Open-source platform for end-to-end observability and AI-powered reasoning across distributed systems.
Build a complete observability platform that:
- Collects sparse telemetry from hosts and Kubernetes using eBPF
- Aggregates data through open-source pipelines (OpenTelemetry, Kafka, ClickHouse)
- Builds a unified knowledge graph of system architecture
- Reasons using GraphRAG and LLMs to:
  - Explain components and dependencies
  - Generate live architecture diagrams
  - Auto-document infrastructure
  - Answer natural language questions about security, performance, and architecture
```bash
brew install colima docker docker-compose
colima start --cpu 4 --memory 8
git clone <your-repo-url> sds-ebpf
cd sds-ebpf
docker build -t sds-observer:latest -f docker/Dockerfile.agent .
cd docker && docker-compose up
```
Then, in a second terminal from the repository root, follow the event stream:
```bash
tail -f docker/output/events_*.json | jq .
```
See full instructions: Quick Start Guide
What's Built:
- Sparse-sampling eBPF agent (60s on / 4min off)
- Monitors: processes, syscalls, network connections, containers
- User-space collector in Go
- JSON event output
- Docker setup for local macOS development
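The sparse-sampling duty cycle above (60s on / 4min off) is the agent's main cost control, so it is worth seeing how such a scheduler is computed. The following Go program is an added example written for this page, not code from the sds-ebpf agent: it computes the on/off windows from a fixed epoch (so a restarted agent lands back on the same phase instead of drifting), validates the schedule, and drives attach/detach callbacks. The `attach`/`detach` hooks are placeholders for loading and unloading the eBPF programs; the agent's real hooks are not shown on the page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// SamplingSchedule is the agent's duty cycle: collect for On, then stay idle
// for Off. The page documents 60s on / 4min off, i.e. one window every 5 min.
type SamplingSchedule struct {
	On  time.Duration
	Off time.Duration
}

// DefaultSchedule reproduces the documented default.
var DefaultSchedule = SamplingSchedule{On: 60 * time.Second, Off: 4 * time.Minute}

// Validate rejects schedules that would never collect (or divide by zero).
func (s SamplingSchedule) Validate() error {
	if s.On <= 0 {
		return errors.New("sampling: On must be positive")
	}
	if s.Off < 0 {
		return errors.New("sampling: Off must not be negative")
	}
	return nil
}

// Period is one full on+off cycle.
func (s SamplingSchedule) Period() time.Duration { return s.On + s.Off }

// DutyCycle is the fraction of wall-clock time the probes are attached.
func (s SamplingSchedule) DutyCycle() float64 {
	return float64(s.On) / float64(s.Period())
}

// Active reports whether collection should be running at t. Windows are
// computed from a fixed epoch rather than from "now", so an agent that
// restarts lands back on the same phase instead of drifting.
func (s SamplingSchedule) Active(epoch, t time.Time) bool {
	if t.Before(epoch) {
		return false
	}
	return t.Sub(epoch)%s.Period() < s.On
}

// NextTransition is the first instant after t at which Active changes.
func (s SamplingSchedule) NextTransition(epoch, t time.Time) time.Time {
	if t.Before(epoch) {
		return epoch
	}
	into := t.Sub(epoch) % s.Period()
	cycleStart := t.Add(-into)
	if into < s.On {
		return cycleStart.Add(s.On)
	}
	return cycleStart.Add(s.Period())
}

// Run calls attach when a window opens and detach when it closes, until stop
// is closed. attach/detach are hypothetical placeholders for loading and
// unloading the eBPF programs.
func (s SamplingSchedule) Run(epoch time.Time, attach, detach func(), stop <-chan struct{}) {
	active := false
	for {
		now := time.Now()
		want := s.Active(epoch, now)
		if want && !active {
			attach()
		} else if !want && active {
			detach()
		}
		active = want
		timer := time.NewTimer(time.Until(s.NextTransition(epoch, now)))
		select {
		case <-stop:
			timer.Stop()
			if active {
				detach() // never leave probes attached on shutdown
			}
			return
		case <-timer.C:
		}
	}
}

func main() {
	// Shrunk schedule so the demo finishes in about a second.
	demo := SamplingSchedule{On: 200 * time.Millisecond, Off: 300 * time.Millisecond}
	if err := demo.Validate(); err != nil {
		panic(err)
	}
	fmt.Printf("default duty cycle: %.0f%%\n", DefaultSchedule.DutyCycle()*100)
	stop := make(chan struct{})
	go func() { time.Sleep(1200 * time.Millisecond); close(stop) }()
	epoch := time.Now()
	demo.Run(epoch,
		func() { fmt.Println(time.Since(epoch).Round(10*time.Millisecond), "attach probes") },
		func() { fmt.Println(time.Since(epoch).Round(10*time.Millisecond), "detach probes") },
		stop)
}
```

Computing windows from an epoch rather than sleeping `On` then `Off` also keeps a fleet of agents phase-aligned, which matters when the Phase 2 pipeline wants to correlate events across hosts within the same window.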
Documentation:
Try it:
```bash
cd agent
make build
sudo ./bin/sds-observer --output /tmp/sds-observer --verbose
```
Planned:
- OpenTelemetry Collector integration
- Kafka/Redpanda for streaming
- ClickHouse for event queries
- VictoriaMetrics for metrics
- Neo4j/Memgraph for graph storage
- ETL pipeline to build unified graph schema
- Phase 3: GraphRAG indexing, LLM training on architecture data
- Phase 4: Interactive diagrams with LLM explanations
- Phase 5: Auto-generated documentation and testing guides
```
sds-ebpf/
├── agent/                         # eBPF agent (C + Go)
│   ├── ebpf/                      # eBPF programs (C)
│   │   ├── observer.bpf.c         # Main eBPF program
│   │   └── vmlinux.h              # Kernel type definitions
│   ├── cmd/observer/              # Go entry point
│   ├── pkg/                       # Go packages
│   │   ├── collector/             # Event collection & parsing
│   │   └── config/                # Configuration
│   ├── Makefile                   # Build system
│   └── go.mod                     # Go dependencies
│
├── collector/                     # (Phase 2) OTel collector configs
├── storage/                       # (Phase 2) Database schemas
├── ml/                            # (Phase 3) RAG & LLM scripts
├── diagrams/                      # Architecture diagrams
│   ├── phase1-architecture.mmd    # Mermaid
│   ├── phase1-architecture.d2     # D2
│   └── phase1-sparse-sampling.mmd # Sequence diagram
│
├── docs/                          # Documentation
│   ├── PHASE_1.md                 # Phase 1 complete guide
│   ├── LOCAL_DEV_macOS.md         # macOS development
│   └── QUICKSTART.md              # Quick start
│
└── docker/                        # Docker & docker-compose
    ├── Dockerfile.agent           # Agent container
    └── docker-compose.yml         # Local testing setup
```
| Feature | Status | Description |
|---|---|---|
| Sparse Sampling | ✅ | Collect for 60s every 5min (configurable) |
| Process Monitoring | ✅ | Exec, exit, PID, PPID, UID, GID |
| Syscall Tracing | ✅ | Sample key syscalls with duration |
| Network Monitoring | ✅ | TCP connections with src/dst IP:port |
| Container Awareness | ✅ | Cgroup IDs for correlation |
| JSON Output | ✅ | Structured events to files |
| HTTP Export | ✅ | Optional endpoint for streaming (prep for Phase 2) |
| Docker Support | ✅ | Local testing on macOS via Colima/Docker Desktop |
| CO-RE | ✅ | Portable across kernel versions via cilium/ebpf; the target kernel must expose BTF (`/sys/kernel/btf/vmlinux`) |
| Component | Technology | Purpose |
|---|---|---|
| eBPF Programs | C (libbpf) | Kernel instrumentation |
| User-space Collector | Go 1.21+ | Event processing |
| eBPF Library | cilium/ebpf | CO-RE support |
| Output Format | JSON (NDJSON) | Structured events |
| Container Runtime | Docker | Local development |
| Component | Technology | Purpose |
|---|---|---|
| Telemetry Pipeline | OpenTelemetry Collector | Normalize & route events |
| Streaming | Kafka / Redpanda | Event streaming |
| Event Store | ClickHouse | Fast analytical queries |
| Metrics | VictoriaMetrics | Time-series data |
| Graph DB | Neo4j / Memgraph | Relationship modeling |
| Vector DB | Weaviate / LanceDB | Embeddings for RAG |
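The Phase 1 agent emits NDJSON events, and the planned Phase 2 ETL turns them into a graph of processes, containers and network endpoints (the "unified graph schema" above). The program below is an added example written for this page, not the project's ETL: it folds a constructed NDJSON stream into a small property graph and renders it as Mermaid, the format the repo already uses under `diagrams/`. The event field names (`type`, `pid`, `ppid`, `comm`, `cgroup_id`, `daddr`, `dport`) and the event type strings are assumptions for the example; the agent's real schema lives in `agent/pkg/collector` and is not reproduced on the page.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Event is the subset of fields this example assumes the agent writes per
// NDJSON line. Field names and type strings are assumptions, not the schema.
type Event struct {
	Type     string `json:"type"` // "process_exec", "process_exit", "tcp_connect"
	TS       uint64 `json:"ts"`
	PID      uint32 `json:"pid"`
	PPID     uint32 `json:"ppid"`
	UID      uint32 `json:"uid"`
	Comm     string `json:"comm"`
	CgroupID uint64 `json:"cgroup_id"`
	DstAddr  string `json:"daddr"`
	DstPort  uint16 `json:"dport"`
}

// Edge is a typed relationship between two node ids.
type Edge struct{ From, To, Rel string }

// Graph is a minimal property graph: node id -> label, edge -> times observed.
type Graph struct {
	Nodes     map[string]string
	Edges     map[Edge]int
	Malformed int // non-JSON lines; counted, never fatal to the whole batch
}

func NewGraph() *Graph { return &Graph{Nodes: map[string]string{}, Edges: map[Edge]int{}} }

func (g *Graph) addNode(id, label string) {
	if cur, ok := g.Nodes[id]; !ok || (cur == "" && label != "") {
		g.Nodes[id] = label
	}
}

func (g *Graph) addEdge(from, to, rel string) { g.Edges[Edge{from, to, rel}]++ }

// Ingest folds one event into the graph. Unknown event types are ignored so
// a newer agent does not break an older ETL.
func (g *Graph) Ingest(e Event) {
	proc := fmt.Sprintf("proc:%d", e.PID)
	switch e.Type {
	case "process_exec":
		g.addNode(proc, e.Comm)
		parent := fmt.Sprintf("proc:%d", e.PPID)
		g.addNode(parent, "")
		g.addEdge(parent, proc, "spawns")
		if e.CgroupID != 0 { // cgroup id is the container correlation key
			cg := fmt.Sprintf("cgroup:%d", e.CgroupID)
			g.addNode(cg, "")
			g.addEdge(cg, proc, "runs")
		}
	case "tcp_connect":
		g.addNode(proc, "")
		ep := fmt.Sprintf("endpoint:%s:%d", e.DstAddr, e.DstPort)
		g.addNode(ep, "")
		g.addEdge(proc, ep, "connects")
	}
}

// BuildGraph reads one JSON event per line and returns the resulting graph.
func BuildGraph(r io.Reader) (*Graph, error) {
	g := NewGraph()
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // tolerate long event lines
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			g.Malformed++ // a torn line from a rotated file must not drop the batch
			continue
		}
		g.Ingest(e)
	}
	return g, sc.Err()
}

// mermaidID makes a node id safe for Mermaid (letters, digits, underscore).
func mermaidID(id string) string {
	return strings.Map(func(r rune) rune {
		if r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' {
			return r
		}
		return '_'
	}, id)
}

// Mermaid renders the graph as a deterministic (sorted) flowchart.
func (g *Graph) Mermaid() string {
	var b strings.Builder
	b.WriteString("graph LR\n")
	ids := make([]string, 0, len(g.Nodes))
	for id := range g.Nodes {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		label := id
		if g.Nodes[id] != "" {
			label = g.Nodes[id] + " (" + id + ")"
		}
		fmt.Fprintf(&b, "  %s[\"%s\"]\n", mermaidID(id), label)
	}
	edges := make([]Edge, 0, len(g.Edges))
	for e := range g.Edges {
		edges = append(edges, e)
	}
	sort.Slice(edges, func(i, j int) bool {
		a, c := edges[i], edges[j]
		if a.From != c.From {
			return a.From < c.From
		}
		if a.To != c.To {
			return a.To < c.To
		}
		return a.Rel < c.Rel
	})
	for _, e := range edges {
		fmt.Fprintf(&b, "  %s -->|%s x%d| %s\n", mermaidID(e.From), e.Rel, g.Edges[e], mermaidID(e.To))
	}
	return b.String()
}

// sampleEvents is constructed for this example; it is not agent output.
const sampleEvents = `{"type":"process_exec","ts":1,"pid":100,"ppid":1,"uid":0,"comm":"nginx","cgroup_id":4242}
{"type":"process_exec","ts":2,"pid":200,"ppid":100,"uid":33,"comm":"app","cgroup_id":4242}
{"type":"tcp_connect","ts":3,"pid":200,"daddr":"10.0.0.5","dport":5432}
{"type":"tcp_connect","ts":4,"pid":200,"daddr":"10.0.0.5","dport":5432}
{"type":"process_exit","ts":5,"pid":200}
this line is not json
{"type":"future_event_type","pid":9}
`

func main() {
	g, err := BuildGraph(strings.NewReader(sampleEvents))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d nodes, %d edges, %d malformed lines\n", len(g.Nodes), len(g.Edges), g.Malformed)
	fmt.Print(g.Mermaid())
}
```

Edge counts are kept rather than collapsed to booleans because repeated `connects` observations within a sampling window are the signal that separates a steady dependency (app to database) from a one-off probe, which is exactly the distinction a GraphRAG layer would need when asked "what does this service talk to".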
Measured on Ubuntu 22.04, 4 vCPUs, 8GB RAM:
| Metric | Sampling ON (60s) | Sampling OFF (240s) |
|---|---|---|
| CPU Usage | 2-5% | <0.1% |
| Memory | 50-80 MB | 20 MB |
| Events/sec | 50-200 | 0 |
| Disk I/O | 1-5 MB/min | 0 |
Scalability: Tested with 500+ concurrent processes without drops.
This is an open-source project. Contributions welcome!
- Fork and clone
- Set up local environment: See macOS Dev Guide
- Make changes
- Test locally
- Submit PR
- eBPF program enhancements (more protocols, better filtering)
- Go collector optimizations
- Documentation improvements
- Phase 2-5 implementation
- Performance benchmarking
- Kubernetes manifests
- Quick Start - Get running in 5 minutes
- Complete Guide - Full platform documentation with use cases
- Phase 1 Guide - eBPF agent implementation details
- macOS Development - Local setup on macOS
- Phase 1 Summary - Implementation summary
- Diagrams Guide - All Excalidraw architecture diagrams
- Instrumentation Overview - How we instrument different environments
- End-to-End Pipeline - Complete data flow
- Phase 2 Architecture - Aggregation & storage layer
This is a defensive security tool for observability and monitoring.
- Monitors system activity to understand architecture
- No data exfiltration (local storage by default)
- Open-source and auditable
- Not for malicious use
- Does not harvest credentials or sensitive data
Note: The agent runs as root to load its eBPF programs (hence the `sudo` above), and its event files record every process and outbound TCP connection on the host, so restrict access to the output directory. Always review your organization's policies before deploying observability tools.
Apache 2.0 License (to be added)
Built with:
Questions or feedback? Open an issue or reach out!
Status: Phase 1 complete | Phase 2 in planning