Session
“Security at the Speed of BPF: Building a Lightweight SIEM with eBPF + OpenSearch”
Security observability is undergoing a quiet revolution—and at its heart is eBPF, the powerful in-kernel technology enabling deep, zero-overhead visibility into system behavior. In this talk, we’ll explore how eBPF can be combined with OpenSearch to build a high-performance, real-time SIEM (Security Information and Event Management) pipeline—without the heavyweight infrastructure of traditional security stacks.
You’ll learn how to use eBPF to trace critical security signals like syscall events, file access patterns, unauthorized network connections, and privilege escalations—all from kernel space, with minimal performance impact. Then we’ll walk through how to structure, enrich, and ship these events directly into OpenSearch, where they can be indexed, queried, and visualized for active threat detection and forensic analysis.
We’ll close with a live demo of a “lightweight SIEM in action”—catching threats on a Linux system using eBPF sensors and surfacing alerts in OpenSearch in real time.
Whether you're a security engineer, SRE, or search architect, this session will show how eBPF and OpenSearch can form a fast, open, and flexible foundation for next-generation SecOps.
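As an added example (not code from the talk or from any project it names), the "structure, enrich, and ship" step and three of the detections the abstract lists, written in Python over constructed events shaped like what a user-space consumer of a BPF ring buffer would emit; the egress allowlist, host name, index name and OpenSearch URL are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample events, one dict per kernel event; ts_ns is assumed already converted to epoch ns.
SAMPLE_EVENTS = [
    {"ts_ns": 1_700_000_000_000_000_000, "type": "execve", "pid": 4242, "uid": 1000, "comm": "bash", "argv": ["/bin/bash"]},
    {"ts_ns": 1_700_000_001_000_000_000, "type": "setuid", "pid": 4242, "uid": 1000, "new_uid": 0, "comm": "bash"},
    {"ts_ns": 1_700_000_002_000_000_000, "type": "connect", "pid": 4242, "uid": 0, "comm": "curl", "daddr": "203.0.113.7", "dport": 4444},
    {"ts_ns": 1_700_000_003_000_000_000, "type": "openat", "pid": 4243, "uid": 1000, "comm": "cat", "path": "/etc/shadow"},
]
ALLOWED_EGRESS = {("10.0.0.5", 443), ("10.0.0.9", 5432)}  # assumed per-host egress allowlist
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}

def detect(ev):
    """Return alert tags for one event; an empty list means nothing suspicious."""
    tags = []
    if ev["type"] == "setuid" and ev["uid"] != 0 and ev.get("new_uid") == 0:
        tags.append("privilege_escalation")        # unprivileged -> root transition
    if ev["type"] == "connect" and (ev.get("daddr"), ev.get("dport")) not in ALLOWED_EGRESS:
        tags.append("unauthorized_egress")         # destination not on the allowlist
    if ev["type"] == "openat" and ev.get("path") in SENSITIVE_PATHS and ev["uid"] != 0:
        tags.append("sensitive_file_access")       # non-root read of a credential file
    return tags

def enrich(ev, host="sensor-01"):
    """Add the fields OpenSearch queries and dashboards key on: ISO timestamp, host, alert tags."""
    doc = dict(ev)
    doc["@timestamp"] = datetime.fromtimestamp(ev["ts_ns"] / 1e9, tz=timezone.utc).isoformat()
    doc["host"] = host
    doc["alert"] = detect(ev)
    return doc

def to_bulk(events, index="ebpf-events"):
    """Build the NDJSON body for OpenSearch's _bulk API: an action line, then a document line, per event."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(enrich(ev)))
    return "\n".join(lines) + "\n"   # _bulk requires a trailing newline

def ship(body, url="http://localhost:9200/_bulk"):
    """POST the bulk body to OpenSearch; not called here so the example runs offline."""
    req = urllib.request.Request(url, data=body.encode(), method="POST", headers={"Content-Type": "application/x-ndjson"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())
```

Feed `to_bulk(SAMPLE_EVENTS)` to `ship()` against a running OpenSearch and the four documents land in `ebpf-events`, where a query on `alert:privilege_escalation` returns the setuid event.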