Logstash container with the required plugins to push to Azure Sentinel
Pre requisites:
brew install lima
brew install helm
brew install k9sYou can reference the worklows.garden.yaml in the archived POC for various helm chart set ups:
git clone org-118997105@github.com:portswigger-cloud/saas-platform-poc.gitStep 1:
Set up the local kuberne'test cluster.
First export kubeconfig.yaml which contains certs etc into local shell:
mkdir -p "${HOME}/.lima/falco-k8s/conf"
export KUBECONFIG="${HOME}/.lima/falco-k8s/conf/kubeconfig.yaml"
limactl shell falco-k8s sudo cat /etc/kubernetes/admin.conf >$KUBECONFIG
chmod 0600 ${KUBECONFIG}Then start the k8s container:
limactl start --name=falco-k8s template://k8s --tty=falseList containers:
limactl listNext install falco and logstash: To run falco on mac, we set this driver: modern-bpf. We also set 'enabled: true' in falco.yaml to ensure falcosidekick is installed.
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install -f falco.yaml falco falcosecurity/falco --namespace falco --create-namespaceThen add and install the logstash container:
helm repo add elastic https://helm.elastic.co
helm install -f logstash.yaml logstash elastic/logstash --namespace observability --create-namespaceYou can release new versions of the chart like this:
helm upgrade -f logstash.yaml logstash elastic/logstash --namespace observability --create-namespaceVoila! If you now jump onto the cluster with k9s you should see an up and running falco and logstash, where logstash will be listening for logs from falco and forwarding them to Azure Sentinel.
Now we have the option to generate dummy events in falco to test the log flow. ! Event generator is noisy so stop it swiftly or you'll end up drowning in logs.
Start generating events:
helm upgrade --install --atomic event-generator falco-security/event-generator --namespace event-generator --create-namespace --set config.actions=""Stop generating events:
helm uninstall -n event-generator event-generator