/en/tags/exporter/Recent content in Exporter on Mi&Bee BlogHugo -- gohugo.ioen蓝宝石的傻话Thu, 21 May 2026 00:00:00 +0000/en/posts/telemetry/security-collector-exporter-from-compliance-to-runtime/Thu, 21 May 2026 00:00:00 +0000/en/posts/telemetry/security-collector-exporter-from-compliance-to-runtime/<h2 id="the-origin-compliance-check-hassles">The Origin: Compliance Check Hassles</h2> <p>Anyone in operations knows there&rsquo;s no escaping one hurdle for domestic servers: <strong>Cybersecurity Level Protection</strong> (GB/T 22239-2019, commonly known as &ldquo;Level Protection 2.0&rdquo;). Whether you&rsquo;re Level 3 or Level 2, auditors come asking about these things:</p> <ul> <li>Is SSH root login disabled? Are password policies compliant?</li> <li>Is the firewall on? Is SELinux enforcing?</li> <li>Are there expired accounts? What&rsquo;s the password validity period?</li> <li>Which ports are open? Are there high-risk services running?</li> <li>Are audit logs enabled? How long are they retained?</li> </ul> <p>There are plenty of compliance check tools on the market—search GitHub and you&rsquo;ll find a bunch: <code>Golin</code>, <code>EvaluationTools</code>, <code>Linux-Security-Compliance-Check</code>, etc. But they all share one limitation: <strong>Run once, get a report, done</strong>. You check compliance today, and someone changes <code>sshd_config</code> tomorrow, turns off the firewall, installs a backdoor service—you&rsquo;d never know.</p>/en/posts/telemetry/security-collector-exporter-ebpf-v030/Tue, 19 May 2026 00:00:00 +0000/en/posts/telemetry/security-collector-exporter-ebpf-v030/<h2 id="from-static-to-real-time">From Static to Real-Time</h2> <p>The previous article introduced <a href="../security-collector-exporter-v010/">security-collector-exporter v0.1.0</a> — turning Linux security configuration states into Prometheus metrics. But v0.1.0 is essentially &ldquo;snapshot-based&rdquo;: periodically reading <code>/etc</code>, <code>/proc</code>, capturing the static configuration at a single point in time.</p> <p>There&rsquo;s an area of security operations that snapshots can&rsquo;t cover: <strong>real-time security events</strong>. Someone running a reverse shell, a process escalating privileges, an abnormal network connection, someone loading a kernel module — these events happen and pass; you&rsquo;d never see them at your next scrape.</p>/en/posts/telemetry/security-collector-exporter-v010/Thu, 14 May 2026 00:00:00 +0000/en/posts/telemetry/security-collector-exporter-v010/<h2 id="why-this-was-built">Why This Was Built</h2> <p>Anyone managing servers has probably had this experience: compliance audit comes, SSH into machines one by one to check—SSH config correct, SELinux enabled, firewall running, any expired accounts, password policies compliant. A few machines are fine; dozens or hundreds becomes purely manual grunt work.</p> <p>And the more painful part: none of this has continuous monitoring. You check compliance today, someone changes a config tomorrow, and you&rsquo;d never know.</p>