This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

  • 1:
    • 1.1:
      • 1.1.1:
        • 1.1.2:
        • 1.2:
          • 1.3:
            • 1.3.1:
              • 1.3.2:
                • 1.3.3:
                  • 1.3.4:
                  • 1.4:
                    • 1.5:
                      • 1.6:
                        • 1.7:
                          • 1.8:
                            • 1.9:
                              • 1.10:
                                • 1.11:
                                  • 1.12:
                                  • 2:
                                    • 2.1:
                                      • 2.2:
                                        • 2.2.1:
                                          • 2.2.2:
                                            • 2.2.3:
                                            • 2.3:
                                              • 2.4:
                                                • 2.4.1:
                                                  • 2.4.2:
                                                    • 2.4.3:
                                                      • 2.4.4:
                                                        • 2.4.4.1:
                                                        • 2.4.5:
                                                          • 2.4.6:
                                                            • 2.4.7:
                                                            • 2.5:
                                                              • 2.6:
                                                                • 2.7:
                                                                  • 2.8:
                                                                    • 2.8.1:
                                                                      • 2.8.2:
                                                                        • 2.8.3:
                                                                        • 2.9:
                                                                          • 2.10:
                                                                            • 2.11:
                                                                            • 3:
                                                                              • 4:

                                                                                Sysdig Agent

                                                                                Sysdig agents are simple to deploy and upgrade, and out of the box, they will gather and report on a wide variety of pre-defined metrics. Agent installation can be as simple as copying and pasting a few lines of code from a Wizard prompt, or you can follow step-by-step instructions to check supported environments and distributions, review installation options, and customize the agent configuration file post-install.

                                                                                About Sysdig Agent

                                                                                Sysdig agent is a lightweight host component that processes syscall, creates capture files, and performs auditing and compliance. It is a platform that supports monitoring, securing, and troubleshooting cloud-native environments

                                                                                In addition, the agent performs the following:

                                                                                • Metrics processing, analysis, aggregation, and transmission

                                                                                • Policy monitoring and alert notification through bidirectional communication with the Sysdig collector

                                                                                • Integration with third-party software for consolidating customer ecosystem data

                                                                                • Full assimilation into containerized and orchestrated environment

                                                                                Data Processing

                                                                                A top-level flow for monitoring is illustrated in the following diagram.

                                                                                1. The following agent components gather relevant data:

                                                                                  • Syscall

                                                                                  • StatsD

                                                                                  • JMX

                                                                                  • Promscrape

                                                                                2. Store the metrics for analysis.

                                                                                3. Sends the metrics in every second for analysis and aggregation.

                                                                                4. Build the 10-second roll-up data.

                                                                                5. Send the data every tenth second for serialization

                                                                                6. Send the serialized metrics to the Sysdig collector

                                                                                Learn More

                                                                                1 -

                                                                                Agent Installation

                                                                                Sysdig agents are delivered as either a container or a service and can be deployed with or without an orchestrator such as Kubernetes or Mesos.

                                                                                A quick install involves just a few lines of code from the Getting Started Wizard copied into a shell. The complete install instructions address checking for and installing kernel headers if needed, any prerequisite permissions settings for particular environments, and tips about updating the configuration files after initial installation.

                                                                                Plan the Installation

                                                                                Topic

                                                                                Description

                                                                                Host Requirements

                                                                                Review the platforms, runtimes, Linux distributions, orchestration, browsers, etc. that are supported.

                                                                                Kernel Header Troubleshooting

                                                                                Additional tips if your kernel module or header are not automatically compiled by the agent

                                                                                Access key

                                                                                An agent access key is provided with a Sysidg trial

                                                                                Installation flavours

                                                                                Choose one of the installations:

                                                                                • Slim Agent : A lighter version of the Sysdig agent created by splitting the regular agent image into two components responsible for different functionalities. You install and run these modules as containers.

                                                                                • Regular Agent: The Sysdig agent that you can run as a container or a service.

                                                                                Install Options

                                                                                Wizard-Based

                                                                                With the Getting Started Wizard, you can copy/paste a simple line of code to deploy agents in a variety of environments.

                                                                                Node Image Analyzer by default is installed with Sysdig Agent for Sysdig Secure. See Installing the Image Analyzer for more information.

                                                                                Behind the scenes, the Wizard auto-detects and completes configuration items such as the required access key and port information. The Wizard is launched from the Start a Free Trial button at sysdig.com.

                                                                                After the first install, Sysdig Secure and Monitor users can access the Wizard at any time from the Rocket icon in the navbar.

                                                                                Manual Options

                                                                                There are a variety of ways to install agents without using the Wizard.

                                                                                Flavor

                                                                                Helm

                                                                                Manual

                                                                                Slim Agent

                                                                                Notes

                                                                                Kubernetes

                                                                                Open Source

                                                                                Readme

                                                                                Kubernetes vanilla

                                                                                Install Slim Agent

                                                                                Used for most environments, e.g. Amazon EKS or EC2 on AWS Cloud or AWS Outpost, EC2, Azure AKS, etc.

                                                                                OpenShift

                                                                                Readme

                                                                                OpenShift

                                                                                Used for any environment with OpenShift.

                                                                                GKE

                                                                                Readme

                                                                                GKE

                                                                                Slim agent is not supported on GKE clusters running on Container-Optimized OS (COS).

                                                                                Used for Google Kubernetes Service environment

                                                                                Non-Orchestrated

                                                                                Agent as container or agent as service

                                                                                n/a

                                                                                Container

                                                                                Service

                                                                                Install Slim Agent

                                                                                Used when there is no orchestrator such as Kubernetes.

                                                                                IKS

                                                                                n/a

                                                                                IBM Cloud with Sysdig)

                                                                                Install Slim Agent

                                                                                IBM manages and documents Sysdig installs as part of IKS.

                                                                                Certain environments may need a different option:

                                                                                1.1 -

                                                                                Host Requirements for Agent Installation

                                                                                Sysdig agents can be installed on a wide array of Linux hosts. Check your environment to ensure it meets the minimum supported platform, operating system, runtime, and orchestration requirements and uses the appropriate installation instructions.

                                                                                Versioning Scheme

                                                                                The versioning scheme for agent releases has been updated with version 9.5.0. Previous versions used the format, <version number><hotfix> such as, 0.94.0.

                                                                                Sysdig is aligning version numbers to the rest of the product. The new version number reflects the maturity of the agent software over the last several years. Starting v9.5.0, all agent versions are numbered as Major.minor.hotfix

                                                                                We encourage users to be on the latest version of the agent. Starting with v9.6.0, we support n-3 versions backbased on the minor number. For example, if the release is v9.6.0, we will support n-3 versions back, for example, to 9.3.0. The old version scheme is 0.93.0.

                                                                                Agent Installation Requirements

                                                                                Cloud Platform or Private Data Center

                                                                                Cloud Platforms Supported

                                                                                • AWS AWS Elastic Kubernetes Service (EKS), Elastic Cloud Compute (EC2), AWS Elastic Container Service (ECS) on AWS Cloud or AWS Outpost

                                                                                • Google Cloud Provider (GCP) and Google Kubernetes Engine (GKE).

                                                                                • Microsoft Azure and Microsoft Azure Container Service (AKS)

                                                                                • IBM: Including IBM Cloud Kubernetes Service (IKS)

                                                                                Private Data Center

                                                                                See the Supported Linux Distributions table, below.

                                                                                Container Runtimes

                                                                                The agent supports the detection of Docker, RKT, LXC, containerd, CRI-O, and Mesos containers.

                                                                                Prerequisites for CRI-O Environments

                                                                                Agent artifacts are stored on the Docker registry. In CRI-O and Kubernetes environments, Docker is not a specified registry by default. In order to prevent image pull failure for Sysdig agent installations in CRI-O environments, add docker.ioto the CRI-O configuration file:

                                                                                1. Edit /etc/crio/crio.conf.

                                                                                2. Add registries = ["docker.io"] to the crio.conf file.

                                                                                  For example:

                                                                                  # registries is used to specify a comma separated list of registries to be used
                                                                                  # when pulling an unqualified image (e.g. fedora:rawhide).
                                                                                  registries = [
                                                                                  “registry.example.xyz”,
                                                                                  “docker.io”
                                                                                  ]
                                                                                  
                                                                                3. Restart CRI-O.

                                                                                Prerequisites for Podman Environments

                                                                                Sysdig agent supports running as a Podman container.

                                                                                • Enable Podman API service for all the users.

                                                                                  The agent will not able to collect Podman-managed container metadata, such as the container name, if the API service is not enabled.

                                                                                • Secure rules and policies that depend on container metadata other than the container ID will not work.

                                                                                • Pausing and terminating containers will not work because Policy actions for Podman are not supported.

