Logging

Configure log severity:

sudo ./dist/tracee --log debug

Redirect logs to a file if needed:

sudo ./dist/tracee --filter comm=bash --filter follow --filter event=openat --output json:/tmp/tracee.events --log file:/tmp/tracee.log

Logs can be aggregated over a given interval, which delays their output:

sudo ./dist/tracee --log debug --log aggregate:5s

Filter logs whose message contains the specified words:

sudo ./dist/tracee --log filter:msg=foo,bar

Filter logs using regular expressions against messages:

sudo ./dist/tracee --log filter:regex='^foo'

Filter logs originating from a specific package:

sudo ./dist/tracee --log filter:pkg=core

Filter logs originating from a specific file:

sudo ./dist/tracee --log filter:file=/pkg/cmd/flags/logger.go

Filter logs based on their severity level:

sudo ./dist/tracee --log filter:lvl=error

Filter logs originating from libbpf:

sudo ./dist/tracee --log filter:libbpf

All --log filter options can also be used with --log filter-out for the opposite behavior. For more information, please refer to the --log help in the CLI.