Logging and producers

May 29, 2026 ยท View on GitHub

Glutton has two output paths: process logs through Go slog, and optional producer events sent to HTTP or hpfeeds sinks. Handlers can emit both, but they're configured separately.

Process logs

producer.NewLogger(...) creates a JSON slog logger that writes every record to:

  • stdout
  • the path configured by --logpath

The file writer uses lumberjack rotation: 200 MB max size, 356 days max age, compression on. Every record carries the sensorID attribute (read from / written to <var-dir>/glutton.id).

The --debug flag is parsed but not wired into slog.HandlerOptions, so it does not currently lower the log level.

Producer events

Producer events follow the producer.Event schema:

JSON fieldMeaning
timestampUTC event timestamp.
transporttcp or udp.
srcHostSource IP.
srcPortSource port.
dstPortOriginal destination port from metadata.
sensorIDGlutton sensor ID.
ruleRule string when metadata includes a rule.
handlerHandler name supplied by the protocol handler.
payloadBase64-encoded payload bytes.
scannerScanner classification from scanner.IsScanner(...).
decodedHandler-specific decoded data.

Events are emitted only when (1) producers.enabled is true so a producer object exists, (2) a handler calls ProduceTCP(...) or ProduceUDP(...), and (3) at least one sink is enabled. Before output, configured addresses values are scrubbed from the payload and replaced with 1.2.3.4.

Example shape:

{
  "timestamp": "2026-05-15T12:00:00Z",
  "transport": "tcp",
  "srcHost": "203.0.113.10",
  "srcPort": "54321",
  "dstPort": 80,
  "sensorID": "00000000-0000-0000-0000-000000000000",
  "rule": "Rule: tcp",
  "handler": "http",
  "payload": "R0VUIC8gSFRUUC8xLjENCg0K",
  "scanner": "",
  "decoded": { "protocol": "http", "fields": {} }
}

decoded is handler-specific. For proxy_tcp, it contains per-direction entries (direction, payload, payload_hash, bytes, truncated) when capture_traffic.enabled is true; samples are capped by max_tcp_payload, and truncated reflects whether more bytes were forwarded than captured.

HTTP producer

When producers.http.enabled is true, Glutton marshals each event as JSON and POSTs it to producers.http.remote with Content-Type: application/json. From source:

  • HTTP client timeout: 10s; TLS handshake timeout: 5s.
  • Events from private source IPs are skipped.
  • Userinfo in the remote URL is used as HTTP Basic Auth.
  • Query strings in the configured URL are preserved.

hpfeeds producer

When producers.hpfeeds.enabled is true, Glutton connects to the broker at startup and publishes gob-encoded producer.Event values to producers.hpfeeds.channel.

producers:
  hpfeeds:
    enabled: false
    host: 172.26.0.2
    port: 20000
    ident: ident
    auth: auth
    channel: test

Treat all logged payloads as attacker-controlled data in downstream pipelines.