                                                                                • The containers started as a non-root user will have the podman_owner_uid label associated with it if the API service is enabled for that user. The value of podman_owner_uid will be the numeric user ID corresponding to the user that started the container.

                                                                                Supported Container Registries

                                                                                • Quay.io

                                                                                  For example, to pull the latest agent container from Quay.io:

                                                                                  docker pull quay.io/sysdig/agent
                                                                                  
                                                                                • Docker Hub

                                                                                  For example, to pull the latest agent container from Docker Hub:

                                                                                  docker pull sysdig/agent
                                                                                  

                                                                                Supported Linux Distributions

                                                                                Private Data Center

                                                                                AWS EC2

                                                                                GCP

                                                                                GKE

                                                                                Azure

                                                                                Core set of distributions:

                                                                                • Debian 6.0+

                                                                                • Ubuntu 10.04+

                                                                                • CentOS 6+

                                                                                • RHEL 6+

                                                                                • Fedora 13+

                                                                                • Linux Mint 9+

                                                                                • Oracle 6.0+ (UEK kernels R3+, all RHCK kernels)

                                                                                • Suse Linux Enterprise Server 11+

                                                                                • Amazon AMI

                                                                                  (any version available from the AWS Marketplace) and

                                                                                  Amazon Linux 2

                                                                                  +

                                                                                • Core set

                                                                                Core set

                                                                                Ubuntu/COS

                                                                                Core set

                                                                                Orchestrator: Yes/No

                                                                                • If NO orchestrator is used, follow the installation instructions for Agent Install: Non-Orchestrated .

                                                                                • If you ARE using an orchestrator what kind are you using?

                                                                                Supported Open-Source Orchestrators

                                                                                KubernetesMesos/MarathonDocker Swarm
                                                                                Supported versions1.9+Docker 1.12+
                                                                                Use Orchestrator to install agents?Agent Install: KubernetesAgent Install: Mesos/MarathonAgent Install: Non-Orchestrated

                                                                                Supported Container Platforms

                                                                                OpenShift

                                                                                GKE

                                                                                ECS

                                                                                Azure CS

                                                                                Docker Datacenter

                                                                                Rancher

                                                                                Special installation instructions?

                                                                                Agent Install: Kubernetes

                                                                                (with OpenShift options)

                                                                                Agent Install: Kubernetes

                                                                                (with GKE options)

                                                                                Agent Install: Non-Orchestrated

                                                                                (+ AWS Integration instructions)

                                                                                Agent Install: Non-Orchestrated

                                                                                No special instructions

                                                                                Agent Install: Non-Orchestrated

                                                                                No special instructions

                                                                                Agent Install: Non-Orchestrated

                                                                                No special instructions

                                                                                Supported Java Versions and Vendors

                                                                                The Sysdig agent supports only:

                                                                                Java versions: 7 and above

                                                                                Vendors: Oracle, OpenJDK

                                                                                For Java-based applications (Cassandra, Elasticsearch, Kafka, Tomcat, Zookeeper and etc.), the Sysdig agent requires the Java runtime environment (JRE) to be installed to poll for metrics (beans).

                                                                                If the Docker-container-based Sysdig agent is installed, the JRE is installed alongside the agent binaries and no further dependencies exist. However, if you are installing the service-based agent (non-container) and you do not see the JVM/JMX metrics reporting, your host may not have the JRE installed or it may not be installed in the expected location: usr/bin/java

                                                                                Resource Limits

                                                                                The resource requirements of the agent are subjective to the size and load of the host— more activity equates to more resources required. At a minimum, the agent requires 2% of the total CPU and 512MiB of memory.

                                                                                It is typical to see between 5-20KiB/s of bandwidth consumed—different variables can increase the throughput required such as the number of metrics, events, Kubernetes objects, and which products and features are enabled. When a Sysdig Capture is being collected, you can expect to see a spike in bandwidth while the capture file is being ingested.

                                                                                We do not recommend placing bandwidth shaping or caps on the agent to ensure data can be sent to our collection service.

                                                                                Supported Web Browsers

                                                                                Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox.

                                                                                Other browsers may also work, but are not tested in the same way.

                                                                                Additional Requirements

                                                                                Access key

                                                                                The installation of the Sysdig agent requires an access key. This key and the agent installation instructions are presented to you after activating your account and using a web-based wizard upon initial login.

                                                                                The same information can also be found in the Settings > Agent Installation menu of the web interface after logging in. See Agent Installation: Overview and Key for details.

                                                                                Network connection

                                                                                A Sysdig agent (containerized or native) is installed into each host being monitored and will need to be able to connect to the Sysdig Monitor backend servers to report host metrics. The agent must be able to reach the Sysdig Collector addresses. For example, for US East, it is ‘collector.sysdigcloud.com’ (via multiple IPs) over port tcp/6443 . See Sysdig Collector Ports for supported ports for other regions.

                                                                                The agent supports the HTTP proxy for communicating with Sysdig backend components. For more information, see Enable HTTP Proxy for Agents.

                                                                                Tags

                                                                                Tagging your hosts is highly recommended. Tags allow you to sort nodes of your infrastructure into custom groups in Sysdig Monitor.

                                                                                Replace the [TAGS] parameter in the configuration file with a comma-separated list in the form of TAG_NAME:TAG_VALUE. For example, role:webserver,location:europe.

                                                                                See Understanding the Agent Config Files.

                                                                                TracePoints Support

                                                                                All supported distribution released kernels have this support but if creating a custom kernel, it must support the following options:

                                                                                CONFIG_TRACEPOINTS

                                                                                CONFIG_HAVE_SYSCALL_TRACEPOINTS

                                                                                See Also

                                                                                Kernel Header Troubleshooting

                                                                                1.1.1 -

                                                                                Tuning Sysdig Agent

                                                                                The resource requirements for the Sysdig agent are subjective to the size and load of the host. Increased activity equates to higher resource requirements. At a minimum, the agent requires 2% of the total CPU and 512 MiB of memory.

                                                                                You might see 5 to 20 KiB/s of bandwidth consumed. Different variables can increase the throughput required. For example:

                                                                                • The number of metrics

                                                                                • The number of events

                                                                                • Kubernetes objects

                                                                                • Products and features enabled

                                                                                When a Sysdig Capture is being collected, you can expect to see a spike in the bandwidth while the capture file is being ingested.

                                                                                Sysdig does not recommend placing bandwidth shaping or caps on the agent to ensure that data is sent to the Sysdig Collection service.

                                                                                In general, in larger clusters, the agent requires more memory, and in servers with a high number of cores, the agent requires more CPU cores to monitor all the system calls. You will use CPU cores on the host and the Kubernetes nodes visible to the agent as proxies for the rate of events processed in the agent.

                                                                                Similarly, there are different factors that are at play, and considering all the factors, we recommend the following:

                                                                                Small: CPU core count <= 8. Kubernetes nodes <=10

                                                                                Medium: 8 < CPU core count <= 32. 10 < Kubernetes nodes <= 100

                                                                                Large: CPU core count > 32. Kubernetes nodes > 100

                                                                                While you can expect the behavior with the given numbers to be better than simply using the default values, Sysdig cannot guarantee that resource allocation will be correct for all the cases.

                                                                                Cluster SizeSmallMediumLarge
                                                                                Kubernetes CPU Request135
                                                                                Kubernetes CPU Limit135
                                                                                Kubernetes Memory Request1024 MB3072 MB6144 MB
                                                                                Kubernetes Memory Limit1024 MB3072 MB6144 MB
                                                                                Dragent Memory Watchdog512 MB1024 MB2048 MB
                                                                                Cointerface Memory Watchdog512 MB2048 MB4096 MB

                                                                                Note that the agent has its own memory watchdog to prevent runaway memory consumption on the host in case of memory leaks. The default values of the watchdog are specified in the following agent configuration file.

                                                                                watchdog:
                                                                                  max_memory_usage_mb: 1024
                                                                                  max_memory_usage_subprocesses:
                                                                                    sdchecks: 128
                                                                                    sdjagent: 256
                                                                                    mountedfs_reader: 32
                                                                                    statsite_forwarder: 32
                                                                                    cointerface: 256
                                                                                

                                                                                All the values are given in MiB.

                                                                                For example, to match the agent watchdog settings with large values, the agent configuration would be:

                                                                                watchdog:
                                                                                  max_memory_usage_mb: 2048
                                                                                  max_memory_usage_subprocesses:
                                                                                    sdchecks: 128
                                                                                    sdjagent: 256
                                                                                    mountedfs_reader: 32
                                                                                    statsite_forwarder: 32
                                                                                    cointerface: 4096
                                                                                
                                                                                

                                                                                1.1.2 -

                                                                                Kernel Header Troubleshooting

                                                                                In addition to the information on Host Requirements for Agent Installation, this page describes how the agent uses kernel headers and tips on troubleshooting, if needed.

