Description
The userspace Rust daemon currently ingests eBPF ringbuffer trace payloads, enriches them with cluster metadata, and exposes metrics over HTTP. To support users who route security events directly to SIEM solutions (e.g., Elasticsearch, Splunk, Datadog), the daemon should also be able to write events natively as JSON to a local file path when configured to do so.
Proposed Scope
- Introduce a command-line flag (e.g. `--export-json="/var/log/sentinelml.json"`) parsed in the daemon entrypoint.
- Build an async append loop using `tokio::fs::OpenOptions` and `serde_json` to append enriched threat structures to the configured file whenever telemetry alerts fire.
- Ensure the daemon handles file-write permission failures gracefully (log a warning instead of panicking or crashing the daemon process).
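A sketch of the append-and-fail-soft behaviour described above, added here as an illustration and not code from the daemon: it uses only the standard library (synchronous `std::fs::OpenOptions` and a hand-rolled serializer in place of `tokio::fs` and `serde_json`), the `ThreatEvent` field names are assumptions, and a write failure is logged and reported as `false` rather than propagated as a panic.

```rust
use std::fs::OpenOptions;
use std::io::{self, Write};
use std::path::Path;

/// One enriched event (constructed shape; field names are an assumption).
pub struct ThreatEvent<'a> {
    pub ts_ns: u64,
    pub pid: u32,
    pub pod: &'a str,
    pub rule: &'a str,
}

/// Escape a string for embedding in a JSON string literal.
pub fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Serialize one event as a single newline-terminated JSON object (JSON Lines).
pub fn to_json_line(ev: &ThreatEvent) -> String {
    format!(
        "{{\"ts_ns\":{},\"pid\":{},\"pod\":\"{}\",\"rule\":\"{}\"}}\n",
        ev.ts_ns, ev.pid, json_escape(ev.pod), json_escape(ev.rule)
    )
}

/// Append one event to `path`. Returns true on success; on any I/O error
/// (permission denied, missing directory, ...) it logs a warning and returns
/// false so the caller keeps running. A real daemon would use its logger here.
pub fn append_event(path: &Path, ev: &ThreatEvent) -> bool {
    let line = to_json_line(ev);
    let result = OpenOptions::new()
        .create(true)
        .append(true)
        .open(path)
        .and_then(|mut f| f.write_all(line.as_bytes()));
    match result {
        Ok(()) => true,
        Err(e) if e.kind() == io::ErrorKind::PermissionDenied => {
            eprintln!("warn: no write permission for {}: {e}", path.display());
            false
        }
        Err(e) => {
            eprintln!("warn: could not append to {}: {e}", path.display());
            false
        }
    }
}
```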
Expected Files to Modify
- Open-source Rust daemon source files (CLI arguments parser, event routers).
Verification Steps
- Run `cargo fmt --check && cargo clippy` to ensure formatting conforms to our standard styles.
- Spin up the daemon locally targeting a mock destination path and verify JSON payloads parse successfully.