Tracee Now Natively Supports Fluent Bit and Fluentd

Easily add eBPF data to your telemetry pipeline

The newest version of Aquasec’s Tracee tool (v0.12.0) now supports sending all events directly to Fluent Bit or Fluentd via the Fluent Forward receiver. This enables Tracee users to take advantage of the Fluent projects’ powerful in-stream processing and filtering capabilities before forwarding the output to any of the dozens of backends supported by the projects. Users familiar with the Fluentd logging driver for Docker will recognize a similar approach.

Last summer, we demonstrated a way to integrate Tracee and Fluent Bit, but that process required us to output the eBPF from Tracee as JSON and forward it to a log file that the Fluent Bit service could then read. With support for the Fluent Forward receiver now native with Tracee, the millions of Fluent users can now easily add eBPF data into their observability efforts, allowing kernel layer insights. You could, for example, send eBPF data through Fluent Bit to Grafana Loki, or even Loki, Elasticsearch, and Splunk all at the same time.

The support for Fluent Forward receiver was made possible by a PR from Calyptia’s senior software engineer Patrick Stephens (@patrick-stephens).

For information on how to configure Tracee to send data to Fluent, check out the Tracee docs. Be aware that Tracee v0.12 includes some breaking changes, so exercise appropriate caution as you begin to explore this new feature.