                                                                                About Kernel Headers and the Kernel Module

                                                                                The Sysdig agent requires a kernel module in order to install successfully on a host. This can be obtained in three ways:

                                                                                1. Agent compiles the module using kernel headers.

                                                                                  If the hosts in your environment already have kernel header files pre-installed, no special action is needed. Or you can install the kernel headers manually; see below.

                                                                                2. Agent auto-downloads precompiled modules from Sysdig’s AWS storage location.

                                                                                  If the headers are not already installed but the agent is able to auto-download, no special action is needed. If there is no internet connectivity, you can use method 3 (download from an internal URL).

                                                                                3. Agent downloads precompiled modules from an internal URL.

                                                                                  Use the environment variable SYSDIG_PROBE_URL. See also Understanding the Agent Config Files. Contact Sysdig support for assistance.

                                                                                To Install Kernel Headers

                                                                                In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernal headers manually.

                                                                                Debian-Style

                                                                                For Debian-syle distributions, run the command:

                                                                                apt-get -y install linux-headers-$(uname -r)
                                                                                

                                                                                RHEL-Style

                                                                                For RHEL-style distributions, run the command:

                                                                                yum -y install kernel-devel-$(uname -r)
                                                                                

                                                                                RancherOS

                                                                                For RancherOS distributions, the kernel headers are available in the form of a system service and therefore are enabled using the ros service command:

                                                                                sudo ros service enable kernel-headers-system-docker
                                                                                sudo ros service up -d kernel-headers-system-docker
                                                                                

                                                                                NOTE: Some cloud hosting service providers supply pre-configured Linux instances with customized kernels. You may need to contact your provider’s support desk for instructions on obtaining appropriate header files, or for installing the distribution’s default kernel.

                                                                                To Correct Kernel Header Errors in AWS AMI

                                                                                During an agent installation in an Amazon machine image (AMI) you may encounter the following errors while the installer is trying to compile the Sysdig kernel module:

                                                                                Errors

                                                                                • “Unable to find kernel development files for the current kernel version” or

                                                                                • “FATAL: Module sysdigcloud-probe not found”

                                                                                This indicates your machine is running a kernel in an older AMI for which the kernel headers are no longer available in the configured repositories. The issue has to do with Amazon purging packages in the yum repository when new Amazon Linux machine images are released.

                                                                                The solution is either to update your kernel to a version for which header files are readily available (recommended), or perform a one-time installation of the kernel headers for your older AMI.

                                                                                Option 1: Upgrade Your Host’s Kernel

                                                                                First install a new kernel and reboot your instance:

                                                                                sudo yum -y install kernel
                                                                                sudo reboot
                                                                                

                                                                                After rebooting, check to see if the host is reporting metrics to your Sysdig account. If not, you may need to issue three more commands to install the required header files:

                                                                                sudo yum -y install kernel-devel-$(uname -r)
                                                                                sudo /usr/lib/dkms/dkms_autoinstaller start
                                                                                sudo service dragent restart
                                                                                

                                                                                Option 2: Install Older Kernel Headers

                                                                                Although it is recommended to upgrade to the latest kernel for security and performance reasons, you can alternatively install the older headers for your AMI.

                                                                                Find the the AMI version string and install the appropriate headers with the commands:

                                                                                releasever=$(cat /etc/os-release | grep 'VERSION_ID' | grep -Eo "[0-9]{4}\.[0-9]{2}")
                                                                                sudo yum -y --releasever=${releasever} install kernel-devel-$(uname -r)
                                                                                

                                                                                Issue the remaining commands to allow the Sydig Agent to start successfully:

                                                                                sudo /usr/lib/dkms/dkms_autoinstaller start
                                                                                sudo service dragent restart
                                                                                

                                                                                Reference: Find Your AWS Instance Image Version

                                                                                The file /etc/image-id shows information about the original machine image with which your instance was set up:

                                                                                [ec2-user ~]$ cat /etc/image-id
                                                                                image_name="amzn-ami-hvm"
                                                                                image_version="2017.03"
                                                                                image_arch="x86_64"
                                                                                image_file="amzn-ami-hvm-2017.03.0.20170401-x86_64.ext4.gpt"
                                                                                image_stamp="26a3-ed31"
                                                                                image_date="20170402053945"
                                                                                recipe_name="amzn ami"
                                                                                recipe_id="47cfa924-413c-d460-f4f2-2af7-feb6-9e37-7c9f1d2b"
                                                                                

                                                                                This file will not change as you install updates from the yum repository.

                                                                                The file /etc/system-release will tell what version of the AWS image is currently installed:

                                                                                [ec2-user ~]$ cat /etc/system-release
                                                                                Amazon Linux AMI release 2017.03
                                                                                
                                                                                

                                                                                1.2 -

                                                                                Quick Install Sysdig Agent on Kubernetes

                                                                                Sysdig provides a single-line Sysdig Agent installer to help you get started quickly in Kubernetes environments. The code for using the installer is also presented in the Get Started pages of the Sysdig Monitor and Sysdig Secure UIs, with some of the values auto-completed.

                                                                                This page documents the single-line installer options in more detail.

                                                                                You can also access the help by using the following command:

                                                                                 $ ./install-agent-kubernetes --help
                                                                                

                                                                                Access from Get Started Pages

                                                                                To access the quick-install code pre-filled with some of your environment variables:

                                                                                1. Log in as admin to Sysdig Monitor or Sysdig Secure.

                                                                                2. Select the Get Started page (rocket icon).

                                                                                3. Choose Install the Agent, select the appropriate deployment type (e.g. Helm or Kubernetes), and copy the auto-generated code, filling in remaining variable values as required.

                                                                                Sample Usage

                                                                                $ install-agent-kubernetes [-a | --access_key <value>] [-t | --tags <value>] [-c | --collector <value>] [-cp | --collector_port <value>] [-s | --secure <value>] [-cc | --check_certificate <value>] [-ns | --namespace | --project <value>] [-ac | --additional_conf <value>] [-op | --openshift] [-as | --agent_slim] [-av | --agent_version <value>] [-ae | --api_endpoint <value> ] [-na | --nodeanalyzer ] [-ia | --imageanalyzer ] [-am | --analysismanager <value>] [-ds | --dockersocket <value>] [-cs | --crisocket <value>] [-cv | --customvolume <value>] [-cn | --cluster_name <value>] [-r | --remove ] [-h | --help]
                                                                                

                                                                                Options

                                                                                Option

                                                                                Description

                                                                                -a

                                                                                The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure.

                                                                                -t

                                                                                The list of tags for the host where the agent is installed. For example: "role:webserver, location:europe", "role:webserver" or "webserver".

                                                                                -c or collector_url

                                                                                The collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. It is a custom value in on-prem installations.

                                                                                -cp

                                                                                The collector port. The default is 6443.

                                                                                -s

                                                                                Use a secure SSL/TLS connection to send metrics to the collector. This option is enabled by default.

                                                                                -cc

                                                                                Enable strong SSL certificate check. The default is true.

                                                                                -ns

                                                                                If a value is provided, the agent will be deployed to the specified namespace/project. The default is sysdig-agent.

                                                                                -op

                                                                                If provided, perform the agent installation using the OpenShift command line.

                                                                                -ac

                                                                                If a value is provided, the additional configuration will be appended to the agent configuration file.

                                                                                -av

                                                                                If a version is provided, use the specified agent version. The default is the latest version.

                                                                                -r

                                                                                If a value is provided, the daemonset, configmap, cluster role binding, service acccount and secret associated with the Sysdig Agent will be removed from the specified namespace.

                                                                                -ae

                                                                                The api_endpoint is the region-dependent domain for the Sysdig product, without the protocol. E.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com

                                                                                -h

                                                                                Print this usage and exit.

                                                                                Sysdig Secure Only

                                                                                -na

                                                                                If provided, will install the Node Analyzer tools. It is an error to set both -ia and -na.

                                                                                -ds

                                                                                The docker socket for Image Analyzer.

                                                                                -cs

                                                                                The CRI socket for Image Analyzer.

                                                                                -cv

                                                                                The custom volume for Image Analyzer.

                                                                                -h

                                                                                Print this usage and exit.

                                                                                Sysdig Secure Only (Legacy)

                                                                                These values apply to the Node Image Analyzer (v1) in Sysdig Secure.

                                                                                -am

                                                                                The Analysis Manager endpoint for Sysdig Secure.

                                                                                -ia

                                                                                If provided, will install the Node Image Analyzer (v1). It is an error to set both -ia and -na. The v1 Node Image Analyzer will be deprecated and replaced by the NA tools.

                                                                                1.3 -

                                                                                Agent Install: Kubernetes

                                                                                This document describes how to install a regular Sysdig agent container in a Kubernetes environment. This document assumes you will run the agent container as a Kubernetes pod, which then enables the Sysdig agent automatically to detect and monitor your Kubernetes environment.

                                                                                If you want to install a slim agent, see Install Slim Agent.

                                                                                It is relevant for any platform where Kubernetes is deployed, including Amazon environments (EKS, EC2, ECS), Azure Container Service (AKS), Google Kubernetes Engine (GKE), Red Hat OpenShift, and IBM Cloud Kubernetes Service (IKS).

                                                                                You use DaemonSets to deploy agents on every node in your Kubernetes environment. Once deployed, Sysdig Monitor automatically begins monitoring all of your hosts, apps, pods, and services and automatically connects to the Kubernetes API server to pull relevant metadata about the environment. If licensed, Sysdig Secure launches with default policies that you can view and configure to suit your needs. You can access the front-end web interfaces for Sysdig Monitor and Sysdig Secure immediately.

                                                                                Prerequisites

                                                                                • A supported distribution. See Host Requirements for Agent Installation for details.

                                                                                • Kubernetes v 1.9+: The agent installation on Kubernetes requires using v1.9 or higher because the APIs used to fetch kubernetes metadata are only present in v1.9+.

                                                                                • Sysdig account and access key: Request a trial or full account at Sysdig.com and click the Activate Account button. You create a Sysdig user name and password.

                                                                                  The Getting Started Wizard provides an access key.

                                                                                Runtime Support: CRI-O and Containerd

                                                                                By default, Sysdig agents deployed in Kubernetes automatically detect metadata from containerd and CRI-O (in addition to Docker), as long as the prerequisites are fulfilled.

                                                                                After reviewing the information on this page, continue with the Sysdig agent installation steps: Kubernetes Agent Installation Steps.

                                                                                Containerd Support

                                                                                As of agent version 0.88.1, the Sysdig agent will automatically detect containerd metadata (as well as any Docker metadata) in your environment, as long as the prerequisites are fulfilled.

                                                                                Prerequisites

                                                                                • Agent version: Sysdig agent version 0.88.1 or higher

                                                                                  NOTE: If you are upgrading from an earlier version of the agent, you must also download the latest sysdig-agent-daemonset-v2.yamlfrom GitHub.

                                                                                • Configuration parameter: In the agent config file, new_k8s: true must be set.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                  See Enable Kube State Metrics and Cluster Name below for details on editing the config file.

                                                                                • Kubernetes-only: The containerd API must support CRI (a Kubernetes runtime interface).

                                                                                Results in the Sysdig Monitor UI

                                                                                If the Sysdig agent detects containerd metadata, it will be reported in the front end as follows:

                                                                                • Explore/Dashboard views: The icon next to container-specific items (container.name, container.id, etc.) shows whether it’s a Docker or containerd object.

                                                                                • Spotlight: Updated for containerd display.

                                                                                • Events: Containerd events die and oom are enabled by default.

                                                                                  Events create and exit are also supported.

                                                                                CRI-O Support

                                                                                The Sysdig agent will automatically detect CRI-O metadata (as well as any Docker and/or containerd metadata) in your environment, as long as the Prerequisites are fulfilled.

                                                                                Prerequisites

                                                                                • Platform version: Sysdig SaaS March 2019or higher

                                                                                • Agent version: Sysdig agent v 0.89.4 March 27, 2019 or higher.

                                                                                  NOTE: If you are upgrading from an earlier version of the agent, you must also download the latest sysdig-agent-daemonset-v2.yamlfrom GitHub.

                                                                                • Configuration parameter: In the agent config file, new_k8s: true must be set.

                                                                                  See Enable Kube State Metrics and Cluster Name below for details on editing the config file.

                                                                                • Kubernetes-only: The API must support CRI (a Kubernetes runtime interface).

                                                                                Results in the Sysdig Monitor UI

                                                                                • Events: There are no CRI-O events, so the Events pane remains unchanged.

                                                                                • Explore/Dashboard views: The icon next to container-specific items (container.name, container.id, etc.) shows CRI-O type.

                                                                                • Supported Metrics: By default, the same metrics are supported for CRI-O as for Docker and containerd, except for image id (container.image.id).

                                                                                Enable Image ID Metrics with cri: extra_queries

                                                                                As of agent version 0.92.1, this setting is enabled by default.

                                                                                To enable image id metrics, edit the agent configuration file dragent.yaml to contain the following:

                                                                                cri:
                                                                                  extra_queries: true
                                                                                

                                                                                See Understanding the Agent Config Files for more information on editing dragent.yaml.

                                                                                Complete the Installation

                                                                                Choose the appropriate link to complete the installation steps:

                                                                                1.3.1 -

                                                                                Steps for Kubernetes (Vanilla)

                                                                                Preparation

                                                                                Kernel Headers

                                                                                The Sysdig agent requires kernel header files to install successfully on a host.

                                                                                This setup step is required for some environments and not others, as noted.

                                                                                If the hosts in your environment match the pre-compiled kernel modules available from Sysdig, no special action is required.

                                                                                In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernel headers manually.

                                                                                To do so:

                                                                                For Debian-style distributions, run the command:

                                                                                apt-get -y install linux-headers-$(uname -r)
                                                                                

                                                                                For RHEL-style distributions, run the command:

                                                                                yum -y install kernel-devel-$(uname -r)
                                                                                

                                                                                Background info: see also About Kernel Headers and the Kernel Module.

                                                                                Background Info

                                                                                You can review Agent Install: Kubernetes | GKE | OpenShift | IBM and the Host Requirements for Agent Installation for additional context, if desired.

                                                                                Installation Steps

                                                                                To deploy agents using Kubernetes daemonsets, you will download the following configuration files, edit them as required, and deploy them.

                                                                                • sysdig-agent-clusterrole.yaml

                                                                                • sysdig-agent-service.yaml

                                                                                • sysdig-agent-daemonset-v2.yaml

                                                                                • sysdig-agent-configmap.yaml

                                                                                HELM CHART OPTIONKubernetes also offers a package manager, Helm, which uses charts to simplify this process.

                                                                                If you are using Helm charts in your K8s environment, we recommend using them to deploy Sysdig agents, as described here.

                                                                                Deploy the Agents

                                                                                1. Download the sample files:

                                                                                  • sysdig-agent-clusterrole.yaml

                                                                                  • sysdig-agent-daemonset-v2.yaml

                                                                                  • sysdig-agent-configmap.yaml

                                                                                  • sysdig-agent-service.yaml

                                                                                2. Create a namespace to use for the Sysdig agent.

                                                                                  You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account.

                                                                                  The default service account name was automatically defined in sysdig-agent-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

                                                                                  kubectl create ns sysdig-agent
                                                                                  
                                                                                3. Create a secret key:

                                                                                  kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                                                                  
                                                                                4. Create a cluster role and service account, and define the cluster role bindingthat grants the Sysdig agent rules in the cluster role, using the commands:

                                                                                  kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                                                                  kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                                                                  kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                                                                  
                                                                                5. Edit sysdig-agent-configmap.yaml to add the collector address , port , and the SSL/TLS information:

                                                                                  collector:
                                                                                  collector_port:
                                                                                  ssl: #true or false
                                                                                  check_certificate: #true or false
                                                                                  
                                                                                6. (All installs) Apply the sysdig-agent-configmap.yaml file:

                                                                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                7. (All installs) Apply the sysdig-agent-service.yaml file:

                                                                                  kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
                                                                                  

                                                                                  This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                                                                8. (All installs) Apply the daemonset-v2.yaml file :

                                                                                  kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                                                                  

                                                                                The agents will be deployed. See Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                                                                Enable Kube State Metrics and Cluster Name

                                                                                These steps are optional but recommended.

                                                                                1. Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                                                                  This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                                                                  For more information, see the Kube State Metrics entry in the Sysdig blog.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                2. Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                                                                  Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                                                                  Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                                                                3. Apply the configmap changes using the command:

                                                                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                4. Proceed to verify the metrics in the Sysdig Monitor UI.

                                                                                There are two ways to update the agent configuration

                                                                                Option 1: Edit the files locally and apply the changes with kubectl apply -f:

                                                                                kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent

                                                                                Option 2: Use kubectl edit to edit files on the fly:

                                                                                kubectl edit configmap sysdig-agent -n sysdig-agent

                                                                                Running agents will automatically pick the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.

                                                                                Additional Options

                                                                                Connect to the Sysdig Backend via Static IPs (SaaS only)

                                                                                Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                                                                The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                                                                To configure the collector IP in a Kubernetes SaaS instance:

                                                                                1. Open sysdig-agent-configmap.yaml in a text editor.

                                                                                2. Uncomment the following lines:

                                                                                  • collector:

                                                                                  • collector_port

                                                                                3. Set the collector: value to collector-static.sysdigcloud.com

                                                                                  See SaaS Regions and IP Ranges and identify the correct URL associated with your Sysdig collector and region.

