I’m pleased to announce the release of Fibratus 0.4.0. The notable features of this release are per-pid process spying, an Elasticsearch output adapter and configuration-based process exclusions.
Per-pid process spying
Let me introduce the --pid command line option, which lets you attach to a given process and spy on its activity. For example, here is the output when attached to the Chrome process:
Here we can observe the file system operations, the registry activity and the network requests performed by the Chrome process. If you want to narrow the scope of a trace to specific kernel events, use process spying in combination with the --filters flag.
Streaming kernel events to Elasticsearch
The kernel event stream can now be emitted to Elasticsearch via the Elasticsearch output adapter.
It can perform per-document indexing as well as bulk indexing. The elasticsearch accessor is injected into the filament at runtime. For more information, see the fibratus.yml configuration descriptor.
To avoid the overhead of unnecessary kernel events, you can exclude them from the trace.
Just add the process name (including the extension) to the fibratus.yml configuration file.
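As an added illustration (not code from the Fibratus project or from this post), the Python below models the three features described above on a constructed event sample: pid-scoped spying narrowed by event type (the --pid and --filters combination), process-name exclusions as a defender would configure them to cut trace noise, and the difference between per-document indexing and an Elasticsearch _bulk request body. The event record shape, the field and function names, the index name and the `_doc` endpoint are assumptions for the example, not Fibratus internals or its YAML schema; only the NDJSON layout of the _bulk body is the real Elasticsearch wire format.

```python
"""Model of pid-scoped spying, process exclusions and bulk vs. per-document
indexing. Added example, not Fibratus code; all names are constructed."""
import json

# Constructed sample of kernel events in the shape the post describes:
# file system, registry and network activity attributed to a pid.
SAMPLE_EVENTS = [
    {"pid": 4120, "proc": "chrome.exe", "type": "CreateFile",
     "params": {"file": r"C:\Users\me\AppData\Local\Google\Chrome\User Data\Cookies"}},
    {"pid": 4120, "proc": "chrome.exe", "type": "RegOpenKey",
     "params": {"key": r"HKCU\Software\Google\Chrome"}},
    {"pid": 4120, "proc": "chrome.exe", "type": "Send",
     "params": {"dip": "203.0.113.10", "dport": 443}},
    {"pid": 1234, "proc": "svchost.exe", "type": "RegQueryValue",
     "params": {"key": r"HKLM\SYSTEM\CurrentControlSet\Services"}},
    {"pid": 2200, "proc": "notepad.exe", "type": "CreateFile",
     "params": {"file": r"C:\temp\notes.txt"}},
    {"pid": 4120, "proc": "chrome.exe", "type": "CreateFile",
     "params": {"file": r"C:\Users\me\Downloads\setup.exe"}},
]


def spy(events, pid, filters=None):
    """Model of --pid (plus optional --filters): keep only events of one
    process, optionally narrowed to the named kernel event types."""
    wanted = set(filters) if filters else None
    return [e for e in events
            if e["pid"] == pid and (wanted is None or e["type"] in wanted)]


def exclude_processes(events, excluded_images):
    """Model of the fibratus.yml process exclusions: drop events whose image
    name (with extension) is on the list. Windows image names are
    case-insensitive, so the comparison is too."""
    skip = {name.lower() for name in excluded_images}
    return [e for e in events if e["proc"].lower() not in skip]


def to_document(event):
    """Flatten one event into the JSON document that would be indexed."""
    doc = {"pid": event["pid"], "process": event["proc"], "kevent": event["type"]}
    doc.update(event["params"])
    return doc


def per_document_requests(events, index="kevents"):
    """Per-document indexing: one (method, path, body) request per event.
    The /_doc endpoint is an assumption for the example."""
    return [("POST", f"/{index}/_doc", json.dumps(to_document(e))) for e in events]


def bulk_body(events, index="kevents"):
    """Bulk indexing: the Elasticsearch _bulk body is NDJSON, an action line
    followed by a source line per document, and must end with a newline.
    One POST carries N documents, which is the overhead saved over N
    per-document requests."""
    lines = []
    for e in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(to_document(e)))
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    chrome = spy(SAMPLE_EVENTS, pid=4120, filters=["CreateFile", "Send"])
    kept = exclude_processes(SAMPLE_EVENTS, ["svchost.exe"])
    print(f"{len(chrome)} chrome events selected, {len(kept)} events left after exclusions")
    print(bulk_body(chrome), end="")
```

Running the module prints the filtered Chrome events as a ready-to-POST _bulk body; the exclusion list is the place to put the chatty, trusted images that would otherwise dominate the index.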
If you have any feedback or want to contribute, you can reach out via GitHub or drop me an email.