Abstract
System call telemetry is essential for understanding runtime behavior in cloud-native infrastructures, but existing eBPF-based monitors suffer from high per-event overhead, unreliable delivery under load, and limited context for correlating multi-step activities. These issues reduce scalability, create blind spots in telemetry streams, and complicate the analysis of complex workload behaviors. This work presents Aquila, a lightweight telemetry framework that emphasizes efficiency, reliability, and semantic fidelity. Aquila employs a dual-path kernel pipeline that separates fixed-size metadata from variable-length attributes, reducing serialization costs and enabling high-throughput event processing. It introduces priority-aware buffering and explicit drop detection to retain loss-sensitive events while providing visibility into overload conditions. In the user space, kernel traces are enriched with Kubernetes metadata, mapping low-level system calls to pods, containers, and namespaces. Evaluation under representative workloads shows that Aquila improves scalability, reduces event loss, and enhances the semantic completeness of system call telemetry compared with existing approaches.