in_ebpf: Implement openssl trace

[cosmo0920]

In this PR, I implemented OpenSSL's uprobe traces for read, write, handshake, and shutdown.

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change

$ sudo bin/fluent-bit -i ebpf -ptrace=trace_openssl -o stdout -v

• Debug log output from testing the change

Fluent Bit v5.0.5
* Copyright (C) 2015-2026 The Fluent Bit Authors
* Fluent Bit is a CNCF graduated project under the Fluent organization
* https://fluentbit.io

______ _                  _    ______ _ _           _____  _____ 
|  ___| |                | |   | ___ (_) |         |  ___||  _  |
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   _|___ \ | |/' |
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / /   \ \|  /| |
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V //\__/ /\ |_/ /
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/ \____(_)\___/


[2026/05/11 20:10:09.392] [ info] Configuration:
[2026/05/11 20:10:09.418] [ info]  flush time     | 1.000000 seconds
[2026/05/11 20:10:09.424] [ info]  grace          | 5 seconds
[2026/05/11 20:10:09.424] [ info]  daemon         | 0
[2026/05/11 20:10:09.424] [ info] ___________
[2026/05/11 20:10:09.425] [ info]  inputs:
[2026/05/11 20:10:09.425] [ info]      ebpf
[2026/05/11 20:10:09.425] [ info] ___________
[2026/05/11 20:10:09.426] [ info]  filters:
[2026/05/11 20:10:09.426] [ info] ___________
[2026/05/11 20:10:09.426] [ info]  outputs:
[2026/05/11 20:10:09.426] [ info]      stdout.0
[2026/05/11 20:10:09.427] [ info] ___________
[2026/05/11 20:10:09.427] [ info]  collectors:
[2026/05/11 20:10:09.502] [ info] [fluent bit] version=5.0.5, commit=e523e3999d, pid=1053463
[2026/05/11 20:10:09.509] [debug] [engine] coroutine stack size: 4194304 bytes (4.0M)
[2026/05/11 20:10:09.516] [ info] [storage] ver=1.5.4, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2026/05/11 20:10:09.516] [ info] [simd    ] SSE2
[2026/05/11 20:10:09.517] [ info] [cmetrics] version=2.1.2
[2026/05/11 20:10:09.517] [ info] [ctraces ] version=0.7.1
[2026/05/11 20:10:09.535] [ info] [input:ebpf:ebpf.0] initializing
[2026/05/11 20:10:09.536] [ info] [input:ebpf:ebpf.0] storage_strategy='memory' (memory only)
[2026/05/11 20:10:09.537] [debug] [ebpf:ebpf.0] created event channels: read=21 write=22
[2026/05/11 20:10:09.538] [debug] [input:ebpf:ebpf.0] initializing eBPF input plugin
[2026/05/11 20:10:09.543] [debug] [input:ebpf:ebpf.0] processing trace: trace_openssl
[2026/05/11 20:10:09.544] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_openssl
[2026/05/11 20:10:14.794] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_openssl
[2026/05/11 20:10:14.835] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_openssl
[2026/05/11 20:10:14.838] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_openssl
[2026/05/11 20:10:14.839] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_openssl
[2026/05/11 20:10:14.840] [debug] [input:ebpf:ebpf.0] setting up collector with poll interval: 1000 ms
[2026/05/11 20:10:14.842] [ info] [input:ebpf:ebpf.0] eBPF input plugin initialized successfully
[2026/05/11 20:10:14.845] [debug] [stdout:stdout.0] created event channels: read=55 write=56
[2026/05/11 20:10:14.884] [ info] [sp] stream processor started
[2026/05/11 20:10:14.886] [ info] [engine] Shutdown Grace Period=5, Shutdown Input Grace Period=2
[2026/05/11 20:10:14.898] [ info] [output:stdout:stdout.0] worker #0 started
[2026/05/11 20:10:15.841] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/05/11 20:10:15.841] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_openssl
[2026/05/11 20:10:15.842] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_openssl
[2026/05/11 20:10:16.817] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/05/11 20:10:16.818] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_openssl
[2026/05/11 20:10:16.818] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_openssl
[2026/05/11 20:10:17.817] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/05/11 20:10:17.818] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_openssl
[2026/05/11 20:10:17.818] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_openssl
[2026/05/11 20:10:18.820] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/05/11 20:10:18.820] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_openssl
[2026/05/11 20:10:18.865] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_openssl
[0] ebpf.0: [[1778497818.829102360, {}], {"event_type"=>"tls_handshake", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_handshake", "ssl_ptr"=>97020258710144, "latency_ns"=>15636586, "ret"=>-1}]
