Abstract: A computer-implemented method of monitoring applications executing on a plurality of computing nodes, includes the steps of: deploying agents on each of the computing nodes to detect operations performed on different objects by the executing applications; at each of the computing nodes, storing by a corresponding one of the agents, records of the operations performed on the different objects by the executing applications and associating each of the operations with a set of metadata properties; organizing the operations into groups based on the metadata properties; for one of the groups, generating a monitoring rule based on properties of the stored records of the operations of the one group; and configuring the agents according to the generated monitoring rule.

Abstract: A monitoring system is configured to receive information regarding a microservice run in one or more containers at a computing cluster; submit a request to a cluster manager of the computing cluster via an application programming interface (API) for adding one or more configurations for monitoring the microservice to a configuration dataset managed by the cluster manager; receive monitoring data related to the microservice in accordance with the one or more configurations; and transmit the monitoring data to a user device associated with the microservice.

Abstract: A method of automatically determining operation rules for access control related to container operations on a plurality of computing nodes is disclosed. The method comprises receiving operation datasets representing operations that have been performed by one or more processes associated with one or more computer applications instantiated within one or more containers on the computing nodes; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operation rules for only those operations in the baseline dataset that score more than a score threshold; and causing modifying an orchestrator configuration file for the plurality of computing nodes based on the set of baseline operation rules.

Abstract: In one embodiment, a method includes accessing a loaded but paused source process executable and disassembling the source process executable to identify a system call to be instrumented and an adjacent relocatable instruction. Instrumenting the system call includes building a trampoline for the system call that includes a check flag instruction at or near an entry point to the trampoline and two areas of the trampoline that are selectively executed according to results of the check flag instruction. Building a first area of the trampoline includes providing instructions to execute a relocated copy of the adjacent relocatable instruction and return flow to an address immediately following the adjacent relocatable instruction. Building a second area of the trampoline includes providing instructions to invoke at least one handler associated with executing a relocated copy of the system call and return flow to an address immediately following the system call.

Abstract: A computer-implemented method of providing unified event monitoring and log processing is disclosed. The method comprises receiving streaming event data comprising a plurality of event entries from a plurality of domains including a cloud manager for a cloud platform and an application running within a container on the cloud platform; processing the streaming event data into a normalized, domain-independent format; evaluating a plurality of policy rules on the streaming event data, wherein the plurality of policy rules is defined with a unified syntax; and in response to the evaluating satisfying a condition of a first rule of the plurality of policy rules, transmitting to a remote device data related to an action defined in the first rule, wherein the receiving, processing, evaluating, and transmitting for each event entry for the plurality of event entries are performed in real time.

Abstract: A computer-implemented method of monitoring programmatic containers (containers) through executing a computer program in a kernel space is disclosed. The method comprises storing trace data in a memory buffer that is shared by the kernel space and a user space, the trace data being related to execution of a process associated with a container at an execution point of the process. The method also comprises retrieving container data related to the container through raw access of one or more kernel data structures when execution of the process is stopped. In addition, the method comprises storing the container data in association with the trace data in the memory buffer.

Abstract: Techniques for dynamically instrumenting code to capture cleartext from transformed communications are provided. In one technique, an operating system (OS) mechanism receives an OS call. The OS mechanism determines whether the OS call is of a particular type. In response to determining that the OS call is of the particular type, a certain location within executable code of a unction is identified. A user-level collection mechanism is inserted at the certain location. After inserting the user-level collection mechanism, code at the certain location is executed that causes the user-level collection mechanism to be executed.

Abstract: A method of automatically determining operation rules for access control related to container operations on a plurality of computing nodes is disclosed. The method comprises receiving operation datasets representing operations that have been performed by one or more processes associated with one or more computer applications instantiated within one or more containers on the computing nodes; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operation rules for only those operations in the baseline dataset that score more than a score threshold; and causing modifying an orchestrator configuration file for the plurality of computing nodes based on the set of baseline operation rules.

Abstract: Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.

Abstract: A computer-implemented method of providing unified event monitoring and log processing is disclosed. The method comprises receiving streaming event data comprising a plurality of event entries from a plurality of domains including a cloud manager for a cloud platform and an application running within a container on the cloud platform; processing the streaming event data into a normalized, domain-independent format; evaluating a plurality of policy rules on the streaming event data, wherein the plurality of policy rules is defined with a unified syntax; and in response to the evaluating satisfying a condition of a first rule of the plurality of policy rules, transmitting to a remote device data related to an action defined in the first rule, wherein the receiving, processing, evaluating, and transmitting for each event entry for the plurality of event entries are performed in real time.

