Open in app

Sign in

Write

Sign in

Mastering Linux Monitoring with Tetragon and Wazuh

SOCFortress
4 min readFeb 4, 2025

--

In this post, we’ll explore how to use Tetragon, a powerful eBPF-based monitoring tool, to gain deep visibility into your Linux endpoints. We’ll then integrate Tetragon with Wazuh to forward those security events to your SIEM stack, enabling comprehensive analysis and detection in real-time.

WHAT IS TETRAGON?

Tetragon is an open-source runtime security and observability platform built on eBPF. By hooking into the Linux kernel, Tetragon can monitor:

• Process executions and exits

• System calls

• Network connections

• Various other kernel-level activities

This level of insight is crucial for diagnosing security events, building proactive defense rules, and investigating suspicious processes or network connections.

INSTALLING TETRAGON

Download and extract Tetragon (example commands):

https://tetragon.io/docs/installation/package/

curl -LO https://github.com/cilium/tetragon/releases/download/v1.3.0/tetragon-v1.3.0-amd64.tar.gz

Extract the downloaded archive, and start the install script to install Tetragon. Feel free to inspect the script before starting it.

tar -xvf tetragon-v1.3.0-amd64.tar.gz
cd tetragon-v1.3.0-amd64/
sudo ./install.sh
sudo systemctl status tetragon

You should see the Tetragon service marked as active/running.

By default, Tetragon logs events — like process executions and exits — to /var/log/tetragon/tetragon.log. You can watch events in real-time:

tail -f /var/log/tetragon/tetragon.log

Try running simple commands (e.g., cat /etc/passwd or telnet youtube.com 443) to see Tetragon capture and log process and network activity.

EXTENDING NETWORK MONITORING

You can create custom .yaml files in Tetragon’s tetragon.tp.d folder to expand what gets monitored (for example, adding additional network data like destination IP and ports).

nano /etc/tetragon/tetragon.tp.d/network-monitoring.yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "connect-only-local-addrs"
spec:
  kprobes:
  - call: "tcp_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
        - "10.0.0.0/8"
  - call: "ip4_datagram_connect"
    syscall: false
    args:
    - index: 0
      type: "sock"
    selectors:
    - matchArgs:
      - index: 0
        operator: "NotDAddr"
        values:
        - "127.0.0.0/8"
systemctl restart tetragon

After doing this, running telnet youtube.com 443 (or any network command) will log extra details in /var/log/tetragon/tetragon.log, such as the resolved IP address and destination port.

EXCLUDING NOISY EVENTS

Sometimes certain scripts or processes (like open-audit.sh) produce repetitive logs. Tetragon supports exclusion rules:

1. Go to /etc/tetragon/tetragon.conf/.

2. Create or edit a file (e.g., export-denylist <-must be the filename) and specify filters like:

{"event_set": ["PROCESS_EXEC", "PROCESS_EXIT"], "binary_regex": ["^/bin/bash$", "^/usr/bin/bash$"],"arguments_regex":["/usr/share/socfortress/scripts/open-audit.sh"]}
{"event_set":["PROCESS_EXEC","PROCESS_EXIT"],"parent_binary_regex":["^/usr/bin/bash$"],"parent_arguments_regex":["/usr/share/socfortress/scripts/open-audit.sh"]}
systemctl restart tetragon

You can also exclude parent processes similarly (using parent_binary or parent_arguments). This helps reduce unnecessary noise in your logs.

INTEGRATING TETRAGON WITH WAZUH

1. CREATING WAZUH RULES

Wazuh must recognize Tetragon’s JSON-formatted logs. Test Tetragon log entries with the Wazuh ruleset tool. If no rule matches, create a new rule file (e.g., 700000-tetragon.xml) in the Wazuh manager’s rules directory with something like:

<group name="tetragon,">
  <rule id="700000" level="5">
    <decoded_as>json</decoded_as>
    <field name="process_exec.process.exec_id">\.*</field>
    <options>no_full_log</options>
 <group>process_exec,</group>
 <description>Process execution detected.</description>
  </rule>
  <rule id="700001" level="5">
    <decoded_as>json</decoded_as>
    <field name="process_exit.process.exec_id">\.*</field>
    <options>no_full_log</options>
 <group>process_exit,</group>
 <description>Process exit detected.</description>
  </rule>
  <rule id="700002" level="5">
    <decoded_as>json</decoded_as>
    <field name="process_kprobe.process.exec_id">\.*</field>
    <options>no_full_log</options>
 <group>process_kprobe,</group>
 <description>Kernel probe detected.</description>
  </rule>
</group>

Restart the Wazuh manager:

systemctl restart wazuh-manager

Test again with the rule test to confirm the rule fires.

2. CONFIGURING THE WAZUH AGENT TO COLLECT TETRAGON LOGS

In your Wazuh manager’s endpoint group configuration (or local ossec.conf on the Linux host), add:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/tetragon/tetragon.log</location>
 </localfile>

This tells the Wazuh agent to collect Tetragon’s main log. Once saved, Wazuh will restart the agent on that endpoint automatically.

3. VIEWING TETRAGON EVENTS IN YOUR SIEM

Use your SIEM dashboard (Graylog, Grafana, Wazuh Dashboards, etc.) to view Tetragon events. For instance, in Graylog, filter on rule.groups:“tetragon” to find matching alerts. You’ll see:

• Process arguments, environment, and working directory

• Network activity (IP addresses, ports, etc.)

  • Metadata such as user ID, time, and command history

PUTTING IT ALL TOGETHER

By leveraging Tetragon’s eBPF-based monitoring in combination with Wazuh, you gain:

1. Deep visibility into process/network events on Linux

2. Centralized logging within your existing SIEM stack

3. Fine-grained control to exclude noisy processes

4. Future scalability for advanced correlation and potential blocking

Tetragon is exceptionally powerful for runtime observability, while Wazuh remains your centralized SIEM and analysis layer. Together, they provide near real-time insight and detection for Linux endpoints.

NEXT STEPS

• Build correlation rules around Tetragon’s execution IDs to reconstruct complex attack chains

• Leverage Tetragon’s ability to block or deny certain process actions proactively

  • Integrate with containers or Kubernetes clusters for a holistic DevOps security view

CONCLUSION

With Tetragon and Wazuh working together, you can capture key system events at the kernel level and escalate them to your SIEM for thorough analysis and alerting. From installation to custom exclusions, you now have a blueprint for integrating these two powerful open-source solutions.

Stay tuned for more advanced use cases — like correlating full kill chains and adding proactive blocking. Happy defending!

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Cybersecurity
Open Source
Infosec
Siem
Socfortress

--

--

SOCFortress
SOCFortress

Written by SOCFortress

3.9K Followers
2 Following

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams