https://github.com/bhanuprakasheagala/eTraceGen-eBPFEventTelemetryEngine

A Linux telemetry engine built with eBPF and Modern C++ that captures kernel-level events for processes, files, system calls, and network activity, with a modular pipeline for decoding, enrichment, filtering, and JSON output. It is designed for portability across modern kernels using libbpf/CO-RE with graceful fallback behaviour.

cpp20 ebpf event-logger filesystem linux linux-kernel malware-analysis moderncpp network operating-systems systemcalls systemprogramming


# eTraceGen: eBPF Event Telemetry Engine

`eTraceGen` is a Linux-only event telemetry engine built with eBPF (kernel space) and Modern C++ (user space).

It captures runtime telemetry for sandbox and malware-analysis workflows:
- process lifecycle activity
- file operations (paired enter/exit with syscall outcomes)
- broad syscall telemetry (`raw_syscalls/sys_enter` + `sys_exit`)
- network socket lifecycle metadata
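How the paired enter/exit telemetry for the file domain can be assembled, shown as an added C++20 example that is not eTraceGen's own code: each `sys_enter` record is held per thread until the matching `sys_exit` arrives, and the two are then emitted as one JSON line that carries the syscall return value and latency. The event structs, the x86_64 syscall numbers, the JSON field names and the handling of orphan events are this example's assumptions, not the project's documented behaviour.

```cpp
// Added example, not eTraceGen's own code: correlate raw sys_enter / sys_exit
// records per thread so a file operation is emitted with its syscall outcome.
// Event layouts, syscall numbers (x86_64) and JSON field names are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <optional>
#include <string>
#include <unordered_map>

// x86_64 syscall numbers for the file domain (assumed for this example).
constexpr long SYS_openat_nr = 257;
constexpr long SYS_unlinkat_nr = 263;
constexpr long SYS_renameat2_nr = 316;

// Constructed record shapes standing in for the decoded ring-buffer events.
struct EnterEvent { uint64_t ts_ns; uint32_t pid; uint32_t tid; long nr; std::string path; };
struct ExitEvent  { uint64_t ts_ns; uint32_t pid; uint32_t tid; long nr; long ret; };
struct PairedEvent {
    uint32_t pid; uint32_t tid; long nr; std::string path; long ret; uint64_t latency_ns;
};

// A thread is in at most one syscall at a time, so the pending enter is keyed by tid.
class SyscallPairer {
public:
    void onEnter(const EnterEvent& e) {
        // A new enter on a thread that still has one pending means its exit was lost.
        if (pending_.count(e.tid)) ++dropped_enters_;
        pending_[e.tid] = e;
    }

    // Returns the paired record, or nullopt when no matching enter is pending
    // (e.g. the probe attached while the syscall was already in flight).
    std::optional<PairedEvent> onExit(const ExitEvent& x) {
        auto it = pending_.find(x.tid);
        if (it == pending_.end() || it->second.nr != x.nr) {
            ++unmatched_exits_;
            if (it != pending_.end()) pending_.erase(it);  // stale enter: discard it
            return std::nullopt;
        }
        const EnterEvent& e = it->second;
        PairedEvent p{e.pid, e.tid, e.nr, e.path, x.ret, x.ts_ns - e.ts_ns};
        pending_.erase(it);
        return p;
    }

    // Thread died mid-syscall: its enter will never be paired, so drop it.
    std::size_t onThreadExit(uint32_t tid) { return pending_.erase(tid); }

    std::size_t pending() const { return pending_.size(); }
    std::size_t unmatchedExits() const { return unmatched_exits_; }
    std::size_t droppedEnters() const { return dropped_enters_; }

private:
    std::unordered_map<uint32_t, EnterEvent> pending_;
    std::size_t unmatched_exits_ = 0;
    std::size_t dropped_enters_ = 0;
};

// One JSON line per paired event. Quotes, backslashes and control characters in
// the path are escaped so a hostile filename cannot break the record structure.
std::string toJson(const PairedEvent& p) {
    std::string path;
    for (char c : p.path) {
        if (c == '"' || c == '\\') { path += '\\'; path += c; continue; }
        if (static_cast<unsigned char>(c) < 0x20) {
            char buf[8];
            std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
            path += buf;
            continue;
        }
        path += c;
    }
    return "{\"domain\":\"file\",\"pid\":" + std::to_string(p.pid) +
           ",\"tid\":" + std::to_string(p.tid) + ",\"nr\":" + std::to_string(p.nr) +
           ",\"path\":\"" + path + "\",\"ret\":" + std::to_string(p.ret) +
           ",\"latency_ns\":" + std::to_string(p.latency_ns) + "}";
}

int main() {
    SyscallPairer pairer;
    // Constructed event stream: a successful openat, a failing unlinkat (-ENOENT),
    // and a renameat2 exit whose enter was never observed.
    pairer.onEnter({1000, 42, 42, SYS_openat_nr, "/etc/passwd"});
    if (auto p = pairer.onExit({1250, 42, 42, SYS_openat_nr, 3})) std::cout << toJson(*p) << '\n';
    pairer.onEnter({2000, 42, 43, SYS_unlinkat_nr, "/tmp/\"quoted\".txt"});
    if (auto p = pairer.onExit({2100, 42, 43, SYS_unlinkat_nr, -2})) std::cout << toJson(*p) << '\n';
    if (!pairer.onExit({3000, 42, 44, SYS_renameat2_nr, 0}))
        std::cout << "unmatched exits: " << pairer.unmatchedExits() << '\n';
    return 0;
}
```

Build with `g++ -std=c++20 pairer.cpp -o pairer`. The pending map is keyed by thread id rather than process id because syscalls are per-thread; keying by pid would mis-pair exits across threads of a multithreaded program. The two orphan cases matter for a capture-first engine: an exit with no enter is expected right after attaching, and an enter with no exit is expected when a thread is killed mid-syscall, so both are counted rather than treated as errors.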

## Linux-Only Scope
- Linux distributions with kernel eBPF + BTF support.
- libbpf backend only.
- single operational script: `./scripts/linux.sh`.

## Dependencies (Linux)
- gcc/g++ (userspace build)
- clang/llvm (BPF object build)
- libbpf
- bpftool
- kernel BTF at `/sys/kernel/btf/vmlinux`

## Single Script Workflow
```bash
./scripts/linux.sh help
```

Core commands:
- `./scripts/linux.sh build`
- `./scripts/linux.sh bpf`
- `./scripts/linux.sh all`
- `./scripts/linux.sh check`
- `./scripts/linux.sh preflight`
- `./scripts/linux.sh smoke`
- `./scripts/linux.sh validate`
- `./scripts/linux.sh verify`
- `./scripts/linux.sh run`

## Quick Start (Linux)
```bash
cmake -S . -B build
cmake --build build -j
./scripts/linux.sh bpf
./scripts/linux.sh run
```

Optional runtime overrides:
```bash
ETRACEGEN_BPF_OBJECT=/absolute/path/to/event_logger.bpf.o ./build/etracegen
ETRACEGEN_CONFIG=/absolute/path/to/config.yaml ./build/etracegen
```

## Current v1 Coverage
- process: `exec`, `fork`, `exit`, `clone`, `clone3`, `vfork`
- file: `openat`, `unlinkat`, `renameat2`
- syscall: broad capture (no syscall allowlist gating)
- network: metadata-only socket lifecycle for `socket`, `connect`, `accept4`, `bind`, `listen`, `close`, `sendto`, `recvfrom`, `shutdown`

## Default Runtime Mode
- capture-first configuration in `config/default.yaml`
- no PID/UID/syscall/network allowlist filtering in active flow
- domain toggles remain available (`domains.process`, `domains.file`, `domains.syscall`, `domains.network_socket`)