aquasecurity · josedonizetti · Mar 6, 2025
diff --git a/cmd/tracee-ebpf/main.go b/cmd/tracee-ebpf/main.go
@@ -129,7 +129,7 @@ func main() {
 			&cli.StringSliceFlag{
 				Name:  "log",
 				Usage: "logger option. run '--log help' for more info.",
-				Value: cli.NewStringSlice("info"),
+				Value: cli.NewStringSlice("level=info"),
 			},
 		},
 	}

diff --git a/cmd/tracee/cmd/analyze.go b/cmd/tracee/cmd/analyze.go
@@ -49,10 +49,10 @@
 	)
 
 	analyzeCmd.Flags().StringArrayP(
-		"log",
-		"l",
-		[]string{"info"},
-		"Logger options [debug|info|warn...]",
+		flags.LogFlag,
+		flags.LogFlagShort,
+		[]string{flags.DefaultLogLevelFlag},
+		"Logger options",
 	)
 }
 
@@ -71,15 +71,15 @@
 		bindViperFlag(cmd, "events")
 		bindViperFlag(cmd, "source")
 		bindViperFlag(cmd, "output")
-		bindViperFlag(cmd, "log")
+		bindViperFlag(cmd, flags.LogFlag)
 		bindViperFlag(cmd, "signatures-dir")
 	},
 	Run:                   command,
 	DisableFlagsInUseLine: true,
 }
 
 func command(cmd *cobra.Command, args []string) {
-	logFlags := viper.GetStringSlice("log")
+	logFlags := viper.GetStringSlice(flags.LogFlag)
 
 	logCfg, err := flags.PrepareLogger(logFlags, true)
 	if err != nil {

diff --git a/cmd/tracee/cmd/root.go b/cmd/tracee/cmd/root.go
@@ -279,9 +279,9 @@
 	}
 
 	rootCmd.Flags().StringArrayP(
-		"log",
-		"l",
-		[]string{"info"},
+		flags.LogFlag,
+		flags.LogFlagShort,
+		[]string{flags.DefaultLogLevelFlag},
 		"[debug|info|warn...]\t\tLogger options",
 	)
 	err = viper.BindPFlag("log", rootCmd.Flags().Lookup("log"))

diff --git a/deploy/helm/tracee/templates/tracee-config.yaml b/deploy/helm/tracee/templates/tracee-config.yaml
@@ -25,6 +25,91 @@ data:
     {{- end }}
     log:
         level: {{ .Values.config.log.level }}
+        {{- if .Values.config.log.file }}
+        file: {{ .Values.config.log.file }}
+        {{- end }}
+        {{- if .Values.config.log.aggregate }}
+        aggregate:
+            enabled: {{ .Values.config.log.aggregate.enabled | default false }}
+            {{- if .Values.config.log.aggregate.flushInterval }}
+            flush-interval: {{ .Values.config.log.aggregate.flushInterval }}
+            {{- end }}
+        {{- end }}
+        {{- if .Values.config.log.filters }}
+        filters:
+            {{- if .Values.config.log.filters.libbpf }}
+            libbpf: {{ .Values.config.log.filters.libbpf }}
+            {{- end }}
+            {{- if .Values.config.log.filters.include }}
+            include:
+                {{- if .Values.config.log.filters.include.msg }}
+                msg:
+                    {{- range .Values.config.log.filters.include.msg }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.include.pkg }}
+                pkg:
+                    {{- range .Values.config.log.filters.include.pkg }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.include.file }}
+                file:
+                    {{- range .Values.config.log.filters.include.file }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.include.level }}
+                level:
+                    {{- range .Values.config.log.filters.include.level }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.include.regex }}
+                regex:
+                    {{- range .Values.config.log.filters.include.regex }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.include.libbpf }}
+                libbpf: {{ .Values.config.log.filters.include.libbpf }}
+                {{- end }}
+            {{- end }}
+            {{- if .Values.config.log.filters.exclude }}
+            exclude:
+                {{- if .Values.config.log.filters.exclude.msg }}
+                msg:
+                    {{- range .Values.config.log.filters.exclude.msg }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.exclude.pkg }}
+                pkg:
+                    {{- range .Values.config.log.filters.exclude.pkg }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.exclude.file }}
+                file:
+                    {{- range .Values.config.log.filters.exclude.file }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.exclude.level }}
+                level:
+                    {{- range .Values.config.log.filters.exclude.level }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+                {{- if .Values.config.log.filters.exclude.regex }}
+                regex:
+                    {{- range .Values.config.log.filters.exclude.regex }}
+                    - {{ . }}
+                    {{- end }}
+                {{- end }}
+            {{- end }}
+        {{- end }}
     output:
         {{ .Values.config.output.format }}:
             files:

