Detections: Output Format¶
Configuring¶
When a detection is made by any of the loaded signatures, it will always be printed to stdout. You can customize this output format using a go template.
$ ./dist/tracee-rules --output-template /path/to/my.tmpl
Go-templates
The following Go templates are included in the Tracee container image and are
available for use under the /tracee/templates/
directory in the container:
File name | Description | Content-Type | Source |
---|---|---|---|
rawjson.tmpl | Dumps the Finding object as raw JSON | application/json |
source |
falcosidekick.tmpl | For compatibility with [falcosidekick] | application/json |
source |
-
Basic Example: Raw JSON stdout
The following example configures Tracee to output detections to stdout as raw JSON:
$ docker run \ --name tracee --rm -it \ --pid=host --cgroupns=host --privileged \ -v /etc/os-release:/etc/os-release-host:ro \ -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \ aquasec/tracee:0.9.3 \ --output-template /tracee/templates/rawjson.tmpl
Postee
Tracee default delivery mechanism, using Helm, is through Postee and uses the
rawjson.tmpl
go template.
Authoring¶
When authoring a Go template for either stdout or webhook, you have Tracee's
types.Finding
struct as the data source:
// Finding is the main output of a signature. It represents a match result for
// the signature business logic.
type Finding struct {
SigMetadata SignatureMetadata // information about the signature that made the detection
Context Event // the raw event that triggered the detection
Data map[string]interface{} // detection specific information
}
The Go template can utilize helper functions from Sprig.
For example templates, see tracee/cmd/tracee-rules/templates.