Overview

This article explains how to ingest logs from Sysdig products into Hunters.

Once integrated, these logs are used by Hunters to surface the alerts generated by Sysdig and to allow advanced investigation over your container assets. All generated signals are inserted into the Hunters graph and correlated with other related signals.

Supported Data Types

  1. Sysdig Secure Events - Alerts generated by Sysdig, previously known as Sysdig Policy Events. For more details see here.

  2. Sysdig Activity Audit - Command - Audit logs generated by Sysdig for command executions. For more details see here.

  3. Sysdig Activity Audit - File Access - Audit logs generated by Sysdig for file access. For more details see here.

  4. Sysdig Activity Audit - Network - Audit logs generated by Sysdig for network connections. For more details see here.

  5. Sysdig Activity Audit - Kubernetes - Audit logs generated by Sysdig for Kubernetes command executions. For more details see here.

Hunters Ingestion

For Hunters to integrate with your Sysdig logs, the log files must be collected into a storage service (e.g. an S3 bucket or Azure Blob Storage) that is shared with Hunters. Log files can be written under a single prefix in the storage, or separated into a different prefix per data type.

Expected Format

Each log file must contain one event per line, with every event encoded as a single JSON object (NDJSON: events are separated by a newline, and a JSON object must not span multiple lines).

Each of the above data types has its own format, as specified here:

  1. Secure Events Format

  2. Audit Command

  3. Audit File Access

  4. Audit Network

  5. Audit Kubernetes

Example of Audit Command events in an NDJSON file (one JSON object per line; timestamps are epoch nanoseconds):

{"id":"164806c17885b5615ba513135ea13d79","agentId":32212,"cmdline":"calico-node-felix-ready-bird-ready","comm":"calico-node","containerId":"a407fb17332b","count":1,"cwd":"/","hostname":"qa-k8smetrics","loginShellDistance":0,"loginShellId":0,"pid":29278,"ppid":29275,"rxTimestamp":1605540695537513500,"timestamp":1605540695178065200,"type":"command","tty":0,"uid":0}
{"id":"164806c17885b5615ba513135ea13d780","agentId":32213,"cmdline":"calico-node-felix-ready-bird-not-ready","comm":"calico-node","containerId":"a407fb17332c","count":5,"cwd":"/temp/","hostname":"qa-test123","loginShellDistance":0,"loginShellId":0,"pid":29271,"ppid":29273,"rxTimestamp":1605540695537513500,"timestamp":1605550695178065200,"type":"command","tty":0,"uid":0}
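Because a single malformed line (for example an unterminated string in the id field) can silently drop or corrupt events at ingestion, it is worth validating a file before sharing it with Hunters. The following Python script is an added example written for this article; it is not Sysdig or Hunters code. It parses an NDJSON file line by line, reports bad lines with their line number instead of aborting, checks the fields seen in the Audit Command example above (the required-field list is taken from that example, not from a published Sysdig schema), confirms that timestamps are epoch nanoseconds, and summarizes which commands ran in which container on which host. The sample input is constructed and embedded inline.

```python
"""Validate a Sysdig Activity Audit "command" NDJSON file before sharing it with Hunters.

Hypothetical helper written for this article; not Sysdig or Hunters code.
The required-field list and the sample lines are modelled on the page's example events.
"""
import json
from datetime import datetime, timedelta, timezone

# Fields present in every "command" event in the page's example (assumption, not a schema).
REQUIRED_COMMAND_FIELDS = (
    "id", "agentId", "cmdline", "comm", "containerId", "hostname",
    "pid", "ppid", "timestamp", "type", "uid",
)

# Constructed sample file: two well-formed events modelled on the page's example and
# one line whose id value is missing its closing quote, to show that a malformed
# line is reported with its line number rather than aborting the whole file.
SAMPLE_NDJSON = "\n".join([
    '{"id":"164806c17885b5615ba513135ea13d79","agentId":32212,"cmdline":"calico-node-felix-ready-bird-ready",'
    '"comm":"calico-node","containerId":"a407fb17332b","count":1,"cwd":"/","hostname":"qa-k8smetrics",'
    '"loginShellDistance":0,"loginShellId":0,"pid":29278,"ppid":29275,"rxTimestamp":1605540695537513500,'
    '"timestamp":1605540695178065200,"type":"command","tty":0,"uid":0}',
    '{"id":"164806c17885b5615ba513135ea13d780,"agentId":32213,"cmdline":"broken line","type":"command"}',
    '{"id":"0a1b2c3d4e5f60718293a4b5c6d7e8f9","agentId":32213,"cmdline":"sh -c id","comm":"sh",'
    '"containerId":"a407fb17332c","count":1,"cwd":"/tmp","hostname":"qa-test123",'
    '"loginShellDistance":1,"loginShellId":29270,"pid":29271,"ppid":29270,"rxTimestamp":1605550695537513500,'
    '"timestamp":1605550695178065200,"type":"command","tty":1,"uid":0}',
    "",
])


def ns_to_utc(ns):
    """Sysdig timestamps are epoch nanoseconds; convert exactly (no float) to an aware UTC datetime."""
    return datetime.fromtimestamp(ns // 10**9, tz=timezone.utc) + timedelta(microseconds=(ns % 10**9) // 1000)


def validate_command_event(event):
    """Return a list of problems with one parsed 'command' event (an empty list means OK)."""
    problems = [f"missing field {field!r}" for field in REQUIRED_COMMAND_FIELDS if field not in event]
    if problems:
        return problems
    if event["type"] != "command":
        problems.append(f"unexpected type {event['type']!r}")
    ts = event["timestamp"]
    # Anything below 1e15 is seconds or milliseconds, not nanoseconds; it would land decades in the past.
    if isinstance(ts, bool) or not isinstance(ts, int) or ts < 10**15:
        problems.append("timestamp is not epoch nanoseconds")
    return problems


def parse_ndjson(text):
    """Parse NDJSON into (events, errors); errors are (1-based line number, message) tuples.

    A bad line is skipped and reported, never fatal, so one corrupt record does not
    hide the rest of the file. Blank lines (e.g. the trailing newline) are tolerated.
    """
    events, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"invalid JSON: {exc.msg} at column {exc.colno}"))
            continue
        problems = validate_command_event(event)
        if problems:
            errors.append((lineno, "; ".join(problems)))
            continue
        events.append(event)
    return events, errors


def summarize(events):
    """Group accepted events by hostname: when, in which container and as which uid each command ran."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["hostname"], []).append({
            "time": ns_to_utc(ev["timestamp"]).isoformat(),
            "container": ev["containerId"],
            "uid": ev["uid"],
            "cmdline": ev["cmdline"],
        })
    return by_host


if __name__ == "__main__":
    accepted, rejected = parse_ndjson(SAMPLE_NDJSON)
    for lineno, message in rejected:
        print(f"line {lineno}: {message}")
    for host, rows in summarize(accepted).items():
        print(host)
        for row in rows:
            print(f"  {row['time']}  container={row['container']} uid={row['uid']}  {row['cmdline']}")
```

Run it against a file pulled from the shared bucket (replace SAMPLE_NDJSON with the file contents) before onboarding: any reported line means the exporter on the Sysdig side is writing something other than one complete JSON object per line, which is what the Expected Format section requires.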