Kernel-Stream is a full-stack, real-time Linux observability pipeline engineered to trace process execution end-to-end. It hooks `sched_process_exec` inside the Linux kernel using eBPF, captures and structures events in a C++ agent, serializes telemetry with Protobuf, streams it through gRPC to a Python aggregation layer, and fans out live updates to a React dashboard over WebSockets. The result is a low-latency telemetry path from kernel events to operator-facing visualization.

```mermaid
graph LR
    A[Linux Kernel<br/>sched_process_exec tracepoint]
    B[C++ eBPF Agent<br/>libbpf + ring buffer]
    C[Python Aggregator<br/>gRPC server + Socket.IO bridge]
    D[React Dashboard<br/>Recharts + real-time table]
    A --> B
    B -->|Protobuf over gRPC| C
    C -->|WebSocket broadcast| D
```

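
As an added illustration of the first hop in this pipeline (not code from Kernel-Stream itself), the plain C example below decodes the raw record layout that a program attached to `sched_process_exec` receives, bounds-checking the `__data_loc` filename locator before copying. The `exec_event` struct and the `decode_exec` name are assumptions; the field layout follows the tracepoint's format file, and the sample record is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of a record; see events/sched/sched_process_exec/format in tracefs. */
struct exec_raw {
    uint16_t common_type;
    uint8_t  common_flags, common_preempt_count;
    int32_t  common_pid;
    uint32_t data_loc_filename; /* low 16 bits: offset, high 16 bits: length */
    int32_t  pid, old_pid;
};

/* Hypothetical structured event; not Kernel-Stream's own schema. */
struct exec_event {
    int32_t pid, old_pid;
    char    filename[256];
};

/* Returns 0 on success, -1 on a truncated record or out-of-range locator. */
int decode_exec(const uint8_t *rec, size_t len, struct exec_event *out)
{
    struct exec_raw raw;
    if (len < sizeof(raw))
        return -1;
    memcpy(&raw, rec, sizeof(raw)); /* rec may be unaligned */
    size_t off  = raw.data_loc_filename & 0xFFFF;
    size_t flen = raw.data_loc_filename >> 16;
    if (off < sizeof(raw) || flen == 0 || off + flen > len)
        return -1;
    /* Clamp to the destination buffer and always NUL-terminate. */
    size_t n = flen < sizeof(out->filename) ? flen : sizeof(out->filename) - 1;
    memcpy(out->filename, rec + off, n);
    out->filename[n] = '\0';
    out->pid = raw.pid; out->old_pid = raw.old_pid;
    return 0;
}

int main(void)
{
    uint8_t buf[64] = {0}; /* constructed sample record */
    struct exec_raw r = { .data_loc_filename = (12u << 16) | (uint32_t)sizeof(struct exec_raw), .pid = 4242 };
    memcpy(buf, &r, sizeof(r));
    memcpy(buf + sizeof(r), "/usr/bin/id", 12); /* 11 chars + NUL */
    struct exec_event ev;
    if (decode_exec(buf, sizeof(r) + 12, &ev) == 0)
        printf("pid=%d exec=%s\n", ev.pid, ev.filename);
    return 0;
}
```
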
- Kernel / Agent
  - Linux eBPF (`tp/sched/sched_process_exec`)
  - libbpf + BPF ring buffer
  - C++ userspace loader/client
  - Protobuf + gRPC C++ stubs
- Backend
  - Python 3
  - gRPC Python server
  - Flask + Flask-SocketIO
  - Flask-CORS
- Frontend
  - React (Vite)
  - `socket.io-client`
  - Recharts
  - Lucide React icons

- Ubuntu / WSL2 (Linux kernel with eBPF/BTF support)
- `clang`
- `libbpf-dev`
- Python 3 (`venv` enabled)
- Node.js + npm

```bash
cd ~/Kernel-Stream
bash build_and_run.sh
```

```bash
cd ~/Kernel-Stream/web
npm install
```

Terminal A: Python Aggregator (gRPC + WebSocket bridge)

```bash
cd ~/Kernel-Stream
source venv/bin/activate
python3 server/aggregator.py
```

Terminal B: React Dashboard

```bash
cd ~/Kernel-Stream/web
npm run dev
```

Terminal C: eBPF Agent

```bash
cd ~/Kernel-Stream
sudo ./monitor
```

After startup, open the Vite URL shown in Terminal B (typically http://localhost:5173) to view live process execution telemetry.

- Persist event streams into SQLite for replay, audit, and offline analytics
- Add network packet/event instrumentation for process-to-network correlation
- Extend telemetry schema with CPU, RSS memory, and per-process lifecycle metrics
- Introduce alerting rules (threshold-based and anomaly-driven) on top of the event bus