logger-ebpf

Easily log encrypted API calls to your own security data lake.

This open-source eBPF agent logs API requests and responses to Graylog API Security for analysis and storage. This logger captures encrypted API calls without configuring any encryption keys or making any changes to client or server applications.

⚠️ Graylog API Security is licensed and installed separately, and runs as a remote service (on Kubernetes) that receives data from this logger.

System Requirements

  • 64-bit Intel or AMD CPU
  • Linux kernel v5.8 or higher
  • OpenSSL v1.0 or higher
  • Root user or sudo privileges
  • Network access to the Kubernetes cluster where Graylog API Security is running

Current Limitations

  • ⚠️ This is beta software and not ready for production environments
  • ARM64 chipsets are not yet supported
  • API calls made via HTTP are not logged yet (only HTTPS)
  • Only applications using OpenSSL are supported (additional encryption libraries coming soon)
  • HTTP v3, UDP, and streaming protocols are not supported

Environment Variables

These environment variables are required to configure the logger and to control what information is logged.

  • USAGE_LOGGERS_EBPF_EXPATH: Path to OpenSSL shared library (use ldconfig -p | grep ssl to find)
  • USAGE_LOGGERS_RULES: Logging rules used to mask or remove specific details (use include debug to log entire request and response)
  • USAGE_LOGGERS_URL: Capture URL for Graylog API Security instance (looks like https://GL_APISECURITY_HOST/fluke/message)

Logging from Linux VM or Physical Machine

Download logger binary:

wget https://github.com/resurfaceio/logger-ebpf/releases/download/v1.1.1/ebpf-logger-amd64 && chmod +x ebpf-logger-amd64

Run logger binary, with your value for GL_APISECURITY_HOST:

sudo USAGE_LOGGERS_EBPF_EXPATH="/lib/x86_64-linux-gnu/libssl.so.3" USAGE_LOGGERS_RULES="include debug" USAGE_LOGGERS_URL="https://GL_APISECURITY_HOST/fluke/message" ./ebpf-logger-amd64

⚠️ Use CTRL-C to stop the logger.
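
A preflight for the steps above, as an added example that is not part of the logger project: it checks a kernel release and CPU architecture against the System Requirements, validates the shape of USAGE_LOGGERS_URL, and picks the x86-64 OpenSSL path out of ldconfig -p output, skipping 32-bit entries and NSS's libssl3.so, which grep ssl also matches. The function names, the sample ldconfig output and the host logs.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for the requirements and variables documented above.

# kernel_ok RELEASE: true when RELEASE (as printed by `uname -r`) is >= 5.8.
kernel_ok() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major.$minor" in *[!0-9.]*|.*|*.) return 2 ;; esac
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# pick_libssl: reads `ldconfig -p` output on stdin and prints the path of the
# first x86-64 libssl.so entry, the value for USAGE_LOGGERS_EBPF_EXPATH.
pick_libssl() {
    awk '/libssl\.so/ && /x86-64/ { print $NF; found = 1; exit }
         END { exit !found }'
}

# url_ok URL: enforces the shape shown in the README (assumption: HTTPS only)
# and rejects the GL_APISECURITY_HOST placeholder left unreplaced.
url_ok() {
    case "$1" in
        *GL_APISECURITY_HOST*) return 1 ;;
        https://?*/fluke/message) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight RELEASE ARCH URL, with `ldconfig -p` output on stdin.
preflight() {
    kernel_ok "$1" || { echo "kernel $1 is older than 5.8" >&2; return 1; }
    [ "$2" = x86_64 ] || { echo "unsupported CPU: $2" >&2; return 1; }
    url_ok "$3" || { echo "bad USAGE_LOGGERS_URL: $3" >&2; return 1; }
    lib=$(pick_libssl) || { echo "no x86-64 libssl.so found" >&2; return 1; }
    echo "USAGE_LOGGERS_EBPF_EXPATH=$lib"
}

# Constructed sample of `ldconfig -p` output, so the demo runs offline.
SAMPLE='    libssl3.so (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl3.so
    libssl.so.3 (libc6) => /lib/i386-linux-gnu/libssl.so.3
    libssl.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl.so.3'

printf '%s\n' "$SAMPLE" |
    preflight 5.15.0-91-generic x86_64 https://logs.example.test/fluke/message
```

On a real host, feed it live values: ldconfig -p | preflight "$(uname -r)" "$(uname -m)" "$USAGE_LOGGERS_URL"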

Logging from Docker Container

coming soon!

Logging from Kubernetes

coming soon!

Protecting User Privacy

Loggers always have an active set of logging rules that control what data is logged and how sensitive data is masked. All of the examples above apply a predefined set of rules (include debug), but logging rules are easily customized to meet your privacy requirements.


© 2025 Graylog, Inc.