osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
wireshark/doc/falcodump.adoc

146 lines
4.6 KiB
Raw Permalink Blame History

include::../docbook/attributes.adoc[]
= falcodump(1)
:doctype: manpage
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
== NAME
falcodump - Dump log data to a file using a Falco source plugin.
== SYNOPSIS
[manarg]
*falcodump*
[ *--help* ]
[ *--version* ]
[ *--plugin-api-version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--extcap-capture-filter*=<capture filter> ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--plugin-source*=<source path or URL> ]
== DESCRIPTION
*falcodump* is an extcap tool that allows one to capture log messages from cloud providers.
Each plugin is listed as a separate interface.
For example, the AWS CloudTrail plugin is listed as “cloudtrail”.
== OPTIONS
--help::
Print program arguments.
This will also list the configuration arguments for each plugin.
--version::
Print the program version.
--plugin-api-version::
Print the Falco plugin API version.
--extcap-interfaces::
List the available interfaces.
--extcap-interface=<interface>::
Use the specified interface.
--extcap-dlts::
List the DLTs of the specified interface.
--extcap-config::
List the configuration options of specified interface.
--extcap-capture-filter=<capture filter>::
The capture filter.
Must be a valid Sysdig / Falco filter.
--capture::
Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo.
--fifo=<path to file or pipe>::
Save captured packet to file or send it through pipe.
--plugin-source=<source path or URL>::
Capture from the specified location.
== PLUGINS
=== cloudtrail (AWS CloudTrail)
CloudTrail sources can be S3 buckets or SQS queue URLs. S3 bucket URLs have the form
s3://__bucket_name__/AWSLogs/__id__/CloudTrail/__region__/__year__/_month_/__day__
The __region__, __year__, _month_, and __day__ components can be omitted in order to fetch more or less data.
For example, the source s3://mybucket/AWSLogs/012345678/CloudTrail/us-west-2/2023 will fetch all CloudWatch logs for the year 2023.
The cloudtrail plugin uses the AWS SDK for Go, which can obtain profile, region, and credential settings from a set of standard https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/[environment variables and configuration files].
Falcodump will show a list of locally configured profiles and the current regions, and will let you supply a custom value as well.
== EXAMPLES
To see program arguments:
falcodump --help
To see program version:
falcodump --version
To see interfaces:
falcodump --extcap-interfaces
Only one interface (falcodump) is supported.
.Example output
interface {value=cloudtrail}{display=Falco plugin}
To see interface DLTs:
falcodump --extcap-interface=cloudtrail --extcap-dlts
.Example output
dlt {number=147}{name=cloudtrail}{display=USER0}
To see interface configuration options:
falcodump --extcap-interface=cloudtrail --extcap-config
.Example output
arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture}
arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture}
arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture}
To capture AWS CloudTrail events from an S3 bucket:
falcodump --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs.../CloudTrail/us-east-2/... --capture
NOTE: kbd:[CTRL+C] should be used to stop the capture in order to ensure clean termination.
== SEE ALSO
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
//, xref:logray.html[logray](1)
== NOTES
*falcodump* is part of the *Logray* distribution.
The latest version of *Logray* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at
https://www.wireshark.org/docs/man-pages.
== AUTHORS
.Original Author
[%hardbreaks]
Gerald Combs <gerald[AT]wireshark.org>
View Git Blame Copy Permalink