Capture API Traffic with eBPF Logger

Graylog API Security provides an eBPF logger that allows you to log encrypted API calls to your own security data lake. The eBPF logger is an open-source agent that logs API requests and responses to Graylog API Security for analysis and storage. This logger captures encrypted API calls without configuring any encryption keys or making any changes to client or server applications.

This article shows you how to set up the eBPF logger in your environment so that it can begin capturing traffic for Graylog API Security.

Warning: The eBPF logger is currently released as beta software and not intended for production environments! It should be used only for testing purposes in non-production environments.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • A valid Graylog API Security license.

  • 64-bit Intel or AMD CPU.

  • Linux kernel v5.8 or higher.

  • OpenSSL v1.0 or higher.

  • Root user or sudo privileges.

  • Network access to the Kubernetes cluster where Graylog API Security is running.

Limitations and Additional Considerations

The eBPF logger is beta software and subject to ongoing development. The following limitations apply at the time of writing; check back for future developments:

  • ARM64 chipsets are not supported.

  • API calls made via HTTP are not logged. Only HTTPS calls are currently supported.

  • Only applications using OpenSSL are supported.

  • HTTP v3, UDP, and streaming protocols are not supported.

Download and Install eBPF Logger

Run the following commands to install the eBPF logger on Linux hardware or a Linux VM.

  1. Download the logger binary:

    wget https://github.com/resurfaceio/logger-ebpf/releases/download/v1.1.1/ebpf-logger-amd64 && chmod +x ebpf-logger-amd64
  2. Run the logger binary:

    sudo USAGE_LOGGERS_EBPF_EXPATH="/lib/x86_64-linux-gnu/libssl.so.3" USAGE_LOGGERS_RULES="include debug" USAGE_LOGGERS_URL="https://GL_APISECURITY_HOST/fluke/message" ./ebpf-logger-amd64

    Be sure to update the environment variable values in the above command for your environment, if required, as described below:

      • USAGE_LOGGERS_EBPF_EXPATH: The path to the OpenSSL shared library. Run ldconfig -p | grep ssl to find this value.

      • USAGE_LOGGERS_RULES: The logging rules used to mask or remove specific details. Use include debug to log the entire request and response.

      • USAGE_LOGGERS_URL: The capture URL for the Graylog API Security instance, which looks like https://GL_APISECURITY_HOST/fluke/message.

    Hint: Set these environment variables inline as part of this command, as shown above. Installation fails if you set the values beforehand.
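    As an added example (not part of the Graylog documentation or the logger project), the following POSIX shell script checks the prerequisites listed above (kernel v5.8 or higher, 64-bit Intel/AMD CPU, OpenSSL present) and assembles the run command from step 2 with the discovered library path. It assumes uname and ldconfig are available and keeps GL_APISECURITY_HOST as a placeholder unless that variable is set.

```shell
#!/bin/sh
# Pre-flight check for the eBPF logger (added example, not Graylog's code).
# Assumes uname and ldconfig exist; GL_APISECURITY_HOST is a placeholder.

# Return 0 if a kernel release string (e.g. "5.8.0-63-generic") is >= v5.8.
kernel_ok() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# Return 0 only for the 64-bit Intel/AMD architecture the amd64 binary needs.
arch_ok() {
  case "$1" in x86_64|amd64) return 0 ;; *) return 1 ;; esac
}

# Pick the 64-bit OpenSSL libssl path out of `ldconfig -p` output.
# "libssl\.so" deliberately skips NSS's libssl3.so, which a plain
# `grep ssl` would also match but which is not OpenSSL.
libssl_path() {
  printf '%s\n' "$1" | awk '/libssl\.so/ && /x86-64/ { print $NF; exit }'
}

# Assemble the run command from the page with the given library path and host.
logger_cmd() {
  printf 'sudo USAGE_LOGGERS_EBPF_EXPATH="%s" USAGE_LOGGERS_RULES="include debug" USAGE_LOGGERS_URL="https://%s/fluke/message" ./ebpf-logger-amd64\n' "$1" "$2"
}

# Run all checks; on success print the command for review instead of running it.
preflight() {
  k=$(uname -r); a=$(uname -m)
  kernel_ok "$k" || { echo "kernel $k is older than v5.8" >&2; return 1; }
  arch_ok "$a"   || { echo "arch $a is not x86_64 (ARM64 is unsupported)" >&2; return 1; }
  lib=$(libssl_path "$(ldconfig -p 2>/dev/null)")
  [ -n "$lib" ] || { echo "no OpenSSL libssl found via ldconfig" >&2; return 1; }
  logger_cmd "$lib" "${GL_APISECURITY_HOST:-GL_APISECURITY_HOST}"
}
```

    Call preflight once the binary is downloaded; it prints the assembled command so you can confirm the library path and host before running it.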

When this process is complete, configured traffic should begin to appear in your Graylog API Security dashboard.

Use CTRL-C if you need to stop the logger.