Fluent Bit Integration
Overview
Fluent Bit is a lightweight, high-performance log processor and forwarder that serves as the bridge between Anchore Enterprise event files and your destination system. This guide covers deploying Fluent Bit as a sidecar container to forward events to external systems.
Prerequisites
- Data event streaming enabled in Anchore Enterprise
- Shared volume configured between Reports Worker and Fluent Bit
- Network access from Fluent Bit to your destination system
Architecture
Fluent Bit runs as a sidecar container alongside the Reports Worker, sharing a volume for event files:
┌─────────────────────────────────────────────────────────────────────┐
│                           Kubernetes Pod                              │
│  ┌─────────────────┐               ┌─────────────────────────┐      │
│  │ Reports Worker  │               │       Fluent Bit        │      │
│  │                 │               │                         │      │
│  │ Data Event      │               │   Tail Input Plugin     │      │
│  │ Emitter         │               │           │             │      │
│  └────────┬────────┘               │           ▼             │      │
│           │                        │      JSON Parser        │      │
│           │ writes                 │           │             │      │
│           ▼                        │           ▼             │      │
│  ┌──────────────────────────┐      │     Output Plugin ──────┼──────┼──► Splunk/Elastic/etc
│  │ /var/log/anchore/events/ │◄─────┤      (HTTP/HEC)         │      │
│  │                          │ reads│                         │      │
│  └──────────────────────────┘      └─────────────────────────┘      │
│         Shared Volume                                                │
└─────────────────────────────────────────────────────────────────────┘
Deployment
Kubernetes (Helm)
Add a Fluent Bit sidecar to your Anchore Enterprise deployment by modifying your Helm values. This example runs Fluent Bit as a native sidecar (an init container with restartPolicy: Always), which requires a Kubernetes version with sidecar container support (enabled by default from 1.29):
reportsWorker:
  extraVolumes:
    - name: anchore-events
      emptyDir: {}
    - name: fluent-bit-config
      configMap:
        name: fluent-bit-config
        defaultMode: 0644
    - name: fluent-bit-lua-helpers
      configMap:
        name: fluent-bit-lua-helpers
        defaultMode: 0644
  extraVolumeMounts:
    - name: anchore-events
      mountPath: /var/log/anchore/events
  initContainers:
    - name: fluent-bit
      image: fluent/fluent-bit:latest
      imagePullPolicy: IfNotPresent
      restartPolicy: Always
      ports:
        - containerPort: 2020
          name: metrics
          protocol: TCP
      volumeMounts:
        - name: fluent-bit-config
          mountPath: /fluent-bit/etc/fluent-bit.conf
          subPath: fluent-bit.conf
          readOnly: true
        - name: fluent-bit-config
          mountPath: /fluent-bit/etc/parsers.conf
          subPath: parsers.conf
          readOnly: true
        - name: fluent-bit-lua-helpers
          mountPath: /fluent-bit/etc/anchore_helpers.lua
          subPath: anchore_helpers.lua
        - name: anchore-events
          mountPath: /var/log/anchore/events
Create a ConfigMap for Fluent Bit configuration:
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
data:
  fluent-bit.conf: |
    [SERVICE]
        Flush                1
        Daemon               Off
        Log_Level            info
        Parsers_File         parsers.conf
        HTTP_Server          On
        HTTP_Listen          0.0.0.0
        HTTP_Port            2020

    [INPUT]
        Name                 tail
        Path                 /var/log/anchore/events/events.json.*
        Tag                  anchore.events
        Parser               json
        DB                   /var/log/anchore/events/offsets.db
        Mem_Buf_Limit        64MB
        Buffer_Chunk_Size    32MB
        Buffer_Max_Size      64MB
        Skip_Long_Lines      Off
        Refresh_Interval     10
        Rotate_Wait          5
        Read_from_Head       On

    [FILTER]
        Name                 modify
        Match                anchore.events
        Add                  anchore_service reports_worker

    [OUTPUT]
        Name                 splunk
        Match                anchore.events
        Host                 ${SPLUNK_HEC_HOST}
        Port                 ${SPLUNK_HEC_PORT}
        TLS                  On
        TLS.Verify           On
        Splunk_Token         ${SPLUNK_HEC_TOKEN}
        Splunk_Send_Raw      Off
        Event_Host           anchore-enterprise
        Event_Sourcetype     anchore:events
        Retry_Limit          5

  parsers.conf: |
    [PARSER]
        Name          json
        Format        json
        Time_Key      timestamp
        Time_Format   %Y-%m-%dT%H:%M:%S.%LZ
        Time_Keep     On
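After creating the ConfigMap, apply it and roll the new values out to the Reports Worker, then confirm the sidecar is tailing event files. A minimal sketch; the namespace, release name, chart reference, and deployment name in angle brackets are placeholders for your own installation:

# Create the Fluent Bit ConfigMap (and the Lua helpers ConfigMap, if you use one)
kubectl apply -n <namespace> -f fluent-bit-configmap.yaml

# Apply the updated values to the Anchore Enterprise release
helm upgrade <release> <anchore-chart> -n <namespace> -f values.yaml

# Confirm the sidecar started and the tail input picked up the event files
kubectl logs -n <namespace> deploy/<reports-worker-deployment> -c fluent-bit | grep -i tail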
Docker Compose
Add Fluent Bit to your Docker Compose configuration:
services:
  fluent-bit:
    image: fluent/fluent-bit:latest
    restart: unless-stopped
    volumes:
      - ./fluent-bit/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf:ro
      - ./fluent-bit/parsers.conf:/fluent-bit/etc/parsers.conf:ro
      - anchore-events:/var/log/anchore:rw
    environment:
      SPLUNK_HEC_HOST: "${SPLUNK_HEC_HOST:-splunk}"
      SPLUNK_HEC_PORT: "${SPLUNK_HEC_PORT:-8088}"
      SPLUNK_HEC_TOKEN: "${SPLUNK_HEC_TOKEN}"
    ports:
      - "2020:2020"
    depends_on:
      - reports-worker
    networks:
      - anchore-network

volumes:
  anchore-events:
Create the configuration files in a fluent-bit/ directory:
fluent-bit/fluent-bit.conf:
[SERVICE]
    Flush                1
    Daemon               Off
    Log_Level            info
    Parsers_File         parsers.conf
    HTTP_Server          On
    HTTP_Listen          0.0.0.0
    HTTP_Port            2020

[INPUT]
    Name                 tail
    Path                 /var/log/anchore/events/events.json.*
    Tag                  anchore.events
    Parser               json
    DB                   /var/log/anchore/events/offsets.db
    Mem_Buf_Limit        64MB
    Buffer_Chunk_Size    32MB
    Buffer_Max_Size      64MB
    Skip_Long_Lines      Off
    Refresh_Interval     10
    Rotate_Wait          5
    Read_from_Head       On

[FILTER]
    Name                 modify
    Match                anchore.events
    Add                  anchore_service reports_worker

[OUTPUT]
    Name                 splunk
    Match                anchore.events
    Host                 ${SPLUNK_HEC_HOST}
    Port                 ${SPLUNK_HEC_PORT}
    TLS                  On
    TLS.Verify           On
    Splunk_Token         ${SPLUNK_HEC_TOKEN}
    Splunk_Send_Raw      Off
    Event_Host           anchore-enterprise
    Event_Sourcetype     anchore:events
    Retry_Limit          5
fluent-bit/parsers.conf:
[PARSER]
    Name          json
    Format        json
    Time_Key      timestamp
    Time_Format   %Y-%m-%dT%H:%M:%S.%LZ
    Time_Keep     On
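To bring the sidecar up and confirm it is reading and forwarding events, something like the following should work; it assumes the service names from the Compose fragment above and the HTTP_Server settings shown in fluent-bit.conf:

# Start Fluent Bit alongside the existing services
docker compose up -d fluent-bit

# Watch Fluent Bit's own logs for tail activity and output errors
docker compose logs -f fluent-bit

# The built-in HTTP server exposes runtime metrics on port 2020
curl -s http://localhost:2020/api/v1/metrics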
Configuration Reference
Input Configuration
The tail input plugin monitors event files and tracks read positions:
| Parameter | Value | Description |
|---|---|---|
| Name | tail | Use the tail input plugin |
| Path | /var/log/anchore/events/events.json.* | Pattern matching event files |
| Tag | anchore.events | Tag for routing to outputs |
| Parser | json | Parse each line as JSON |
| DB | /var/log/anchore/events/offsets.db | SQLite database for position tracking |
| Mem_Buf_Limit | 64MB | Memory buffer limit |
| Buffer_Chunk_Size | 32MB | Buffer chunk size for reading |
| Buffer_Max_Size | 64MB | Maximum buffer size per file |
| Read_from_Head | On | Read from beginning for new files |
| Refresh_Interval | 10 | Seconds between file checks |
| Rotate_Wait | 5 | Seconds to wait before processing rotated files |
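Each line of an events.json.* file is a single JSON document; the json parser turns it into one record, promotes the timestamp field to the record's time, and forwards the remaining fields unchanged (including event, which the routing examples later in this guide match on). The line below is purely illustrative; apart from timestamp and event, the field names and values are hypothetical and will differ from your actual event payloads:

{"timestamp": "2024-05-01T12:34:56.789Z", "event": "image.vulnerability_report", "account": "admin", "data": {"...": "..."}}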
Buffer Sizing
Vulnerability report events can be large, ranging from tens of kilobytes to a few megabytes each. The buffer settings should accommodate your largest expected events:
| Event Type | Typical Size | Recommended Buffer |
|---|---|---|
| Vulnerability Report (few CVEs) | 10-50 KB | 32 MB |
| Vulnerability Report (many CVEs) | 100-500 KB | 64 MB |
| Vulnerability Report (large image) | 500 KB - 2 MB | 128 MB |
| Policy Evaluation | 5-20 KB | 32 MB |
For large images with many vulnerabilities, increase the buffer settings:
[INPUT]
    ...
    Mem_Buf_Limit        128MB
    Buffer_Chunk_Size    64MB
    Buffer_Max_Size      128MB
Position Tracking
Fluent Bit uses an SQLite database to track which events have been read and forwarded. This ensures:
- Events are not re-sent after Fluent Bit restarts
- Each file is tracked independently by inode
- Progress is persistent across container restarts
The position database is stored at the path specified by DB and should be on the same volume as the event files.
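If you need to see what has been recorded, the database can be inspected with the sqlite3 CLI. A minimal sketch; the in_tail_files table and its columns reflect the schema recent Fluent Bit releases use for the tail plugin and may vary between versions:

# Show each tracked file with the byte offset Fluent Bit has read up to
sqlite3 /var/log/anchore/events/offsets.db \
  "SELECT name, offset, inode, rotated FROM in_tail_files;"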
Output Plugins
Fluent Bit supports multiple output destinations. Common options include:
Splunk
See the Splunk Integration guide for detailed configuration.
[OUTPUT]
    Name             splunk
    Match            anchore.events
    Host             ${SPLUNK_HEC_HOST}
    Port             ${SPLUNK_HEC_PORT}
    TLS              On
    TLS.Verify       On
    Splunk_Token     ${SPLUNK_HEC_TOKEN}
Elasticsearch
[OUTPUT]
    Name             es
    Match            anchore.events
    Host             elasticsearch.example.com
    Port             9200
    Index            anchore-events
    Type             _doc
    TLS              On
    TLS.Verify       On
    HTTP_User        ${ES_USER}
    HTTP_Passwd      ${ES_PASSWORD}
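Elasticsearch 8 removed mapping types, so the Type _doc line above applies to older clusters. For Elasticsearch 8 or later, a sketch of the adjusted output that drops Type and suppresses type names:

[OUTPUT]
    Name                 es
    Match                anchore.events
    Host                 elasticsearch.example.com
    Port                 9200
    Index                anchore-events
    Suppress_Type_Name   On
    TLS                  On
    TLS.Verify           On
    HTTP_User            ${ES_USER}
    HTTP_Passwd          ${ES_PASSWORD}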
HTTP (Generic Webhook)
[OUTPUT]
    Name             http
    Match            anchore.events
    Host             webhook.example.com
    Port             443
    URI              /api/events
    Format           json
    TLS              On
    TLS.Verify       On
    Header           Authorization Bearer ${API_TOKEN}
Stdout (Debugging)
For troubleshooting, add stdout output to see events in container logs:
[OUTPUT]
    Name      stdout
    Match     anchore.events
    Format    json_lines
Filtering and Transformation
Adding Metadata
Add custom fields to all events:
[FILTER]
    Name      modify
    Match     anchore.events
    Add       environment production
    Add       cluster_name my-cluster
    Add       anchore_service reports_worker
Filtering by Event Type
Route different event types to different outputs:
[FILTER]
    Name      rewrite_tag
    Match     anchore.events
    Rule      $event ^(image\.vulnerability_report)$ vuln.$1 false
    Rule      $event ^(tag\.policy_evaluation)$ policy.$1 false

[OUTPUT]
    Name             splunk
    Match            vuln.*
    Host             ${SPLUNK_HEC_HOST}
    Splunk_Token     ${VULN_TOKEN}
    Event_Index      vulnerabilities

[OUTPUT]
    Name             splunk
    Match            policy.*
    Host             ${SPLUNK_HEC_HOST}
    Splunk_Token     ${POLICY_TOKEN}
    Event_Index      policy_evaluations
Troubleshooting
No Events Forwarded
Check event files exist:
ls -la /var/log/anchore/events/Verify Fluent Bit can read files:
docker logs <fluent-bit-container> 2>&1 | grep -i "tail"Check position database:
ls -la /var/log/anchore/events/offsets.dbEnable debug logging:
[SERVICE] Log_Level debug
Connection Errors
1. Verify network connectivity:

   # From inside the Fluent Bit container
   curl -k https://${SPLUNK_HEC_HOST}:${SPLUNK_HEC_PORT}/services/collector/health

2. Check TLS settings: if you are using self-signed certificates, you may need TLS.Verify Off (not recommended for production).

3. Verify credentials by testing the HEC token directly:

   curl -k -X POST "https://${SPLUNK_HEC_HOST}:${SPLUNK_HEC_PORT}/services/collector/event" \
     -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" \
     -d '{"event": "test"}'
Buffer Overflow
If you see buffer full errors:
1. Increase the buffer limits:

   Mem_Buf_Limit      128MB
   Buffer_Max_Size    128MB

2. Check destination throughput: events may be produced faster than they can be forwarded.

3. Consider adding backpressure handling with storage.type filesystem, as sketched below.
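A sketch of filesystem buffering applied to the configuration in this guide; the storage.path value is an assumption and should point to a writable directory, ideally on a persistent volume rather than the shared emptyDir:

[SERVICE]
    ...
    storage.path                 /var/lib/fluent-bit/storage/
    storage.sync                 normal
    storage.backlog.mem_limit    16M

[INPUT]
    Name            tail
    ...
    storage.type    filesystem

[OUTPUT]
    Name                        splunk
    ...
    storage.total_limit_size    512M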
Re-sending All Events
To reset position tracking and re-send all events:
# Stop Fluent Bit
# Delete the position database
rm /var/log/anchore/events/offsets.db
# Restart Fluent Bit
Warning
Re-sending all events will create duplicate events in your destination system. Use with caution.
Next Steps
- Configure Splunk integration for security dashboards
- Review Data Stream Configuration options