
Introducing Eolh

Yuki Mogi · 2 min read

We are very happy to introduce Eolh, which brings security observability to Windows containers.

In the cloud-native era, observability is gaining attention, and eBPF is a core technology behind it. Falco, Tracee and Tetragon are popular tools for security observability built on eBPF.

However, they can only be used with Linux containers. There are two reasons why they cannot be used with Windows containers.

The first reason is that there is no eBPF in Windows. Strictly speaking, this is not accurate: Microsoft is working on an eBPF implementation for Windows. However, to our knowledge, that implementation was still insufficient when Eolh was first created.

The second reason is the structural difference between Linux and Windows, which changes what information can be obtained. For example, cgroups do not exist in Windows, and neither does the /proc directory.

For these reasons, achieving security observability in Windows containers required an approach different from the tools listed above: Event Tracing for Windows (ETW).

ETW is a logging facility for the Windows kernel and applications. Of particular note is that kernel information is logged, much as with eBPF.

Currently, Eolh uses three ETW providers: Microsoft-Windows-Kernel-Process, Microsoft-Windows-Kernel-File and Microsoft-Windows-Kernel-Network. Eolh uses the information from these providers to detect suspicious activity and also to identify which pod and container it is happening in. You can write custom detection rules in Rego or Go, although there are still few default detection rules.
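To make the two ideas in this section concrete (rules over kernel ETW events, and attributing a hit to the pod and container it happened in), here is a small Go example. It is added for this post and is not Eolh's or Tracee's code: the `ETWEvent` fields, the `Rule` interface, the event names and the PID-to-workload map are all assumptions for the example, and the event stream is constructed by hand rather than captured from ETW. The attribution detail it demonstrates is that a child process inherits the workload of its parent, so a process tree started inside a pod stays attributed to that pod.

```go
package main

import (
	"fmt"
	"strings"
)

// ETWEvent is a constructed, simplified view of one decoded event from the three
// kernel providers named in the post. Field and event names are assumptions for
// this example, not Eolh's or Tracee's real event types.
type ETWEvent struct {
	Provider  string // "Microsoft-Windows-Kernel-Process", "-File" or "-Network"
	EventName string // constructed names: "ProcessStart", "FileCreate", "Connect"
	PID       uint32 // host-visible process id
	ParentPID uint32 // only meaningful for ProcessStart
	Image     string // executable path (process events)
	Path      string // file path (file events)
	Remote    string // remote address:port (network events)
}

// Workload is the pod/container a host PID belongs to.
type Workload struct {
	Namespace, Pod, Container string
}

// Finding is a rule match enriched with the workload it happened in.
type Finding struct {
	Rule        string
	Event       ETWEvent
	Workload    Workload
	InContainer bool // false when the PID belongs to the host rather than a pod
}

// Rule is the minimal contract a Go detection rule satisfies in this example.
type Rule interface {
	Name() string
	Match(e ETWEvent) bool
}

// processFromTemp flags process starts whose image lives under a temp directory.
type processFromTemp struct{}

func (processFromTemp) Name() string { return "process-start-from-temp-dir" }
func (processFromTemp) Match(e ETWEvent) bool {
	if e.Provider != "Microsoft-Windows-Kernel-Process" || e.EventName != "ProcessStart" {
		return false
	}
	return strings.Contains(strings.ToLower(e.Image), `\temp\`)
}

// writeToSystem32 flags file creation under the System32 directory.
type writeToSystem32 struct{}

func (writeToSystem32) Name() string { return "file-create-in-system32" }
func (writeToSystem32) Match(e ETWEvent) bool {
	if e.Provider != "Microsoft-Windows-Kernel-File" || e.EventName != "FileCreate" {
		return false
	}
	return strings.HasPrefix(strings.ToLower(e.Path), `c:\windows\system32\`)
}

// Detector holds the PID -> workload map that ties kernel events to pods and
// containers (seeded from the container runtime in a real deployment) and runs
// every rule over each event.
type Detector struct {
	Rules  []Rule
	PIDMap map[uint32]Workload
}

// Process consumes events in order. On ProcessStart, an unknown PID inherits its
// parent's workload, so children of a container process stay attributed to it.
func (d *Detector) Process(events []ETWEvent) []Finding {
	var findings []Finding
	for _, e := range events {
		if e.EventName == "ProcessStart" {
			if _, known := d.PIDMap[e.PID]; !known {
				if w, ok := d.PIDMap[e.ParentPID]; ok {
					d.PIDMap[e.PID] = w
				}
			}
		}
		w, inContainer := d.PIDMap[e.PID]
		for _, r := range d.Rules {
			if r.Match(e) {
				findings = append(findings, Finding{Rule: r.Name(), Event: e, Workload: w, InContainer: inContainer})
			}
		}
	}
	return findings
}

// sampleEvents is a constructed stream: a container process (PID 4100) spawns a
// child from a temp directory, a host process (PID 900) writes into System32,
// and the child then opens an outbound connection (no rule covers that one).
func sampleEvents() []ETWEvent {
	return []ETWEvent{
		{Provider: "Microsoft-Windows-Kernel-Process", EventName: "ProcessStart", PID: 4100, ParentPID: 4000, Image: `C:\app\service.exe`},
		{Provider: "Microsoft-Windows-Kernel-Process", EventName: "ProcessStart", PID: 4200, ParentPID: 4100, Image: `C:\Users\ContainerUser\AppData\Local\Temp\tool.exe`},
		{Provider: "Microsoft-Windows-Kernel-File", EventName: "FileCreate", PID: 900, Path: `C:\Windows\System32\newsvc.dll`},
		{Provider: "Microsoft-Windows-Kernel-Network", EventName: "Connect", PID: 4200, Remote: "203.0.113.10:443"},
	}
}

// newDetector seeds the map with one constructed container init process (PID 4000).
func newDetector() *Detector {
	return &Detector{
		Rules:  []Rule{processFromTemp{}, writeToSystem32{}},
		PIDMap: map[uint32]Workload{4000: {Namespace: "default", Pod: "web-7d9f", Container: "web"}},
	}
}

func main() {
	for _, f := range newDetector().Process(sampleEvents()) {
		where := "host"
		if f.InContainer {
			where = fmt.Sprintf("%s/%s/%s", f.Workload.Namespace, f.Workload.Pod, f.Workload.Container)
		}
		fmt.Printf("%-28s pid=%d in %s\n", f.Rule, f.Event.PID, where)
	}
}
```

Running it reports two findings: the temp-directory process start is attributed to `default/web-7d9f/web` because PID 4200 descends from the seeded container PID 4000, while the System32 write from PID 900 is reported as a host event. The Rego path the post mentions would express the same `Match` conditions as policy rules over the same decoded events; the enrichment step is what lets either kind of rule say which pod a hit belongs to.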

FAQ

What is the difference between Microsoft Log Monitor and Eolh? Why not use Log Monitor?

Log Monitor is designed to be deployed inside a container alongside an application. In contrast, Eolh monitors containers from outside the container, using kernel-level ETW logs. Log Monitor can also run as a host process, like Eolh, but Eolh can link ETW logs to information about each container. If you only need node-level ETW logs, it is recommended to deploy Log Monitor as a host process instead of Eolh.

Why was "Eolh" chosen as a name?

Eolh is a rune of protection and defense, so we adopted it as the name of a tool for Windows container protection and defense.

Community

We welcome your feedback and contributions. If you use Eolh and notice anything, get in touch with us.

Acknowledgements

Eolh is built on the code base of Aqua Security's Tracee.