diff --git a/deploy/helm/tracee/values.yaml b/deploy/helm/tracee/values.yaml
@@ -90,6 +90,39 @@ config:
   signaturesDir: ""
   log:
     level: info
+    # file: "/var/log/tracee.log"
+    # aggregate:
+    #   enabled: true
+    #   flush-interval: "5s"
+    # filters:
+    #   include:
+    #     libbpf: false
+    #     msg:
+    #       - SampleMessage1
+    #       - SampleMessage2
+    #     pkg:
+    #       - package1
+    #       - package2
+    #     file:
+    #       - file1.go
+    #       - file2.go
+    #     level:
+    #       - warn
+    #       - error
+    #     regex:
+    #       - ^pattern1
+    #       - ^pattern2
+    #   exclude:
+    #     msg:
+    #       - ExcludedMessage1
+    #     pkg:
+    #       - excludedPackage
+    #     file:
+    #       - excludedFile.go
+    #     level:
+    #       - debug
+    #     regex:
+    #       - ^excludedPattern
   output:
     format: json
     options:

diff --git a/docs/docs/advanced/os-info.md b/docs/docs/advanced/os-info.md
@@ -12,10 +12,10 @@ at helpers/kernel_config).
 ## OS-RELEASE
 
 Tracee will show you collected information about the running Linux OS with the
-`--log debug` argument:
+`--log level=debug` argument:
 
 ```console
-sudo ./dist/tracee --log debug --scope uid=1000 --scope pid=new --events execve
+sudo ./dist/tracee --log level=debug --scope uid=1000 --scope pid=new --events execve
 ```
 
 ```text
@@ -39,7 +39,7 @@ because you're running inside a container that does not support it, you may
 face the following error:
 
 ```console
-sudo ./dist/tracee --log debug --scope uid=1000 --scope pid=new --events execve
+sudo ./dist/tracee --log level=debug --scope uid=1000 --scope pid=new --events execve
 ```
 
 ```text
@@ -81,7 +81,7 @@ Tracee needs access to kconfig file (/proc/config.gz OR /boot/config-$(uname -r)
     - **missing kconfig file**
 
     ```console
-    sudo ./dist/tracee --log debug --scope uid=1000 --scope pid=new --events execve
+    sudo ./dist/tracee --log level=debug --scope uid=1000 --scope pid=new --events execve
     ```
 
