Cilium Tetragon
| Version | 0.2.0 beta:[] (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher 9.0.0 or higher |
| Supported Serverless project types What's this? | Security Observability |
| Subscription level What's this? | Basic |
| Level of support What's this? | Elastic |
The Cilium Tetragon integration enables you to monitor and analyze events from Tetragon, a Kubernetes-aware security observability and runtime enforcement tool supported by the CNCF. This integration provides insight into Tetragon's security event logs, allowing you to visualize data in Kibana, set up alerts, and quickly respond to security events within your Kubernetes environment.
The Cilium Tetragon integration collects security event logs from Tetragon into a logs datastream in Elasticsearch.
To use the Cilium Tetragon integration, ensure the following:
- Elastic Stack: Elasticsearch and Kibana are required for data storage, search, and visualization. You can use the hosted Elasticsearch Service on Elastic Cloud (recommended) or deploy the Elastic Stack on your own hardware.
- Kubernetes Environment: Tetragon must be running in a Kubernetes cluster.
Before collecting data from Tetragon, install the required assets for this integration in Kibana:
- In Kibana, navigate to Settings > Install Cilium Tetragon Integration.
- Alternatively, go to ⊕ Add Cilium Tetragon > Add Integration Only (skip Elastic Agent installation, which is unsupported for this integration).
Tetragon needs to be configured to export its event data as JSON logs. You’ll then use Filebeat to send these logs to Elasticsearch. The simplest approach is to use the Tetragon Helm chart along with a Helm values file.
Refer to the Tetragon Documentation for general Helm installation guidance.
First, create a ConfigMap with Filebeat configuration in the kube-system namespace. Update the Elasticsearch username and password in the provided configuration file.
Save the following as filebeat-cfgmap.yaml:
apiVersion: v1 kind: ConfigMap metadata: name: filebeat-configmap namespace: kube-system data: filebeat.yml: | filebeat.inputs: - type: filestream id: tetragon-log enabled: true paths: - /var/run/cilium/tetragon/*.log path.data: /usr/share/filebeat/data processors: - timestamp: field: "time" layouts: - '2006-01-02T15:04:05Z' - '2006-01-02T15:04:05.999Z' - '2006-01-02T15:04:05.999-07:00' test: - '2019-06-22T16:33:51Z' - '2019-11-18T04:59:51.123Z' - '2020-08-03T07:10:20.123456+02:00' setup.template.name: logs setup.template.pattern: "logs-cilium_tetragon.*" output.elasticsearch: hosts: ["https://<elasticsearch host>"] username: "<elasticsearch username>" password: "<elasticsearch password>" index: logs-cilium_tetragon.log-default To apply this configuration, run:
kubectl create -f filebeat-cfgmap.yaml Next, install Tetragon with Helm, using an override file to configure a Filebeat sidecar to export logs. Save the following configuration as filebeat-helm-values.yaml:
export: securityContext: runAsUser: 0 runAsGroup: 0 stdout: enabledCommand: false enabledArgs: false image: override: "docker.elastic.co/beats/filebeat:8.15.3" extraVolumeMounts: - name: filebeat-config mountPath: /usr/share/filebeat/filebeat.yml subPath: filebeat.yml - name: filebeat-data mountPath: /usr/share/filebeat/data extraVolumes: - name: filebeat-data hostPath: path: /var/run/cilium/tetragon/filebeat type: DirectoryOrCreate - name: filebeat-config configMap: name: filebeat-configmap items: - key: filebeat.yml path: filebeat.yml Then, install Tetragon with:
helm repo add cilium https://helm.cilium.io helm repo update helm install tetragon -f filebeat-helm-values.yaml ${EXTRA_HELM_FLAGS[@]} cilium/tetragon -n kube-system If expected events are not appearing in Elasticsearch, ensure that Tetragon is configured to export the right events:
- Check the
tetragon.exportAllowListandtetragon.exportDenyListHelm values. These can be adjusted by adding them tofilebeat-helm-values.yamlto control which events are included in the JSON export.
For additional guidance on installing or configuring Tetragon, visit the Tetragon documentation.
The log datastream captures event logs from Tetragon. These events are indexed as logs-cilium_tetragon.log-default in Elasticsearch.
