Update README

Author: robfromboulder

README.md

@@ -1,127 +1,95 @@
 # logger-ebpf
-Easily log **encrypted** API requests and responses to your own <a href="https://resurface.io">security data lake</a>.
+Easily log **encrypted** API calls to your own <a href="https://graylog.org/products/api-security/">security data lake</a>.
+
+This open-source [eBPF](https://ebpf.io/) agent logs API requests and responses to [Graylog API Security](https://graylog.org/products/api-security/)
+for analysis and storage. This agent logs encrypted API calls without configuring any encryption keys or making any changes to client or server applications. 
 
 [![CodeFactor](https://www.codefactor.io/repository/github/resurfaceio/logger-ebpf/badge?s=1edfaf41d674519709d3abb9c1836e84b4c3a20f)](https://www.codefactor.io/repository/github/resurfaceio/logger-ebpf)
-[![License](https://img.shields.io/github/license/resurfaceio/logger-ebpf?s=1edfaf41d674519709d3abb9c1836e84b4c3a20f)](https://github.com/resurfaceio/logger-ebpf/blob/master/LICENSE)
 [![Contributing](https://img.shields.io/badge/contributions-welcome-green.svg)](https://github.com/resurfaceio/logger-ebpf/blob/master/CONTRIBUTING.md)
+[![License](https://img.shields.io/github/license/resurfaceio/logger-ebpf?s=1edfaf41d674519709d3abb9c1836e84b4c3a20f)](https://github.com/resurfaceio/logger-ebpf/blob/master/LICENSE)
 
+⚠️ [Graylog API Security](https://graylog.org/products/api-security/) is licensed and installed separately, and runs as a remote service (on Kubernetes) that receives data from this eBPF agent.
 
 ## Contents
 
 <ul>
-<li><a href="#dependencies">Dependencies</a></li>
-<li><a href="#usage">Usage</a></li>
-<li><a href="#logging-from-container">Capturing traffic from a containerized application</a></li>
-<li><a href="#build-from-source">Building from source</a></li>
+<li><a href="#system-requirements">System Requirements</a></li>
+<li><a href="#current-limitations">Current Limitations</a></li>
+<li><a href="#environment-variables">Environment Variables</a></li>
+<li><a href="#logging-from-linux-vm-or-physical-machine">Logging from Linux VM or Physical Machine</a></li>
+<li><a href="#logging-from-docker-container">Logging from Docker Container</a></li>
+<li><a href="#logging-from-kubernetes">Logging from Kubernetes</a></li>
 <li><a href="#privacy">Protecting User Privacy</a></li>
 </ul>
 
+<a name="system-requirements"></a>
 
-<a name="dependencies"></a>
-
-## Dependencies
-
-Requires Linux kernel v5.8+ and OpenSSL v1.0+
-
-<a name="usage"></a>
+## System Requirements
 
-## Usage
-
-- Get the apropriate binary for your CPU arch from our [releases](https://github.com/resurfaceio/logger-ebpf/releases).
-
-- Set the [variables](#environment-variables) used by the logger, according to your use case.
-
-- Run binary as a privileged user
-
-```sh
-sudo ./ebpf-logger
-```
+* 64-bit Intel or AMD CPU
+* Linux kernel v5.8 or higher
+* OpenSSL v1.0 or higher
+* Root privileges to run the eBPF agent binary
+* Network access to the Kubernetes cluster where [Graylog API Security](https://graylog.org/products/api-security/) is running
 
-## Environment variables
+<a name="current-limitations"></a>
 
-This plugin has access to five environment variables, but only two of them are required for the logger to work properly.
+## Current Limitations
 
-#### ✔ All API calls are sent to the database running inside the `resurface` container
-The environment variable `USAGE_LOGGERS_URL` stores this address, which by default should be the string `"http://localhost:7701/message"`
-#### ✔ TLS traffic is captured directly from OpenSSL
-Encrypted traffic is captured by adding uprobes to symbols found in the OpenSSL shared library. The environment variable `USAGE_LOGGERS_EBPF_EXPATH` specifies the path to this file. This can be found by running the following command:
+* ARM64 chipsets are not yet supported
+* API calls made via HTTP are not logged yet (only HTTPS)
+* Only applications using OpenSSL are supported (additional encryption libraries coming soon)
+* HTTP v3, UDP, and streaming protocols are not supported
 
-```sh
-ldconfig -p | grep ssl
-```
-#### ✔ All API calls are filtered using a set of rules (Optional)
-The environment variable `USAGE_LOGGERS_RULES` stores these [logging rules](#protecting-user-privacy) as a string. Even though this variable is optional, it is recommended to set it to `"include debug"` or `"allow_http_url"` when trying the plugin for the first time.
-#### ✔ The Logger can capture calls in client mode (Optional)
-You can set the environment variable `USAGE_LOGGERS_EBPF_ROLE` to `"client"` for the logger to capture API calls made from a client application (e.g. cURL).
-#### ✔ The Logger can be disabled at any time (Optional)
-By setting the environment variable `USAGE_LOGGERS_DISABLE` to `true` the logger will be disabled and no API calls will be logged.
+<a name="environment-variables"></a>
 
+## Environment Variables
 
-<a name="logging-from-container"></a>
+These environment variables are used to configure this eBPF agent and to control what information is logged.
 
