falcodump - Dump log data to a file using a Falco source plugin.
== SYNOPSIS
[manarg]
*falcodump*
[ *--help* ]
[ *--version* ]
[ *--plugin-api-version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--extcap-capture-filter*=<capture filter> ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--plugin-source*=<source path or URL> ]
== DESCRIPTION
*falcodump* is an extcap tool that allows one to capture log messages from cloud providers.
Each plugin is listed as a separate interface.
For example, the AWS CloudTrail plugin is listed as “cloudtrail”.
== OPTIONS
--help::
Print program arguments.
This will also list the configuration arguments for each plugin.
--version::
Print the program version.
--plugin-api-version::
Print the Falco plugin API version.
--extcap-interfaces::
List the available interfaces.
--extcap-interface=<interface>::
Use the specified interface.
--extcap-dlts::
List the DLTs of the specified interface.
--extcap-config::
List the configuration options of the specified interface.
--extcap-capture-filter=<capture filter>::
The capture filter.
Must be a valid Sysdig / Falco filter.
--capture::
Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo.
--fifo=<path to file or pipe>::
Save captured packets to a file or send them through a pipe.
The cloudtrail plugin uses the AWS SDK for Go, which can obtain profile, region, and credential settings from a set of standard https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/[environment variables and configuration files].
Falcodump will show a list of locally configured profiles and the current regions, and will let you supply a custom value as well.
----
arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture}
arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture}
arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture}
----
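The `arg {key=value}` lines above can be checked by script before a capture is started. The following Python is an added example, not part of falcodump or its documentation: it parses those lines and validates a planned set of option values against the declared types, defaults and required flags. The function names `parse_extcap_args` and `check_values`, the shortened sample lines and the placeholder source value are assumptions made for illustration.

```python
import re

# Constructed sample: the --extcap-config lines shown above, tooltips omitted.
SAMPLE = """\
arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{group=Capture}
arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{group=Capture}
arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{group=Capture}
"""

FIELD = re.compile(r"\{([^=}]+)=([^}]*)\}")  # one {key=value} group

def parse_extcap_args(text):
    """Return one dict of fields per 'arg' line, keyed by its 'call' value."""
    args = {}
    for line in text.splitlines():
        if line.startswith("arg "):
            fields = dict(FIELD.findall(line))
            args[fields["call"]] = fields
    return args

def check_values(args, values):
    """Validate supplied values; return (effective settings, problems)."""
    effective, problems = {}, []
    for call in values:
        if call not in args:
            problems.append(f"unknown option: {call}")
    for call, spec in args.items():
        value = values.get(call, spec.get("default"))
        if value is None:
            if spec.get("required") == "true":
                problems.append(f"missing required option: {call}")
            continue
        if spec["type"] == "integer" and not re.fullmatch(r"-?\d+", value):
            problems.append(f"{call}: expected integer, got {value!r}")
        elif spec["type"] == "boolean" and value not in ("true", "false"):
            problems.append(f"{call}: expected true or false, got {value!r}")
        effective[call] = value
    return effective, problems

if __name__ == "__main__":
    # Placeholder source value; sqsdelete overridden from its default of true.
    eff, probs = check_values(parse_extcap_args(SAMPLE),
        {"--plugin-source": "SOURCE-URL-PLACEHOLDER", "cloudtrail-sqsdelete": "false"})
    print(eff, probs)
```

Printing the effective settings makes defaults visible before the capture runs, including `cloudtrail-sqsdelete`, which defaults to `true`.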
To capture AWS CloudTrail events from an S3 bucket: