Configuration Library

The Sysdig configuration library lists all the major configurations supported by Sysdig agent components. This document is evolving and will be updated as new configurations are added to the product.

Generic Configuration

Configuration	dragent.yaml	Helm	Description	Default and Example
Cluster	`k8s_cluster_name`	`global.clusterConfig.name`	Identifier for the Kubernetes cluster where you install the agent. For more information, see Agent Configuration.	For example, `ec2_cluster`
Access Key	`customerid`	global.sysdig.accessKey	See Sysdig Agent Access Keys to learn how to retrieve the agent keys.
Secret	N/A	`global.sysdig.accessKeySecret`	The name of a Kubernetes secret containing an access-key entry.
Region	N/A	`global.sysdig.region`	The SaaS region where the agent is installed. Possible values include: `us1`, `us2`, `us3`, `us4`, `eu1`, `au1`, and `custom`. See Regions and IP Ranges for more information.	`us1`
Global Tags	`tags`	`global.sysdig.tags`	Sets the global tags which can override agent tags. See Quick Install Sysdig Agent for more information
Agent Tags	`tags`		The list of tags to identify the host where the agent is installed. For example: `role:webserver`, `location:europe`, `role:webserver`. See Quick Install Sysdig Agent for more information.
Proxy	`http_proxy`	`global.proxy.httpProxy`	Allows the agent to communicate with Sysdig collector through a `http_proxy`. See Enable HTTP Proxy for Agents for more information.
HTTP Proxy Host	`http_proxy.proxy_host`		The host IP of the proxy server.
HTTP Proxy Port	`http_proxy.proxy_port`		See Enable HTTP Proxy for Agents for more information.
	`http_proxy.proxy_user`		See Enable HTTP Proxy for Agents for more information.
	`http_proxy.proxy_password`		See Enable HTTP Proxy for Agents for more information.
	`http_proxy.ssl`		See Enable HTTP Proxy for Agents for more information.
	`http_proxy.ssl_verify_certificate`		See Enable HTTP Proxy for Agents for more information.
	`http_proxy.ca_certificate`		See Enable HTTP Proxy for Agents for more information.
Collector		`collectorSettings.collectorHost`	Enter the hostname or IP address of the Sysdig collector service. Note that when used within `dragent.yaml`, must be lowercase collector. See On-Premises Installation for more information.
Collector Port			On-prem only. The port used by the Sysdig collector service.	6443
eBPF	N/A	`ebpf.enabled`	Set to `true` to enable the agent Universal eBPF (Technical Preview) or the current eBPF driver.	The default is `false`.
	N/A	`ebpf.kind`	Set to `universal_ebpf` to enable the Universal eBPF (Technical Preview) driver. Set to `legacy_ebpf` to enable the eBPF driver. *Note:* `ebpf.enabled` must also be set to `true` for this configuration to work.
FIPS mode	`fips_mode`		Optional. Set to `true` for the agent to use a FIPS-validated crypto module to encrypt the communication between the agent and the Sysdig backend. The agent will log `FIPS mode is enabled` if a FIPS-validated crypto module was successfully loaded.	The default is `false`.
OpenSSL Library Location	`openssl_lib`		Version 12.16.x: Required when `fips_mode` is set to `true`. Path to the directory containing user-provided OpenSSL v1.1.1 shared library files, (`libcrypto.so.1`, and `libssl.so.1`). User-provided OpenSSL libraries must contain a FIPS-validated crypto module if setting `fips_mode` to `true`. Version 12.17.0 and newer: Optional. Path to the directory containing user-provided OpenSSL v3.1 shared library files, (`libcrypto.so.3`, and `libssl.so.3`). User-provided OpenSSL libraries must contain a FIPS-validated crypto module if setting `fips_mode` to `true`.	By default, the agent uses bundled OpenSSL shared libraries.

Monitor-Specific Configuration

Configuration	dragent.yaml	Helm	Description	Default and Example
StatsD	`statsd`		Controls StatsD metric collection.	`enabled`
	`statsd: blacklisted_ports`		See StatsD for more information.
	`statsd: tcp_port`		See StatsD for more information.
	`statsd: udp_port`		See StatsD for more information.
	`statsd: ip_address: 0.0.0.0`		The value indicates that the statsd server will accept incoming traffic from any IP, local or remote. Use this configuration to add the ability to send statsd messages to a host running the agent from a remote host, and for the agent to process the message as if they have originated on the host on which the agent is running.	By default, the agent includes a statsd server that listens on the loopback interface (127.0.0.1) for incoming statsd messages, which does not allow accepting messages originating from remote hosts. Use the `ip_address: 0.0.0.0` configuration to change this default behavior.
Events	`events: docker`		Controls Event Collection metric collection.
	`events: kubernetes`
Log	`log: event_priority`		Allows you to configure log levels metric collection.
	`log: console_priority`
	`log: file_priority`
Prometheus	`prometheus: enabled`		Controls Prometheus Native Service Discovery.
JMX	`jmx: enabled`		Controls JMX metrics collection.
App Checks	`app_checks: enabled`		Controls monitoring capabilities using App Checks.
KSM	`k8s_extra_resources: - include ...`		Enable and disable Kube State Metrics collection.	`enabled`
Go Events	`go_k8s_user_events`		Streamline Sysdig agent processing times and reduce CPU load.	`true`
Agent Console	`command_line: enabled`		Enable Agent Console to interact with the Sysdig agent to troubleshoot and investigate agent configuration problems quickly.	`enabled`

Secure-Specific Configuration

Configure Falco Rule Matching Strategy

Prerequisites: Sysdig agent v.12.18+

From Sysdig agent v12.18.0+, the agent evaluates an event against all the rules, potentially triggering multiple alerts. In previous versions, the agent stopped evaluating rules after the first match.

To control this behavior, a new option has been added to dragent.yaml: security.falco_match_strategy

security:
  falco_match_strategy: all

To evaluate all rules for every event; set it to all. This is the default option.

To stop evaluation after the first match; set it to first.

Report Actions in Kubernetes Events

For a full description of the feature, see Threat Detection Policies.

Prerequisites

Sysdig agent v.12.18+

Permissions

Helm: If you deploy the agent using Helm, the permissions to enable create and patch actions for events on all APIs are automatically granted.

Manual: If you deploy manually, you must set up a Kubernetes cluster role with those permissions enabled. Example without cluster role binding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sysdig-agent
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch

Example with cluster role binding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sysdig-agent
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sysdig-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sysdig-agent
subjects:
- kind: ServiceAccount
  name: sysdig-agent 
  namespace: sysdig-agent
---

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.