Run 'tetra getevents' with the '--output json' flag to receive newline-delimited JSON event records from the Tetragon gRPC server.
Pipe the JSON output to a log shipper or a file for ingestion. Each event object contains a 'process_exec', 'process_exit', 'process_kprobe', or similar top-level key.
Parse the nested process metadata fields from the JSON structure, including binary, arguments, pod name, namespace, and workload labels.
Use the '--event-types' flag to select only the event categories relevant to your SIEM use case, such as PROCESS_EXEC and PROCESS_KPROBE.
Configure export-stdout in Tetragon's Helm values or DaemonSet args to write all events to stdout so that a log collector sidecar can forward them to the SIEM.
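Added example, not code from the original page or the Tetragon project: a Python parser for the steps above that flattens each newline-delimited event into a SIEM-ready record and keeps only the wanted event types. The sample lines are constructed, and the field paths (process.binary, process.arguments, process.pod.*, function_name, node_name, time) are assumptions to verify against the Tetragon version you have pinned.

```python
import json

EVENT_KEYS = ("process_exec", "process_exit", "process_kprobe")

# Constructed sample lines (not captured output). Field paths are assumptions
# about the event layout; check them against your pinned Tetragon version.
SAMPLE = "\n".join([
    json.dumps({"process_exec": {"process": {
        "binary": "/usr/bin/curl", "arguments": "https://example.invalid",
        "pod": {"namespace": "default", "name": "web-0", "workload": "web",
                "pod_labels": {"app": "web"}}}},
        "node_name": "node-a", "time": "2024-01-01T00:00:00Z"}),
    json.dumps({"process_kprobe": {"process": {"binary": "/usr/bin/cat",
        "arguments": "/tmp/data.txt"}, "function_name": "fd_install"},
        "node_name": "node-a", "time": "2024-01-01T00:00:01Z"}),
    "{truncated line",
    json.dumps({"process_exit": {"process": {"binary": "/usr/bin/curl"}}}),
])

def flatten(line):
    """Return a flat SIEM record for one NDJSON line, or None if unusable."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # partial write or log-shipper truncation
    if not isinstance(event, dict):
        return None
    kind = next((k for k in EVENT_KEYS if k in event), None)
    if kind is None:
        return None  # event type this parser does not handle
    body = event[kind] or {}
    proc = body.get("process") or {}
    pod = proc.get("pod") or {}  # absent for host (non-pod) processes
    return {
        "event_type": kind,
        "time": event.get("time"),
        "node": event.get("node_name"),
        "binary": proc.get("binary"),
        "arguments": proc.get("arguments"),
        "namespace": pod.get("namespace"),
        "pod": pod.get("name"),
        "workload": pod.get("workload"),
        "labels": pod.get("pod_labels") or {},
        "function": body.get("function_name"),
    }

def parse_stream(text, wanted=("process_exec", "process_kprobe")):
    """Flatten every valid line and keep only the wanted event types."""
    records = (flatten(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r and r["event_type"] in wanted]
```

Records with a null pod and namespace come from host processes; routing them to a separate SIEM index keeps pod-scoped detections from silently skipping them.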
Known gotchas
'tetra getevents' connects to the local Tetragon gRPC socket. When running outside the pod, you must either exec into the Tetragon pod or expose the gRPC port via a service.
JSON event schemas can change between Tetragon versions. Pin the tetra CLI version to the same version as the deployed Tetragon agent to ensure schema compatibility.
High-frequency workloads can produce very large event volumes. Apply TracingPolicy selectors and event-type filters to reduce cardinality before forwarding to a SIEM, to avoid excessive ingestion costs.