[1] ebpf.0: [[1778497818.860493643, {}], {"event_type"=>"tls_handshake", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_handshake", "ssl_ptr"=>97020258710144, "latency_ns"=>847234, "ret"=>1}]
[2] ebpf.0: [[1778497818.861574587, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>15823, "ret"=>-1}]
[3] ebpf.0: [[1778497818.862571129, {}], {"event_type"=>"tls_write", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_write", "ssl_ptr"=>97020258710144, "latency_ns"=>10469, "ret"=>64}]
[4] ebpf.0: [[1778497818.862893858, {}], {"event_type"=>"tls_write", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_write", "ssl_ptr"=>97020258710144, "latency_ns"=>2548, "ret"=>36}]
[5] ebpf.0: [[1778497818.863038501, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>49383, "ret"=>40}]
[6] ebpf.0: [[1778497818.863164772, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>1884, "ret"=>-1}]
[7] ebpf.0: [[1778497818.863298124, {}], {"event_type"=>"tls_write", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_write", "ssl_ptr"=>97020258710144, "latency_ns"=>14401, "ret"=>9}]
[8] ebpf.0: [[1778497818.863422162, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>8510, "ret"=>9}]
[2026/05/11 20:10:19.838] [debug] [task] created task=0x842d8c0 id=0 OK
[2026/05/11 20:10:19.840] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2026/05/11 20:10:19.841] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/05/11 20:10:19.841] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_openssl
[2026/05/11 20:10:19.841] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_openssl
[9] ebpf.0: [[1778497818.863547422, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>1618, "ret"=>-1}]
[10] ebpf.0: [[1778497818.863682012, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>83784, "ret"=>406}]
[11] ebpf.0: [[1778497818.864054457, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>14460, "ret"=>239}]
[12] ebpf.0: [[1778497818.864339016, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>11207, "ret"=>17}]
[13] ebpf.0: [[1778497818.864480803, {}], {"event_type"=>"tls_write", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_write", "ssl_ptr"=>97020258710144, "latency_ns"=>91559, "ret"=>17}]
[14] ebpf.0: [[1778497818.864605882, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>12213, "ret"=>-1}]
[15] ebpf.0: [[1778497818.864841665, {}], {"event_type"=>"tls_shutdown", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_shutdown", "ssl_ptr"=>97020258710144, "latency_ns"=>20885, "ret"=>0}]
[16] ebpf.0: [[1778497818.865183949, {}], {"event_type"=>"tls_read", "pid"=>1053479, "tid"=>1053479, "comm"=>"curl", "trace"=>"openssl_tls_read", "ssl_ptr"=>97020258710144, "latency_ns"=>13848, "ret"=>-1}]
[2026/05/11 20:10:19.859] [debug] [out flush] cb_destroy coro_id=0
[2026/05/11 20:10:19.869] [debug] [task] destroy task=0x842d8c0 (task_id=0)
[2026/05/11 20:10:20.817] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/05/11 20:10:20.818] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_openssl
[2026/05/11 20:10:20.818] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_openssl
[2026/05/11 20:10:21.817] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2026/05/11 20:10:21.818] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_openssl
[2026/05/11 20:10:21.819] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_openssl
^C[2026/05/11 20:10:22] [engine] caught signal (SIGINT)
[2026/05/11 20:10:22.127] [ warn] [engine] service will shutdown in max 5 seconds
[2026/05/11 20:10:22.128] [ info] [engine] pausing all inputs..
[2026/05/11 20:10:22.128] [ info] [input] pausing ebpf.0
[2026/05/11 20:10:22.130] [debug] [input:ebpf:ebpf.0] collector paused
[2026/05/11 20:10:22.818] [ info] [engine] service has stopped (0 pending tasks)
[2026/05/11 20:10:22.818] [ info] [input] pausing ebpf.0
[2026/05/11 20:10:22.818] [debug] [input:ebpf:ebpf.0] collector paused
[2026/05/11 20:10:22.821] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2026/05/11 20:10:22.827] [ info] [output:stdout:stdout.0] thread worker #0 stopped
[2026/05/11 20:10:23.311] [ info] [input:ebpf:ebpf.0] eBPF input plugin exited

• Attached Valgrind output that shows no leaks or memory corruption was found

==1053463== 
==1053463== HEAP SUMMARY:
==1053463==     in use at exit: 0 bytes in 0 blocks
==1053463==   total heap usage: 4,032 allocs, 4,032 frees, 22,360,614 bytes allocated
==1053463== 
==1053463== All heap blocks were freed -- no leaks are possible
==1053463== 

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cd751b8a-d697-4848-a8bf-21478a7ad522

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cosmo0920-implement-openssl-trace

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}