                                                                                4. Set the collector_port: value to 6443

                                                                                5. Save the file.

                                                                                The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                                                                apiVersion: v1
                                                                                kind: ConfigMap
                                                                                metadata:
                                                                                  name: sysdig-agent
                                                                                data:
                                                                                  dragent.yaml: |
                                                                                    ### Agent tags
                                                                                    # tags: linux:ubuntu,dept:dev,local:nyc
                                                                                
                                                                                    #### Sysdig Software related config ####
                                                                                
                                                                                    # Sysdig collector address
                                                                                    collector: collector-static.sysdigcloud.com
                                                                                
                                                                                    # Collector TCP port
                                                                                    collector_port: 6443
                                                                                
                                                                                    # Whether collector accepts ssl/TLS
                                                                                    ssl: true
                                                                                
                                                                                    # collector certificate validation
                                                                                    ssl_verify_certificate: true
                                                                                
                                                                                    # Sysdig Secure
                                                                                    security:
                                                                                                enabled: true
                                                                                
                                                                                    #######################################
                                                                                    # new_k8s: true
                                                                                    # k8s_cluster_name: production
                                                                                

                                                                                Verify Metrics in Sysdig Monitor UI

                                                                                Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                                                                The steps below give one way to do the check.

                                                                                1. Access Sysdig Monitor:

                                                                                  SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                                                                  For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                                                                  Log in with your Sysdig user name and password.

                                                                                2. Select the Explore tab to see if metrics are displayed.

                                                                                3. (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                4. Select an individual container or pod to see details.

                                                                                Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                                                                If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                                                                1.3.2 -

                                                                                Steps for GKE

                                                                                Google Kubernetes Engine (GKE) is a managed environment for running Kubernetes in Google Cloud, in order to deploy containerized applications. As of Sysdig agent version 0.88, Sysdig supports all flavors of GKE, including Ubuntu and GKE’s default Container-Optimized OS (COS).

                                                                                Note that the standard Sysdig agent cannot be installed on GKE COS because Sysdig relies on a kernel module that COS does not allow. To accommodate this limitation Sysdig has developed an alternate probe built on eBPF, a “universal in-kernel virtual machine.”

                                                                                eBPF probe is supported only in GKE COS environments.

                                                                                The instructions below describe a standard GKE agent install and call out the special steps needed to install the eBPF probe if you are using COS.

                                                                                Preparation

                                                                                Open Port 6443 for Agent Egress

                                                                                Because GKE uses stateful firewalls, you must actively open port 6443 for the Sysdig agent outbound traffic.

                                                                                In earlier versions, the Sysdig Agent connected to port 6666. This behavior has been deprecated, as the Sysdig agent now connects to port 6443.

                                                                                GKE COS/eBPF-Specific Requirements

                                                                                • Linux kernel version >= 4.14.

                                                                                • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below. Note that the eBPF probe is supported only in GKE COS environments.

                                                                                Background Info

                                                                                You can review Agent Install: Kubernetes | GKE | OpenShift | IBM and the Host Requirements for Agent Installation for additional context, if desired.

                                                                                Installation Steps

                                                                                To deploy agents using Kubernetes daemonsets, you will download the following configuration files, edit them as required, and deploy them.

                                                                                • sysdig-agent-clusterrole.yaml

                                                                                • sysdig-agent-daemonset-v2.yaml

                                                                                • sysdig-agent-configmap.yaml

                                                                                HELM CHART OPTIONKubernetes also offers a package manager, Helm, which uses charts to simplify this process.

                                                                                If you are using Helm charts in your K8s environment, we recommend using them to deploy Sysdig agents, as described here.

                                                                                Deploy the Agents

                                                                                1. Download the sample files:

                                                                                  • sysdig-agent-clusterrole.yaml

                                                                                  • sysdig-agent-daemonset-v2.yaml

                                                                                  • sysdig-agent-configmap.yaml

                                                                                  • sysdig-agent-service.yaml

                                                                                2. Create a namespace to use for the Sysdig agent.

                                                                                  You can use whatever name you want. In this document, we used sysdig-agent for both the namespace and the service account.

                                                                                  kubectl create ns sysdig-agent
                                                                                  
                                                                                3. Create a secret key:

                                                                                  kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                                                                  
                                                                                4. If you are running Kubernetes 1.6 or higher, you must

                                                                                  Grant your user the ability to create roles in Kubernetes by running the following command (see Google documentation for more):

                                                                                  kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin --user=your.google.cloud.email@example.org
                                                                                  

                                                                                  Create a service account for the Sysdig agent using the clusterrole.yaml file.

                                                                                  The Sysdig agent must be granted read-only access to certain Kubernetes APIs, which the agent uses to populate metadata and provide component metrics.

                                                                                  Sysdig provides a config file in GitHub. Deploying this file creates a cluster role and service account in Kubernetes, and defines cluster role binding that grants the Sysdig agent rules in the cluster role.

                                                                                  Run the following commands (using whatever namespace you defined in Step 2):

                                                                                  kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                                                                  kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                                                                  kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                                                                  
                                                                                5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information :

                                                                                  collector:
                                                                                  collector_port:
                                                                                  ssl: #true or false
                                                                                  check_certificate: #true or false
                                                                                  
                                                                                6. (All installs) Apply the sysdig-agent-configmap.yaml file using the command:

                                                                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                7. FOR GKE COS ONLY: To enable the eBPF probe required for COS, uncomment the following parameters in  sysdig-agent-daemonset-v2.yaml under the env section:

                                                                                  env:
                                                                                    - name: SYSDIG_BPF_PROBE
                                                                                      value: ""
                                                                                  
                                                                                8. Apply the sysdig-agent-service.yaml file:

                                                                                  kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
                                                                                  

                                                                                  This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                                                                9. (All installs) Apply the daemonset-v2.yaml file using the command:

                                                                                  kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                                                                  

                                                                                The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                                                                Enable Kube State Metrics and Cluster Name

                                                                                These steps are optional but recommended.

                                                                                1. Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                                                                  This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                                                                  For more information, see the Kube State Metrics entry in the Sysdig blog.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                2. Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                                                                  Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                                                                  Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                                                                3. Apply the configmap changes using the command:

                                                                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                4. Proceed to verify the metrics in the Sysdig Monitor UI.

                                                                                There are two ways to update the agent configuration

                                                                                Option 1: Edit the files locally and apply the changes with kubectl apply -f:

                                                                                kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent

                                                                                Option 2: Use kubectl edit to edit files on the fly:

                                                                                kubectl edit configmap sysdig-agent -n sysdig-agent

                                                                                Running agents will automatically pick the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.

                                                                                Verify Metrics in Sysdig Monitor UI

                                                                                Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                                                                The steps below give one way to do the check.

                                                                                1. Access Sysdig Monitor:

                                                                                  SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                                                                  For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                                                                  Log in with your Sysdig user name and password.

                                                                                2. Select the Explore tab to see if metrics are displayed.

                                                                                3. (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                4. Select an individual container or pod to see details.

                                                                                Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                                                                If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                                                                Additional Options

                                                                                Connect to the Sysdig Backend via Static IPs (SaaS only)

                                                                                Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                                                                The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                                                                To configure the collector IP in a Kubernetes SaaS instance:

                                                                                1. Open sysdig-agent-configmap.yaml in a text editor.

                                                                                2. Uncomment the following lines:

                                                                                  • collector:

                                                                                  • collector_port

                                                                                3. Set the collector: value to collector-static.sysdigcloud.com

                                                                                4. Set the collector_port: value to 6443

                                                                                5. Save the file.

                                                                                The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                                                                apiVersion: v1
                                                                                kind: ConfigMap
                                                                                metadata:
                                                                                  name: sysdig-agent
                                                                                data:
                                                                                  dragent.yaml: |
                                                                                    ### Agent tags
                                                                                    # tags: linux:ubuntu,dept:dev,local:nyc
                                                                                
                                                                                    #### Sysdig Software related config ####
                                                                                
                                                                                    # Sysdig collector address
                                                                                    collector: collector-static.sysdigcloud.com
                                                                                
                                                                                    # Collector TCP port
                                                                                    collector_port: 6443
                                                                                
                                                                                    # Whether collector accepts ssl/TLS
                                                                                    ssl: true
                                                                                
                                                                                    # collector certificate validation
                                                                                    ssl_verify_certificate: true
                                                                                
                                                                                    # Sysdig Secure
                                                                                    security:
                                                                                      enabled: true
                                                                                
                                                                                    #######################################
                                                                                    # new_k8s: true
                                                                                    # k8s_cluster_name: production
                                                                                
                                                                                

                                                                                1.3.3 -

                                                                                Steps for OpenShift

                                                                                Review the Prerequisites in Agent Install: Kubernetes | GKE | OpenShift | IBM and the Host Requirements for Agent Installation, then proceed with the installation.

