Webhook from Tracee-eBPF Directly? #732
It appears from the code and the high-level overview of Tracee's workflow that the webhook feature of Tracee's output is designed to attach to Tracee-Rules after events have been filtered from the Tracee-eBPF. Is it possible in Tracee's current state to post directly from a trace?
Replies: 1 comment 5 replies
Yes, Tracee-eBPF can't call a webhook. This is by design, since raw trace is very verbose and an HTTP callback is not the best in this case, so Tracee-eBPF writes to a file which is a bit more suitable for the volume and velocity of events. Also, we consider Tracee-eBPF an internal component of Tracee, and the integration features (like webhook) are applied to Tracee and not that internal component.

If you can't read from the file, here's a quick workaround that will help you achieve what you wanted: just create a new Tracee Rule that matches everything. The effect is that when you run Tracee it will "detect" every raw event and call the webhook. Let me know if that needs clarification or help. May I also ask about your use case? What are you trying to achieve? Perhaps we could suggest other solutions or learn about what we should fix in Tracee.
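An added example of the "rule that matches everything" workaround from the reply above (this is illustrative code, not a signature shipped with Tracee). It assumes the Rego signature layout that Tracee-Rules loads: a `__rego_metadata__` object, an `eventSelectors` list exposed through `tracee_selected_events`, and a `tracee_match` rule. The signature id `TRC-EXAMPLE-ALL` is a placeholder, and the `"*"` event name is assumed to mean "subscribe to every event".

```rego
package tracee.TRC_EXAMPLE_ALL

# Placeholder metadata: id and name are chosen for this example only.
__rego_metadata__ := {
	"id": "TRC-EXAMPLE-ALL",
	"version": "0.1.0",
	"name": "Forward every event",
	"description": "Matches every raw Tracee-eBPF event so the configured webhook receives it",
	"tags": ["linux", "container"],
	"properties": {
		"Severity": 1,
	},
}

# Assumption: "*" subscribes this signature to every event name.
# Replace it with specific event names (e.g. only the ones you care about)
# to cut the volume reaching the webhook endpoint.
eventSelectors := [{
	"source": "tracee",
	"name": "*",
}]

tracee_selected_events[eventSelector] {
	eventSelector := eventSelectors[_]
}

# No conditions at all: every selected event becomes a finding,
# which is what causes the webhook to fire for each raw event.
tracee_match {
	true
}
```

Drop the file into the directory Tracee-Rules loads signatures from and start Tracee with the webhook configured as usual (check `tracee-rules --help` for the exact flag names in your version). Because this turns every raw event into a finding, the webhook receiver sees the full event stream the reply describes as verbose; narrowing `eventSelectors` to the event names you actually need is the simplest way to keep that volume manageable.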