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cilium_tetragon.log.cluster_name | keyword | |
| cilium_tetragon.log.node_name | keyword | |
| cilium_tetragon.log.process_exec.parent.auid | long | |
| cilium_tetragon.log.process_exec.parent.docker | keyword | |
| cilium_tetragon.log.process_exec.parent.exec_id | keyword | |
| cilium_tetragon.log.process_exec.parent.flags | keyword | |
| cilium_tetragon.log.process_exec.parent.parent_exec_id | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.container.id | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.container.image.id | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.container.image.name | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.container.name | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.container.pid | long | |
| cilium_tetragon.log.process_exec.parent.pod.container.start_time | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.name | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.namespace | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.pod_labels.app.kubernetes.io/name | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.pod_labels.class | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.pod_labels.org | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.pod_labels.pod-template-hash | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.workload | keyword | |
| cilium_tetragon.log.process_exec.parent.pod.workload_kind | keyword | |
| cilium_tetragon.log.process_exec.parent.refcnt | long | |
| cilium_tetragon.log.process_exec.parent.start_time | keyword | |
| cilium_tetragon.log.process_exec.parent.tid | long | |
| cilium_tetragon.log.process_exec.process.auid | long | |
| cilium_tetragon.log.process_exec.process.docker | keyword | |
| cilium_tetragon.log.process_exec.process.exec_id | keyword | |
| cilium_tetragon.log.process_exec.process.flags | keyword | |
| cilium_tetragon.log.process_exec.process.parent_exec_id | keyword | |
| cilium_tetragon.log.process_exec.process.pod.container.image.id | keyword | |
| cilium_tetragon.log.process_exec.process.pod.container.pid | long | |
| cilium_tetragon.log.process_exec.process.pod.container.start_time | keyword | |
| cilium_tetragon.log.process_exec.process.pod.name | keyword | |
| cilium_tetragon.log.process_exec.process.pod.namespace | keyword | |
| cilium_tetragon.log.process_exec.process.pod.pod_labels.app | keyword | |
| cilium_tetragon.log.process_exec.process.pod.pod_labels.app.kubernetes.io/name | keyword | |
| cilium_tetragon.log.process_exec.process.pod.pod_labels.class | keyword | |
| cilium_tetragon.log.process_exec.process.pod.pod_labels.org | keyword | |
| cilium_tetragon.log.process_exec.process.pod.pod_labels.pod-template-hash | keyword | |
| cilium_tetragon.log.process_exec.process.pod.workload | keyword | |
| cilium_tetragon.log.process_exec.process.pod.workload_kind | keyword | |
| cilium_tetragon.log.process_exec.process.start_time | keyword | |
| cilium_tetragon.log.process_exec.process.uid | long | |
| cilium_tetragon.log.process_exit.parent.auid | long | |
| cilium_tetragon.log.process_exit.parent.docker | keyword | |
| cilium_tetragon.log.process_exit.parent.exec_id | keyword | |
| cilium_tetragon.log.process_exit.parent.flags | keyword | |
| cilium_tetragon.log.process_exit.parent.parent_exec_id | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.container.id | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.container.image.id | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.container.image.name | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.container.name | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.container.pid | long | |
| cilium_tetragon.log.process_exit.parent.pod.container.start_time | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.name | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.namespace | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.pod_labels.app.kubernetes.io/name | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.pod_labels.class | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.pod_labels.org | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.pod_labels.pod-template-hash | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.workload | keyword | |
| cilium_tetragon.log.process_exit.parent.pod.workload_kind | keyword | |
| cilium_tetragon.log.process_exit.parent.refcnt | long | |
| cilium_tetragon.log.process_exit.parent.start_time | keyword | |
| cilium_tetragon.log.process_exit.parent.tid | long | |
| cilium_tetragon.log.process_exit.process.auid | long | |
| cilium_tetragon.log.process_exit.process.docker | keyword | |
| cilium_tetragon.log.process_exit.process.exec_id | keyword | |
| cilium_tetragon.log.process_exit.process.flags | keyword | |
| cilium_tetragon.log.process_exit.process.parent_exec_id | keyword | |
| cilium_tetragon.log.process_exit.process.pod.container.image.id | keyword | |
| cilium_tetragon.log.process_exit.process.pod.container.pid | long | |
| cilium_tetragon.log.process_exit.process.pod.container.start_time | keyword | |
| cilium_tetragon.log.process_exit.process.pod.name | keyword | |
| cilium_tetragon.log.process_exit.process.pod.namespace | keyword | |
| cilium_tetragon.log.process_exit.process.pod.pod_labels.app.kubernetes.io/name | keyword | |
| cilium_tetragon.log.process_exit.process.pod.pod_labels.class | keyword | |
| cilium_tetragon.log.process_exit.process.pod.pod_labels.org | keyword | |
