You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

146 lines
4.6 KiB

= falcodump(1)
:doctype: manpage
:stylesheet: ws.css
:copycss: ../docbook/{stylesheet}
falcodump - Dump log data to a file using a Falco source plugin.
[ *--help* ]
[ *--version* ]
[ *--plugin-api-version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--extcap-capture-filter*=<capture filter> ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--plugin-source*=<source path or URL> ]
*falcodump* is an extcap tool that allows one to capture log messages from cloud providers.
Each plugin is listed as a separate interface.
For example, the AWS CloudTrail plugin is listed as “cloudtrail”.
Print program arguments.
This will also list the configuration arguments for each plugin.
Print the program version.
Print the Falco plugin API version.
List the available interfaces.
Use the specified interface.
List the DLTs of the specified interface.
List the configuration options of specified interface.
--extcap-capture-filter=<capture filter>::
The capture filter.
Must be a valid Sysdig / Falco filter.
Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo.
--fifo=<path to file or pipe>::
Save captured packet to file or send it through pipe.
--plugin-source=<source path or URL>::
Capture from the specified location.
=== cloudtrail (AWS CloudTrail)
CloudTrail sources can be S3 buckets or SQS queue URLs. S3 bucket URLs have the form
The __region__, __year__, _month_, and __day__ components can be omitted in order to fetch more or less data.
For example, the source s3://mybucket/AWSLogs/012345678/CloudTrail/us-west-2/2023 will fetch all CloudWatch logs for the year 2023.
The cloudtrail plugin uses the AWS SDK for Go, which can obtain profile, region, and credential settings from a set of standard[environment variables and configuration files].
Falcodump will show a list of locally configured profiles and the current regions, and will let you supply a custom value as well.
To see program arguments:
falcodump --help
To see program version:
falcodump --version
To see interfaces:
falcodump --extcap-interfaces
Only one interface (falcodump) is supported.
.Example output
interface {value=cloudtrail}{display=Falco plugin}
To see interface DLTs:
falcodump --extcap-interface=cloudtrail --extcap-dlts
.Example output
dlt {number=147}{name=cloudtrail}{display=USER0}
To see interface configuration options:
falcodump --extcap-interface=cloudtrail --extcap-config
.Example output
arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture}
arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture}
arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture}
To capture AWS CloudTrail events from an S3 bucket:
falcodump --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs.../CloudTrail/us-east-2/... --capture
NOTE: kbd:[CTRL+C] should be used to stop the capture in order to ensure clean termination.
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4)
//, xref:logray.html[logray](1)
*falcodump* is part of the *Logray* distribution.
The latest version of *Logray* can be found at
HTML versions of the Wireshark project man pages are available at
.Original Author
Gerald Combs <gerald[AT]>