     ```json
@@ -110,7 +110,7 @@ Tracee needs access to kconfig file (/proc/config.gz OR /boot/config-$(uname -r)
     variable:
 
 ```console
-sudo LIBBPFGO_KCONFIG_FILE=/boot/config-other -E ./dist/tracee --log debug --scope uid=1000 --scope pid=new --events execve
+sudo LIBBPFGO_KCONFIG_FILE=/boot/config-other -E ./dist/tracee --log level=debug --scope uid=1000 --scope pid=new --events execve
 ```
 
 ```text

diff --git a/docs/docs/flags/log.1.md b/docs/docs/flags/log.1.md
@@ -2,7 +2,7 @@
 title: TRACEE-LOG
 section: 1
 header: Tracee Log Flag Manual
-date: 2024/06
+date: 2025/03
 ...
 
 ## NAME
@@ -11,23 +11,24 @@ tracee **\-\-log** - Control logger options - aggregation and level priority
 
 ## SYNOPSIS
 
-tracee **\-\-log** aggregate[:flush-interval] | <debug|info|warn|error|panic\> | file:/path/to/file | filter:[msg=<value,...\>;regex=<value,...\>;pkg=<value,...\>;file=<value,...\>;lvl=<value,...\>;libbpf] | filter-out:[msg=<value,...\>;regex=<value,...\>;pkg=<value,...\>;file=<value,...\>;lvl=<value,...\>;libbpf]
+tracee **\-\-log** aggregate.flush-interval=<time\>| aggregate.enable=<true|false\> | level=<debug|info|warn|error|fatal\> | file=/path/to/file | filters.include.[msg=<value,...\>] | filters.include.[regex=<value,...\>] | filters.include.[pkg=<value,...\>] | filters.include.[file=<value,...\>] | filters.include.[level=<value,...\>] | filters.include.[libbpf] | filters.exclude.[msg=<value,...\>] | filters.exclude.[regex=<value,...\>] | filters.exclude.[pkg=<value,...\>] | filters.exclude.[file=<value,...\>] | filters.exclude.[level=<value,...\>] | filters.exclude.[libbpf]
+
 
 ## DESCRIPTION
 
 The **\-\-log** flag allows you to control logger options for the tool.
 
 Possible log options:
 
-- **aggregate[:flush-interval]**: Turns log aggregation on, delaying output with an optional interval (default: 3s). The flush-interval can be specified in seconds (s) or minutes (m).
+- **aggregate.flush-interval=[time] | aggregate.enable=[true|false]**: Turns log aggregation on, delaying output with an optional interval (default: 3s). The flush-interval can be specified in seconds (s) or minutes (m).
 
-- **<debug|info|warn|error|panic\>**: Sets the log level. The default log level is 'info'.
+- **level=<debug|info|warn|error|fatal\>**: Sets the log level. The default log level is 'info'.
 
-- **file:/path/to/file**: Writes the logs to the specified file. If the file exists, it will be created or trimmed.
+- **file=/path/to/file**: Writes the logs to the specified file. If the file exists, it will be created or trimmed.
 
-- **filter:**<option;...\>: Filters in logs that match the specified option values. Multiple filter options can be provided, separated by semicolons.
+- **filters.include.**<option;...\>: Filters in logs that match the specified option values. Multiple filter options can be provided, separated by semicolons.
 
-- **filter-out:**<option;...\>: Filters out logs that match the specified option values. Multiple filter options can be provided, separated by semicolons.
+- **filters.exclude.**<option;...\>: Filters out logs that match the specified option values. Multiple filter options can be provided, separated by semicolons.
 
 Filter options:
 
@@ -39,7 +40,7 @@ Filter options:
 
 - **file=<value,...\>**: Filters logs that originate from the specified file.
 
-- **lvl=<value,...\>**: Filters logs that are of the specified level.
+- **level=<value,...\>**: Filters logs that are of the specified level.
 
 - **libbpf**: Filters logs that originate from libbpf.
 
@@ -48,59 +49,59 @@ Filter options:
 - To output debug level logs, use the following flag:
 
   ```console
-  --log debug
+  --log level=debug
   ```
 
 - To output aggregated debug level logs every 3 seconds (default), use the following flag:
 
   ```console
-  --log debug --log aggregate
+  --log level=debug --log aggregate.enable=true
   ```
 
 - To output aggregated logs every 5 seconds, use the following flag:
 
   ```console
-  --log aggregate:5s
+  --log aggregate.flush-interval=5s
   ```
 
 - To output debug level logs to `/tmp/tracee.log`, use the following flag:
 
   ```console
-  --log debug --log file:/tmp/tracee.log
+  --log level=debug --log file=/tmp/tracee.log
   ```
 
 - To filter in logs that have either 'foo' or 'bar' in the message, are from the 'core' package, and are of 'error' level, use the following flag:
 
   ```console
-  --log filter:'msg=foo,bar;pkg=core;lvl=error'
+  --log filters.include.msg=foo,bar --log filters.include.pkg=core --log filters.include.level=error
   ```
 
 - To filter out logs that have either 'foo' or 'bar' in the message, are from the 'core' package, and are of 'error' level, use the following flag:
 
   ```console
-  --log filter-out:'msg=foo,bar;pkg=core;lvl=error'
+  --log filters.exclude.msg=foo,bar --log filters.exclude.pkg=core --log filters.exclude.level=error
   ```
 
 - To filter in logs that have either 'foo' or 'bar' in the message and, based on that result, filter out logs that are from the 'core' package, use the following flag:
 
   ```console
-  --log filter:msg=foo,bar --log filter-out:pkg=core
+  --log filters.include.msg=foo,bar --log filters.exclude.pkg=core
   ```
 
 - To filter out logs that originate from the '/pkg/cmd/flags/logger.go' file, use the following flag:
 
   ```console
-  --log filter-out:file=/pkg/cmd/flags/logger.go
+  --log filters.exclude.file=/pkg/cmd/flags/logger.go
   ```
 
 - To filter in logs that have messages matching the regex '^foo', use the following flag:
 
   ```console
-  --log filter:regex='^foo'
+  --log filters.include.regex='^foo'
   ```
 
 - To filter in logs that originate from libbpf, use the following flag:
 
   ```console
-  --log filter:libbpf
+  --log filters.include.libbpf
   ```