ok, working
sween committed Nov 14, 2024
1 parent e50442e commit a74de19
Showing 10 changed files with 143 additions and 117 deletions.
31 changes: 18 additions & 13 deletions Dockerfile
@@ -1,20 +1,25 @@
# Use an official Python runtime as a parent image
FROM python:3.9-slim
# Meh, could be better, but this is easy
FROM ubuntu:noble

# Set the working directory in the container
WORKDIR /src
WORKDIR /tetragon-crwd

# Copy the current directory contents into the container at /app
COPY . /src/
COPY src/. /tetragon-crwd

# Install any needed dependencies specified in requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
# Envs
ENV PYTHONUNBUFFERED=1

# Make port 8080 available to the world outside this container
EXPOSE 8080
# Install kubectl and logscale python library, yadda yadda yadda

# Define environment variable
ENV NAME World

# Run app.py when the container launches
CMD ["python", "app.py"]
RUN chmod +x /tetragon-crwd/tetragon-crwd-logscale.py
RUN apt update -y
RUN apt install python3 python3-pip pipx curl -y
# RUN pipx install humiolib <---time suck
RUN pip3 install humiolib --break-system-packages
# RUN pipx ensurepath <---time suck
RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
RUN install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
RUN kubectl version --client
RUN curl -L https://github.com/cilium/tetragon/releases/latest/download/tetra-linux-amd64.tar.gz | tar -xz
RUN mv tetra /usr/local/bin
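Review bot: The kubectl download driven by `stable.txt` and the `curl ... | tar -xz` of the tetra `releases/latest` tarball on the last five lines fetch whatever is current at build time with no version pin and no checksum check, so the image is not reproducible and a substituted or tampered release artifact would be installed silently. `RUN pip3 install humiolib --break-system-packages` has the same problem for the Python dependency. Pin each artifact to a version supplied as a build `ARG` and verify the download against its published sha256 before installing (the kubectl release publishes a `kubectl.sha256` next to the binary; see the rewrite below). Consider also running `apt-get install --no-install-recommends` and `rm -rf /var/lib/apt/lists/*` in the same layer as `apt update`, and adding a non-root `USER`, since the script only needs to read a mounted log file.

```dockerfile
# … unchanged: FROM, WORKDIR, COPY, ENV, apt update/install …
ARG KUBECTL_VERSION=<PINNED_KUBECTL_VERSION>
ARG TETRA_VERSION=<PINNED_TETRA_VERSION>
ARG TETRA_SHA256=<EXPECTED_SHA256_OF_TETRA_TARBALL>
RUN pip3 install "humiolib==<PINNED_HUMIOLIB_VERSION>" --break-system-packages
RUN curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
 && curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check \
 && install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
RUN curl -fsSL -o tetra.tar.gz "https://github.com/cilium/tetragon/releases/download/${TETRA_VERSION}/tetra-linux-amd64.tar.gz" \
 && echo "${TETRA_SHA256}  tetra.tar.gz" | sha256sum --check \
 && tar -xzf tetra.tar.gz && mv tetra /usr/local/bin
```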
37 changes: 31 additions & 6 deletions README.md
@@ -1,18 +1,43 @@
![Tetragon CRWD Logscale](assets/tetragon-crwd-logscale.png)

A Daemonset to send Tetragon Events to Crowdstrike Falcon LogScale NG-SIEM
A DaemonSet to tail and push Tetragon Events to Crowdstrike Falcon LogScale SIEM ingestion endpoint.

## Quick Start
To be performed in the style of an Isovalent Lab.


### Kind Cluster
```
kubectl create configmap tetra-crwd-config --from-file tetragon-crwd-logscale.py -n kube-system
```

### Cilium
If for nothing else, Cilium[link] is a CNI of bad assery.
```
```

### Build
### Tetragon
Defaults should get it done with Tetragon[link], the star of our show.
```
docker build -t tetragon-logscale .
docker image tag tetragon-logscale sween/tetragon-logscale:latest
docker push sween/tetragon-logscale:latest
```


### Crowdstrike LogScale Community


### Container

To Build the container...

```
docker build -t tetragon-crwd-logscale .
docker image tag tetragon-crwd-logscale sween/tetragon-crwd-logscale:latest
docker push sween/tetragon-crwd-logscale:latest # push wherever
```




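--- a/chart/tetragon-crwd-logscale/Chart.yaml
+++ b/chart/tetragon-crwd-logscale/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+description: 'A Solution to send Tetragon Events to Crowdstrike Falcon LogScale SIEM'
+name: tetragon-crwd-logscale
+version: 0.0.1
+appVersion: 0.0.1
+maintainers:
+- name: Ron Sweeney
+email: [email protected]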
@@ -0,0 +1,41 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: tetragon-crwd-logscale
namespace: kube-system
labels:
k8s-app: tetragon-crwd-logscale
spec:
selector:
matchLabels:
name: app.kubernetes.io/name=tetragon
template:
metadata:
labels:
name: tetragon-crwd-logscale
spec:
containers:
- name: tetragon-crwd-logscale
image: sween/tetragon-crwd-logscale:latest
command: ["/usr/bin/python3"]
args: ["/tetragon-crwd/tetragon-crwd-logscale.py"]
env:
- name: CS_LOGSCALE_APIKEY
valueFrom:
secretKeyRef:
name: cs-logscale-apikey
key: apikey
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi
volumeMounts:
- name: varlog
mountPath: /var/log/tetragon
terminationGracePeriodSeconds: 30
volumes:
- name: varlog
hostPath:
path: /var/run/cilium/tetragon
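Review bot: `spec.selector.matchLabels` is `name: app.kubernetes.io/name=tetragon` while the pod template carries `name: tetragon-crwd-logscale`; an apps/v1 DaemonSet requires the selector to match its template labels, so the API server will reject this manifest as written, and the fix is `name: tetragon-crwd-logscale` under `matchLabels`. The hostPath volume `/var/run/cilium/tetragon` is mounted writable and the container declares no `securityContext`; since the script only tails the log, add `readOnly: true` to the `varlog` volumeMount and a container securityContext with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}`. `image: sween/tetragon-crwd-logscale:latest` is unpinned, so every node pull can resolve to different content; pin to a release tag or an `@sha256:` digest. The file path for this section is not shown on the page, so the points above refer to the DaemonSet manifest by content only.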
55 changes: 0 additions & 55 deletions deploy/crwd.yaml

This file was deleted.

88 changes: 45 additions & 43 deletions src/tetragon-crwd-logscale.py
@@ -1,49 +1,51 @@
#!/usr/bin/env python

import json
import sys
import time
import json
import os
import sys
import requests
import socket
import subprocess
from datetime import datetime
from humiolib.HumioClient import HumioIngestClient


# Required for CRWD Data Source
today = datetime.now()
fqdn = socket.getfqdn()
input_string = sys.stdin.read()
input_json = json.loads(input_string)


payload = [
{
"tags": {
"host": fqdn,
"source": "irislogd"
},
"events": [
{
"timestamp": today.isoformat(sep='T',timespec='auto') + "Z",
"attributes": input_json
}
]
}
]

file1 = open('/tmp/log.log', 'w')


# Writing a string to file
file1.write(input_string)


client = HumioIngestClient(
base_url= "https://cloud.community.humio.com",
ingest_token= "6d8e981f-928c-4add-8acf-81c9a5dbb512" # os.environ["CS_LOGSCALE_APIKEY"]
)

ingest_response = client.ingest_json_data(payload)
print(ingest_response)

def send_siem(line):
# Do something with the line
print(line.decode())
# Required for CRWD Data Source
today = datetime.now()
fqdn = socket.getfqdn()
input_json = json.loads(line.decode())


payload = [
{
"tags": {
"host": fqdn,
"source": "tetragon"
},
"events": [
{
"timestamp": today.isoformat(sep='T',timespec='auto') + "Z",
"attributes": input_json
}
]
}
]


client = HumioIngestClient(
base_url= "https://cloud.community.humio.com",
ingest_token = os.environ["CS_LOGSCALE_APIKEY"])

ingest_response = client.ingest_json_data(payload)
print(ingest_response)


def tail_file(filename):
process = subprocess.Popen(["tail", "-f", filename], stdout=subprocess.PIPE)
while True:
line = process.stdout.readline()
if not line:
break
send_siem(line)

tail_file("/var/log/tetragon/tetragon.log")
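Review bot: In `send_siem`, `today = datetime.now()` is a naive local time yet the timestamp appends a literal `"Z"`, so every event is labelled UTC while carrying the node's local clock; use `today = datetime.now(timezone.utc)` with `from datetime import datetime, timezone` and drop the `+ "Z"` (isoformat then emits the `+00:00` offset). `json.loads(line.decode())` is unguarded, so a single partial or non-JSON line from `tail` raises out of `tail_file`'s loop and the whole pod exits; catch `(json.JSONDecodeError, UnicodeDecodeError)` and skip that line. The `HumioIngestClient` is also rebuilt for every event and can be created once at module scope, which additionally makes a missing `CS_LOGSCALE_APIKEY` fail at startup rather than on the first event. Separately, the literal `ingest_token` this commit removes still exists in the parent commit's history and should be treated as exposed and rotated. A rewrite of `send_siem` with these changes follows.

```python
# … unchanged: imports (add `timezone` to the datetime import) …

fqdn = socket.getfqdn()
client = HumioIngestClient(
    base_url="https://cloud.community.humio.com",
    ingest_token=os.environ["CS_LOGSCALE_APIKEY"])


def send_siem(line):
    try:
        input_json = json.loads(line.decode())
    except (json.JSONDecodeError, UnicodeDecodeError):
        print("skipping non-JSON line", file=sys.stderr)
        return
    today = datetime.now(timezone.utc)
    payload = [{
        "tags": {"host": fqdn, "source": "tetragon"},
        "events": [{
            "timestamp": today.isoformat(sep='T', timespec='auto'),
            "attributes": input_json,
        }],
    }]
    print(client.ingest_json_data(payload))

# … unchanged: tail_file and the tail_file(...) call …
```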
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