                                                                                Kernel Headers

                                                                                The Sysdig agent requires kernel header files to install successfully on a host.

                                                                                This setup step is required for some environments and not others, as noted.

                                                                                If the hosts in your environment match the pre-compiled kernel modules available from Sysdig, no special action is required.

                                                                                In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernel headers manually.

                                                                                To do so:

                                                                                For Debian-style distributions, run the command:

                                                                                apt-get -y install linux-headers-$(uname -r)
                                                                                

                                                                                For RHEL-style distributions, run the command:

                                                                                yum -y install kernel-devel-$(uname -r)
                                                                                

                                                                                Background info: see also About Kernel Headers and the Kernel Module.

                                                                                Configure for OpenShift

                                                                                If you are using Red Hat OpenShift, these steps are required. They describe how to create a project, assign and label the node selector, create a privileged service account, and add it to a cluster role.

                                                                                Copy/Paste Sample Code Block

                                                                                In the example code, this document uses sysdig-agent for the PROJECT NAME (-n), the SERVICE ACCOUNT (-z), and the NODE SELECTOR.

                                                                                You can copy-paste the code as-is, or follow the steps below to customize your naming conventions.

                                                                                oc adm new-project sysdig-agent --node-selector='app=sysdig-agent'
                                                                                oc label node --all "app=sysdig-agent"
                                                                                oc project sysdig-agent
                                                                                oc create serviceaccount sysdig-agent
                                                                                oc adm policy add-scc-to-user privileged -n sysdig-agent -z sysdig-agent
                                                                                oc adm policy add-cluster-role-to-user cluster-reader -n sysdig-agent -z sysdig-agent
                                                                                

                                                                                Customize the Code

                                                                                You can use your own Project Name and Node Selector names if desired.

                                                                                Note that if you use a different Service Acccount name, you will need to edit the default service account in the Sysdig Installation Steps, below.

                                                                                1. Create a new OpenShift project for the Sysdig agent deployment and assign the node selector:

                                                                                  oc adm new-project PROJECT-NAME --node-selector="app=APP-NAME"
                                                                                  
                                                                                2. Label the node with the node selector:

                                                                                  oc label node --all "app=APP-NAME"
                                                                                  
                                                                                3. Change to the new OpenShift Project for the Sysdig agent deployment:

                                                                                  oc project PROJECT-NAME
                                                                                  
                                                                                4. Create a service account for the project:

                                                                                  oc create serviceaccount SERVICE-ACCOUNT
                                                                                  
                                                                                5. Add the service account to privileged Security Context Constraints:

                                                                                  oc adm policy add-scc-to-user privileged -n PROJECT-NAME -z SERVICE-ACCOUNT
                                                                                  
                                                                                6. Add the service account to the cluster-reader Cluster Role:

                                                                                  oc adm policy add-cluster-role-to-user cluster-reader -n PROJECT-NAME -z SERVICE-ACCOUNT
                                                                                  

                                                                                Sysdig Installation Steps

                                                                                To deploy agents using Kubernetes daemonsets, you download the configuration files, edit them as required, and deploy them.

                                                                                • sysdig-agent-daemonset-v2.yaml

                                                                                • sysdig-agent-clusterrole.yaml

                                                                                • sysdig-agent-configmap.yaml

                                                                                • sysdig-agent-service.yaml

                                                                                HELM CHART OPTIONKubernetes also offers a package manager, Helm, which uses charts to simplify this process.

                                                                                If you are using Helm charts in your K8s environment, we recommend using them to deploy Sysdig agents, as described here.

                                                                                Deploy the Agents

                                                                                1. Download the sample files:

                                                                                  • sysdig-agent-daemonset-v2.yaml

                                                                                  • sysdig-agent-clusterrole.yaml

                                                                                  • sysdig-agent-configmap.yaml

                                                                                  • sysdig-agent-service.yaml

                                                                                2. Create the sysdig-agent cluster role and assign it to the service account:

                                                                                   oc apply -f sysdig-agent-clusterrole.yaml
                                                                                   oc adm policy add-cluster-role-to-user sysdig-agent -n PROJECT-NAME -z SERVICE-ACCOUNT
                                                                                  
                                                                                3. Create a secret key using the command:

                                                                                  oc create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                                                                  
                                                                                4. If you created a service account name other than sysdig-agent: Edit sysdig-agent-daemonset-v2.yamlto provide your custom value:``

                                                                                  serviceAccount: sysdig-agent
                                                                                  
                                                                                5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information:

                                                                                  collector:
                                                                                  collector_port:
                                                                                  ssl: #true or false
                                                                                  check_certificate: #true or false
                                                                                  
                                                                                6. (All installs) Apply the sysdig-agent-configmap.yaml file using the command:

                                                                                  oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                7. Apply the sysdig-agent-service.yaml file:

                                                                                  oc apply -f sysdig-agent-service.yaml -n sysdig-agent
                                                                                  

                                                                                  This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                                                                8. (All installs) Apply the daemonset-v2.yaml file:

                                                                                  oc apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                                                                  

                                                                                The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                                                                Enable Kube State Metrics and Cluster Name

                                                                                These steps are optional but recommended.

                                                                                1. Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                                                                  This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                                                                  For more information, see the Kube State Metrics entry in the Sysdig blog.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                2. Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                                                                  Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                                                                  Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                                                                3. Apply the configmap changes using the command:

                                                                                  oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                4. Proceed to verify the metrics in the Sysdig Monitor UI.

                                                                                There are two ways to update the agent configuration

                                                                                Option 1: Edit the files locally and apply the changes with oc apply -f:

                                                                                oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent

                                                                                Option 2: Use oc edit to edit files on the fly:

                                                                                oc edit configmap sysdig-agent -n sysdig-agent

                                                                                Running agents will automatically pick the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.

                                                                                Verify Metrics in Sysdig Monitor UI

                                                                                Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                                                                The steps below give one way to do the check.

                                                                                1. Access Sysdig Monitor:

                                                                                  SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                                                                  For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                                                                  Log in with your Sysdig user name and password.

                                                                                2. Select the Explore tab to see if metrics are displayed.

                                                                                3. (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                4. Select an individual container or pod to see details.

                                                                                Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                                                                If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                                                                Additional Options

                                                                                Connect to the Sysdig Backend via Static IPs (SaaS only)

                                                                                Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                                                                The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                                                                To configure the collector IP in a Kubernetes SaaS instance:

                                                                                1. Open sysdig-agent-configmap.yaml in a text editor.

                                                                                2. Uncomment the following lines:

                                                                                  • collector:

                                                                                  • collector_port

                                                                                3. Set the collector: value to collector-static.sysdigcloud.com

                                                                                4. Set the collector_port: value to 6443

                                                                                5. Save the file.

                                                                                The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                                                                apiVersion: v1
                                                                                kind: ConfigMap
                                                                                metadata:
                                                                                  name: sysdig-agent
                                                                                data:
                                                                                  dragent.yaml: |
                                                                                    ### Agent tags
                                                                                    # tags: linux:ubuntu,dept:dev,local:nyc
                                                                                
                                                                                    #### Sysdig Software related config ####
                                                                                
                                                                                    # Sysdig collector address
                                                                                    collector: collector-static.sysdigcloud.com
                                                                                
                                                                                    # Collector TCP port
                                                                                    collector_port: 6443
                                                                                
                                                                                    # Whether collector accepts ssl/TLS
                                                                                    ssl: true
                                                                                
                                                                                    # collector certificate validation
                                                                                    ssl_verify_certificate: true
                                                                                
                                                                                    # Sysdig Secure
                                                                                    security:
                                                                                      enabled: true
                                                                                
                                                                                    #######################################
                                                                                    # new_k8s: true
                                                                                    # k8s_cluster_name: production
                                                                                

                                                                                1.3.4 -

                                                                                Steps for Rancher

                                                                                Preparation

                                                                                General Requirements

                                                                                You can review Agent Install: Kubernetes | GKE | OpenShift | IBM and the Host Requirements for Agent Installation for additional context if desired.

                                                                                Kernel Headers

                                                                                The Sysdig agent requires a kernel module in order to be installed successfully on a host. On RancherOS distributions, the Unix version does not match the provided headers, and the agent might fail to install correctly. Therefore, you must install the kernel headers manually.

