eBPF Application Auto-Instrumentation with OBI
Collecting application metrics and traces usually means adding language-specific agents or modifying application code. OBI (OpenTelemetry eBPF-based instrumentation) simplifies this process using eBPF for automatic application instrumentation. Without any code changes, OBI inspects executables and the OS networking stack to capture trace spans for web traffic and RED (Rate, Errors, Duration) metrics in Linux-based HTTP/S and gRPC services.
OBI includes the following capabilities:
- Broad language compatibility: Supports Java, .NET, Go, Python, Ruby, Node.js, C, C++, and Rust
- Minimal footprint: Requires no code modifications, library installations, or application restarts
- High-efficiency instrumentation: Leverages eBPF probes to collect traces and metrics with low overhead
- End-to-end tracing: Automatically captures and forwards distributed trace spans to a central collector
- Kubernetes-first approach: Enables auto-instrumentation for Kubernetes workloads with zero configuration
- Encrypted traffic visibility: Monitors TLS/SSL transactions without decrypting content
- Automatic context propagation: Seamlessly passes trace context between services
- Multi-protocol support: Compatible with HTTP/S, gRPC, and gRPC-Web
- Optimized metrics: Emits Prometheus-style metrics with low cardinality to reduce observability costs
- Service-level network insights: Tracks inter-service network communication flows
- Database observability: Captures database queries and connection activity
- Cross-service trace continuity: Maintains trace context as requests move through distributed systems
OBI enables scalable, vendor-neutral observability without invasive changes.
eBPF overview
eBPF (extended Berkeley Packet Filter) is a groundbreaking Linux kernel technology for observability, networking, and security. It allows applications like Coralogix APM to safely execute custom logic within the kernel, enabling real-time, high-fidelity metrics—without requiring manual instrumentation or code changes.
Coralogix leverages the OpenTelemetry eBPF instrumentation agent to provide zero-code automatic instrumentation with minimal system overhead. This open-source agent delivers a powerful observability layer that:
- Follows OTel standards
- Supports programming languages that are difficult to instrument traditionally
- Automatically discovers and monitors services at the cluster level
- Offers deep visibility into application behavior from the kernel up
This approach enables comprehensive observability across environments without invasive setup or application modifications. For background on the underlying technology, visit the eBPF Foundation.
The OpenTelemetry eBPF instrumentation agent has been donated to the CNCF OpenTelemetry project and is now part of the official OpenTelemetry ecosystem. You can explore the code and contribute via the OpenTelemetry eBPF instrumentation repository.
Benefits
Accelerated time-to-value
Traditional instrumentation setup can be time-consuming and requires deployment effort, especially across complex or distributed systems. With eBPF, monitoring starts immediately after deployment, capturing relevant metrics and events from the kernel without the need to instrument or redeploy applications. This rapid setup accelerates time-to-value for APM tools.
Real-time, system-wide observability with minimal overhead
eBPF enables an APM solution to provide in-depth, real-time visibility across all aspects of system performance and application behavior without impacting overall system efficiency, making it a highly effective choice for modern, production-grade observability.
Unrestricted monitoring for legacy and closed-source applications
For certain applications, especially legacy systems or proprietary software, adding instrumentation via OpenTelemetry or other SDKs may not be possible. eBPF shines here, as it attaches directly to system calls or network events at the kernel level, capturing relevant data regardless of application type, language, or compatibility with instrumentation libraries. This capability is crucial in environments with heterogeneous services or closed-source applications, allowing APM solutions to gather necessary performance data for uninstrumented services without any dependency on application-level telemetry support.
Security
eBPF runs securely within the kernel and needs only limited permissions. It minimizes the attack surface and doesn't require changes to applications.
Vendor-neutral and open source
The OpenTelemetry eBPF instrumentation agent is vendor-neutral and open source, ensuring no vendor lock-in and allowing for community-driven development and improvements.
Concepts
- DaemonSet – Deploying as a DaemonSet ensures that each Kubernetes node has an eBPF-based monitoring agent, giving full visibility across the cluster. This method scales easily as your cluster grows. Learn more about Kubernetes DaemonSets.
- Automatic service discovery – The OpenTelemetry eBPF agent detects new pods, containers, and services automatically, adapting to changes in real-time without manual configuration.
- Network observability – eBPF captures data on network latency, packet drops, and errors, supporting microservices monitoring with insights into inter-service communication.
- Service name – The eBPF agent uses Kubernetes metadata such as `deployment`, `daemonset`, or `statefulset` names as the service name, enriching observability data with container orchestration context.
How it works
The OpenTelemetry eBPF instrumentation agent runs as a DaemonSet across your Kubernetes cluster, providing complete visibility into every packet transmitted or received by each service. No sampling or guesswork is required; it captures everything at the kernel level.
The eBPF agent categorizes traffic by protocol, either by detecting it from raw data or identifying the originating library. Service-to-service connections are fully mapped, enabling complete interaction tracing, such as HTTP requests, gRPC calls, SQL queries, and their responses. Each interaction is enriched with OpenTelemetry (OTel) conventions, enhancing the contextual insights.
Your OpenTelemetry collector then gathers, processes, and enriches this data as metrics or spans, before sending it to Coralogix. This process provides deep visibility into service behaviors and interactions.
Instrumentation support
The OpenTelemetry eBPF instrumentation agent supports:
- Architecture: AMD64, ARM64
- Kernel version: 5.8 and above (with BTF enabled), or RHEL 4.18 kernels build 348+
- Protocols and technologies:
  - HTTP/HTTPS/HTTP2: All programming languages
  - gRPC: All programming languages
  - SQL: MySQL, MariaDB, PostgreSQL, and other database protocols
  - NoSQL: MongoDB
  - Redis: Redis protocol support
  - Kafka: All Kafka implementations
  - SSL/TLS: Support for encrypted protocols using OpenSSL
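A node preflight for the architecture, kernel, and BTF requirements listed above, added here as an example and not taken from the OBI project or Coralogix. The function names, the `--run` switch, the RHEL release-string format, and applying the BTF check to the RHEL 4.18 path are assumptions of this example.

```shell
#!/bin/sh
# Added example: node preflight for the requirements listed above.
# Checks take their input as arguments so they can be exercised offline.

# arch_supported <uname -m value>: AMD64 or ARM64 only.
arch_supported() {
    case "$1" in
        x86_64|amd64|aarch64|arm64) return 0 ;;
        *) return 1 ;;
    esac
}

# kernel_supported <uname -r value>: 5.8 and above, or a RHEL 4.18 kernel
# at build 348 or later. Assumption: RHEL-family releases look like
# 4.18.0-348.el8.x86_64, with the build number after the first dash.
kernel_supported() {
    release=$1
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 8 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -eq 18 ] || return 1
    case "$release" in *-*.el[0-9]*) ;; *) return 1 ;; esac
    build=${release#*-}
    build=${build%%[!0-9]*}
    [ -n "$build" ] && [ "$build" -ge 348 ]
}

# btf_available [path]: the kernel exposes its BTF type data at this path.
btf_available() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# preflight: run all three checks against the current node.
# Assumption: BTF is required on the RHEL 4.18 path as well.
preflight() {
    rc=0
    arch_supported "$(uname -m)" || { echo "FAIL arch $(uname -m)"; rc=1; }
    kernel_supported "$(uname -r)" || { echo "FAIL kernel $(uname -r)"; rc=1; }
    btf_available || { echo "FAIL no BTF at /sys/kernel/btf/vmlinux"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK node meets the listed requirements"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; exit $?; fi
```

Run it with `--run` on each node (or from a node-level debug pod) before rolling out the DaemonSet; a non-zero exit marks a node where the agent's eBPF probes are not expected to load.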
Go-specific instrumentations
For Go applications, the agent provides enhanced instrumentation for specific libraries:
Library | Support |
---|---|
Standard Go net/http | ✅ |
Gorilla Mux | ✅ |
Gin | ✅ |
gRPC-Go | ✅ |
Go x/net/http2 | ✅ |
Go-Redis v9 | ✅ |
Sarama Kafka | ✅ |
Kafka-Go | ✅ |
APM feature matrix
The table below compares the features supported by Coralogix APM with full OpenTelemetry integration versus those of the eBPF-based APM.
Feature (K8s environments only) | eBPF | Full OpenTelemetry |
---|---|---|
Service catalog | ✔️ | ✔️ |
Database catalog | ✔️ | ✔️ |
Service map (only for Events2Metrics as metrics data source) | ✔️ | ✔️ |
Metrics contextualization | ✔️ | ✔️ |
Service alerts | ✔️ | ✔️ |
SLOs | ✔️ | ✔️ |
Apdex | ✔️ | ✔️ |
Span - log correlation | ❌ | ✔️ |
API error tracking | ✔️ | ✔️ |
Service - log correlation | ✔️ | ✔️ |
K8s resources correlation | ✔️ | ✔️ |
Serverless monitoring | ❌ | ✔️ |
Transactions | ❌ | ✔️ |
Spans exploration | ✔️ | ✔️ |
Traces exploration | ✔️ | ✔️ |
Trace map | ✔️ | ✔️ |
Sampling | ✔️ | ✔️ |
Span metrics | ✔️ | ✔️ |
Additional resources
- Zero Instrumentation with OBI on our website
- OpenTelemetry eBPF Instrumentation GitHub Repository
- OpenTelemetry Documentation
- eBPF Foundation