
                      Event Forwarding

                      Sysdig supports sending different types of security data to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, QRadar, ArcSight, and LogDNA. Use Event Forwarding to set up these integrations so you can view security events and correlate Sysdig findings in the tool you already use for analysis.

                      Review the Types of Secure Integrations table for more context. The Event Forwarding column lists the various options and their levels of support.

                      Supported Event Forwarding Data Sources

                      At this time, Sysdig Secure can forward the following types of data:

                      • Policy events: two formats are supported, the older one (legacy policy events) and the current one (runtime policy events).

                      • Activity audit information in each of the four audit types: command, network, file, and kubectl exec.

                      • Benchmarks (v2): When the benchmarks component is installed with the Node Analyzer, forwarding benchmark data is supported.

                      • Host Scanning: When the feature has been installed with the Node Analyzer, forwarding host scanning data is supported.

                      JSON Formats Used per Data Source

                      Informational; in most cases, there is no need to change the default format.

                      Policy Event Payloads

                      Two formats are currently supported. See also this Release Note.

                      New Runtime Policy Events Payload

                      {
                          "id": "164ace360cc3cfbc26ec22d61b439500",
                          "type": "policy",
                          "timestamp": 1606322948648718268,
                          "originator": "policy",
                          "category": "runtime",
                          "source": "syscall",
                          "name": "Notable Filesystem Changes",
                          "description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
                          "severity": 0,
                          "agentId": 13530,
                          "containerId": "",
                          "machineId": "08:00:27:54:f3:9d",
                          "content": {
                            "policyId": 544,
                            "baselineId": "",
                            "ruleName": "Write below etc",
                            "ruleType": "RULE_TYPE_FALCO",
                            "ruleTags": [
                              "mitre_persistence",
                              "NIST",
                              "NIST_3.4.4",
                              "filesystem"
                            ],
                            "output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
                            "fields": {
                              "container.id": "host",
                              "container.image.repository": "<NA>",
                              "falco.rule": "Write below etc",
                              "fd.name": "/etc/ard",
                              "proc.aname[2]": "su",
                              "proc.aname[3]": "sudo",
                              "proc.aname[4]": "bash",
                              "proc.cmdline": "touch /etc/ard",
                              "proc.name": "touch",
                              "proc.pcmdline": "bash",
                              "proc.pname": "bash",
                              "user.name": "root"
                            },
                            "falsePositive": false,
                            "matchedOnDefault": false,
                            "policyVersion": 2,
                            "policyOrigin": "Sysdig"
                          },
                          "labels": {
                            "host.hostName": "ardbox",
                            "process.name": "touch /etc/ard"
                          }
                      }
                      

                      Legacy Secure Policy Event Payload

                      {
                          "id": "164ace360cc3cfbc26ec22d61b439500",
                          "containerId": "",
                          "name": "Notable Filesystem Changes",
                          "description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
                          "severity": 0,
                          "policyId": 544,
                          "actionResults": [],
                          "output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
                          "ruleType": "RULE_TYPE_FALCO",
                          "matchedOnDefault": false,
                          "fields": [
                            {
                              "key": "container.image.repository",
                              "value": "<NA>"
                            },
                            {
                              "key": "proc.aname[3]",
                              "value": "sudo"
                            },
                            {
                              "key": "proc.aname[4]",
                              "value": "bash"
                            },
                            {
                              "key": "proc.cmdline",
                              "value": "touch /etc/ard"
                            },
                            {
                              "key": "proc.pname",
                              "value": "bash"
                            },
                            {
                              "key": "falco.rule",
                              "value": "Write below etc"
                            },
                            {
                              "key": "proc.name",
                              "value": "touch"
                            },
                            {
                              "key": "fd.name",
                              "value": "/etc/ard"
                            },
                            {
                              "key": "proc.aname[2]",
                              "value": "su"
                            },
                            {
                              "key": "proc.pcmdline",
                              "value": "bash"
                            },
                            {
                              "key": "container.id",
                              "value": "host"
                            },
                            {
                              "key": "user.name",
                              "value": "root"
                            }
                          ],
                          "eventLabels": [
                            {
                              "key": "host.hostName",
                              "value": "ardbox"
                            },
                            {
                              "key": "process.name",
                              "value": "touch /etc/ard"
                            }
                          ],
                          "falsePositive": false,
                          "baselineId": "",
                          "policyVersion": 2,
                          "origin": "Sysdig",
                          "timestamp": 1606322948648718,
                          "timestampNs": 1606322948648718268,
                          "hostMac": "08:00:27:54:f3:9d",
                          "isAggregated": false
                      }
                      
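Because a forwarder may receive either format, an ingestion pipeline usually normalises both into one record before indexing. The following is an added example, not Sysdig code: it detects which of the two payload formats above it was given and maps both to the same record. The sample payloads are trimmed copies of the documented ones, and the NormalizedEvent shape is this example's own choice, not a Sysdig schema.

```python
"""Normalise Sysdig Secure policy events from either payload format.

Added example for this page, not Sysdig code. Both sample payloads below are
trimmed copies of the documented ones; the NormalizedEvent shape is this
example's own choice and is not a Sysdig schema.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, List

RUNTIME_EVENT: Dict[str, Any] = json.loads("""{
  "id": "164ace360cc3cfbc26ec22d61b439500", "type": "policy",
  "timestamp": 1606322948648718268, "name": "Notable Filesystem Changes",
  "severity": 0, "machineId": "08:00:27:54:f3:9d",
  "content": {
    "policyId": 544, "ruleName": "Write below etc",
    "ruleTags": ["mitre_persistence", "NIST", "NIST_3.4.4", "filesystem"],
    "output": "File below /etc opened for writing (user=root command=touch /etc/ard)",
    "fields": {"container.id": "host", "falco.rule": "Write below etc",
               "fd.name": "/etc/ard", "proc.cmdline": "touch /etc/ard",
               "proc.name": "touch", "user.name": "root"},
    "policyOrigin": "Sysdig"
  },
  "labels": {"host.hostName": "ardbox", "process.name": "touch /etc/ard"}
}""")

LEGACY_EVENT: Dict[str, Any] = json.loads("""{
  "id": "164ace360cc3cfbc26ec22d61b439500", "name": "Notable Filesystem Changes",
  "severity": 0, "policyId": 544,
  "output": "File below /etc opened for writing (user=root command=touch /etc/ard)",
  "fields": [
    {"key": "proc.cmdline", "value": "touch /etc/ard"},
    {"key": "falco.rule", "value": "Write below etc"},
    {"key": "proc.name", "value": "touch"},
    {"key": "fd.name", "value": "/etc/ard"},
    {"key": "container.id", "value": "host"},
    {"key": "user.name", "value": "root"}
  ],
  "eventLabels": [
    {"key": "host.hostName", "value": "ardbox"},
    {"key": "process.name", "value": "touch /etc/ard"}
  ],
  "origin": "Sysdig", "timestamp": 1606322948648718,
  "timestampNs": 1606322948648718268, "hostMac": "08:00:27:54:f3:9d"
}""")


@dataclass
class NormalizedEvent:
    id: str
    name: str
    severity: int
    policy_id: int
    rule_name: str
    rule_tags: List[str]
    timestamp_ns: int
    host_mac: str
    origin: str
    output: str
    fields: Dict[str, str]
    labels: Dict[str, str]


def kv_list_to_dict(items: List[Dict[str, str]]) -> Dict[str, str]:
    """Legacy payloads carry fields/labels as [{"key": .., "value": ..}] lists."""
    return {item["key"]: item["value"] for item in items}


def is_legacy(event: Dict[str, Any]) -> bool:
    """Runtime format nests details under "content"; legacy keeps them at
    top level and carries a separate "timestampNs"."""
    return "content" not in event and "timestampNs" in event


def normalize(event: Dict[str, Any]) -> NormalizedEvent:
    if is_legacy(event):
        fields = kv_list_to_dict(event["fields"])
        return NormalizedEvent(
            id=event["id"], name=event["name"], severity=event["severity"],
            policy_id=event["policyId"],
            # Legacy has no ruleName; the Falco rule name lives in the fields.
            rule_name=fields.get("falco.rule", ""),
            rule_tags=[],  # the legacy payload carries no rule tags
            # Legacy "timestamp" is microseconds; "timestampNs" matches the
            # nanosecond "timestamp" of the runtime format.
            timestamp_ns=event["timestampNs"],
            host_mac=event["hostMac"], origin=event["origin"],
            output=event["output"], fields=fields,
            labels=kv_list_to_dict(event["eventLabels"]),
        )
    content = event["content"]
    return NormalizedEvent(
        id=event["id"], name=event["name"], severity=event["severity"],
        policy_id=content["policyId"], rule_name=content["ruleName"],
        rule_tags=list(content.get("ruleTags", [])),
        timestamp_ns=event["timestamp"], host_mac=event["machineId"],
        origin=content["policyOrigin"], output=content["output"],
        fields=dict(content["fields"]), labels=dict(event.get("labels", {})),
    )


def siem_line(ev: NormalizedEvent) -> str:
    """One key=value line per event, the shape most SIEM field extractors expect."""
    return (f"host={ev.labels.get('host.hostName', '')} policy={ev.policy_id} "
            f"rule={ev.rule_name!r} user={ev.fields.get('user.name', '')} "
            f"file={ev.fields.get('fd.name', '')} ts_ns={ev.timestamp_ns}")
```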

                      Activity Audit Forwarding Payloads

                      Each of the activity audit types has its own JSON format.

                      Command (cmd) Payload

                      {
                          "id": "164806c17885b5615ba513135ea13d79",
                          "agentId": 32212,
                          "cmdline": "calico-node -felix-ready -bird-ready",
                          "comm": "calico-node",
                          "containerId": "a407fb17332b",
                          "count": 1,
                          "cwd": "/",
                          "hostname": "qa-k8smetrics",
                          "loginShellDistance": 0,
                          "loginShellId": 0,
                          "pid": 29278,
                          "ppid": 29275,
                          "rxTimestamp": 1605540695537513500,
                          "timestamp": 1605540695178065200,
                          "type": "command",
                          "tty": 0,
                          "uid": 0
                      }
                      

                      Network (net) Payload

                      {
                          "id": "164806f43b4d7e8c6708f40cdbb47838",
                          "agentId": 32212,
                          "clientIpv4": 2886795285,
                          "clientPort": 60720,
                          "containerId": "da3abd373c7a",
                          "direction": "out",
                          "errorCode": 115,
                          "hostname": "qa-k8smetrics",
                          "l4protocol": 6,
                          "pid": 2452,
                          "processName": "kubectl",
                          "rxTimestamp": 0,
                          "serverIpv4": 174063617,
                          "serverPort": 443,
                          "timestamp": 1605540913194303200,
                          "type": "connection"
                      }
                      

                      File (file) Payload

                      {
                          "id": "164806c161a5dd221c4ee79d6b5dd1ce",
                          "agentId": 32212,
                          "containerId": "a407fb17332b",
                          "hostname": "qa-k8smetrics",
                          "timestamp": 1605540694794296600,
                          "type": "fileaccess",
                          "directory": "/etc/service/enabled/confd/supervise/",
                          "filename": "ok",
                          "permissions": "w",
                          "pid": 29237,
                          "comm": "sv",
                          "cmdline": ""
                      }
                      

                      Kubernetes (kube exec) Payload

                      {
                          "id": "164806f4c47ad9101117d87f8b574ecf",
                          "agentId": 32212,
                          "args": {
                              "command": "bash",
                              "container": "nginx"
                          },
                          "auditId": "c474d1de-c764-445a-8142-a0142505868e",
                          "containerId": "397be1762fba",
                          "hostname": "qa-k8smetrics",
                          "name": "nginx-76f9cf7469-k5kf7",
                          "namespace": "nginx",
                          "resource": "pods",
                          "sourceAddresses": [
                              "172.17.0.21"
                          ],
                          "stages": {
                              "started": 1605540915526159000,
                              "completed": 1605540915660084000
                          },
                          "subResource": "exec",
                          "timestamp": 1605540915495754000,
                          "type": "kubernetes",
                          "user": {
                              "username": "system:serviceaccount:default:default-kubectl-trigger",
                              "groups": [
                                  "system:serviceaccounts",
                                  "system:serviceaccounts:default",
                                  "system:authenticated"
                              ]
                          },
                          "userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50"
                      }
                      
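A receiver has to route each of the four audit types above on its "type" value and decode the packed fields before the record is useful in a SIEM. The following is an added example, not Sysdig code: it dispatches on "type", decodes the integer IPv4 fields and nanosecond timestamps, and flags kubectl exec performed under a service account. It assumes that clientIpv4/serverIpv4 are dotted-quad addresses packed in network byte order (under that assumption the documented values decode to 172.17.0.21, which matches the sourceAddresses entry of the kube exec payload, and 10.96.0.1), that l4protocol is an IANA protocol number, and that errorCode is a Linux errno; the four sample events are trimmed copies of the documented payloads.

```python
"""Dispatch Sysdig Secure activity audit payloads on their "type" field.

Added example for this page, not Sysdig code. Assumptions: clientIpv4 and
serverIpv4 are IPv4 addresses packed in network byte order, l4protocol is
an IANA protocol number, errorCode is a Linux errno value.
"""
import errno
import ipaddress
import json
from datetime import datetime, timezone
from typing import Any, Callable, Dict

# Trimmed copies of the four documented payloads (constructed sample input).
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"type": "command", "hostname": "qa-k8smetrics", "containerId": "a407fb17332b",'
    ' "cmdline": "calico-node -felix-ready -bird-ready", "comm": "calico-node",'
    ' "cwd": "/", "pid": 29278, "ppid": 29275, "uid": 0, "tty": 0,'
    ' "timestamp": 1605540695178065200}',
    '{"type": "connection", "hostname": "qa-k8smetrics", "containerId": "da3abd373c7a",'
    ' "clientIpv4": 2886795285, "clientPort": 60720, "serverIpv4": 174063617,'
    ' "serverPort": 443, "direction": "out", "errorCode": 115, "l4protocol": 6,'
    ' "pid": 2452, "processName": "kubectl", "timestamp": 1605540913194303200}',
    '{"type": "fileaccess", "hostname": "qa-k8smetrics", "containerId": "a407fb17332b",'
    ' "directory": "/etc/service/enabled/confd/supervise/", "filename": "ok",'
    ' "permissions": "w", "pid": 29237, "comm": "sv", "cmdline": "",'
    ' "timestamp": 1605540694794296600}',
    '{"type": "kubernetes", "hostname": "qa-k8smetrics", "containerId": "397be1762fba",'
    ' "args": {"command": "bash", "container": "nginx"}, "name": "nginx-76f9cf7469-k5kf7",'
    ' "namespace": "nginx", "resource": "pods", "subResource": "exec",'
    ' "sourceAddresses": ["172.17.0.21"],'
    ' "user": {"username": "system:serviceaccount:default:default-kubectl-trigger",'
    ' "groups": ["system:serviceaccounts", "system:authenticated"]},'
    ' "userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50",'
    ' "timestamp": 1605540915495754000}',
)]

PROTOCOL_NAMES = {6: "tcp", 17: "udp"}  # IANA protocol numbers (assumed mapping)


def ipv4_from_int(value: int) -> str:
    """2886795285 -> '172.17.0.21' under the network-byte-order assumption."""
    return str(ipaddress.IPv4Address(value))


def to_iso(ts_ns: int) -> str:
    """Audit timestamps are nanoseconds since the epoch; emit second-precision ISO 8601."""
    dt = datetime.fromtimestamp(ts_ns // 1_000_000_000, timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def container_or_host(ev: Dict[str, Any]) -> str:
    return ev.get("containerId") or "host"


def summarize_command(ev: Dict[str, Any]) -> str:
    return (f"cmd host={ev['hostname']} container={container_or_host(ev)} uid={ev['uid']} "
            f"pid={ev['pid']} ppid={ev['ppid']} cwd={ev['cwd']} tty={ev['tty']} "
            f"cmdline={ev['cmdline']!r}")


def summarize_connection(ev: Dict[str, Any]) -> str:
    proto = PROTOCOL_NAMES.get(ev["l4protocol"], str(ev["l4protocol"]))
    # On Linux errno 115 is EINPROGRESS: a non-blocking connect still in
    # flight, not a failed connection, so do not alert on it as an error.
    err = errno.errorcode.get(ev["errorCode"], str(ev["errorCode"]))
    return (f"net host={ev['hostname']} container={container_or_host(ev)} "
            f"proc={ev['processName']} pid={ev['pid']} {ev['direction']} {proto} "
            f"{ipv4_from_int(ev['clientIpv4'])}:{ev['clientPort']} -> "
            f"{ipv4_from_int(ev['serverIpv4'])}:{ev['serverPort']} err={err}")


def summarize_fileaccess(ev: Dict[str, Any]) -> str:
    return (f"file host={ev['hostname']} container={container_or_host(ev)} comm={ev['comm']} "
            f"pid={ev['pid']} mode={ev['permissions']} path={ev['directory']}{ev['filename']}")


def summarize_kubernetes(ev: Dict[str, Any]) -> str:
    return (f"kube host={ev['hostname']} user={ev['user']['username']} "
            f"{ev['resource']}/{ev['subResource']} {ev['namespace']}/{ev['name']} "
            f"container={ev['args']['container']} command={ev['args']['command']!r} "
            f"from={','.join(ev['sourceAddresses'])} ua={ev['userAgent']!r}")


HANDLERS: Dict[str, Callable[[Dict[str, Any]], str]] = {
    "command": summarize_command, "connection": summarize_connection,
    "fileaccess": summarize_fileaccess, "kubernetes": summarize_kubernetes,
}


def summarize(ev: Dict[str, Any]) -> str:
    """Route on "type"; reject unknown types loudly rather than dropping them,
    so a new audit type surfaces in the pipeline's errors instead of vanishing."""
    handler = HANDLERS.get(ev.get("type"))
    if handler is None:
        raise ValueError(f"unknown activity audit type: {ev.get('type')!r}")
    return f"{to_iso(ev['timestamp'])} {handler(ev)}"


def is_service_account_exec(ev: Dict[str, Any]) -> bool:
    """kubectl exec under a service-account identity is worth a dedicated alert."""
    return (ev.get("type") == "kubernetes" and ev.get("subResource") == "exec"
            and ev["user"]["username"].startswith("system:serviceaccount:"))
```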

                      Benchmark Result Payloads

                      To forward benchmark events, you must have Benchmarks v2 installed and configured, using the Node Analyzer.

                      A Benchmark Control payload is emitted for each control on each host on every Benchmark Run. A Benchmark Run payload containing a summary of the results is emitted for each host on every Benchmark Run.

                      Benchmark Control Payload

                      {
                        "agentId": 0,
                        "category": "runtime",
                        "containerId": "",
                        "content": {
                          "control": {
                            "auditCommand": "ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\\([^ ]*\\).*%\\1%' | xargs stat -c %U:%G",
                            "description": "etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.",
                            "expectedOutput": "'' is present",
                            "failingResources": [
                              {
                                "Hostname": "qa-k8smetrics"
                              }
                            ],
                            "familyName": "Master Node Configuration Files",
                            "id": "1.1.12",
                            "level": "Level 1",
                            "rationale": "etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.",
                            "remediation": "On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the below command:\nps -ef | grep etcd\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd:etcd /var/lib/etcd\n",
                            "resourceCount": 0,
                            "resourceType": "Hosts",
                            "result": "Fail",
                            "title": "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
                          },
                          "runId": "e569ccbb-b314-4fcc-991e-7baa0671ff34",
                          "schema": "kube_bench_cis-1.6.0",
                          "source": "host",
                          "subType": "control",
                          "taskId": 205
                        },
                        "description": "Kubernetes benchmark kube_bench_cis-1.6.0 control 1.1.12 completed.",
                        "id": "167e641d319f53438dca3c702ecb2460",
                        "labels": {
                          "aws.accountId": "059797578166",
                          "aws.instanceId": "i-0fb61365358ce26a7",
                          "aws.region": "us-east-1",
                          "host.hostName": "qa-k8smetrics",
                          "host.mac": "16:16:ef:cb:72:15",
                          "kubernetes.cluster.name": "test-k8s-data",
                          "kubernetes.node.name": "qa-k8smetrics"
                        },
                        "machineId": "16:16:ef:cb:72:15",
                        "name": "Kubernetes Benchmark Control Reported",
                        "originator": "benchmarks",
                        "severity": 0,
                        "source": "host",
                        "timestamp": 1620842992449311555,
                        "type": "benchmark"
                      }
                      

                      Benchmark Run Payload

                      {
                        "agentId": 0,
                        "category": "runtime",
                        "containerId": "",
                        "content": {
                          "run": {
                            "failCount": 11,
                            "passCount": 67,
                            "warnCount": 44
                          },
                          "runId": "e569ccbb-b314-4fcc-991e-7baa0671ff34",
                          "schema": "kube_bench_cis-1.6.0",
                          "source": "host",
                          "subType": "run",
                          "taskId": 205
                        },
                        "description": "Kubernetes benchmark kube_bench_cis-1.6.0 completed.",
                        "id": "167e641d319f5343019a4183b1ec2906",
                        "labels": {
                          "aws.accountId": "059797578166",
                          "aws.instanceId": "i-0fb61365358ce26a7",
                          "aws.region": "us-east-1",
                          "host.hostName": "qa-k8smetrics",
                          "host.mac": "16:16:ef:cb:72:15",
                          "kubernetes.cluster.name": "test-k8s-data",
                          "kubernetes.node.name": "qa-k8smetrics"
                        },
                        "machineId": "16:16:ef:cb:72:15",
                        "name": "Kubernetes Benchmark Run Failed",
                        "originator": "benchmarks",
                        "severity": 0,
                        "source": "host",
                        "timestamp": 1620842992449311555,
                        "type": "benchmark"
                      }
                      

                      Host Scanning Payload

                      Incremental Report

                      This is the “vuln diff” report; it contains the list of added, removed, or updated vulnerabilities that the host presents compared to the previous scan.

                      [
                        {
                          "id": "167fddc1197bcc776d72f0f299e83530",
                          "type": "hostscanning",
                          "timestamp": 1621258212302,
                          "originator": "hostscanning",
                          "category": "hostscanning_incremental_report",
                          "source": "hostscanning",
                          "name": "Vulnerability updates - Host dev-vm",
                          "description": "",
                          "severity": 4,
                          "agentId": 0,
                          "containerId": "",
                          "machineId": "00:0c:29:e5:9e:51",
                          "content": {
                            "hostname": "dev-vm",
                            "mac": "00:0c:29:e5:9e:51",
                            "reportType": "incremental",
                            "added": [
                              {
                                "cve": "CVE-2020-27170",
                                "fixAvailable": "5.4.0-70.78",
                                "packageName": "linux-headers-5.4.0-67",
                                "packageType": "dpkg",
                                "packageVersion": "5.4.0-67.75",
                                "severity": "High",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-27170",
                                "vulnerablePackage": "linux-headers-5.4.0-67:5.4.0-67.75"
                              },
                              {
                                "cve": "CVE-2019-9515",
                                "fixAvailable": "None",
                                "packageName": "libgrpc6",
                                "packageType": "dpkg",
                                "packageVersion": "1.16.1-1ubuntu5",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9515",
                                "vulnerablePackage": "libgrpc6:1.16.1-1ubuntu5"
                              }
                            ],
                            "updated": [
                              {
                                "cve": "CVE-2018-17977",
                                "fixAvailable": "None",
                                "packageName": "linux-modules-5.4.0-72-generic",
                                "packageType": "dpkg",
                                "packageVersion": "5.4.0-72.80",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17977",
                                "vulnerablePackage": "linux-modules-5.4.0-72-generic:5.4.0-72.80"
                              },
                              {
                                "cve": "CVE-2021-3348",
                                "fixAvailable": "5.4.0-71.79",
                                "packageName": "linux-modules-extra-5.4.0-67-generic",
                                "packageType": "dpkg",
                                "packageVersion": "5.4.0-67.75",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3348",
                                "vulnerablePackage": "linux-modules-extra-5.4.0-67-generic:5.4.0-67.75"
                              },
                              {
                                "cve": "CVE-2021-29265",
                                "fixAvailable": "5.4.0-73.82",
                                "packageName": "linux-headers-5.4.0-67-generic",
                                "packageType": "dpkg",
                                "packageVersion": "5.4.0-67.75",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-29265",
                                "vulnerablePackage": "linux-headers-5.4.0-67-generic:5.4.0-67.75"
                              },
                              {
                                "cve": "CVE-2021-29921",
                                "fixAvailable": "None",
                                "packageName": "python3.8-dev",
                                "packageType": "dpkg",
                                "packageVersion": "3.8.5-1~20.04.2",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-29921",
                                "vulnerablePackage": "python3.8-dev:3.8.5-1~20.04.2"
                              }
                            ],
                            "removed": [
                              {
                                "cve": "CVE-2021-26932",
                                "fixAvailable": "None",
                                "packageName": "linux-modules-5.4.0-67-generic",
                                "packageType": "dpkg",
                                "packageVersion": "5.4.0-67.75",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-26932",
                                "vulnerablePackage": "linux-modules-5.4.0-67-generic:5.4.0-67.75"
                              },
                              {
                                "cve": "CVE-2020-26541",
                                "fixAvailable": "None",
                                "packageName": "linux-modules-extra-5.4.0-67-generic",
                                "packageType": "dpkg",
                                "packageVersion": "5.4.0-67.75",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-26541",
                                "vulnerablePackage": "linux-modules-extra-5.4.0-67-generic:5.4.0-67.75"
                              },
                              {
                                "cve": "CVE-2014-4607",
                                "fixAvailable": "2.04-1ubuntu26.8",
                                "packageName": "grub-pc",
                                "packageType": "dpkg",
                                "packageVersion": "2.04-1ubuntu26.7",
                                "severity": "Medium",
                                "url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-4607",
                                "vulnerablePackage": "grub-pc:2.04-1ubuntu26.7"
                              }
                            ]
                          },
                          "labels": {
                            "host.hostName": "dev-vm",
                            "host.id": "d82e5bde1d992bedd10a640bdb2f052493ff4b3e03f5e96d1077bf208f32ea96",
                            "host.mac": "00:0c:29:e5:9e:51",
                            "host.os.name": "ubuntu",
                            "host.os.version": "20.04"
                          }
                        }
                      ]
                      

                      Full Report

                      The full report contains all the vulnerabilities found during the first host scan.

                      [
                        {
                          "id": "1680c8462f368eaf38d2f269d9de1637",
                          "type": "hostscanning",
                          "timestamp": 1621516069618,
                          "originator": "hostscanning",
                          "category": "hostscanning_full_report",
                          "source": "hostscanning",
                          "name": "Host ip-172-31-94-81 scanned",
                          "description": "",
                          "severity": 4,
                          "agentId": 0,
                          "containerId": "",
                          "machineId": "16:1f:b4:f5:02:03",
                          "content": {
                            "hostname": "ip-172-31-94-81",
                            "mac": "16:1f:b4:f5:02:03",
                            "reportType": "full",
                            "added": [
                              {
                                "cve": "CVE-2015-0207",
                                "fixAvailable": "None",
                                "packageName": "libssl1.1",
                                "packageType": "dpkg",
                                "packageVersion": "1.1.0l-1~deb9u3",
                                "severity": "Negligible",
                                "url": "https://security-tracker.debian.org/tracker/CVE-2015-0207",
                                "vulnerablePackage": "libssl1.1:1.1.0l-1~deb9u3"
                              },
                              {
                                "cve": "CVE-2016-2088",
                                "fixAvailable": "None",
                                "packageName": "libdns162",
                                "packageType": "dpkg",
                                "packageVersion": "1:9.10.3.dfsg.P4-12.3+deb9u8",
                                "severity": "Negligible",
                                "url": "https://security-tracker.debian.org/tracker/CVE-2016-2088",
                                "vulnerablePackage": "libdns162:1:9.10.3.dfsg.P4-12.3+deb9u8"
                              },
                              {
                                "cve": "CVE-2017-5123",
                                "fixAvailable": "None",
                                "packageName": "linux-headers-4.9.0-15-amd64",
                                "packageType": "dpkg",
                                "packageVersion": "4.9.258-1",
                                "severity": "Negligible",
                                "url": "https://security-tracker.debian.org/tracker/CVE-2017-5123",
                                "vulnerablePackage": "linux-headers-4.9.0-15-amd64:4.9.258-1"
                              },
                              {
                                "cve": "CVE-2014-2739",
                                "fixAvailable": "None",
                                "packageName": "linux-headers-4.9.0-15-common",
                                "packageType": "dpkg",
                                "packageVersion": "4.9.258-1",
                                "severity": "Negligible",
                                "url": "https://security-tracker.debian.org/tracker/CVE-2014-2739",
                                "vulnerablePackage": "linux-headers-4.9.0-15-common:4.9.258-1"
                              },
                              {
                                "cve": "CVE-2014-9781",
                                "fixAvailable": "None",
                                "packageName": "linux-kbuild-4.9",
                                "packageType": "dpkg",
                                "packageVersion": "4.9.258-1",
                                "severity": "Negligible",
                                "url": "https://security-tracker.debian.org/tracker/CVE-2014-9781",
                                "vulnerablePackage": "linux-kbuild-4.9:4.9.258-1"
                              },
                              {
                                "cve": "CVE-2015-8705",
                                "fixAvailable": "None",
                                "packageName": "libisc-export160",
                                "packageType": "dpkg",
                                "packageVersion": "1:9.10.3.dfsg.P4-12.3+deb9u8",
                                "severity": "Negligible",
                                "url": "https://security-tracker.debian.org/tracker/CVE-2015-8705",
                                "vulnerablePackage": "libisc-export160:1:9.10.3.dfsg.P4-12.3+deb9u8"
                              }
                            ]
                          },
                          "labels": {
                            "agent.tag.distribution": "Debian",
                            "agent.tag.fqdn": "ec2-3-231-219-145.compute-1.amazonaws.com",
                            "agent.tag.test-type": "qa-hs",
                            "agent.tag.version": "9.13",
                            "host.hostName": "ip-172-31-94-81",
                            "host.id": "cbd8fc14e9116a33770453e0755cbd1e72e4790e16876327607c50ce9de25a4b",
                            "host.mac": "16:1f:b4:f5:02:03",
                            "host.os.name": "debian",
                            "host.os.version": "9.13"
                          }
                        }
                      ]
                      
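Both report shapes above nest the per-CVE entries under "added", "updated" and "removed", with "fixAvailable" carried as the literal string "None" when no fix exists. The following is an added example, not Sysdig code: it flattens an incremental report into one SIEM row per (host, CVE, package, change) and picks out the findings a patch can close. It works unchanged on the full report, which has the same structure with only "added" populated. The sample is a trimmed copy of the documented incremental report; the severity ranking, the "actionable" rule, and the reading of the 13-digit timestamp as milliseconds are this example's own assumptions.

```python
"""Flatten a Sysdig Secure host scanning report for a SIEM.

Added example for this page, not Sysdig code. Assumptions: the report
timestamp is milliseconds since the epoch, and the severity ranking and
"actionable" rule below are this example's own triage choices.
"""
import json
from typing import Any, Dict, List

# Trimmed copy of the documented incremental report (constructed sample input).
INCREMENTAL_REPORT: List[Dict[str, Any]] = json.loads("""[{
  "id": "167fddc1197bcc776d72f0f299e83530", "type": "hostscanning",
  "timestamp": 1621258212302, "category": "hostscanning_incremental_report",
  "name": "Vulnerability updates - Host dev-vm", "severity": 4,
  "machineId": "00:0c:29:e5:9e:51",
  "content": {
    "hostname": "dev-vm", "mac": "00:0c:29:e5:9e:51", "reportType": "incremental",
    "added": [
      {"cve": "CVE-2020-27170", "fixAvailable": "5.4.0-70.78",
       "packageName": "linux-headers-5.4.0-67", "packageType": "dpkg",
       "packageVersion": "5.4.0-67.75", "severity": "High",
       "vulnerablePackage": "linux-headers-5.4.0-67:5.4.0-67.75"},
      {"cve": "CVE-2019-9515", "fixAvailable": "None", "packageName": "libgrpc6",
       "packageType": "dpkg", "packageVersion": "1.16.1-1ubuntu5",
       "severity": "Medium", "vulnerablePackage": "libgrpc6:1.16.1-1ubuntu5"}
    ],
    "updated": [
      {"cve": "CVE-2021-3348", "fixAvailable": "5.4.0-71.79",
       "packageName": "linux-modules-extra-5.4.0-67-generic", "packageType": "dpkg",
       "packageVersion": "5.4.0-67.75", "severity": "Medium",
       "vulnerablePackage": "linux-modules-extra-5.4.0-67-generic:5.4.0-67.75"}
    ],
    "removed": [
      {"cve": "CVE-2014-4607", "fixAvailable": "2.04-1ubuntu26.8", "packageName": "grub-pc",
       "packageType": "dpkg", "packageVersion": "2.04-1ubuntu26.7", "severity": "Medium",
       "vulnerablePackage": "grub-pc:2.04-1ubuntu26.7"}
    ]
  },
  "labels": {"host.hostName": "dev-vm", "host.os.name": "ubuntu", "host.os.version": "20.04"}
}]""")

# Ranking is this example's choice; the payload only carries the severity names.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Negligible": 1}


def flatten(report: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One row per (host, CVE, package, change). Handles both report types,
    since the full report simply has only the "added" list populated."""
    rows: List[Dict[str, Any]] = []
    for event in report:
        content = event["content"]
        labels = event.get("labels", {})
        host = {
            "host": content["hostname"], "mac": content["mac"],
            "report_type": content["reportType"],
            "os": f"{labels.get('host.os.name', '')} {labels.get('host.os.version', '')}".strip(),
            "report_ts_ms": event["timestamp"],  # 13 digits: assumed milliseconds
        }
        for change in ("added", "updated", "removed"):
            for vuln in content.get(change, []):
                rows.append({
                    **host, "change": change, "cve": vuln["cve"],
                    "package": vuln["vulnerablePackage"], "severity": vuln["severity"],
                    # "None" is a literal string in the payload, not JSON null.
                    "fix": None if vuln["fixAvailable"] == "None" else vuln["fixAvailable"],
                })
    return rows


def actionable(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Findings a patch can close now: still present (added or updated) and a
    fix version is known, highest severity first."""
    open_fixable = [r for r in rows if r["change"] != "removed" and r["fix"]]
    return sorted(open_fixable, key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))


def change_counts(rows: List[Dict[str, Any]]) -> Dict[str, int]:
    counts = {"added": 0, "updated": 0, "removed": 0}
    for r in rows:
        counts[r["change"]] += 1
    return counts
```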

                      Delete an Event Forwarding Integration

                      To delete an existing integration:

                      1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

                      2. Click the More Options (three dots) icon.

                      3. Click the Delete Integration button.

                      4. Click the Yes, delete button to confirm the change.