Detections: Output Format

Configuring

When a detection is made by any of the loaded signatures, it is always printed to stdout. You can customize the format of this output with a Go template:

$ ./dist/tracee-rules --output-template /path/to/my.tmpl

Go-templates

The following Go templates are included in the Tracee container image and are available under the /tracee/templates/ directory in the container:

File name           Description                            Content-Type       Source
rawjson.tmpl        Dumps the Finding object as raw JSON   application/json   source
falcosidekick.tmpl  For compatibility with falcosidekick   application/json   source
  1. Basic Example: Raw JSON stdout

    The following example configures Tracee to output detections to stdout as raw JSON:

    $ docker run \
        --name tracee --rm -it \
        --pid=host --cgroupns=host --privileged \
        -v /etc/os-release:/etc/os-release-host:ro \
        -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
        aquasec/tracee:0.9.3 \
        --output-template /tracee/templates/rawjson.tmpl

  2. Deliver using a Webhook

  3. Deliver using Postee

    Tracee's default delivery mechanism when installed with Helm is Postee, which consumes detections rendered with the rawjson.tmpl Go template.

  4. Deliver using Falcosidekick

Authoring

When authoring a Go template for either stdout or webhook output, the template is executed with Tracee's types.Finding struct as its data source (the template's dot):

// Finding is the main output of a signature. It represents a match result for
// the signature business logic.
type Finding struct {
    SigMetadata SignatureMetadata      // information about the signature that made the detection
    Context     Event                  // the raw event that triggered the detection
    Data        map[string]interface{} // detection specific information
}

The Go template can utilize helper functions from Sprig.
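The following is an added example (not Tracee's own code) of rendering a Finding through an output template the way tracee-rules does. The SignatureMetadata and Event types are trimmed stand-ins for Tracee's real types, and the two helpers used by the template (upper and toJson, which in Tracee come from Sprig) are registered locally so the program runs offline. Fields that carry process-controlled strings, such as the process name, are passed through toJson so that quotes or control characters in an event cannot break the JSON line a downstream consumer parses.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-ins for Tracee's types: only the fields rendered below are modelled.
type SignatureMetadata struct {
	ID       string
	Name     string
	Severity int
}

type Event struct {
	ProcessName string
	HostName    string
}

// Finding mirrors the shape of Tracee's types.Finding.
type Finding struct {
	SigMetadata SignatureMetadata
	Context     Event
	Data        map[string]interface{}
}

// lineTemplate is a hypothetical --output-template: one JSON object per detection.
// Every string taken from the event goes through toJson so it is properly escaped.
const lineTemplate = `{"rule":{{ .SigMetadata.Name | upper | toJson }},"severity":{{ .SigMetadata.Severity }},"process":{{ .Context.ProcessName | toJson }},"data":{{ .Data | toJson }}}` + "\n"

// RenderFinding parses the template and executes it against one Finding.
// "upper" and "toJson" are local re-implementations of the Sprig helpers of the same name.
func RenderFinding(tmplText string, f Finding) (string, error) {
	funcs := template.FuncMap{
		"upper":  strings.ToUpper,
		"toJson": func(v interface{}) (string, error) { b, err := json.Marshal(v); return string(b), err },
	}
	tmpl, err := template.New("out").Funcs(funcs).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, f); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleFinding is a constructed detection whose process name contains quotes,
// the kind of value that would corrupt the output if it were not escaped.
func SampleFinding() Finding {
	return Finding{
		SigMetadata: SignatureMetadata{ID: "TRC-EXAMPLE", Name: "example detection", Severity: 2},
		Context:     Event{ProcessName: `bash -c "id"`, HostName: "host-1"},
		Data:        map[string]interface{}{"path": "/tmp/x"},
	}
}

func main() {
	out, err := RenderFinding(lineTemplate, SampleFinding())
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```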

For example templates, see tracee/cmd/tracee-rules/templates.