@patrick-stephens
Last active February 27, 2023 11:06
Tracee release notes/tutorial

Fluent output

Tracee now supports sending all of its events to any receiver that speaks the Fluent Forward protocol, primarily the CNCF graduated Fluentd and Fluent Bit projects.

This lets Tracee users take advantage of all the filtering, processing and output options those tools already provide: aggregation, filtering and routing happen in Fluent Bit, Fluentd or any other Fluent Forward receiver rather than in Tracee itself.

It also integrates easily with deployments that already run Fluent Bit (or Fluentd), which includes most cloud providers' logging stacks; Tracee simply becomes another input to the existing pipeline there.

To enable this just use the forward flag for output:

sudo tracee --output forward:tcp://127.0.0.1:24224?tag=mytest

Configuration is via a standard URI, so it can include basic authentication credentials as well as any other additional parameters. Note that the example above uses plain TCP to localhost; if the receiver is on another host, credentials and events would otherwise cross the network in the clear, so configure the receiver side with the transport protection it supports (the Fluent Forward protocol supports TLS and shared-key authentication; see the receiver's documentation). Also keep in mind that credentials placed in the URI are visible in the process command line (for example via ps).

The example above will send to a Fluent Forward receiver on 127.0.0.1:24224 using the tag mytest.

To receive this data, a Fluent Bit container can be used - for full details refer to the Fluent Bit documentation:

docker run --rm -it --network=host fluent/fluent-bit -i forward -o stdout -m '*'

This will just receive the data and output it to the console as an example. Typically this would be part of a larger logging pipeline possibly sending data to Elasticsearch, Loki or any of the other supported targets.
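As an added example (not part of the original notes or of the Tracee or Fluent Bit projects), the Fluent Bit configuration below shows the shape of such a pipeline: a Forward input on port 24224 (with TLS enabled so that events from a Tracee run on another host are protected in transit), a grep filter that keeps only selected event types, and two outputs, one to the console for testing and one to Elasticsearch. The Tracee tag is assumed to be `tracee` (i.e. Tracee started with `forward:tcp://fluentbit-host:24224?tag=tracee`), the field name `eventName` is assumed from Tracee's JSON event format, and the certificate paths and Elasticsearch host are placeholders. The TLS and shared-key options on the Forward input are taken from the Fluent Bit Forward input documentation; check them against the Fluent Bit version you run.

```ini
# Added example: Fluent Bit classic-format pipeline for Tracee events.
# Assumptions: Tracee sends with tag "tracee"; events are JSON objects
# with an "eventName" field; cert paths and hosts are placeholders.

[SERVICE]
    Flush        1
    Log_Level    info

[INPUT]
    Name         forward
    Listen       0.0.0.0
    Port         24224
    # Protect events and credentials in transit when Tracee runs elsewhere.
    # Options assumed from the Fluent Bit Forward input docs; verify for your version.
    Tls          On
    Tls.crt_file /etc/fluent-bit/certs/server.crt
    Tls.key_file /etc/fluent-bit/certs/server.key

[FILTER]
    # Keep only the event types we care about; everything else is dropped here,
    # before it reaches any output.
    Name   grep
    Match  tracee
    Regex  eventName ^(sched_process_exec|security_file_open)$

[OUTPUT]
    # Console output for testing the pipeline, one JSON record per line.
    Name   stdout
    Match  tracee
    Format json_lines

[OUTPUT]
    # Real destination: Elasticsearch, index "tracee" (placeholder host).
    Name   es
    Match  tracee
    Host   elasticsearch.internal
    Port   9200
    Index  tracee
```

Run it with `fluent-bit -c fluent-bit.conf` (or mount the file into the `fluent/fluent-bit` container in place of the `-i forward -o stdout` flags above). Filtering at this stage, rather than at the output, means a noisy Tracee event set is reduced once, regardless of how many outputs are attached.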

The Fluent Bit documentation includes full examples and sandbox training courses on using it.