Abstract: In an embodiment, a data processing method comprises receiving, from one or more service monitoring processes configured to monitor operations of one or more computer applications instantiated within one or more containers, operation datasets representing operations that have been performed by one or more processes associated with the one or more computer applications; generating a baseline dataset of operations having operation properties from the operation datasets; computing a score for each operation in the baseline dataset, from the operation datasets, the score indicating whether the operation is a candidate for generating a rule that defines one or more expected values for an operation property of the operation; automatically generating a set of baseline operations rules for only those operations in the baseline dataset that score more than a score threshold.

Abstract: In one embodiment, a method includes accessing a loaded but paused source process executable and disassembling the source process executable to identify a system call to be instrumented and an adjacent relocatable instruction. Instrumenting the system call includes building a trampoline for the system call that includes a check flag instruction at or near an entry point to the trampoline and two areas of the trampoline that are selectively executed according to results of the check flag instruction. Building a first area of the trampoline includes providing instructions to execute a relocated copy of the adjacent relocatable instruction and return flow to an address immediately following the adjacent relocatable instruction. Building a second area of the trampoline includes providing instructions to invoke at least one handler associated with executing a relocated copy of the system call and return flow to an address immediately following the system call.

Abstract: A monitoring system is configured to receive information regarding a microservice run in one or more containers at a computing cluster; submit a request to a cluster manager of the computing cluster via an application programming interface (API) for adding one or more configurations for monitoring the microservice to a configuration dataset managed by the cluster manager; receive monitoring data related to the microservice in accordance with the one or more configurations; and transmit the monitoring data to a user device associated with the microservice.

Abstract: A computer-implemented method of monitoring programmatic containers (containers) through executing a computer program in a kernel space is disclosed. The method comprises storing trace data in a memory buffer that is shared by the kernel space and a user space, the trace data being related to execution of a process associated with a container at an execution point of the process. The method also comprises retrieving container data related to the container through raw access of one or more kernel data structures when execution of the process is stopped. In addition, the method comprises storing the container data in association with the trace data in the memory buffer.

Abstract: In one embodiment, a method includes accessing a loaded but paused source process executable and disassembling the source process executable to identify a system call to be instrumented and an adjacent relocatable instruction. Instrumenting the system call includes building a trampoline for the system call that includes a check flag instruction at or near an entry point to the trampoline and two areas of the trampoline that are selectively executed according to results of the check flag instruction. Building a first area of the trampoline includes providing instructions to execute a relocated copy of the adjacent relocatable instruction and return flow to an address immediately following the adjacent relocatable instruction. Building a second area of the trampoline includes providing instructions to invoke at least one handler associated with executing a relocated copy of the system call and return flow to an address immediately following the system call.

Abstract: When it is detected that microservices have been created at a computing cluster running the microservices in containers, a respective monitoring subsystem is assigned to each microservice. Monitoring data for each of the microservices is then collected via the respective monitoring subsystems. Respective graphical user interfaces are then provided presenting at least a portion of the respective monitoring data for each microservice.

Abstract: A computer-implemented method of monitoring programmatic containers (containers) through executing a computer program in a kernel space is disclosed. The method comprises storing trace data in a memory buffer that is shared by the kernel space and a user space, the trace data being related to execution of a process associated with a container at an execution point of the process. The method also comprises retrieving container data related to the container through raw access of one or more kernel data structures when execution of the process is stopped. In addition, the method comprises storing the container data in association with the trace data in the memory buffer.

Abstract: Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.

Abstract: In one embodiment, a method includes accessing a loaded but paused source process executable and disassembling the source process executable to identify a system call to be instrumented and an adjacent relocatable instruction. Instrumenting the system call includes building a trampoline for the system call that includes a check flag instruction at or near an entry point to the trampoline and two areas of the trampoline that are selectively executed according to results of the check flag instruction. Building a first area of the trampoline includes providing instructions to execute a relocated copy of the adjacent relocatable instruction and return flow to an address immediately following the adjacent relocatable instruction. Building a second area of the trampoline includes providing instructions to invoke at least one handler associated with executing a relocated copy of the system call and return flow to an address immediately following the system call.

Abstract: Techniques related to communication between independent containers are provided. In an embodiment, a first programmatic container includes one or more first namespaces in which an application program is executing. A second programmatic container includes one or more second namespaces in which a monitoring agent is executing. The one or more first namespaces are independent of the one or more second namespaces. A monitoring agent process hosts the monitoring agent. The monitoring agent is programmed to receive an identifier of the application program. The monitoring agent is further programmed to switch the monitoring agent process from the one or more second namespaces to the one or more first namespaces. After the switch, the monitoring agent process continues to execute in the second programmatic container, but communication is enabled between the application program and the monitoring agent via the monitoring agent process.