in_ebpf: add documentation for experimental plugin
Signed-off-by: Jorge Niedbalski <[email protected]>
Jorge Niedbalski authored and edsiper committed Nov 12, 2024
1 parent bf90bf3 commit 38ac372
Showing 2 changed files with 77 additions and 0 deletions.
1 change: 1 addition & 0 deletions SUMMARY.md
Expand Up @@ -98,6 +98,7 @@
* [Elasticsearch](pipeline/inputs/elasticsearch.md)
* [Exec](pipeline/inputs/exec.md)
* [Exec Wasi](pipeline/inputs/exec-wasi.md)
* [Ebpf](pipeline/inputs/ebpf.md)
* [Fluent Bit Metrics](pipeline/inputs/fluentbit-metrics.md)
* [Forward](pipeline/inputs/forward.md)
* [Head](pipeline/inputs/head.md)
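Review bot: the new entry `* [Ebpf](pipeline/inputs/ebpf.md)` breaks the alphabetical order of this input list: it is inserted after `Exec Wasi`, but `Ebpf` sorts before `Elasticsearch`, so it should go one entry above `Elasticsearch`. The label is also inconsistent with the rest of the change: the new page's title spells the technology `eBPF` and the plugin `in_ebpf`, while the summary entry says `Ebpf`. Using `eBPF` here would match the heading readers land on.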
76 changes: 76 additions & 0 deletions pipeline/inputs/ebpf.md
@@ -0,0 +1,76 @@
# `in_ebpf` Input Plugin for Fluent Bit (Experimental)

> **Note:** This plugin is experimental and may be unstable. Use it in development or testing environments only, as its features and behavior are subject to change.
The `in_ebpf` input plugin is an **experimental** plugin for Fluent Bit that uses eBPF (extended Berkeley Packet Filter) to capture low-level system events. This plugin allows Fluent Bit to monitor kernel-level activities such as process executions, file accesses, memory allocations, network connections, and signal handling. It provides valuable insights into system behavior for debugging, monitoring, and security analysis.

## Overview

The `in_ebpf` plugin leverages eBPF to trace kernel events in real-time. By specifying trace points, users can collect targeted system-level metrics and events, which can be particularly useful for gaining visibility into operating system interactions and performance characteristics.

## System Dependencies

To enable `in_ebpf`, ensure the following dependencies are installed on your system:
- **Kernel Version**: 4.18 or higher with eBPF support enabled.
- **Required Packages**:
- `bpftool`: Used to manage and debug eBPF programs.
- `libbpf-dev`: Provides the `libbpf` library for loading and interacting with eBPF programs.
- **CMake** 3.13 or higher: Required for building the plugin.

### Installing Dependencies on Ubuntu
```bash
sudo apt update
sudo apt install libbpf-dev linux-tools-common cmake
```

## Building Fluent Bit with `in_ebpf`

To enable the `in_ebpf` plugin, follow these steps to build Fluent Bit from source:

1. **Clone the Fluent Bit Repository**
```bash
git clone https://github.com/fluent/fluent-bit.git
cd fluent-bit
```

2. **Configure the Build with `in_ebpf`**

Create a build directory and run `cmake` with the `-DFLB_IN_EBPF=On` flag to enable the `in_ebpf` plugin:
```bash
mkdir build
cd build
cmake .. -DFLB_IN_EBPF=On
```

3. **Compile the Source**
```bash
make
```

4. **Run Fluent Bit**

Run Fluent Bit with elevated permissions (e.g., `sudo`), as loading eBPF programs requires root access or appropriate privileges:
```bash
sudo ./bin/fluent-bit -c path/to/your_config.conf
```

## Configuration Example

Here's a basic example of how to configure the plugin:

```
[INPUT]
Name ebpf
Trace trace_signal
Trace trace_malloc
Trace trace_bind
```

The configuration above enables tracing for:
- Signal handling events (`trace_signal`)
- Memory allocation events (`trace_malloc`)
- Network bind operations (`trace_bind`)

You can enable multiple traces by adding multiple `Trace` directives in your configuration.
Full list of existing traces can be seen here: [Fluent Bit eBPF Traces](https://github.com/fluent/fluent-bit/tree/master/plugins/in_ebpf/traces)
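Review bot: the blockquote `> **Note:** This plugin is experimental ...` is immediately followed by the paragraph `The `in_ebpf` input plugin is an **experimental** plugin ...` with no blank line between them, so Markdown treats the paragraph as a lazy continuation of the quote and the entire introduction renders inside the note box; add an empty line after the `>` line. In the "Run Fluent Bit" step, `sudo ./bin/fluent-bit -c path/to/your_config.conf` together with "root access or appropriate privileges" should say what those privileges are: loading tracing eBPF programs needs CAP_SYS_ADMIN on older kernels and CAP_BPF plus CAP_PERFMON on 5.8 and later, and stating that lets operators run the agent with the minimal capability set instead of blanket root, which matters for an experimental plugin that hooks kernel events. The dependency section lists `bpftool` as required, but the Ubuntu command `sudo apt install libbpf-dev linux-tools-common cmake` installs only the `linux-tools-common` wrapper; the actual `bpftool` binary comes from the kernel-specific `linux-tools-$(uname -r)` (or `linux-tools-generic`) package, so either add that package or drop `bpftool` from the requirements if the plugin only uses `libbpf` at runtime. Minor: the configuration example uses an untagged fence while every other block is tagged `bash`, and the `[INPUT]` block would be clearer with a short sentence on what records the plugin emits for each trace, since the page currently says nothing about the output format.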
