
@chilli13 chilli13 (Contributor) commented Jun 10, 2025

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. dependencies Pull requests that update a dependency file enhancement New feature or request labels Jun 10, 2025
@chilli13 chilli13 (Contributor Author) commented:

Add params eventroratesize and eventroratetime to support event log rotation.

      --eventroratesize=0		the rorate size(MB) of the event collector file, 1M~65535M, only works for eventaddr server is file. --eventaddr=tls.log --eventroratesize=1 --eventroratetime=30
      --eventroratetime=0		the rorate time(s) of the event collector file, 1s~65535s, only works for eventaddr server is file. --eventaddr=tls.log --eventroratesize=1 --eventroratetime=30

Full help output:

# ./bin/ecapture  -h
NAME:
	eCapture - Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.

USAGE:
	eCapture [flags]

VERSION:
	linux_amd64:v1.1.0-20250609-0e774f1:5.15.0-136-generic

COMMANDS:
	bash		capture bash command
	gnutls		capture gnutls text content without CA cert for gnutls libraries.
	gotls		Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS.
	help		Help about any command
	mysqld		capture sql queries from mysqld 5.6/5.7/8.0 .
	nspr		capture nss/nspr encrypted text content without CA cert for nss/nspr libraries.
	postgres	capture sql queries from postgres 10+.
	tls		Used to capture TLS/SSL text content without the need for a CA certificate. (Supports OpenSSL 1.0.x/1.1.x/3.x or newer).
	zsh		capture zsh command

DESCRIPTION:
	eCapture(旁观者) is a tool that can capture plaintext packets
	such as HTTPS and TLS without installing a CA certificate.
	It can also capture bash commands, which is suitable for
	security auditing scenarios, such as database auditing of mysqld, etc (disabled on Android).
	Support Linux(Android)  X86_64 4.18/aarch64 5.5 or newer.
	Repository: https://github.com/gojue/ecapture
	HomePage: https://ecapture.cc
	
	Usage:
	  ecapture tls -h
	  ecapture bash -h
	
	Docker usage:
	docker pull gojue/ecapture:latest
	docker run --rm --privileged=true --net=host -v ${HOST_PATH}:${CONTAINER_PATH} gojue/ecapture -h

OPTIONS:
  -b, --btf=0				enable BTF mode.(0:auto; 1:core; 2:non-core)
  -d, --debug[=false]			enable debug logging
      --eventaddr=""			the server address that receives the captured event. --eventaddr tcp://127.0.0.1:8090, default: same as logaddr
      --eventroratesize=0		the rorate size(MB) of the event collector file, 1M~65535M, only works for eventaddr server is file. --eventaddr=tls.log --eventroratesize=1 --eventroratetime=30
      --eventroratetime=0		the rorate time(s) of the event collector file, 1s~65535s, only works for eventaddr server is file. --eventaddr=tls.log --eventroratesize=1 --eventroratetime=30
  -h, --help[=false]			help for eCapture
      --hex[=false]			print byte strings as hex encoded strings
      --listen="localhost:28256"	listen on this address for http server, default: 127.0.0.1:28256
  -l, --logaddr=""			send logs to this server. -l /tmp/ecapture.log or -l tcp://127.0.0.1:8080
      --mapsize=1024			eBPF map size per CPU,for events buffer. default:1024 * PAGESIZE. (KB)
  -p, --pid=0				if pid is 0 then we target all pids
  -t, --tsize=0				the truncate size in text mode, default: 0 (B), no truncate
  -u, --uid=0				if uid is 0 then we target all users
  -v, --version[=false]			version for eCapture

# ./bin/ecapture  tls --eventaddr=/var/log/tls/rorate.log   --eventroratesize=1 --eventroratetime=30
... ...

root@cd-ubuntu:/var/log/tls# ll /var/log/tls/
total 300
drwxr-xr-x  2 root root   4096 Jun 10 00:54 ./
drwxr-xr-x 12 root root   4096 Jun 10 00:51 ../
-rw-------  1 root root   4609 Jun 10 00:52 rorate-2025-06-10T00-52-45.122.log
-rw-------  1 root root  13866 Jun 10 00:53 rorate-2025-06-10T00-53-15.122.log
-rw-------  1 root root 273080 Jun 10 00:53 rorate-2025-06-10T00-54-04.511.log
-rw-------  1 root root      0 Jun 10 00:54 rorate.log
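
The rotation the two flags describe, shown as an added example written for this page rather than eCapture's own code: a hypothetical RotatingFile sink that rotates by size or by age and reproduces the timestamped names and -rw------- mode in the listing above. The type, its injectable clock parameter and reading 1M as 1<<20 bytes are assumptions of this example.

```go
package main

import (
	"os"
	"path/filepath"
	"time"
)

// RotatingFile is a hypothetical stand-in for the file sink behind --eventaddr: it rotates when
// the active file would exceed sizeMB or timeSec seconds have passed since it was opened (0 disables a rule).
type RotatingFile struct {
	path            string
	sizeMB, timeSec uint16
	now             func() time.Time // clock (an assumption of this example): callers pass time.Now, tests a fake
	f               *os.File
	written         int64 // bytes appended since the active file was opened
	opened          time.Time
}

func NewRotatingFile(path string, sizeMB, timeSec uint16, now func() time.Time) (*RotatingFile, error) {
	r := &RotatingFile{path: path, sizeMB: sizeMB, timeSec: timeSec, now: now}
	return r, r.open()
}
// RotatedName reproduces the listing's names: rorate.log -> rorate-2025-06-10T00-52-45.122.log
func RotatedName(path string, t time.Time) string {
	return path[:len(path)-len(filepath.Ext(path))] + "-" + t.Format("2006-01-02T15-04-05.000") + filepath.Ext(path)
}
// open starts a fresh active file and resets the size and age counters.
func (r *RotatingFile) open() (err error) {
	r.f, err = os.OpenFile(r.path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600) // -rw-------, as in the listing
	r.written, r.opened = 0, r.now()
	return err
}
// Write rotates first when either limit would be crossed by p, then appends p.
func (r *RotatingFile) Write(p []byte) (int, error) {
	if (r.sizeMB > 0 && r.written+int64(len(p)) > int64(r.sizeMB)<<20) ||
		(r.timeSec > 0 && r.now().Sub(r.opened) >= time.Duration(r.timeSec)*time.Second) {
		if err := r.f.Close(); err != nil {
			return 0, err
		}
		if err := os.Rename(r.path, RotatedName(r.path, r.now())); err != nil {
			return 0, err
		}
		if err := r.open(); err != nil {
			return 0, err
		}
	}
	n, err := r.f.Write(p)
	r.written += int64(n)
	return n, err
}
```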

@chilli13 chilli13 force-pushed the feat/event-log-rorate branch from c5e0e01 to 1dc1106 Compare June 10, 2025 01:05
@cfc4n cfc4n (Member) left a comment:

Please modify it according to the comments, thank you.

@chilli13 chilli13 force-pushed the feat/event-log-rorate branch 2 times, most recently from 61e7889 to a8bc897 Compare June 11, 2025 04:12
LoggerAddr string `json:"logger_addr"` // Address for logger output
LoggerType uint8 `json:"logger_type"` // Logger type (0:stdout, 1:file, 2:tcp)
EventCollectorAddr string `json:"event_collector_addr"` // Address of the event collector server
EventCollectorRorateSize uint16 `json:"event_collector_rate_size"` // Rate size(MB) of the event collector file, 1M~65535M, only works for collector server is file
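Review bot: the field name, JSON tag and doc comment on the last line disagree: EventCollectorRorateSize is tagged event_collector_rate_size and described as "Rate size(MB)", while the flag it backs is --eventroratesize, a rotation size. Whichever spelling is kept, make the tag and comment match the field name, and have the comment say what the default 0 means, since the documented range starts at 1M.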
@cfc4n cfc4n (Member):

This is also redundant. Please restore this file.

@chilli13 chilli13 (Contributor Author):

These two variables are used by globalConf.EventCollectorAddr and globalConf.EventCollectorRorateSize; they cannot be removed.

@cfc4n cfc4n (Member) commented Jun 12, 2025:

@chilli13

Revert this file.

Add variable life

Please add rorateSize and rorateTime after ByteCodeFiles at line 51 in the cmd/root.go file, as well as the following changes.

rootCmd.PersistentFlags().Uint16Var(&rorateSize, "eventroratesize", 0, "the rorate size(MB) of the event collector file, 1M~65535M, only works for eventaddr server is file. --eventaddr=tls.log --eventroratesize=1 --eventroratetime=30")
rootCmd.PersistentFlags().Uint16Var(&rorateTime, "eventroratetime", 0, "the rorate time(s) of the event collector file, 1s~65535s, only works for eventaddr server is file. --eventaddr=tls.log --eventroratesize=1 --eventroratetime=30")

Remove code

rorateSize := globalConf.EventCollectorRorateSize
rorateTime := globalConf.EventCollectorRorateTime

@chilli13 chilli13 force-pushed the feat/event-log-rorate branch from a8bc897 to c19ab03 Compare June 12, 2025 08:50
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Jun 12, 2025
@chilli13 chilli13 force-pushed the feat/event-log-rorate branch 2 times, most recently from 1d45bb8 to c9b3a4b Compare June 12, 2025 09:06

@chilli13 chilli13 force-pushed the feat/event-log-rorate branch from c9b3a4b to 2774e18 Compare June 13, 2025 01:15
@chilli13 chilli13 force-pushed the feat/event-log-rorate branch from 2774e18 to 42fa386 Compare June 13, 2025 07:19
@cfc4n cfc4n (Member) left a comment:

LGTM, thanks.

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Jun 13, 2025
@cfc4n cfc4n merged commit 56f9dcf into gojue:master Jun 13, 2025
5 checks passed
@chilli13 chilli13 deleted the feat/event-log-rorate branch June 24, 2025 02:51