Ever wished you could monitor your AWS load balancer logs in real-time? AWS ELB access logs are packed with security gold, but they’re usually just sitting in S3 as static files. Let’s fix that with a falco-plugin-aws-elb!
What is Falco 🦅?
Falco is your friendly neighborhood security watchdog. It’s an open-source tool that keeps an eye on your systems and barks when something suspicious happens. It uses eBPF to monitor system calls in real-time with super low overhead.
What are Falco Plugins?
Here’s where things get exciting! Falco plugins are game-changers that extend Falco way beyond traditional system call monitoring. They let you:
- Connect to any data source – cloud APIs, databases, log files, you name it
- Parse any format – JSON, CSV, or even your own custom formats
- Write rules once, use everywhere – the same Falco rule syntax works across all data sources
The best part? You can write plugins in multiple languages including Go, C++, and now Rust🦀! The Rust support was recently added and it’s been a fantastic addition to the ecosystem.
The Problem
ELB access logs are treasure troves of security data – client IPs, request patterns, suspicious user agents, and more. But here’s the catch: they’re stored as files in S3, which makes real-time monitoring a pain. By the time you notice something fishy, the attack might already be over!
Solution
So I built a Falco plugin in Rust that:
- Watches S3 buckets like a hawk for new ELB log files
- Automatically parses logs (even handles those pesky .gz files!)
- Feeds everything into Falco’s rule engine for instant alerts
It’s like having a direct pipeline from your load balancer logs to your security team!
Example Rule
Now for the fun part – let’s catch some bad guys!
- Detect Suspicious User Agents
- rule: ELB Suspicious User Agent
desc: Detect suspicious user agents accessing ELB
condition:
awselb.user_agent contains "sqlmap" or awselb.user_agent contains "nmap" or awselb.user_agent contains "nikto"
output:
Suspicious user agent detected in ELB access logs
(elb=%awselb.name client_ip=%awselb.client_ip user_agent=%awselb.user_agent)
priority: WARNING
Quick Start
Ready to give it a try? Here’s how (for detailed instructions, check out the README and contribution guide):
- Build the plugin:
git clone https://github.com/yukinakanaka/falco-plugin-aws-elb
cd falco-plugin-aws-elb
make
sudo mv libawselb.so /usr/share/falco/plugins/
2. Configure Falco (falco.yaml):
plugins:
- name: awselb
library_path: libawselb.so
init_config: '{"region": "us-west-2", "s3Bucket": "your-elb-logs-bucket", "s3Prefix": "elb-access-logs/"}'
open_params: '{}'
load_plugins: [awselb]
3. Run and watch the magic happen:
sudo falco -c falco.yaml -r awselb_rules.yaml
Why Rust 🦀?
I chose Rust for some pretty cool reasons:
- Memory safety: No crashes from those pesky memory bugs
- Zero-cost abstractions: Blazing fast log processing with no runtime overhead
- Excellent AWS SDK: First-class AWS integration with comprehensive S3 support
- Native async: Built-in async/await makes concurrent S3 operations effortless
Rust support in Falco plugins is relatively new and exciting. I get to be early adopters of this awesome tech!
Available Fields
The plugin exposes 30+ ELB log fields, so you can get creative with your rules:
awselb.client_ip,awselb.client_port– know who’s knockingawselb.request_verb,awselb.request_url– see what they wantawselb.user_agent,awselb.elb_status_code– catch the suspicious stuffawselb.target_processing_time– spot performance issues- And many more goodies…
Conclusion
This plugin makes ELB access log monitoring dead simple and real-time. You don’t need complex log processing pipelines or expensive tools. Just point Falco at your S3 bucket and start writing security rules!
It’s perfect for catching:
- Sneaky reconnaissance attempts 🕵️
- Suspicious user agents (looking at you,
sqlmap!) - Performance hiccups
- HTTP error tsunamis
Give it a shot and let us know what security insights you discover!
Want to contribute? Great! Check out our Contributing Guide to get started.
Yuki Nakamura's Blog 