Project

General

Profile

Actions
Copy link

Task #7382

closed
PB PB

Monitoring at a different level (BPF/Suricata/Cilium)

Task #7382: Monitoring at a different level (BPF/Suricata/Cilium)

Added by Philipp Buehler about 6 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Philipp Buehler
Start date:
11/29/2019
Due date:
% Done:

0%

Estimated time:
PM Check date:

Description

Traditional pull based monitoring (nagios et al) is DEAD>
Push based (partly Prometheus, Riemann) is cooler.

But it's still somewhat superficial requests.. how about
monitoring directly "from the wire".

Reasearch on gathering data on an app-level without
app-internal instrumentation (eg. haproxy/suricata).

PB Updated by Philipp Buehler about 6 years ago Actions
Copy link
 #2

The idea is to tproxy chain haproxy traffic and let suricata "inspect" the traffic.
Pull the eve.json output into ELG or so.

haproxy:
listen inbound
bind public-ip:80
server moni 172.23.42.1:80 send-proxy # lives on a loopback if (e.g. lo1)
frontend monitor-in
bind 172.23.42.1:80 accept-proxy name monitor-in

suricata makes traffic analysis on lo1

PB Updated by Philipp Buehler about 6 years ago Actions
Copy link
 #3

  • Status changed from New to Waiting

Time ran out, VM too slow to install all necessary toolchain

NS Updated by Nico Schottelius about 2 years ago Actions
Copy link
 #4

  • Status changed from Waiting to Closed
Actions
Copy link

Also available in: PDF Atom