Provided by: wireshark-common_4.2.2-1.1build3_amd64
NAME
falcodump - Dump log data to a file using a Falco source plugin.
SYNOPSIS
falcodump [ --help ] [ --version ] [ --plugin-api-version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --plugin-source=<source path or URL> ]
DESCRIPTION
falcodump is an extcap tool that allows one to capture log messages from cloud providers. Each plugin is listed as a separate interface. For example, the AWS CloudTrail plugin is listed as “cloudtrail”.
OPTIONS
--help Print program arguments. This will also list the configuration arguments for each plugin. --version Print the program version. --plugin-api-version Print the Falco plugin API version. --extcap-interfaces List the available interfaces. --extcap-interface=<interface> Use the specified interface. --extcap-dlts List the DLTs of the specified interface. --extcap-config List the configuration options of specified interface. --extcap-capture-filter=<capture filter> The capture filter. Must be a valid Sysdig / Falco filter. --capture Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo. --fifo=<path to file or pipe> Save captured packet to file or send it through pipe. --plugin-source=<source path or URL> Capture from the specified location.
PLUGINS
cloudtrail (AWS CloudTrail) CloudTrail sources can be S3 buckets or SQS queue URLs. S3 bucket URLs have the form s3://bucket_name/AWSLogs/id/CloudTrail/region/year/month/day The region, year, month, and day components can be omitted in order to fetch more or less data. For example, the source s3://mybucket/AWSLogs/012345678/CloudTrail/us-west-2/2023 will fetch all CloudWatch logs for the year 2023. The cloudtrail plugin uses the AWS SDK for Go, which can obtain profile, region, and credential settings from a set of standard environment variables and configuration files <https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/>. Falcodump will show a list of locally configured profiles and the current regions, and will let you supply a custom value as well.
EXAMPLES
To see program arguments: falcodump --help To see program version: falcodump --version To see interfaces: falcodump --extcap-interfaces Only one interface (falcodump) is supported. Example output interface {value=cloudtrail}{display=Falco plugin} To see interface DLTs: falcodump --extcap-interface=cloudtrail --extcap-dlts Example output dlt {number=147}{name=cloudtrail}{display=USER0} To see interface configuration options: falcodump --extcap-interface=cloudtrail --extcap-config Example output arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture} arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture} arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture} arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture} To capture AWS CloudTrail events from an S3 bucket: falcodump --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs.../CloudTrail/us-east-2/... --capture Note CTRL + C should be used to stop the capture in order to ensure clean termination.
SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4)
NOTES
falcodump is part of the Logray distribution. The latest version of Logray can be found at https://www.wireshark.org. HTML versions of the Wireshark project man pages are available at https://www.wireshark.org/docs/man-pages.
AUTHORS
Original Author Gerald Combs <gerald[AT]wireshark.org> 2024-04-16 FALCODUMP(1)