Tracing Output Formats

The `--output` flag controls where and how Tracee outputs events, using the form `--output <format>:<destination>`. The flag can be given multiple times to emit events in several ways at once. To list all output options, run `tracee --output help`.
The following output formats are supported:

- `table[:/path/to/file]` - output events in table format (default). The default destination is stdout.
- `table-verbose[:/path/to/file]` - output events in table format with extra fields per event. The default destination is stdout.
- `json[:/path/to/file]` - output events in JSON format, one event per line. The default destination is stdout.
- `gob[:/path/to/file]` - output events in gob format, Go's binary encoding; only a Go program can decode it. The default destination is stdout.
- `gotemplate=/path/to/template[:/path/to/file]` - output events formatted using the given Go template file. The default destination is stdout.
- `forward:http://url/fluent` - send events in JSON format using the Forward protocol to a Fluent receiver.
- `webhook:http://url/webhook` - send events in JSON format to the webhook URL.
- `none` - discard the event stream; usually used together with `--capture`.
Examples

Table

```text
$ sudo ./dist/tracee --output table --filter comm=bash --filter follow --filter event=openat
TIME UID COMM PID TID RET EVENT ARGS
11:21:51:254199 1000 exa 1639459 1639459 3 openat dirfd: -100, pathname: /etc/ld.so.cache, flags: O_RDONLY|O_CLOEXEC, mode: 0
11:21:51:254285 1000 exa 1639459 1639459 3 openat dirfd: -100, pathname: /lib/x86_64-linux-gnu/libgcc_s.so.1, flags: O_RDONLY|O_CLOEXEC, mode: 0
11:21:51:254418 1000 exa 1639459 1639459 3 openat dirfd: -100, pathname: /lib/x86_64-linux-gnu/libm.so.6, flags: O_RDONLY|O_CLOEXEC, mode: 0
End of events stream
Stats: {EventCount:3 EventsFiltered:0 NetCapCount:0 BPFLogsCount:0 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCapCount:0 LostBPFLogsCount:0}
```
Table (Verbose)
```text
$ sudo ./dist/tracee --output table-verbose --filter comm=bash --filter follow --filter event=openat
TIME UTS_NAME CONTAINER_ID MNT_NS PID_NS UID COMM PID TID PPID RET EVENT ARGS
11:22:16:970700 fujitsu 4026531840 4026531836 1000 exa 1643836 1643836 3795408 3 openat dirfd: -100, pathname: /etc/ld.so.cache, flags: 524288, mode: 0
11:22:16:970783 fujitsu 4026531840 4026531836 1000 exa 1643836 1643836 3795408 3 openat dirfd: -100, pathname: /lib/x86_64-linux-gnu/libgcc_s.so.1, flags: 524288, mode: 0
11:22:16:970913 fujitsu 4026531840 4026531836 1000 exa 1643836 1643836 3795408 3 openat dirfd: -100, pathname: /lib/x86_64-linux-gnu/libm.so.6, flags: 524288, mode: 0
End of events stream
Stats: {EventCount:3 EventsFiltered:0 NetCapCount:0 BPFLogsCount:0 ErrorCount:0 LostEvCount:0 LostWrCount:0 LostNtCapCount:0 LostBPFLogsCount:0}
```
JSON

```text
$ sudo ./dist/tracee --output json --filter comm=bash --filter follow --filter event=openat
{"timestamp":1657290245020855990,"threadStartTime":615325807626168,"processorId":22,"processId":1664936,"cgroupId":1,"threadId":1664936,"parentProcessId":3795408,"hostProcessId":1664936,"hostThreadId":1664936,"hostParentProcessId":3795408,"userId":1000,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"exa","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"257","eventName":"openat","argsNum":4,"returnValue":3,"stackAddresses":null,"syscall":"openat","contextFlags":{"containerStarted":false,"isCompat":false},"args":[{"name":"dirfd","type":"int","value":-100},{"name":"pathname","type":"const char*","value":"/etc/ld.so.cache"},{"name":"flags","type":"int","value":524288},{"name":"mode","type":"mode_t","value":0}]}
{"timestamp":1657290245020940791,"threadStartTime":615325807626168,"processorId":22,"processId":1664936,"cgroupId":1,"threadId":1664936,"parentProcessId":3795408,"hostProcessId":1664936,"hostThreadId":1664936,"hostParentProcessId":3795408,"userId":1000,"mountNamespace":4026531840,"pidNamespace":4026531836,"processName":"exa","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"257","eventName":"openat","argsNum":4,"returnValue":3,"stackAddresses":null,"syscall":"openat","contextFlags":{"containerStarted":false,"isCompat":false},"args":[{"name":"dirfd","type":"int","value":-100},{"name":"pathname","type":"const char*","value":"/lib/x86_64-linux-gnu/libgcc_s.so.1"},{"name":"flags","type":"int","value":524288},{"name":"mode","type":"mode_t","value":0}]}
```

Note that the `flags` argument is emitted as a raw integer (524288) here; with `--output option:parse-arguments` it is rendered as symbolic names (`O_RDONLY|O_CLOEXEC`), as in the table output above. Consumers should handle both.

Tip

Pipe Tracee's JSON output to the jq tool to select fields, rename them, filter values and more. Field names are case-sensitive, so use them exactly as they appear in the output (`userId`, not `UserId`):

```text
sudo ./dist/tracee -o json -o option:parse-arguments --filter comm=ping | jq -c '{eventId, hostName, processName, hostProcessId, userId}'
```
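Beyond jq one-liners, the JSON stream is what you feed into a detection pipeline. The following consumer is an added example written for this page and is not part of Tracee; it decodes only the fields it needs from each line (the full event has many more, which `encoding/json` ignores), flattens the `args` array into a name-to-value map, tolerates `flags` arriving either as a raw number or as a parsed `O_*` string, and raises an alert for any `openat` on a small constructed list of sensitive paths, including failed attempts. The sample input is constructed for the example: its first line is trimmed from the page's own output, the other two are made up.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Argument mirrors one entry of the "args" array in Tracee's JSON output.
// Value stays untyped because its JSON type depends on the argument and on
// whether option:parse-arguments is in effect ("flags" is the number 524288
// raw, or the string "O_RDONLY|O_CLOEXEC" parsed).
type Argument struct {
	Name  string      `json:"name"`
	Type  string      `json:"type"`
	Value interface{} `json:"value"`
}

// Event holds only the fields this consumer uses (an assumption of this
// example); encoding/json drops the other keys Tracee emits.
type Event struct {
	HostName    string     `json:"hostName"`
	ProcessName string     `json:"processName"`
	HostPID     int        `json:"hostProcessId"`
	UserID      int        `json:"userId"`
	EventName   string     `json:"eventName"`
	ReturnValue int        `json:"returnValue"`
	Args        []Argument `json:"args"`
}

// ArgsMap flattens the args array into name -> value so rules look up
// arguments by name rather than by position.
func ArgsMap(ev Event) map[string]interface{} {
	m := make(map[string]interface{}, len(ev.Args))
	for _, a := range ev.Args {
		m[a.Name] = a.Value
	}
	return m
}

// FlagsString renders an open(2) flags argument whether it came through raw
// (a JSON number, which decodes as float64) or parsed (a string of O_* names).
func FlagsString(v interface{}) string {
	switch f := v.(type) {
	case float64:
		return fmt.Sprintf("0x%x", int64(f))
	case string:
		return f
	}
	return fmt.Sprintf("%v", v)
}

// sensitivePaths is a constructed watch list for this example.
var sensitivePaths = map[string]bool{"/etc/shadow": true, "/etc/sudoers": true, "/root/.ssh/id_rsa": true}

// SensitiveOpen reports whether ev is an openat on a watched path. Failed
// attempts (negative return value) are kept on purpose: EACCES on /etc/shadow
// from an unprivileged process is often the more interesting signal.
func SensitiveOpen(ev Event) bool {
	if ev.EventName != "openat" {
		return false
	}
	path, _ := ArgsMap(ev)["pathname"].(string)
	return sensitivePaths[path]
}

// Process reads newline-delimited JSON events and returns one alert line per
// sensitive open. A malformed line is an error, not silently dropped, so a
// truncated stream cannot hide events.
func Process(r io.Reader) ([]string, error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 16*1024*1024) // long args exceed the 64 KiB default
	var alerts []string
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return alerts, fmt.Errorf("bad event line: %w", err)
		}
		if SensitiveOpen(ev) {
			a := ArgsMap(ev)
			alerts = append(alerts, fmt.Sprintf("%s %s[%d] uid=%d openat %v flags=%s ret=%d",
				ev.HostName, ev.ProcessName, ev.HostPID, ev.UserID, a["pathname"], FlagsString(a["flags"]), ev.ReturnValue))
		}
	}
	return alerts, sc.Err()
}

// sampleEvents is constructed input (see lead-in); line 1 is from the page.
const sampleEvents = `{"userId":1000,"processName":"exa","hostName":"fujitsu","hostProcessId":1664936,"eventName":"openat","returnValue":3,"args":[{"name":"dirfd","type":"int","value":-100},{"name":"pathname","type":"const char*","value":"/etc/ld.so.cache"},{"name":"flags","type":"int","value":524288},{"name":"mode","type":"mode_t","value":0}]}
{"userId":1000,"processName":"cat","hostName":"fujitsu","hostProcessId":1664999,"eventName":"openat","returnValue":-13,"args":[{"name":"dirfd","type":"int","value":-100},{"name":"pathname","type":"const char*","value":"/etc/shadow"},{"name":"flags","type":"int","value":524288},{"name":"mode","type":"mode_t","value":0}]}
{"userId":0,"processName":"cat","hostName":"fujitsu","hostProcessId":1665010,"eventName":"openat","returnValue":3,"args":[{"name":"dirfd","type":"int","value":-100},{"name":"pathname","type":"const char*","value":"/etc/shadow"},{"name":"flags","type":"int","value":"O_RDONLY|O_CLOEXEC"},{"name":"mode","type":"mode_t","value":0}]}
`

// Usage: sudo ./dist/tracee --output json --filter event=openat | go run consumer.go
func main() {
	alerts, err := Process(os.Stdin)
	for _, a := range alerts {
		fmt.Println(a)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run against the embedded sample (for instance by calling `Process(strings.NewReader(sampleEvents))`) it yields two alerts: the denied `cat` of `/etc/shadow` by uid 1000 (`ret=-13`, `flags=0x80000`) and the successful root read with parsed flags; the `ld.so.cache` open from the page produces nothing.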
GOB

gob is Go's binary encoding, so this output is only useful to a Go consumer that decodes trace.Event values; write it to a file rather than a terminal:

```text
$ sudo ./dist/tracee --output gob:/tmp/tracee.gob --filter comm=bash --filter follow --filter event=openat
```
GOTEMPLATE

When authoring a Go template, the data source is Tracee's trace.Event struct, defined in https://github.com/aquasecurity/tracee/blob/main/types/trace/trace.go#L15. Template fields therefore use the Go field names of that struct (for example `.ProcessName`, `.EventName`, `.Args`), not the lower-camel-case keys of the JSON output.

Go templates can use the helper functions from Sprig.

For example templates, see tracee/cmd/tracee-rules/templates.
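The following is an added example, not one of Tracee's own templates: it shows a one-line-per-event template that walks the `Args` slice by name (so it does not break when argument order changes) and branches on `ContainerID`, and renders it with Go's `text/template` the way Tracee applies a template per event. The `Event` and `Argument` types here are a stand-in mirroring the field names of trace.Event that the template touches (an assumption; check the linked trace.go for your version if a field renders empty). Only `upper` is registered in place of the Sprig helper set so that the program runs without the Sprig module; the sample events are constructed, the first from this page's openat output.

```go
package main

import (
	"os"
	"strings"
	"text/template"
)

// Argument and Event are a stand-in for Tracee's trace.Event (assumption:
// field names match the version you run; only the fields used below are kept).
type Argument struct {
	Name  string
	Type  string
	Value interface{}
}

type Event struct {
	HostName      string
	ContainerID   string
	ProcessName   string
	HostProcessID int
	UserID        int
	EventName     string
	ReturnValue   int
	Args          []Argument
}

// eventTemplate is the text you would save to a file and pass as
// --output gotemplate=/path/to/file. It ranges over Args so the output
// names every argument instead of relying on positions, and prefixes the
// container ID when the event came from a container.
const eventTemplate = `{{ .HostName }}{{ if .ContainerID }}/{{ .ContainerID }}{{ end }} {{ .ProcessName | upper }}[{{ .HostProcessID }}] uid={{ .UserID }} {{ .EventName }}({{ range $i, $a := .Args }}{{ if $i }}, {{ end }}{{ $a.Name }}={{ $a.Value }}{{ end }}) = {{ .ReturnValue }}
`

// funcs stands in for the Sprig helpers Tracee makes available; "upper" is a
// Sprig function name, backed here by the standard library.
var funcs = template.FuncMap{"upper": strings.ToUpper}

// Render executes eventTemplate once per event, as Tracee does, and returns
// the concatenated output.
func Render(events []Event) (string, error) {
	tmpl, err := template.New("event").Funcs(funcs).Parse(eventTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	for _, ev := range events {
		if err := tmpl.Execute(&sb, ev); err != nil {
			return "", err
		}
	}
	return sb.String(), nil
}

// sample is constructed: the first event is the page's openat, the second a
// made-up execve inside a container so the ContainerID branch is exercised.
var sample = []Event{
	{HostName: "fujitsu", ProcessName: "exa", HostProcessID: 1664936, UserID: 1000,
		EventName: "openat", ReturnValue: 3,
		Args: []Argument{{"dirfd", "int", -100}, {"pathname", "const char*", "/etc/ld.so.cache"}, {"flags", "int", 524288}, {"mode", "mode_t", 0}}},
	{HostName: "fujitsu", ContainerID: "3a9f1c2e7b4d", ProcessName: "sh", HostProcessID: 1665100, UserID: 0,
		EventName: "execve", ReturnValue: 0,
		Args: []Argument{{"pathname", "const char*", "/bin/nc"}, {"argv", "const char*const*", []string{"nc", "-e", "/bin/sh"}}}},
}

func main() {
	out, err := Render(sample)
	if err != nil {
		os.Stderr.WriteString(err.Error() + "\n")
		os.Exit(1)
	}
	os.Stdout.WriteString(out)
}
```

The first sample renders as `fujitsu EXA[1664936] uid=1000 openat(dirfd=-100, pathname=/etc/ld.so.cache, flags=524288, mode=0) = 3`; the template sees `Args[].Value` as whatever Go value Tracee stored, so slices such as `argv` print in Go's `[a b c]` form unless you format them with a helper.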
Logging

Redirect logs to a file if needed. The example points TRACEE_BPF_FILE at a file that does not exist so that Tracee has an error to write to the log:

```text
$ sudo TRACEE_BPF_FILE=do-not-exist ./dist/tracee --filter comm=bash --filter follow --filter event=openat --output json:/tmp/tracee.events --output log-file:/tmp/tracee.log
```