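# Fetch the upstream fluent-bit Helm chart plus a test values file, deploy it as
# release "flb-falco-test", then print every pod's log once.
# Requires git, helm, kubectl, kubectx/kubens and "grab" (download helper, see
# the URL below) on PATH; the kube context is selected interactively below.
mkdir -p fluentbit/
cd fluentbit/ || exit 1
# NOTE(review): the clone is unpinned -- check out a known tag or commit of
# helm-charts before deploying so the chart content is reproducible and
# reviewable (supply-chain hygiene for anything that runs cluster-wide as a
# DaemonSet).
git clone https://github.com/fluent/helm-charts.git
cd helm-charts/charts/fluent-bit/ || exit 1
vi flb-falco-test.yaml
# Ready-made values file from a third-party host: read it before applying it.
grab https://pub.nethence.com/bin/blue-team/flb-falco-test.yaml

# Choose cluster and namespace interactively.
kubectx
kubens -c
# Drop any previous attempt; a missing release is not an error here.
helm uninstall flb-falco-test || true
helm install flb-falco-test . --values=flb-falco-test.yaml
# Re-run after editing the values file.
helm upgrade flb-falco-test . --values=flb-falco-test.yaml

kubectl get nodes
kubectl get ds
kubectl get pods | grep '^flb-falco-test'

# Collect the release's pod names (first column) into an array instead of a
# word-split string held in backticks.
mapfile -t pods < <(kubectl get pods | awk '/^flb-falco-test/ { print $1 }')
for pod in "${pods[@]}"; do
  kubectl logs "$pod"   # add --tail=5 to keep the output short
done
# $pod is intentionally left set (last pod of the list): the live-log and exec
# steps that follow reuse it, so it must not be unset here.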
Check the Falco logs live:
# Stream the logs of every pod labelled as Falco (long-form flags for clarity).
kubectl logs --follow --selector='app.kubernetes.io/name=falco'
Also check the flb-falco-test logs live:
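# Re-run "kubectl logs --tail=10" against one flb-falco-test pod every second.
# ${pod:?} aborts with a message when pod is unset or empty instead of having
# watch repeat a kubectl call with no pod name; watch hands the command to
# sh -c, so the name is expanded and quoted here, not inside watch.
watch -n1 -- kubectl logs "${pod:?set pod to an flb-falco-test pod name}" --tail=10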
Generate a Falco alert by opening an interactive shell inside a pod:
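# Open an interactive shell in the pod named by $pod. This is the test stimulus
# for the pipeline: the resulting event is expected in the Falco logs and in
# the flb-falco-test output. ${pod:?} fails fast when pod is unset or empty
# rather than exec'ing into whatever kubectl resolves from an empty argument.
kubectl exec -ti "${pod:?set pod to an flb-falco-test pod name}" -- bash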
==> the alert should show up in the Falco pod logs and also in the flb-falco-test pods' output
If so, you are ready to ship those events to OpenSearch.
https://docs.fluentbit.io/manual/administration/buffering-and-storage
https://docs.fluentbit.io/manual/pipeline/inputs/tail
https://docs.fluentbit.io/manual/pipeline/filters/nest
FW https://yossicohn.medium.com/fluent-bit-configuration-for-kubernetes-with-cri-38ea88ad6a7c
https://github.com/microsoft/fluentbit-containerd-cri-o-json-log
https://github.com/fluent/fluent-bit/issues/3819
==> set up a new index template
https://github.com/fluent/fluent-bit/issues/714
==> define a custom parser without time_key