| cilium_tetragon.log.process_exit.process.pod.pod_labels.pod-template-hash | keyword | |
| cilium_tetragon.log.process_exit.process.pod.workload | keyword | |
| cilium_tetragon.log.process_exit.process.pod.workload_kind | keyword | |
| cilium_tetragon.log.process_exit.process.refcnt | long | |
| cilium_tetragon.log.process_exit.process.start_time | keyword | |
| cilium_tetragon.log.process_exit.process.uid | long | |
| cilium_tetragon.log.process_exit.signal | keyword | |
| cilium_tetragon.log.process_exit.status | float | |
| cilium_tetragon.log.process_exit.time | keyword | |
| cilium_tetragon.log.process_kprobe.action | keyword | |
| cilium_tetragon.log.process_kprobe.args.capability_arg.name | keyword | |
| cilium_tetragon.log.process_kprobe.args.capability_arg.value | long | |
| cilium_tetragon.log.process_kprobe.args.file_arg.path | keyword | |
| cilium_tetragon.log.process_kprobe.args.file_arg.permission | keyword | |
| cilium_tetragon.log.process_kprobe.args.int_arg | long | |
| cilium_tetragon.log.process_kprobe.args.user_ns_arg.gid | long | |
| cilium_tetragon.log.process_kprobe.args.user_ns_arg.level | long | |
| cilium_tetragon.log.process_kprobe.args.user_ns_arg.ns.inum | long | |
| cilium_tetragon.log.process_kprobe.args.user_ns_arg.ns.is_host | boolean | |
| cilium_tetragon.log.process_kprobe.args.user_ns_arg.uid | long | |
| cilium_tetragon.log.process_kprobe.function_name | keyword | |
| cilium_tetragon.log.process_kprobe.parent.auid | long | |
| cilium_tetragon.log.process_kprobe.parent.docker | keyword | |
| cilium_tetragon.log.process_kprobe.parent.flags | keyword | |
| cilium_tetragon.log.process_kprobe.parent.parent_exec_id | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.container.id | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.container.image.id | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.container.image.name | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.container.name | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.container.pid | long | |
| cilium_tetragon.log.process_kprobe.parent.pod.container.start_time | date | |
| cilium_tetragon.log.process_kprobe.parent.pod.name | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.namespace | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.pod_labels.app.kubernetes.io/name | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.pod_labels.class | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.pod_labels.org | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.workload | keyword | |
| cilium_tetragon.log.process_kprobe.parent.pod.workload_kind | keyword | |
| cilium_tetragon.log.process_kprobe.parent.refcnt | long | |
| cilium_tetragon.log.process_kprobe.policy_name | keyword | |
| cilium_tetragon.log.process_kprobe.process.auid | long | |
| cilium_tetragon.log.process_kprobe.process.docker | keyword | |
| cilium_tetragon.log.process_kprobe.process.flags | keyword | |
| cilium_tetragon.log.process_kprobe.process.ns.cgroup.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.ipc.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.mnt.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.net.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.pid.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.pid.pid_for_children.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.pid_for_children.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.time.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.time.is_host | boolean | |
| cilium_tetragon.log.process_kprobe.process.ns.time.time_for_children.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.time.time_for_children.is_host | boolean | |
| cilium_tetragon.log.process_kprobe.process.ns.time_for_children.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.time_for_children.is_host | boolean | |
| cilium_tetragon.log.process_kprobe.process.ns.user.inum | long | |
| cilium_tetragon.log.process_kprobe.process.ns.user.is_host | boolean | |
| cilium_tetragon.log.process_kprobe.process.ns.uts.inum | long | |
| cilium_tetragon.log.process_kprobe.process.parent_exec_id | keyword | |
| cilium_tetragon.log.process_kprobe.process.pod.container.image.id | keyword | |
| cilium_tetragon.log.process_kprobe.process.pod.container.pid | long | |
| cilium_tetragon.log.process_kprobe.process.pod.container.start_time | date | |
| cilium_tetragon.log.process_kprobe.process.pod.pod_labels.app.kubernetes.io/name | keyword | |
| cilium_tetragon.log.process_kprobe.process.pod.pod_labels.class | keyword | |
| cilium_tetragon.log.process_kprobe.process.pod.pod_labels.org | keyword | |
| cilium_tetragon.log.process_kprobe.process.pod.workload | keyword | |
| cilium_tetragon.log.process_kprobe.process.refcnt | long | |
| cilium_tetragon.log.process_kprobe.return.int_arg | long | |
| cilium_tetragon.log.process_kprobe.return_action | keyword | |
| cilium_tetragon.log.time | keyword | |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| container.labels | Image labels. | object |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword |
| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword |
| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword |
| log.file.inode | Inode number of the log file. | keyword |
| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 0.2.0 | Enhancement (View pull request) Support stack version 9.0. | — |
| 0.1.0 | Enhancement (View pull request) Initial Version | — |