exporters

package
v0.3.10
Warning

This package is not in the latest version of its module.

Published: Dec 30, 2025 License: Apache-2.0 Imports: 29 Imported by: 0

README

KubeCop exporters package

This package contains the exporters for the KubeCop project.

Exporters

The following exporters are available:

Alertmanager

The Alertmanager exporter is used to send alerts to the Alertmanager. The Alertmanager will then send the alerts to the configured receivers. This exporter supports multiple Alertmanagers. The alerts will be sent to all configured Alertmanagers. To enable the Alertmanager exporter, set the following environment variables:

  • ALERTMANAGER_URLS: The URLs of the Alertmanagers. Example: localhost:9093 or localhost:9093,localhost:9094

STD OUT

The STD OUT exporter is used to print the alerts to the standard output. This exporter is enabled by default. To disable the STD OUT exporter, set the following environment variable:

  • STDOUT_ENABLED: Set to false to disable the STD OUT exporter.

SYSLOG

The SYSLOG exporter is used to send the alerts to a syslog server. This exporter is disabled by default. NOTE: The syslog message format is RFC 5424. To enable the SYSLOG exporter, set the following environment variables:

  • SYSLOG_HOST: The host of the syslog server. Example: localhost:514
  • SYSLOG_PROTOCOL: The protocol of the syslog server. Example: tcp or udp

CSV

The CSV exporter is used to write the alerts to a CSV file. This exporter is disabled by default. To enable the CSV exporter, set the following environment variables:

  • EXPORTER_CSV_RULE_PATH: The path to the CSV file of the failed rules. Example: /tmp/alerts.csv
  • EXPORTER_CSV_MALWARE_PATH: The path to the CSV file of the malware found. Example: /tmp/malware.csv

HTTP endpoint

The HTTP endpoint exporter is used to send the alerts to an HTTP endpoint. This exporter is disabled by default. To enable the HTTP endpoint exporter, set the following environment variables:

  • HTTP_ENDPOINT_URL: The URL of the HTTP endpoint. Example: http://localhost:8080/alerts

The exporter sends a POST request to the specified URL with the alerts as the body. Alerts are limited to 10000 per minute; once the limit is reached, the exporter stops sending alerts for the rest of the minute and sends a system alert to the configured HTTP endpoint.
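The per-minute cap and the one-shot system alert described above, as an added Go example that is not KubeCop's code: a small limiter forwards alerts until the cap is hit, then sends a single AlertLimitReached message (the AlertType value this package exports) and drops everything else until the wall-clock minute rolls over. The Message type, the sink function and the Replay timeline are constructed for the example; the cap is a parameter, so the README's 10000 or any smaller value can be tried.

```go
package main

import (
	"fmt"
	"time"
)

// Outcome records what the limiter did with one alert.
type Outcome string

const (
	OutcomeSent       Outcome = "sent"
	OutcomeLimitAlert Outcome = "limit-alert" // the system alert went out instead of the alert
	OutcomeDropped    Outcome = "dropped"
)

// Message is the constructed payload handed to the sink; Kind mirrors the
// AlertType values ("AlertLimitReached") the exporters package defines.
type Message struct {
	Kind string
	Body string
}

// AlertLimiter enforces a per-minute cap on forwarded alerts. Once the cap is
// hit it sends exactly one system alert and drops everything else until the
// next minute starts. Hypothetical illustration, not KubeCop's implementation.
type AlertLimiter struct {
	maxPerMinute int
	window       time.Time // start of the current minute
	sent         int
	limitSent    bool
	sink         func(Message) error
}

func NewAlertLimiter(maxPerMinute int, sink func(Message) error) *AlertLimiter {
	return &AlertLimiter{maxPerMinute: maxPerMinute, sink: sink}
}

// Offer runs one alert through the limiter at time now.
func (l *AlertLimiter) Offer(now time.Time, body string) Outcome {
	minute := now.Truncate(time.Minute)
	if !minute.Equal(l.window) { // new minute: reset the counter and the one-shot flag
		l.window, l.sent, l.limitSent = minute, 0, false
	}
	if l.sent < l.maxPerMinute {
		l.sent++
		l.sink(Message{Kind: "RuntimeAlert", Body: body})
		return OutcomeSent
	}
	if !l.limitSent {
		l.limitSent = true
		l.sink(Message{Kind: "AlertLimitReached", Body: fmt.Sprintf(
			"alert limit of %d per minute reached; suppressing alerts until %s",
			l.maxPerMinute, minute.Add(time.Minute).Format(time.RFC3339))})
		return OutcomeLimitAlert
	}
	return OutcomeDropped
}

// Replay feeds a constructed burst (5 alerts in one minute, 2 in the next)
// through a limiter with the given cap and returns the outcomes plus the
// messages that reached the sink.
func Replay(maxPerMinute int) ([]Outcome, []Message) {
	var delivered []Message
	l := NewAlertLimiter(maxPerMinute, func(m Message) error {
		delivered = append(delivered, m)
		return nil
	})
	t0 := time.Date(2025, 12, 30, 10, 0, 0, 0, time.UTC)
	var out []Outcome
	for i := 0; i < 5; i++ {
		out = append(out, l.Offer(t0.Add(time.Duration(i)*5*time.Second), fmt.Sprintf("alert %d", i)))
	}
	for i := 5; i < 7; i++ {
		out = append(out, l.Offer(t0.Add(time.Minute+time.Duration(i)*time.Second), fmt.Sprintf("alert %d", i)))
	}
	return out, delivered
}

func main() {
	out, delivered := Replay(3)
	fmt.Println(out)
	for _, m := range delivered {
		fmt.Printf("%s: %s\n", m.Kind, m.Body)
	}
}
```

With a cap of 3 the burst yields sent, sent, sent, limit-alert, dropped in the first minute and sent, sent in the second. The limiter is single-threaded; the real exporter sits behind a bulk manager and would need a mutex around Offer.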

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AlertBulkManager added in v0.2.405

type AlertBulkManager struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

AlertBulkManager manages alert bulks per container

func NewAlertBulkManager added in v0.2.405

func NewAlertBulkManager(
	bulkMaxAlerts int,
	bulkTimeoutSeconds int,
	sendQueueSize int,
	maxRetries int,
	retryBaseDelayMs int,
	retryMaxDelayMs int,
	sendFunc func(containerID string, alerts []apitypes.RuntimeAlert, processTree apitypes.ProcessTree, cloudServices []string) error,
) *AlertBulkManager

NewAlertBulkManager creates a new alert bulk manager

func (*AlertBulkManager) AddAlert added in v0.2.405

func (abm *AlertBulkManager) AddAlert(alert apitypes.RuntimeAlert, processTree apitypes.ProcessTree, cloudServices []string)

AddAlert adds an alert to the appropriate container bulk

func (*AlertBulkManager) FlushAll added in v0.2.405

func (abm *AlertBulkManager) FlushAll()

FlushAll flushes all pending bulks

func (*AlertBulkManager) FlushContainer added in v0.2.405

func (abm *AlertBulkManager) FlushContainer(containerID string)

FlushContainer immediately flushes and removes the bulk for a specific container. This should be called when a container stops.

func (*AlertBulkManager) GetBulkCount added in v0.2.405

func (abm *AlertBulkManager) GetBulkCount() int

GetBulkCount returns the number of active bulks (for monitoring/testing)

func (*AlertBulkManager) Start added in v0.2.405

func (abm *AlertBulkManager) Start()

Start begins the background flush goroutine and send workers

func (*AlertBulkManager) Stop added in v0.2.405

func (abm *AlertBulkManager) Stop()

Stop stops the background flush goroutine and flushes all pending bulks
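To make the bulking semantics concrete, here is an added Go example (hypothetical, not the package's AlertBulkManager) of the three flush triggers the methods above describe: a bulk reaching its maximum size, a bulk older than the timeout, and a container stopping. Alert is a constructed stand-in for apitypes.RuntimeAlert; the sink function, the explicit now parameters (so the timeout path is testable without a background goroutine) and the single-attempt deliver are assumptions, and the retrying send queue that BulkMaxRetries and the related settings configure is left out.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Alert is a constructed stand-in for apitypes.RuntimeAlert (only what bulking needs).
type Alert struct {
	ContainerID, RuleID, Message string
}

type bulk struct {
	alerts  []Alert
	created time.Time
}

// BulkManager groups alerts per container and hands a group to send when it
// is full, older than timeout, or its container stops. A hypothetical rewrite
// of the ideas behind AlertBulkManager, not KubeCop's own code.
type BulkManager struct {
	mu        sync.Mutex
	maxAlerts int
	timeout   time.Duration
	bulks     map[string]*bulk
	send      func(containerID string, alerts []Alert) error
}

func NewBulkManager(maxAlerts int, timeout time.Duration, send func(string, []Alert) error) *BulkManager {
	return &BulkManager{maxAlerts: maxAlerts, timeout: timeout, bulks: map[string]*bulk{}, send: send}
}

// Add queues one alert as of now; it reports whether the bulk filled up and was delivered.
func (m *BulkManager) Add(now time.Time, a Alert) bool {
	m.mu.Lock()
	b := m.bulks[a.ContainerID]
	if b == nil {
		b = &bulk{created: now}
		m.bulks[a.ContainerID] = b
	}
	b.alerts = append(b.alerts, a)
	if len(b.alerts) < m.maxAlerts {
		m.mu.Unlock()
		return false
	}
	ready := m.takeLocked(a.ContainerID)
	m.mu.Unlock() // deliver outside the lock so a slow sink never blocks Add
	m.deliver(a.ContainerID, ready)
	return true
}

// FlushExpired delivers every bulk at least timeout old as of now and returns
// the number of alerts delivered; a ticker goroutine would call this.
func (m *BulkManager) FlushExpired(now time.Time) int {
	m.mu.Lock()
	taken := map[string][]Alert{}
	for id, b := range m.bulks {
		if now.Sub(b.created) >= m.timeout {
			taken[id] = m.takeLocked(id)
		}
	}
	m.mu.Unlock()
	n := 0
	for id, alerts := range taken {
		m.deliver(id, alerts)
		n += len(alerts)
	}
	return n
}

// FlushContainer delivers and discards one container's bulk; call it when the
// container stops so its alerts are neither lost nor left in memory.
func (m *BulkManager) FlushContainer(id string) int {
	m.mu.Lock()
	alerts := m.takeLocked(id)
	m.mu.Unlock()
	if len(alerts) > 0 {
		m.deliver(id, alerts)
	}
	return len(alerts)
}

// takeLocked removes and returns a container's pending alerts; m.mu must be held.
func (m *BulkManager) takeLocked(id string) []Alert {
	b, ok := m.bulks[id]
	delete(m.bulks, id)
	if !ok {
		return nil
	}
	return b.alerts
}

// deliver hands a bulk to the sink; a real manager would queue and retry with backoff.
func (m *BulkManager) deliver(id string, alerts []Alert) {
	if err := m.send(id, alerts); err != nil {
		fmt.Printf("dropping %d alerts for container %s: %v\n", len(alerts), id, err)
	}
}
```

A FlushAll for shutdown is FlushContainer applied to every pending ID. The one design point worth copying is that a bulk is removed from the map under the lock and delivered after the lock is released, so a slow or failing endpoint never stalls the caller that is adding alerts.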

type AlertManagerExporter

type AlertManagerExporter struct {
	Host     string
	NodeName string
	// contains filtered or unexported fields
}

func InitAlertManagerExporter

func InitAlertManagerExporter(alertManagerURL string) *AlertManagerExporter

func (*AlertManagerExporter) SendFimAlerts added in v0.2.393

func (ame *AlertManagerExporter) SendFimAlerts(fimEvents []hostfimsensor.FimEvent)

func (*AlertManagerExporter) SendMalwareAlert

func (ame *AlertManagerExporter) SendMalwareAlert(malwareResult malwaremanager.MalwareResult)

func (*AlertManagerExporter) SendRuleAlert

func (ame *AlertManagerExporter) SendRuleAlert(failedRule types.RuleFailure)

type AlertType added in v0.2.197

type AlertType string

const (
	AlertTypeLimitReached AlertType = "AlertLimitReached"
)

type CsvExporter

type CsvExporter struct {
	CsvRulePath    string
	CsvMalwarePath string
}

CsvExporter is an exporter that sends alerts to csv

func InitCsvExporter

func InitCsvExporter(csvRulePath, csvMalwarePath string) *CsvExporter

InitCsvExporter initializes a new CsvExporter

func (*CsvExporter) SendFimAlerts added in v0.2.393

func (ce *CsvExporter) SendFimAlerts(fimEvents []hostfimsensor.FimEvent)

func (*CsvExporter) SendMalwareAlert

func (ce *CsvExporter) SendMalwareAlert(malwareResult malwaremanager.MalwareResult)

func (*CsvExporter) SendRuleAlert

func (ce *CsvExporter) SendRuleAlert(failedRule types.RuleFailure)

SendRuleAlert sends an alert to csv

type Exporter

type Exporter interface {
	// SendRuleAlert sends an alert on failed rule to the exporter
	SendRuleAlert(failedRule types.RuleFailure)
	// SendMalwareAlert sends an alert on malware detection to the exporter.
	SendMalwareAlert(malwareResult malwaremanager.MalwareResult)
	// SendFimAlerts sends an alert on FIM detection to the exporter.
	SendFimAlerts(fimEvents []hostfimsensor.FimEvent)
}

Exporter is the generic exporter interface.

type ExporterBus

type ExporterBus struct {
	// contains filtered or unexported fields
}

ExporterBus is the single point of contact for all exporters; the engine uses it to send alerts to every configured exporter.

func InitExporters

func InitExporters(exportersConfig ExportersConfig, clusterName string, nodeName string, cloudMetadata *armotypes.CloudMetadata) *ExporterBus

InitExporters initializes all exporters.

func (*ExporterBus) FlushContainerAlerts added in v0.2.405

func (e *ExporterBus) FlushContainerAlerts(containerID string)

FlushContainerAlerts flushes all pending alerts for a specific container. This should be called when a container is terminating.

func (*ExporterBus) SendFimAlerts added in v0.2.393

func (e *ExporterBus) SendFimAlerts(fimEvents []hostfimsensor.FimEvent)

func (*ExporterBus) SendMalwareAlert

func (e *ExporterBus) SendMalwareAlert(malwareResult malwaremanager.MalwareResult)

func (*ExporterBus) SendRuleAlert

func (e *ExporterBus) SendRuleAlert(failedRule types.RuleFailure)

type ExporterMock

type ExporterMock struct{}

func (*ExporterMock) SendFimAlerts added in v0.2.393

func (e *ExporterMock) SendFimAlerts(_ []hostfimsensor.FimEvent)

func (*ExporterMock) SendMalwareAlert

func (e *ExporterMock) SendMalwareAlert(_ malwaremanager.MalwareResult)

func (*ExporterMock) SendRuleAlert

func (e *ExporterMock) SendRuleAlert(_ types.RuleFailure)

type ExportersConfig

type ExportersConfig struct {
	StdoutExporter           *bool               `mapstructure:"stdoutExporter"`
	HTTPExporterConfig       *HTTPExporterConfig `mapstructure:"httpExporterConfig"`
	SyslogExporter           string              `mapstructure:"syslogExporterURL"`
	CsvRuleExporterPath      string              `mapstructure:"CsvRuleExporterPath"`
	CsvMalwareExporterPath   string              `mapstructure:"CsvMalwareExporterPath"`
	AlertManagerExporterUrls []string            `mapstructure:"alertManagerExporterUrls"`
}

type FimEvent added in v0.2.393

type FimEvent struct {
	EventType hostfimsensor.FimEventType `json:"eventType"`
	Path      string                     `json:"path"`
	FileHash  string                     `json:"fileHash"`
	Timestamp time.Time                  `json:"timestamp"`
	Uid       uint32                     `json:"uid"`
	Gid       uint32                     `json:"gid"`
	Mode      uint32                     `json:"mode"`

	// Enhanced fields for richer event context
	FileSize    int64     `json:"fileSize"`
	FileInode   uint64    `json:"fileInode"`
	FileDevice  uint64    `json:"fileDevice"`
	FileMtime   time.Time `json:"fileMtime"`
	FileCtime   time.Time `json:"fileCtime"`
	ProcessPid  uint32    `json:"processPid"`
	ProcessName string    `json:"processName"`
	ProcessArgs []string  `json:"processArgs"`
	HostName    string    `json:"hostName"`
	AgentId     string    `json:"agentId"`
}

type FimEventReport added in v0.2.393

type FimEventReport struct {
	Events      []FimEvent `json:"events"`
	Host        string     `json:"host"`
	NodeName    string     `json:"nodeName"`
	ClusterName string     `json:"clusterName"`
	ReportedBy  string     `json:"reportedBy"`
	Timestamp   time.Time  `json:"timestamp"`
}

type HTTPAlertsList

type HTTPAlertsList struct {
	Kind       string             `json:"kind"`
	APIVersion string             `json:"apiVersion"`
	Metadata   apitypes.Metadata  `json:"metadata"`
	Spec       HTTPAlertsListSpec `json:"spec"`
}

type HTTPAlertsListSpec

type HTTPAlertsListSpec struct {
	Alerts        []apitypes.RuntimeAlert `json:"alerts"`
	ProcessTree   apitypes.ProcessTree    `json:"processTree"`
	CloudMetadata apitypes.CloudMetadata  `json:"cloudMetadata"`
}

type HTTPExporter

type HTTPExporter struct {
	// contains filtered or unexported fields
}

func NewHTTPExporter added in v0.2.197

func NewHTTPExporter(config HTTPExporterConfig, clusterName, nodeName string, cloudMetadata *apitypes.CloudMetadata) (*HTTPExporter, error)

NewHTTPExporter creates a new HTTPExporter instance

func (*HTTPExporter) Close added in v0.2.405

func (e *HTTPExporter) Close() error

Close stops the bulk manager and flushes all pending bulks

func (*HTTPExporter) FlushContainerAlerts added in v0.2.405

func (e *HTTPExporter) FlushContainerAlerts(containerID string)

FlushContainerAlerts flushes alerts for a specific container immediately. This should be called when a container stops.

func (*HTTPExporter) SendFimAlerts added in v0.2.393

func (e *HTTPExporter) SendFimAlerts(fimEvents []hostfimsensor.FimEvent)

SendFimAlerts implements the Exporter interface

func (*HTTPExporter) SendMalwareAlert

func (e *HTTPExporter) SendMalwareAlert(malwareResult malwaremanager.MalwareResult)

SendMalwareAlert implements the Exporter interface

func (*HTTPExporter) SendRuleAlert

func (e *HTTPExporter) SendRuleAlert(failedRule types.RuleFailure)

SendRuleAlert implements the Exporter interface

type HTTPExporterConfig

type HTTPExporterConfig struct {
	URL                string          `json:"url"`
	Path               *string         `json:"path,omitempty"`
	QueryParams        []HTTPKeyValues `json:"queryParams,omitempty"`
	Headers            []HTTPKeyValues `json:"headers"`
	TimeoutSeconds     int             `json:"timeoutSeconds"`
	Method             string          `json:"method"`
	MaxAlertsPerMinute int             `json:"maxAlertsPerMinute"`
	// Alert bulking configuration
	EnableAlertBulking bool `json:"enableAlertBulking"`
	BulkMaxAlerts      int  `json:"bulkMaxAlerts"`
	BulkTimeoutSeconds int  `json:"bulkTimeoutSeconds"`
	// Send queue configuration
	BulkSendQueueSize    int `json:"bulkSendQueueSize"`    // Default: 1000
	BulkMaxRetries       int `json:"bulkMaxRetries"`       // Default: 3
	BulkRetryBaseDelayMs int `json:"bulkRetryBaseDelayMs"` // Default: 1000ms
	BulkRetryMaxDelayMs  int `json:"bulkRetryMaxDelayMs"`  // Default: 30000ms
}

func (*HTTPExporterConfig) Validate

func (config *HTTPExporterConfig) Validate() error

type HTTPKeyValues added in v0.2.256

type HTTPKeyValues struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

type StdoutExporter

type StdoutExporter struct {
	// contains filtered or unexported fields
}

func InitStdoutExporter

func InitStdoutExporter(useStdout *bool, cloudmetadata *apitypes.CloudMetadata) *StdoutExporter

func (*StdoutExporter) SendFimAlerts added in v0.2.393

func (exporter *StdoutExporter) SendFimAlerts(fimEvents []hostfimsensor.FimEvent)

func (*StdoutExporter) SendMalwareAlert

func (exporter *StdoutExporter) SendMalwareAlert(malwareResult malwaremanager.MalwareResult)

func (*StdoutExporter) SendRuleAlert

func (exporter *StdoutExporter) SendRuleAlert(failedRule types.RuleFailure)

type SyslogExporter

type SyslogExporter struct {
	// contains filtered or unexported fields
}

SyslogExporter is an exporter that sends alerts to syslog

func InitSyslogExporter

func InitSyslogExporter(syslogHost string) *SyslogExporter

InitSyslogExporter initializes a new SyslogExporter

func (*SyslogExporter) SendFimAlerts added in v0.2.393

func (se *SyslogExporter) SendFimAlerts(fimEvents []hostfimsensor.FimEvent)

func (*SyslogExporter) SendMalwareAlert

func (se *SyslogExporter) SendMalwareAlert(malwareResult malwaremanager.MalwareResult)

SendMalwareAlert sends an alert to syslog (RFC 5424) - https://tools.ietf.org/html/rfc5424

func (*SyslogExporter) SendRuleAlert

func (se *SyslogExporter) SendRuleAlert(failedRule types.RuleFailure)

SendRuleAlert sends an alert to syslog (RFC 5424) - https://tools.ietf.org/html/rfc5424
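Since both SendRuleAlert and SendMalwareAlert emit RFC 5424, here is an added Go example (not the package's SyslogExporter) that builds one such message from a rule failure and handles the details that commonly go wrong in hand-rolled syslog output: PRI computed from facility and severity, NILVALUE for empty header fields, the header length limits, the SD-NAME grammar, and the backslash, quote and ']' escapes required inside PARAM-VALUEs. RuleFailureLite is a constructed stand-in for types.RuleFailure, the facility/severity choice and the APP-NAME and MSGID strings are assumptions, and the SD-ID uses enterprise number 32473, which RFC 5612 reserves for documentation.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Syslog facility and severity codes from RFC 5424 section 6.2.1.
const (
	facilityLocal0  = 16
	severityWarning = 4
)

// sdParam is one PARAM-NAME="PARAM-VALUE" pair inside an SD-ELEMENT.
type sdParam struct{ name, value string }

// RuleFailureLite is a constructed stand-in for the fields of types.RuleFailure used here.
type RuleFailureLite struct {
	RuleID, RuleName, Namespace, Pod, Container, Message string
}

// escapeSDValue applies the three escapes RFC 5424 requires inside a
// PARAM-VALUE: backslash, double quote and closing bracket.
func escapeSDValue(v string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, `]`, `\]`).Replace(v)
}

// validSDName enforces the SD-NAME grammar: 1..32 printable US-ASCII
// characters, excluding space, '=', ']' and '"'.
func validSDName(n string) bool {
	if len(n) == 0 || len(n) > 32 {
		return false
	}
	return strings.IndexFunc(n, func(c rune) bool {
		return c < 33 || c > 126 || c == '=' || c == ']' || c == '"'
	}) < 0
}

// sdElement renders [id name="value" ...], validating every name first.
func sdElement(id string, params []sdParam) (string, error) {
	if !validSDName(id) {
		return "", fmt.Errorf("invalid SD-ID %q", id)
	}
	var b strings.Builder
	b.WriteString("[" + id)
	for _, p := range params {
		if !validSDName(p.name) {
			return "", fmt.Errorf("invalid PARAM-NAME %q", p.name)
		}
		fmt.Fprintf(&b, ` %s="%s"`, p.name, escapeSDValue(p.value))
	}
	b.WriteString("]")
	return b.String(), nil
}

// headerField returns NILVALUE ("-") for an empty header field and truncates
// to the maximum length RFC 5424 allows for that field.
func headerField(v string, max int) string {
	if v == "" {
		return "-"
	}
	if len(v) > max {
		v = v[:max]
	}
	return v
}

// FormatRFC5424 assembles one syslog line: PRI VERSION TIMESTAMP HOSTNAME
// APP-NAME PROCID MSGID STRUCTURED-DATA MSG. PROCID is left as NILVALUE.
func FormatRFC5424(facility, severity int, ts time.Time, host, app, msgID, sd, msg string) string {
	pri := facility*8 + severity
	return fmt.Sprintf("<%d>1 %s %s %s - %s %s %s",
		pri, ts.UTC().Format(time.RFC3339Nano),
		headerField(host, 255), headerField(app, 48), headerField(msgID, 32), sd, msg)
}

// RuleAlertSyslog renders a rule failure as an RFC 5424 message. The SD-ID
// uses enterprise number 32473, which RFC 5612 reserves for documentation;
// a real deployment would use its own registered PEN.
func RuleAlertSyslog(f RuleFailureLite, ts time.Time, host string) (string, error) {
	sd, err := sdElement("alert@32473", []sdParam{
		{"ruleID", f.RuleID}, {"ruleName", f.RuleName}, {"namespace", f.Namespace},
		{"pod", f.Pod}, {"container", f.Container},
	})
	if err != nil {
		return "", err
	}
	return FormatRFC5424(facilityLocal0, severityWarning, ts, host, "kubecop", "rule-alert", sd, f.Message), nil
}

func main() {
	f := RuleFailureLite{RuleID: "R0001", RuleName: "Unexpected process launched", Namespace: "default",
		Pod: "web-7d9f", Container: "nginx", Message: `exec of "/bin/sh" [pid 42]`}
	line, err := RuleAlertSyslog(f, time.Now(), "node-1")
	fmt.Println(line, err)
}
```

A receiver that parses structured data strictly will reject a PARAM-VALUE with an unescaped ']' or '"', so any string under an attacker's influence (process arguments, file paths) should always pass through escapeSDValue; the example adds neither the UTF-8 BOM RFC 5424 expects before a non-ASCII MSG nor any transport framing.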