                                                                                For RancherOS distributions, the kernel headers are available in the form of a system service and therefore are enabled using the ros service command:

                                                                                $ sudo ros service enable kernel-headers-system-docker
                                                                                $ sudo ros service up -d kernel-headers-system-docker
                                                                                

                                                                                Some cloud hosting service providers supply pre-configured Linux instances with customized kernels. You may need to contact your provider’s support desk for instructions on obtaining appropriate header files, or for installing the distribution’s default kernel.

                                                                                Install Agent

                                                                                To deploy agents using Kubernetes daemonsets, download the following configuration files, edit them as required, and deploy them.

                                                                                • sysdig-agent-clusterrole.yaml

                                                                                • sysdig-agent-service.yaml

                                                                                • sysdig-agent-daemonset-v2.yaml

                                                                                • sysdig-agent-configmap.yaml

                                                                                HELM CHART OPTIONKubernetes also offers a package manager, Helm, which uses charts to simplify this process.

                                                                                If you are using Helm charts in your K8s environment, we recommend using them to deploy Sysdig agents, as described here.

                                                                                Deploy Agent

                                                                                • Download the sample files:

                                                                                  • sysdig-agent-clusterrole.yaml

                                                                                  • sysdig-agent-daemonset-v2.yaml

                                                                                  • sysdig-agent-configmap.yaml

                                                                                  • sysdig-agent-service.yaml

                                                                                • Create a namespace to use for the Sysdig agent.

                                                                                  You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account.

                                                                                  The default service account name was automatically defined in sysdig-agent-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

                                                                                  kubectl create ns sysdig-agent
                                                                                  
                                                                                • Create a secret key:

                                                                                  kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                                                                  
                                                                                • Create a cluster role and service account, and define the cluster role bindingthat grants the Sysdig agent rules in the cluster role, using the commands:

                                                                                  kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                                                                  kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                                                                  kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                                                                  
                                                                                • Edit sysdig-agent-configmap.yaml to add the collector address , port , and the SSL/TLS information:

                                                                                  collector:
                                                                                  collector_port:
                                                                                  ssl: #true or false
                                                                                  check_certificate: #true or false
                                                                                  
                                                                                • (All installs) Apply the sysdig-agent-configmap.yaml file:

                                                                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                • (All installs) Apply the sysdig-agent-service.yaml file:

                                                                                  kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
                                                                                  

                                                                                  This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

                                                                                • (All installs) Apply the daemonset-v2.yaml file :

                                                                                  kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
                                                                                  

                                                                                The agents will be deployed. See Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

                                                                                Enable Kube State Metrics and Cluster Name

                                                                                These steps are optional but recommended.

                                                                                • Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true

                                                                                  This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.

                                                                                  For more information, see the Kube State Metrics entry in the Sysdig blog.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                • Edit sysdig-agent-configmap.yaml to uncomment the line: **k8s_cluster_name: **and add your cluster name.

                                                                                  Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.

                                                                                  Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.

                                                                                • Apply the configmap changes using the command:

                                                                                  kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                • Proceed to verify the metrics in the Sysdig Monitor UI.

                                                                                Connect to the Sysdig Backend via Static IPs (SaaS only)

                                                                                Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

                                                                                The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

                                                                                To configure the collector IP in a Kubernetes SaaS instance:

                                                                                • Open sysdig-agent-configmap.yaml in a text editor.

                                                                                • Uncomment the following lines:

                                                                                  • collector:

                                                                                  • collector_port

                                                                                • Set the collector: value to collector-static.sysdigcloud.com

                                                                                  See SaaS Regions and IP Ranges and identify the correct URL associated with your Sysdig collector and region.

                                                                                • Set the collector_port: value to 6443

                                                                                • Save the file.

                                                                                The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

                                                                                apiVersion: v1
                                                                                kind: ConfigMap
                                                                                metadata:
                                                                                  name: sysdig-agent
                                                                                data:
                                                                                  dragent.yaml: |
                                                                                    ### Agent tags
                                                                                    # tags: linux:ubuntu,dept:dev,local:nyc
                                                                                
                                                                                    #### Sysdig Software related config ####
                                                                                
                                                                                    # Sysdig collector address
                                                                                    collector: collector-static.sysdigcloud.com
                                                                                
                                                                                    # Collector TCP port
                                                                                    collector_port: 6443
                                                                                
                                                                                    # Whether collector accepts ssl/TLS
                                                                                    ssl: true
                                                                                
                                                                                    # collector certificate validation
                                                                                    ssl_verify_certificate: true
                                                                                
                                                                                    # Sysdig Secure
                                                                                    security:
                                                                                                enabled: true
                                                                                
                                                                                    #######################################
                                                                                    # new_k8s: true
                                                                                    # k8s_cluster_name: production
                                                                                

                                                                                Verify Metrics in Sysdig Monitor UI

                                                                                Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

                                                                                Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

                                                                                If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

                                                                                • Access Sysdig Monitor:

                                                                                  SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

                                                                                  For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

                                                                                  Log in with your Sysdig user name and password.

                                                                                • Select the Explore tab to see if metrics are displayed.

                                                                                • (Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.

                                                                                  As of agent 9.6.0, new_k8s is enabled by default.

                                                                                • Select an individual container or pod to see details.

                                                                                1.4 -

                                                                                Agent Install: Non-Orchestrated

                                                                                This section describes how to install the Sysdig agent directly on a Linux host, without using an orchestrator, such as Kubernetes or Mesos.

                                                                                The agent can be installed in two ways:

                                                                                • As a standard container

                                                                                  If you want to install the lighter version of the Sysdig agent, see Install Slim Agent.

                                                                                • As a non-containerized service

                                                                                The steps for each flavor differ slightly depending on whether you are using the SaaS or on-premises version of the Sysdig platform.

                                                                                If you are installing the Sysdig agent in an environment that has Kubernetes, use the Agent Install: Kubernetes instructions instead.

                                                                                Prerequisites

                                                                                • See Host Requirements for Agent Installation. There you can check the requirements concerning:

                                                                                  • Supported Linux distributions

                                                                                  • Network connection

                                                                                  • Sysdig access key

                                                                                  • Cloud service providers (AWS, Google, and Microsoft Azure) and any steps you may need to configure to integrate the Sysdig agent.

                                                                                On kernel headers: The Sysdig agent requires kernel header files in order to install successfully on a host, and the agent is delivered with precompiled headers. If the hosts in your environment match the kernel versions included with the agent, no special action is needed.

                                                                                In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernel headers manually. See About Kernel Headers and the Kernel Module for details.

                                                                                • Run any commands as root or with the sudo command.

                                                                                • Have your Sysdig access key on hand.

                                                                                  If you launch an agent install from www.sysdig.com, the welcome wizard will present an access key.

                                                                                Docker Container Agent Installation

                                                                                The Sysdig agent can be deployed as a Docker container.

                                                                                The commands below can also be copy/pasted from the Welcome Wizard or the Agent Installation page in the Sysdig UI.

                                                                                In that case, your access key will already be included in the command automatically.

                                                                                SaaS

                                                                                Run the agent image, providing the access key and (optional) user-defined tags:

                                                                                docker run -d --name sysdig-agent \
                                                                                --restart always \
                                                                                --privileged \
                                                                                --net host \
                                                                                --pid host\
                                                                                 -e ACCESS_KEY=[ACCESS_KEY] \
                                                                                 -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                                                                -e TAGS=[TAGS] \
                                                                                -v /var/run/docker.sock:/host/var/run/docker.sock \
                                                                                -v /dev:/host/dev \
                                                                                -v /proc:/host/proc:ro \
                                                                                -v /boot:/host/boot:ro \
                                                                                -v /lib/modules:/host/lib/modules:ro \
                                                                                -v /usr:/host/usr:ro --shm-size=512m sysdig/agent
                                                                                

                                                                                For the COLLECTOR, find the address for your region.

                                                                                On-Premises

                                                                                Provide collector and SSL/TLS information in addition to access key and optional tags:

                                                                                docker run -d --name sysdig-agent \
                                                                                --restart always \
                                                                                --privileged \
                                                                                --net host \
                                                                                --pid host \
                                                                                -e ACCESS_KEY=[ACCESS_KEY] \
                                                                                -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                                                                -e SECURE=true \
                                                                                -e CHECK_CERTIFICATE=true \
                                                                                [-e TAGS=[TAGS]]
                                                                                -v /var/run/docker.sock:/host/var/run/docker.sock \
                                                                                -v /dev:/host/dev \
                                                                                -v /proc:/host/proc:ro \
                                                                                -v /boot:/host/boot:ro \
                                                                                -v /lib/modules:/host/lib/modules:ro \
                                                                                -v /usr:/host/usr:ro --shm-size=512m sysdig/agent
                                                                                

                                                                                CHECK_CERTIFICATE should be set to false if a self-signed certificate or private, CA-signed cert is used.

