Tetragon eBPF Connector

Tetragon is an open-source project of Cilium that provides runtime security, deep observability, and kernel-level transparency using eBPF. Tetragon monitors processes, syscalls, file and network activity in the kernel, correlating threats with network data to identify responsible binaries. It shares insights via JSON logs and a gRPC endpoint.


This document walks through how to set up the Tetragon connector to ship eBPF events into Parseable using Vector. Vector is a tool for building observability pipelines that collect, transform, and route logs, metrics, and traces.

Prerequisites:

  1. A Kubernetes cluster with admin access.

  2. kubectl installed on your machine.

Step 1: Deploy Tetragon

You can deploy Tetragon on your Kubernetes cluster using Helm with the following commands:

helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon -n kube-system

Optional
For a more readable event format, you can install the Tetra CLI:

curl -L https://github.com/cilium/tetragon/releases/latest/download/tetra-linux-amd64.tar.gz | tar -xz
sudo mv tetra /usr/local/bin

Step 2: Deploy Vector

You can deploy Vector on your Kubernetes cluster using Helm. We have created a vector-tetragon-values.yaml file that configures Vector to collect logs from Tetragon and send them to Parseable.

helm repo add vector https://helm.vector.dev
wget https://www.parseable.com/blog/vector/vector-tetragon-values.yaml
helm install vector vector/vector --namespace vector --create-namespace --values vector-tetragon-values.yaml

It will take some time to deploy Vector. You can check the status using the command:

kubectl get pods -n vector

Vector is now ready to send the events that Tetragon writes to /var/run/cilium/tetragon/tetragon.log to the Parseable tetrademo log stream. Once this is done, you can verify the log events in the Parseable UI.
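The values file downloaded above is not reproduced on this page. What follows is an added example of a minimal Vector Helm values file for this pipeline, written for this document and not Parseable's own file: it mounts the Tetragon log directory from the host, parses each JSON line so its fields land as top-level columns, and posts batches to Parseable. The chart keys (role, customConfig, extraVolumes, extraVolumeMounts), the in-cluster Parseable service address, the /api/v1/ingest path and the X-P-Stream header are assumptions to verify against the current Vector chart and Parseable documentation before use.

```yaml
role: Agent

# Tetragon runs as a DaemonSet and writes its JSON log on the host; mount it read-only.
extraVolumes:
  - name: tetragon-log
    hostPath:
      path: /var/run/cilium/tetragon
      type: Directory
extraVolumeMounts:
  - name: tetragon-log
    mountPath: /var/run/cilium/tetragon
    readOnly: true

customConfig:
  data_dir: /vector-data-dir
  sources:
    tetragon:
      type: file
      include:
        - /var/run/cilium/tetragon/tetragon.log
      read_from: beginning
  transforms:
    parse_tetragon:
      type: remap
      inputs: [tetragon]
      # Each line is one Tetragon event (process_exec, process_kprobe, ...).
      # Replace the wrapper event with the parsed object; drop unparseable lines.
      source: |
        parsed, err = parse_json(string!(.message))
        if err != null {
          abort
        }
        . = parsed
  sinks:
    parseable:
      type: http
      inputs: [parse_tetragon]
      # Assumed address/port of the Parseable service and its ingest endpoint.
      uri: http://parseable.parseable.svc.cluster.local:8000/api/v1/ingest
      method: post
      encoding:
        codec: json
      auth:
        strategy: basic
        user: admin          # placeholder credentials; use a Kubernetes Secret
        password: admin
      request:
        headers:
          X-P-Stream: tetrademo   # target log stream in Parseable
```

Pass this file with --values in the helm install command above; the remap step is what makes fields such as process name and binary path queryable directly in Parseable instead of being buried inside a single message string.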

We have a blog post which guides you through the process of tracking sensitive file access using Tetragon and Parseable. You can read it here.
