Built a Falco Plugin for AWS ELB Access Logs

Ever wished you could monitor your AWS load balancer logs in real-time? AWS ELB access logs are packed with security gold, but they're usually just sitting in S3 as static files. Let's fix that with falco-plugin-aws-elb! What is Falco 🦅? Falco…

From Kernel to Kubernetes: KubeCon + CloudNativeCon Japan 2025

On June 16, 2025, I gave a Lightning Talk at KubeCon + CloudNativeCon Japan 2025. The title of my talk was: “From Kernel To Kubernetes: Mapping eBPF-Detected Processes To Pods!” In this session, I explored how Tetragon connects the Linux kernel to Kubernetes by enriching eBPF-detected process data with Kubernetes metadata. You can check out…

Inside Tetragon: How eBPF Powers Process Lifecycle Monitoring

On Mar 15, 2025, I had the pleasure of presenting at the Cloud Native Community Japan - eBPF Japan Meetup #3, where I introduced Tetragon's implementation of eBPF-based Process Lifecycle Monitoring. I'd like to share a brief overview of my talk in this blog post. You can access…

Getting to Know TGID and PID in eBPF: Essential for Observability

When working with eBPF, retrieving process and thread information is essential for monitoring and observability. One commonly used helper function for this purpose is bpf_get_current_pid_tgid(). It provides both the Thread Group ID (TGID) and the Process ID (PID). But what exactly are TGID and PID, and how do they differ 🤔?

Tetragon-mini by Rust: eBPF-based process monitoring

TL;DR; I created eBPF-based software in Rust that can monitor the Process lifecycle. 🦀🐝
🚀 process 101708: root: /usr/sbin/iptables
💥 exit 101708: root: /usr/sbin/iptables
🚀 process 101705: yukinakamura: /usr/bin/cat
💥 exit 101705: yukinakamura: /usr/bin/cat
🚀 process 101758: yukinakamura: /usr/bin/sed
💥 exit 101758: yukinakamura: /usr/bin/sed

eBPF Tail Calls with Rust Aya

TL;DR This guide demonstrates how to implement eBPF Tail Calls using Rust's Aya. 🦀🐝 Introduction: Tail Calls Tail calls…

Writing eBPF Kprobe Program with Rust Aya

TL;DR In this post, I’ll walk you through an example of an eBPF Kprobe program using Aya with Rust. 🦀🐝

Writing eBPF RawTracepoint Program with Rust Aya

TL;DR In this post, I’ll walk you through an example of an eBPF RawTracepoint program using Aya with Rust. 🦀🐝

Tetragon Process Lifecycle Observation: Tetragon Agent Part

TL;DR In this post, I explain how the Tetragon Agent reads process lifecycle data from the eBPF Map and sends it to clients. 🐝 (Figure: Process lifecycle data flow)

Tetragon Process Lifecycle Observation: eBPF Part

TL;DR In this post, I explain how Tetragon detects process creation and termination using eBPF. 🐝 Introduction I was really impressed when I used Tetragon for the first time.…