Configuration Library

The Sysdig configuration library lists all the major configurations supported by Sysdig agent components. This document is evolving and will be updated as new configurations are added to the product.

Generic Configuration

Configuration | dragent.yaml | Helm | Description | Default and Example
Cluster | dragent.yaml: k8s_cluster_name | Helm: global.clusterConfig.name

Identifier for the Kubernetes cluster where you install the agent. For more information, see Agent Configuration.

For example, ec2_cluster

Access Key | dragent.yaml: customerid | Helm: global.sysdig.accessKey

See Sysdig Agent Access Keys to learn how to retrieve the agent keys.

Secret | dragent.yaml: N/A | Helm: global.sysdig.accessKeySecret

The name of a Kubernetes secret containing an access-key entry.

Region | dragent.yaml: N/A | Helm: global.sysdig.region

The SaaS region where the agent is installed. Possible values include: us1, us2, us3, us4, eu1, au1, and custom. See Regions and IP Ranges for more information.

us1
Global Tags | dragent.yaml: tags | Helm: global.sysdig.tags

Sets the global tags, which can override agent tags. See Quick Install Sysdig Agent for more information.

Agent Tags | dragent.yaml: tags

The list of tags to identify the host where the agent is installed. For example: role:webserver, location:europe, role:webserver. See Quick Install Sysdig Agent for more information.

Proxy | dragent.yaml: http_proxy | Helm: global.proxy.httpProxy

Allows the agent to communicate with the Sysdig collector through an HTTP proxy. See Enable HTTP Proxy for Agents for more information.

HTTP Proxy Host | dragent.yaml: http_proxy.proxy_host

The host IP of the proxy server.

HTTP Proxy Port | dragent.yaml: http_proxy.proxy_port

See Enable HTTP Proxy for Agents for more information.

http_proxy.proxy_user

See Enable HTTP Proxy for Agents for more information.

http_proxy.proxy_password

See Enable HTTP Proxy for Agents for more information.

http_proxy.ssl

See Enable HTTP Proxy for Agents for more information.

http_proxy.ssl_verify_certificate

See Enable HTTP Proxy for Agents for more information.

http_proxy.ca_certificate

See Enable HTTP Proxy for Agents for more information.

Collector | Helm: collectorSettings.collectorHost

Enter the hostname or IP address of the Sysdig collector service. Note that within dragent.yaml, the key must be the lowercase collector.

See On-Premises Installation for more information.

Collector Port | On-prem only. The port used by the Sysdig collector service. | 6443
eBPF | dragent.yaml: N/A | Helm: ebpf.enabled

Set to true to enable the agent Universal eBPF (Technical Preview) or the current eBPF driver.

The default is false.

dragent.yaml: N/A | Helm: ebpf.kind

Set to universal_ebpf to enable the Universal eBPF (Technical Preview) driver. Set to legacy_ebpf to enable the eBPF driver. Note: ebpf.enabled must also be set to true for this configuration to work.

FIPS mode | dragent.yaml: fips_mode

Optional. Set to true for the agent to use a FIPS-validated crypto module to encrypt the communication between the agent and the Sysdig backend. The agent will log FIPS mode is enabled if a FIPS-validated crypto module was successfully loaded.

The default is false.

OpenSSL Library Location | dragent.yaml: openssl_lib

Version 12.16.x:

Required when fips_mode is set to true. Path to the directory containing user-provided OpenSSL v1.1.1 shared library files (libcrypto.so.1 and libssl.so.1). User-provided OpenSSL libraries must contain a FIPS-validated crypto module if fips_mode is set to true.

Version 12.17.0 and newer:

Optional. Path to the directory containing user-provided OpenSSL v3.1 shared library files (libcrypto.so.3 and libssl.so.3). User-provided OpenSSL libraries must contain a FIPS-validated crypto module if fips_mode is set to true.

By default, the agent uses bundled OpenSSL shared libraries.

Monitor-Specific Configuration

Configuration | dragent.yaml | Helm | Description | Default and Example
StatsD | dragent.yaml: statsd

Controls StatsD metric collection.

enabled
statsd:
  blacklisted_ports

See StatsD for more information.

statsd:
  tcp_port

See StatsD for more information.

statsd:
  udp_port

See StatsD for more information.

statsd:
  ip_address: 0.0.0.0

The value indicates that the statsd server will accept incoming traffic from any IP, local or remote. Use this configuration to allow a remote host to send statsd messages to a host running the agent, and to have the agent process those messages as if they had originated on the host on which the agent is running.

By default, the agent includes a statsd server that listens on the loopback interface (127.0.0.1) for incoming statsd messages, which does not allow accepting messages originating from remote hosts. Use the ip_address: 0.0.0.0 configuration to change this default behavior.

Events
events:
  docker

Controls Event Collection metric collection.

events:
  kubernetes
Log
log:
  event_priority

Allows you to configure log levels.

log:
  console_priority
log:
  file_priority
Prometheus
prometheus:
  enabled

Controls Prometheus Native Service Discovery.

JMX
jmx:
  enabled

Controls JMX metrics collection.

App Checks
app_checks:
  enabled

Controls monitoring capabilities using App Checks.

KSM
k8s_extra_resources:
  - include
  ...

Enable and disable Kube State Metrics collection.

enabled
Go Events | dragent.yaml: go_k8s_user_events

Streamline Sysdig agent processing times and reduce CPU load.

true
Agent Console
command_line:
  enabled

Enable Agent Console to interact with the Sysdig agent to troubleshoot and investigate agent configuration problems quickly.

enabled

Secure-Specific Configuration

Configure Falco Rule Matching Strategy

Prerequisites: Sysdig agent v.12.18+

Starting with Sysdig agent v12.18.0, the agent evaluates an event against all the rules, potentially triggering multiple alerts. In previous versions, the agent stopped evaluating rules after the first match.

To control this behavior, a new option has been added to dragent.yaml: security.falco_match_strategy

security:
  falco_match_strategy: all

To evaluate all rules for every event, set it to all. This is the default option.

To stop evaluation after the first match, set it to first.
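
The following added example (not Sysdig code) lints an already parsed dragent.yaml against constraints stated on this page: the StatsD listen address, the fips_mode and openssl_lib dependency, and the falco_match_strategy values and version prerequisite. The function name audit_dragent, the finding texts, and the sample configuration are assumptions made for illustration; YAML parsing is left to whichever parser you use.

```python
# Added example, not Sysdig code. `config` is the mapping a YAML parser returns
# for dragent.yaml; audit_dragent and SAMPLE are hypothetical names.

VALID_STRATEGIES = ("all", "first")

def audit_dragent(config, agent_version):
    """Return (key, message) findings for a (major, minor, patch) agent version."""
    findings = []

    # The default StatsD listener is loopback-only; 0.0.0.0 accepts remote senders.
    statsd = config.get("statsd") or {}
    if str(statsd.get("ip_address", "127.0.0.1")) == "0.0.0.0":
        findings.append(("statsd.ip_address",
                         "StatsD accepts messages from any IP, local or remote"))

    # 12.16.x requires openssl_lib with fips_mode; from 12.17.0 it is optional.
    fips = config.get("fips_mode") is True
    openssl_lib = config.get("openssl_lib")
    if fips and not openssl_lib and agent_version[:2] == (12, 16):
        findings.append(("openssl_lib",
                         "required on 12.16.x when fips_mode is true"))
    elif fips and openssl_lib:
        findings.append(("openssl_lib",
                         "user-provided libraries must contain a "
                         "FIPS-validated crypto module"))

    # falco_match_strategy exists from 12.18.0; "first" stops at the first match.
    strategy = (config.get("security") or {}).get("falco_match_strategy")
    if strategy is not None:
        key = "security.falco_match_strategy"
        if agent_version < (12, 18, 0):
            findings.append((key, "option needs agent v12.18+"))
        elif strategy not in VALID_STRATEGIES:
            findings.append((key, "documented values are all and first"))
        elif strategy == "first":
            findings.append((key, "rules after the first match do not alert"))
    return findings

# Constructed sample, equivalent to a dragent.yaml with these three settings.
SAMPLE = {
    "statsd": {"ip_address": "0.0.0.0"},
    "fips_mode": True,
    "security": {"falco_match_strategy": "first"},
}

if __name__ == "__main__":
    for key, message in audit_dragent(SAMPLE, (12, 16, 0)):
        print(f"{key}: {message}")
```

Running the same configuration against agent versions on either side of 12.17.0 and 12.18.0 shows which findings are version-dependent.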

Report Actions in Kubernetes Events

For a full description of the feature, see Threat Detection Policies.

Prerequisites

Sysdig agent v.12.18+

Permissions

  • Helm: If you deploy the agent using Helm, the permissions to enable create and patch actions for events on all APIs are automatically granted.

  • Manual: If you deploy manually, you must set up a Kubernetes cluster role with those permissions enabled. Example without cluster role binding:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: sysdig-agent
    rules:
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - patch
    

    Example with cluster role binding:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: sysdig-agent
    rules:
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: sysdig-agent
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: sysdig-agent
    subjects:
    - kind: ServiceAccount
      name: sysdig-agent 
      namespace: sysdig-agent
    ---