.process.pod.workload | | keyword | +| cilium_tetragon.log.process_exec.process.pod.workload_kind | | keyword | +| cilium_tetragon.log.process_exec.process.start_time | | keyword | +| cilium_tetragon.log.process_exec.process.uid | | long | +| cilium_tetragon.log.process_exit.parent.auid | | long | +| cilium_tetragon.log.process_exit.parent.docker | | keyword | +| cilium_tetragon.log.process_exit.parent.exec_id | | keyword | +| cilium_tetragon.log.process_exit.parent.flags | | keyword | +| cilium_tetragon.log.process_exit.parent.parent_exec_id | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.container.id | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.container.image.id | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.container.image.name | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.container.name | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.container.pid | | long | +| cilium_tetragon.log.process_exit.parent.pod.container.start_time | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.name | | keyword | +| 
cilium_tetragon.log.process_exit.parent.pod.namespace | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.pod_labels.app.kubernetes.io/name | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.pod_labels.class | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.pod_labels.org | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.pod_labels.pod-template-hash | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.workload | | keyword | +| cilium_tetragon.log.process_exit.parent.pod.workload_kind | | keyword | +| cilium_tetragon.log.process_exit.parent.refcnt | | long | +| cilium_tetragon.log.process_exit.parent.start_time | | keyword | +| cilium_tetragon.log.process_exit.parent.tid | | long | +| cilium_tetragon.log.process_exit.process.auid | | long | +| cilium_tetragon.log.process_exit.process.docker | | keyword | +| cilium_tetragon.log.process_exit.process.exec_id | | keyword | +| cilium_tetragon.log.process_exit.process.flags | | keyword | +| cilium_tetragon.log.process_exit.process.parent_exec_id | | keyword | +| cilium_tetragon.log.process_exit.process.pod.container.image.id | | keyword | +| cilium_tetragon.log.process_exit.process.pod.container.pid | | long | +| cilium_tetragon.log.process_exit.process.pod.container.start_time | | keyword | +| cilium_tetragon.log.process_exit.process.pod.name | | keyword | +| cilium_tetragon.log.process_exit.process.pod.namespace | | keyword | +| cilium_tetragon.log.process_exit.process.pod.pod_labels.app.kubernetes.io/name | | keyword | +| cilium_tetragon.log.process_exit.process.pod.pod_labels.class | | keyword | +| cilium_tetragon.log.process_exit.process.pod.pod_labels.org | | keyword | +| cilium_tetragon.log.process_exit.process.pod.pod_labels.pod-template-hash | | keyword | +| cilium_tetragon.log.process_exit.process.pod.workload | | keyword | +| cilium_tetragon.log.process_exit.process.pod.workload_kind | | keyword | +| cilium_tetragon.log.process_exit.process.refcnt | | long | +| 
cilium_tetragon.log.process_exit.process.start_time | | keyword | +| cilium_tetragon.log.process_exit.process.uid | | long | +| cilium_tetragon.log.process_exit.signal | | keyword | +| cilium_tetragon.log.process_exit.status | | float | +| cilium_tetragon.log.process_exit.time | | keyword | +| cilium_tetragon.log.process_kprobe.action | | keyword | +| cilium_tetragon.log.process_kprobe.args.capability_arg.name | | keyword | +| cilium_tetragon.log.process_kprobe.args.capability_arg.value | | long | +| cilium_tetragon.log.process_kprobe.args.file_arg.path | | keyword | +| cilium_tetragon.log.process_kprobe.args.file_arg.permission | | keyword | +| cilium_tetragon.log.process_kprobe.args.int_arg | | long | +| cilium_tetragon.log.process_kprobe.args.user_ns_arg.gid | | long | +| cilium_tetragon.log.process_kprobe.args.user_ns_arg.level | | long | +| cilium_tetragon.log.process_kprobe.args.user_ns_arg.ns.inum | | long | +| cilium_tetragon.log.process_kprobe.args.user_ns_arg.ns.is_host | | boolean | +| cilium_tetragon.log.process_kprobe.args.user_ns_arg.uid | | long | +| cilium_tetragon.log.process_kprobe.function_name | | keyword | +| cilium_tetragon.log.process_kprobe.parent.auid | | long | +| cilium_tetragon.log.process_kprobe.parent.docker | | keyword | +| cilium_tetragon.log.process_kprobe.parent.flags | | keyword | +| cilium_tetragon.log.process_kprobe.parent.parent_exec_id | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.container.id | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.container.image.id | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.container.image.name | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.container.name | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.container.pid | | long | +| cilium_tetragon.log.process_kprobe.parent.pod.container.start_time | | date | +| cilium_tetragon.log.process_kprobe.parent.pod.name | | keyword | +| 
cilium_tetragon.log.process_kprobe.parent.pod.namespace | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.pod_labels.app.kubernetes.io/name | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.pod_labels.class | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.pod_labels.org | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.workload | | keyword | +| cilium_tetragon.log.process_kprobe.parent.pod.workload_kind | | keyword | +| cilium_tetragon.log.process_kprobe.parent.refcnt | | long | +| cilium_tetragon.log.process_kprobe.policy_name | | keyword | +| cilium_tetragon.log.process_kprobe.process.auid | | long | +| cilium_tetragon.log.process_kprobe.process.docker | | keyword | +| cilium_tetragon.log.process_kprobe.process.flags | | keyword | +| cilium_tetragon.log.process_kprobe.process.ns.cgroup.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.ipc.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.mnt.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.net.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.pid.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.pid.pid_for_children.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.pid_for_children.inum | | keyword | +| cilium_tetragon.log.process_kprobe.process.ns.time.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.time.is_host | | boolean | +| cilium_tetragon.log.process_kprobe.process.ns.time.time_for_children.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.time.time_for_children.is_host | | boolean | +| cilium_tetragon.log.process_kprobe.process.ns.time_for_children.inum | | keyword | +| cilium_tetragon.log.process_kprobe.process.ns.time_for_children.is_host | | boolean | +| cilium_tetragon.log.process_kprobe.process.ns.user.inum | | long | +| cilium_tetragon.log.process_kprobe.process.ns.user.is_host | | boolean | +| 
cilium_tetragon.log.process_kprobe.process.ns.uts.inum | | long | +| cilium_tetragon.log.process_kprobe.process.parent_exec_id | | keyword | +| cilium_tetragon.log.process_kprobe.process.pod.container.image.id | | keyword | +| cilium_tetragon.log.process_kprobe.process.pod.container.pid | | long | +| cilium_tetragon.log.process_kprobe.process.pod.container.start_time | | date | +| cilium_tetragon.log.process_kprobe.process.pod.pod_labels.app.kubernetes.io/name | | keyword | +| cilium_tetragon.log.process_kprobe.process.pod.pod_labels.class | | keyword | +| cilium_tetragon.log.process_kprobe.process.pod.pod_labels.org | | keyword | +| cilium_tetragon.log.process_kprobe.process.pod.workload | | keyword | +| cilium_tetragon.log.process_kprobe.process.refcnt | | long | +| cilium_tetragon.log.process_kprobe.return.int_arg | | long | +| cilium_tetragon.log.process_kprobe.return_action | | keyword | +| cilium_tetragon.log.time | | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| container.labels | Image labels. | object | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.containerized | If the host is a container. | boolean | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. 
(Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | diff --git a/packages/tetragon/img/logo.svg b/packages/tetragon/img/logo.svg new file mode 100644 index 000000000000..89465a2b9387 --- /dev/null +++ b/packages/tetragon/img/logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/tetragon/manifest.yml b/packages/tetragon/manifest.yml new file mode 100644 index 000000000000..c61a15c68cba --- /dev/null +++ b/packages/tetragon/manifest.yml @@ -0,0 +1,38 @@ +format_version: 3.1.4 +name: cilium_tetragon +title: Cilium Tetragon +version: 0.1.0 +description: >- + Collect Cilium Tetragon logs from Kubernetes environments. +type: integration +source: + license: "Elastic-2.0" +categories: + - security + - cloud + - cloudsecurity_cdr + - kubernetes +conditions: + kibana: + version: ^8.13.0 + elastic: + subscription: "basic" +policy_templates: + - name: cilium_tetragon + title: Cilium Tetragon + description: >- + Cilium Tetragon is an open-source security observability tool that + leverages eBPF technology to provide real-time visibility and monitoring + for containerized applications. + inputs: + - type: filestream + title: 'log : filestream' + description: log +owner: + github: 'elastic/sec-deployment-and-devices' + type: elastic +icons: + - src: /img/logo.svg + title: Cilium Tetragon Logo + size: 32x32 + type: image/svg+xml
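Review bot: In the `fields.yml` hunk (`@@ -0,0 +1,460 @@`) the `pod_labels` groups enumerate specific label keys (`org`, `class`, `pod-template-hash`, `app`, `app.kubernetes.io/name`), which freezes one cluster's labels into the mapping and creates a conflict under `process_exec.process.pod.pod_labels`, where `- name: app` / `type: keyword` sits next to `- name: app.kubernetes.io/name`; the dotted name expands `app` into an object while the sibling entry declares it a keyword. Pod labels are user-defined, so map `pod_labels` once as `type: flattened` (or `type: object` with `object_type: keyword`) instead of listing keys. Three more mapping points in the same hunk: `start_time` is `keyword` throughout the `process_exec` and `process_exit` groups but `date` for `process_kprobe.*.pod.container.start_time`, and `time` is `keyword` everywhere, so the same timestamp is typed three ways and cannot be range-queried consistently; `process_exit.status` is `float` although an exit status is an integer and belongs in `long`; and under `process_kprobe.process.ns` the child-namespace inode is declared twice with different types (`ns.pid.pid_for_children.inum` as `long`, `ns.pid_for_children.inum` as `keyword`, likewise `time_for_children`), which the README's exported-fields table then reproduces, so keep one nesting and type it `long` like the other `inum` fields. Separately, no field carries a `description`, which is why every `cilium_tetragon.*` row in the README table has an empty description column, and the `process` groups declare no `pid`, `binary` or `arguments` members and the exported-fields table lists no ECS `process.*` fields; if the ingest pipeline copies those into ECS, declare the target fields in an `ecs.yml` so they are mapped and documented, and if it does not, say so, because the Security app's process views will not see these events as written.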
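Review bot: `packages/tetragon/data_stream/log/manifest.yml` (`@@ -0,0 +1,3 @@`) declares no `streams:` section, so the `filestream` input that the package manifest advertises has nothing behind it, and `title: |` followed by `log` yields a title with a trailing newline where a plain `title: log` is meant. If Elastic Agent collection is intentionally unsupported, as the README states, drop the input from the package's `policy_templates`; otherwise add a `streams:` entry for `filestream` carrying the path the README hard-codes for Filebeat (`/var/run/cilium/tetragon/*.log`) so the same data stream can be collected by Agent.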
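Review bot: In the `docs/README.md` hunk (`@@ -0,0 +1,309 @@`) the Filebeat ConfigMap defines a `filestream` input with no `parsers:` entry and then a `timestamp` processor on `field: "time"`; processors run inside the Beat before the ingest pipeline, and without `- ndjson:` the whole Tetragon line is still a string in `message`, so there is no `time` field, the processor logs an error for every event (`ignore_missing` is unset) and `@timestamp` is never set from the event. Either add `parsers: - ndjson: { target: "" }` to the input or drop the processor and let the ingest pipeline set `@timestamp`. Four further points in the same hunk: the Elasticsearch `username:` / `password:` are placed in a ConfigMap in `kube-system`, readable by anyone who can get ConfigMaps there, so move them to a Secret and reference them from `filebeat.yml` as `${ES_USERNAME}` / `${ES_PASSWORD}` environment variables (or the Filebeat keystore); `setup.template.name: logs` with `setup.template.pattern: "logs-cilium_tetragon.*"` makes Filebeat install its own index template for the same index pattern that the integration template from Step 1 already covers, and that Filebeat template carries none of the `cilium_tetragon.*` mappings from `fields.yml`, so set `setup.template.enabled: false` and `setup.ilm.enabled: false` and let the package-installed template be the only one in play; the install command includes `${EXTRA_HELM_FLAGS[@]}`, a bash array expansion copied from a script that is a bad substitution in `sh` and silently empty in `bash`, so remove it or explain what readers should put there; and the sidecar runs with `runAsUser: 0` / `runAsGroup: 0`, presumably because the `hostPath` data directory is created root-owned, but the text should say why, and since this container now holds Elasticsearch credentials it should at least add `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: { drop: ["ALL"] }` to that `securityContext`.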
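Review bot: In the package `manifest.yml` hunk (`@@ -0,0 +1,38 @@`) `policy_templates[0].inputs` declares `- type: filestream` / `title: 'log : filestream'` although the README says Elastic Agent installation is unsupported and the `log` data stream defines no stream for it, so the input will appear in the Add Integration UI with nothing to configure; remove it so the package is honestly assets-only, or back it with a real stream. The `description` should also state that collection currently requires Filebeat rather than Elastic Agent, so users learn that before installing rather than from the setup steps, and the `^8.13.0` Kibana condition is worth a sentence in the PR description given that the README pins `docker.elastic.co/beats/filebeat:8.15.3`.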