Ebpf
The in_ebpf input plugin uses eBPF (extended Berkeley Packet Filter) to capture low-level system events. This plugin lets Fluent Bit monitor kernel-level activities such as process executions, file accesses, memory allocations, network connections, and signal handling. It provides valuable insights into system behavior for debugging, monitoring, and security analysis.
The in_ebpf plugin leverages eBPF to trace kernel events in real time. By specifying trace points, users can collect targeted system-level metrics and events, giving visibility into operating system interactions and performance characteristics.
System dependencies
To enable in_ebpf, ensure the following dependencies are installed on your system:
Kernel version: 4.18 or greater, with eBPF support enabled.
Required packages:
bpftool: Used to manage and debug eBPF programs.
libbpf-dev: Provides the libbpf library for loading and interacting with eBPF programs.
CMake 3.13 or higher: Required for building the plugin.
Installing dependencies on Ubuntu
Building Fluent Bit with in_ebpf
To enable the in_ebpf plugin, follow these steps to build Fluent Bit from source:
1. Clone the Fluent Bit repository.
2. Configure the build with in_ebpf: create a build directory and run cmake with the -DFLB_IN_EBPF=On flag to enable the in_ebpf plugin.
3. Compile the source.
4. Run Fluent Bit with elevated permissions (for example, sudo). Loading eBPF programs requires root access or appropriate privileges.
Configuration example
Here's a basic example of how to configure the plugin:
The configuration enables tracing for:
Signal handling events (trace_signal)
Memory allocation events (trace_malloc)
Network bind operations (trace_bind)
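As an added example that is not part of the original page, this is a classic-format Fluent Bit configuration matching the description above, with the captured events written to stdout. The plugin name ebpf and the repeated Trace key are assumptions here, since the page itself does not show them:

```ini
# Added example (Fluent Bit classic configuration format); not the page's own snippet.
# Assumption: the plugin is registered under the name "ebpf" and each trace point
# is selected with a repeated "Trace" key using the trace names listed above.
[SERVICE]
    Flush         1
    Log_Level     info

[INPUT]
    Name          ebpf
    # Signal handling events
    Trace         trace_signal
    # Memory allocation events
    Trace         trace_malloc
    # Network bind operations
    Trace         trace_bind

[OUTPUT]
    Name          stdout
    Match         *
```

Start the freshly built binary with elevated privileges, for example sudo ./bin/fluent-bit -c ebpf.conf, so the eBPF programs can be loaded; each captured kernel event is then printed as a record on stdout.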