Log API calls with eBPF
https://github.com/resurfaceio/logger-ebpf


# logger-ebpf
Easily log **encrypted** API calls to your own security data lake.

This open-source [eBPF](https://ebpf.io/) agent logs API requests and responses to [Graylog API Security](https://graylog.org/products/api-security/)
for analysis and storage. This logger captures encrypted API calls without configuring any encryption keys or making any changes to client or server applications.

[![CodeFactor](https://www.codefactor.io/repository/github/resurfaceio/logger-ebpf/badge?s=1edfaf41d674519709d3abb9c1836e84b4c3a20f)](https://www.codefactor.io/repository/github/resurfaceio/logger-ebpf)
[![Contributing](https://img.shields.io/badge/contributions-welcome-green.svg)](https://github.com/resurfaceio/logger-ebpf/blob/master/CONTRIBUTING.md)
[![License](https://img.shields.io/github/license/resurfaceio/logger-ebpf?s=1edfaf41d674519709d3abb9c1836e84b4c3a20f)](https://github.com/resurfaceio/logger-ebpf/blob/master/LICENSE)

⚠️ [Graylog API Security](https://graylog.org/products/api-security/) is licensed and installed separately, and runs as a remote service (on Kubernetes) that receives data from this logger.

## System Requirements

* 64-bit Intel or AMD CPU
* Linux kernel v5.8 or higher
* OpenSSL v1.0 or higher
* Root user or sudo privileges
* Network access to the Kubernetes cluster where [Graylog API Security](https://graylog.org/products/api-security/) is running

## Current Limitations

* ⚠️ This is beta software and not ready for production environments
* ARM64 chipsets are not yet supported
* API calls made via HTTP are not logged yet (only HTTPS)
* Only applications using OpenSSL are supported (additional encryption libraries coming soon)
* HTTP v3, UDP, and streaming protocols are not supported

## Environment Variables

These environment variables are required to configure the logger and to control what information is logged.

| Variable Name | Description |
|---------------|-------------|
| USAGE_LOGGERS_EBPF_EXPATH | Path to OpenSSL shared library. Use `ldconfig -p \| grep ssl` to find it. |
| USAGE_LOGGERS_RULES | [Logging rules](https://go2docs.graylog.org/apisecurity-current/logging_rules/logging_rules.htm) used to mask or remove specific details. Use `include debug` to log entire request and response. |
| USAGE_LOGGERS_URL | [Capture URL](https://go2docs.graylog.org/apisecurity-current/capture_api_calls/capture_api_calls.htm) for Graylog API Security instance. Looks like `https://GL_APISECURITY_HOST/fluke/message`. |

## Logging from Linux VM or Physical Machine

Download logger binary:
```bash
wget https://github.com/resurfaceio/logger-ebpf/releases/download/v1.1.1/ebpf-logger-amd64 && chmod +x ebpf-logger-amd64
```

Run logger binary, with your value for `GL_APISECURITY_HOST`:
```bash
sudo USAGE_LOGGERS_EBPF_EXPATH="/lib/x86_64-linux-gnu/libssl.so.3" USAGE_LOGGERS_RULES="include debug" USAGE_LOGGERS_URL="https://GL_APISECURITY_HOST/fluke/message" ./ebpf-logger-amd64
```

⚠️ Use `CTRL-C` to stop the logger.
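
A preflight check for the requirements and variables listed above, as an added example that is not part of logger-ebpf. The function names (`kernel_ok`, `libssl_paths`, `preflight`) are hypothetical, and the sketch assumes `ldconfig -p` prints its usual `name (flags) => path` lines.

```bash
#!/bin/sh
# Added example, not part of logger-ebpf. Function names are hypothetical.

# kernel_ok RELEASE: succeed if a `uname -r` string is 5.8 or newer.
kernel_ok() {
    k_major=${1%%.*}
    k_minor=${1#*.}; k_minor=${k_minor%%[!0-9]*}
    case "$k_major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$k_minor" ] || return 1
    [ "$k_major" -gt 5 ] || { [ "$k_major" -eq 5 ] && [ "$k_minor" -ge 8 ]; }
}

# libssl_paths: filter `ldconfig -p` output (stdin) down to 64-bit OpenSSL
# libssl paths. A plain `grep ssl` also matches NSS's libssl3.so and any
# 32-bit copies, neither of which is the library to point the logger at.
libssl_paths() {
    awk '$1 ~ /^libssl\.so(\.[0-9.]+)?$/ && $2 ~ /x86-64/ && $(NF-1) == "=>" { print $NF }'
}

# preflight: check the README's system requirements and its three variables.
preflight() {
    [ "$(uname -m)" = "x86_64" ] || { echo "unsupported CPU: $(uname -m)" >&2; return 1; }
    kernel_ok "$(uname -r)" || { echo "kernel older than 5.8: $(uname -r)" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "root or sudo required" >&2; return 1; }
    if [ ! -r "${USAGE_LOGGERS_EBPF_EXPATH:-}" ]; then
        echo "USAGE_LOGGERS_EBPF_EXPATH unset or unreadable; candidates:" >&2
        ldconfig -p | libssl_paths >&2
        return 1
    fi
    [ -n "${USAGE_LOGGERS_URL:-}" ] || { echo "USAGE_LOGGERS_URL is not set" >&2; return 1; }
    [ -n "${USAGE_LOGGERS_RULES:-}" ] || { echo "USAGE_LOGGERS_RULES is not set" >&2; return 1; }
    case "$USAGE_LOGGERS_RULES" in
        *"include debug"*) echo "note: 'include debug' logs entire request and response" >&2 ;;
    esac
    return 0
}

# Usage (as root, with the three variables exported):
#   preflight && ./ebpf-logger-amd64
```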

## Logging from Docker Container

Coming soon!

## Logging from Kubernetes

Coming soon!

## Protecting User Privacy

Loggers always have an active set of [logging rules](https://go2docs.graylog.org/apisecurity-current/logging_rules/logging_rules.htm)
that control what data is logged and how sensitive data is masked. All of the examples above apply a predefined set of rules (`include debug`),
but logging rules are easily customized to meet your privacy requirements.

---
© 2025 Graylog, Inc.