-## Capturing traffic from a containerized application
+| Variable Name             | Default | Description                                                                                                                                                                                        |
+|---------------------------|---------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| USAGE_LOGGERS_DISABLE     | false   | When `true`, the eBPF agent is loaded but no calls are logged                                                                                                                                      |
+| USAGE_LOGGERS_EBPF_EXPATH | (none)  | Path to OpenSSL shared library<br>Use `ldconfig -p \| grep ssl` to find                                                                                                                            |
+| USAGE_LOGGERS_EBPF_ROLE   | (none)  | Use `server` for inbound calls, `client` for outbound calls                                                                                                                                        |
+| USAGE_LOGGERS_RULES       | (none)  | [Logging rules](https://go2docs.graylog.org/apisecurity-current/logging_rules/logging_rules.htm) used to mask or remove specific details<br>Use `import debug` to log entire request and response  |
+| USAGE_LOGGERS_URL         | (none)  | [Capture URL](https://go2docs.graylog.org/apisecurity-current/capture_api_calls/capture_api_calls.htm) for Graylog API Security instance<br>Looks like `https://GL_APISECURITY_HOST/fluke/message` |
 
-### Logging from a running container
+<a name="logging-from-linux-vm-or-physical-machine"></a>
 
--  Copy the binary to the container
-```sh
-docker cp ebpf-logger mycontainer:/
-```
+## Logging from Linux VM or Physical Machine
 
-- Exec into the container
-```sh
-docker exec -it -u root mycontainer sh
+Download agent binary:
+```bash
+wget https://github.com/resurfaceio/logger-ebpf/releases/download/v1.1.0/ebpf-logger-amd64 && chmod +x ebpf-logger-amd64
 ```
 
-- Run the application
-```sh
-./ebpf-logger
+Run agent binary, with your value for `GL_APISECURITY_HOST`:
+```bash
+sudo USAGE_LOGGERS_EBPF_EXPATH="/lib/x86_64-linux-gnu/libssl.so.3" USAGE_LOGGERS_EBPF_ROLE="server" USAGE_LOGGERS_RULES="include debug" USAGE_LOGGERS_URL="https://GL_APISECURITY_HOST/fluke/message" ./ebpf-logger-amd64
 ```
 
+⚠️ Use `CRTL-C` to stop the agent.
 
-### Building a new image
-
-You can use your existing container images to build a new one that contains our binary:
+<a name="logging-from-docker-container"></a>
 
-```dockerfile
-FROM yourapp:itstag
+## Logging from Docker Container
 
-ENV USAGE_LOGGERS_URL="http://172.17.0.1:7701/message"
-ENV USAGE_LOGGERS_RULES="include debug"
-ENV USAGE_LOGGERS_EBPF_ROLE="server"
-# choose according to your CPU arch
-ENV USAGE_LOGGERS_EBPF_EXPATH="/lib/x86_64-linux-gnu/libssl.so.3"
-#ENV USAGE_LOGGERS_EBPF_EXPATH="/lib/aarch64-linux-gnu/libssl.so.3"
+coming soon!
 
-COPY --chmod=755 ./ebpf-logger /usr/sbin/ebpf-logger
-RUN mkdir /var/log/graylog_ebpf_logger && touch /var/log/graylog_ebpf_logger/out.log /var/log/graylog_ebpf_logger/err.log
-ENTRYPOINT [ "/new-entrypoint.sh" ]
-```
+<a name="logging-from-kubernetes"></a>
 
-With `new-entrypoint.sh` following this pattern:
+## Logging from Kubernetes
 
-```
-#!/bin/sh
-
-ebpf-logger >> /var/log/graylog_ebpf_logger/out.log 2>> /var/log/graylog_ebpf_logger/err.log &
-# call your usual entrypoint.sh from here
-```
-
-<a name="build-from-source"></a>
-
-## Building from source
-
-Please, see our [CONTRIBUTING.md](https://github.com/resurfaceio/logger-ebpf/blob/master/CONTRIBUTING.md) guide.
+coming soon!
 
 <a name="privacy"></a>
 
 ## Protecting User Privacy
 
-Loggers always have an active set of <a href="https://resurface.io/rules.html">rules</a> that control what data is logged
-and how sensitive data is masked. All of the examples above apply a predefined set of rules, `include_debug`,
-but logging rules are easily customized to meet the needs of any application.
-
-<a href="https://go2docs.graylog.org/apisecurity-current/logging_rules/logging_rules.htm">Logging rules documentation</a>
+Loggers always have an active set of [logging rules](https://go2docs.graylog.org/apisecurity-current/logging_rules/logging_rules.htm)
+that control what data is logged and how sensitive data is masked. All of the examples above apply a predefined set of rules (`include_debug`),
+but logging rules are easily customized to meet your privacy requirements.
 
 ---
-<small>&copy; 2025 <a href="https://resurface.io">Graylog, Inc.</a></small>
+<small>&copy; 2025 <a href="https://graylog.org/products/api-security/">Graylog, Inc.</a></small>