                                                                                Service Agent Installation on Linux Host

                                                                                Use these instructions to install the agent on the host itself, not in a container. Install on each host in the environment.

                                                                                The command lines below can also be copy/pasted from the Welcome wizard or the Settings>Agent Installation page in the Sysdig Monitor interface.

                                                                                In that case, your access key will already be included in the command automatically.

                                                                                The Sysdig agent depends on several python modules, some of which might not be installed on the hosts where the agent is running as a service. When the required dependencies are not available, the sdchecks component in the agent will report errors in the log files, such as:

                                                                                 >> Error, sdchecks[0] ModuleNotFoundError: No module named 'posix_ipc'
                                                                                

                                                                                To address these errors, install the missing modules using the pip install command.

                                                                                SaaS

                                                                                1. Run the following command:

                                                                                  curl -s https://download.sysdig.com/stable/install-agent | sudo bash -s -- --access_key [ACCESS_KEY] --collector [COLLECTOR_ADDRESS] [--tags [TAGS]]
                                                                                  

                                                                                  Where [ACCESS_KEY] is your unique agent access key string. For example, 1234-your-key-here-1234. [TAGS] is an optional list of user-defined agent tags. For example, role:webserver,location:europe.

                                                                                  Find the collector endpoint for your region listed here.

                                                                                2. Make sure restarting the agent results in starting the service:

                                                                                  sudo systemctl enable dragent
                                                                                  

                                                                                On-Premises

                                                                                1. Run the following command:

                                                                                  curl -s https://download.sysdig.com/stable/install-agent | sudo bash -s -- --access_key [ACCESS_KEY] --collector [COLLECTOR_ADDRESS] --secure true --check_certificate true [--tags [TAGS]]
                                                                                  

                                                                                  check_certificate should be set to false if a self-signed certificate, a private, or a CA-signed certificate is used. See information about SSL in on-premises here.

                                                                                2. Make sure restarting the agent results in starting the service:

                                                                                  sudo systemctl enable dragent
                                                                                  

                                                                                Connect to the Sysdig Backend via Static IPs (SaaS only)

                                                                                Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com:

                                                                                user@host:~$ docker run --name sysdig-agent \
                                                                                --privileged \
                                                                                --net host \
                                                                                --pid host \
                                                                                -e ACCESS_KEY=[ACCESS_KEY] \
                                                                                -e TAGS=[TAGS] \
                                                                                -v /var/run/docker.sock:/host/var/run/docker.sock \
                                                                                -v /dev:/host/dev \
                                                                                -v /proc:/host/proc:ro \
                                                                                -v /boot:/host/boot:ro \
                                                                                -v /lib/modules:/host/lib/modules:ro \
                                                                                -v /usr:/host/usr:ro \
                                                                                -e COLLECTOR=collector-static.sysdigcloud.com \
                                                                                -e COLLECTOR_PORT=6443 \
                                                                                -e SECURE=true \
                                                                                -e CHECK_CERTIFICATE=true \
                                                                                --shm-size=512m \
                                                                                sysdig/agent
                                                                                

                                                                                Note on Manual Agent Installation

                                                                                In the following cases, it may be preferable to perform a manual installation.

                                                                                • Full control over the deployment process

                                                                                • Integration with configuration management tools

                                                                                • Custom kernel

                                                                                • Unsupported distribution

                                                                                If desired, see Agent Install: Manual Linux Installation.

                                                                                1.5 -

                                                                                Install Slim Agent

                                                                                The slim agent is a lighter version of the Sysdig agent that is created by splitting the regular agent image into two components responsible for different functions. The slim agent reduces the surface area of attack for potential vulnerabilities and is, therefore, more secure.

                                                                                You install the slim agent package as two separate containers:

                                                                                • agent-kmodule: Responsible for downloading and building the kernel module. The image is short-lived. The container exits after the kernel module is loaded. The transient nature of the container reduces the time and opportunities for exploiting any potential vulnerabilities present in the container image.

                                                                                  Prerequisites: The package depends on Dynamic Kernel Module Support (DKMS) and requires the compiler and kernel headers installed if you are using the agent-kmodule to build the kernel probe. Alternatively, you can use it without the kernel headers. In such cases, the agent-kmodule will attempt to download a pre-built kernel probe if it is present in the Sysdig probe repository.

                                                                                  The module contains:

                                                                                  • The driver sources

                                                                                  • A post-install script that builds the module upon installation

                                                                                • agent-slim: Responsible for running the agent module once the kernel module has been loaded. When the slim agent is up and running it functions the same way as the regular agent.

                                                                                Install Slim Agent in a Non-Orchestrated Environment

                                                                                The agent is installed by running sysdig/agent-kmodule first, followed by running sysdig/agent-slim.

                                                                                Every host restart requires subsequent running of agent-kmodule and agent-slim containers.

                                                                                1. Build and load the kernel module:

                                                                                  docker run -it --privileged --rm --name sysdig-agent-kmodule -v /usr:/host/usr:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro sysdig/agent-kmodule
                                                                                  
                                                                                2. Run the agent module:

                                                                                  docker run -d --name sysdig-agent \
                                                                                  --privileged \
                                                                                  --net host \
                                                                                  --pid host\
                                                                                  -e ACCESS_KEY=[ACCESS_KEY] \
                                                                                  -e COLLECTOR=[COLLECTOR_ADDRESS] \
                                                                                  -v /var/run/docker.sock:/host/var/run/docker.sock \
                                                                                  -v /dev:/host/dev \
                                                                                  -v /proc:/host/proc:ro \
                                                                                  -v /boot:/host/boot:ro \
                                                                                  sysdig/agent-slim
                                                                                  

                                                                                Install Slim Agent on Kubernetes

                                                                                The agent is installed by scheduling both the agent-kmodule and agent-slim containers into a single daemonset. The agent-kmodule container is defined as an init container, which ensures that it runs first and must succeed in order for the other containers to run.

                                                                                The slim agent is not supported on GKE clusters running on COS (Container Optimized OS).

                                                                                1. Download sysdig-agent-slim-daemonset-v2.yaml, edit it as required, and deploy.

                                                                                  An example daemonset is given below:

                                                                                  ### WARNING: this file is supported from Sysdig Agent 0.80.0
                                                                                  # apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
                                                                                  apiVersion: apps/v1
                                                                                  kind: DaemonSet
                                                                                  metadata:
                                                                                    name: sysdig-agent
                                                                                    labels:
                                                                                      app: sysdig-agent
                                                                                  spec:
                                                                                    selector:
                                                                                      matchLabels:
                                                                                        app: sysdig-agent
                                                                                    updateStrategy:
                                                                                      type: RollingUpdate
                                                                                    template:
                                                                                      metadata:
                                                                                        labels:
                                                                                          app: sysdig-agent
                                                                                      spec:
                                                                                        volumes:
                                                                                        - name: modprobe-d
                                                                                          hostPath:
                                                                                            path: /etc/modprobe.d
                                                                                        - name: dshm
                                                                                          emptyDir:
                                                                                            medium: Memory
                                                                                        - name: dev-vol
                                                                                          hostPath:
                                                                                            path: /dev
                                                                                        - name: proc-vol
                                                                                          hostPath:
                                                                                            path: /proc
                                                                                        - name: boot-vol
                                                                                          hostPath:
                                                                                            path: /boot
                                                                                        - name: modules-vol
                                                                                          hostPath:
                                                                                            path: /lib/modules
                                                                                        - name: usr-vol
                                                                                          hostPath:
                                                                                            path: /usr
                                                                                        - name: run-vol
                                                                                          hostPath:
                                                                                            path: /run
                                                                                        - name: varrun-vol
                                                                                          hostPath:
                                                                                            path: /var/run
                                                                                        - name: sysdig-agent-config
                                                                                          configMap:
                                                                                            name: sysdig-agent
                                                                                            optional: true
                                                                                        - name: sysdig-agent-secrets
                                                                                          secret:
                                                                                            secretName: sysdig-agent
                                                                                        hostNetwork: true
                                                                                        hostPID: true
                                                                                        tolerations:
                                                                                          - effect: NoSchedule
                                                                                            key: node-role.kubernetes.io/master
                                                                                        # The following line is necessary for RBAC
                                                                                        serviceAccount: sysdig-agent
                                                                                        terminationGracePeriodSeconds: 5
                                                                                        initContainers:
                                                                                        - name: sysdig-agent-kmodule
                                                                                          image: sysdig/agent-kmodule
                                                                                          imagePullPolicy: Always
                                                                                          securityContext:
                                                                                            privileged: true
                                                                                          resources:
                                                                                            requests:
                                                                                              cpu: 1000m
                                                                                              memory: 384Mi
                                                                                            limits:
                                                                                              memory: 512Mi
                                                                                          volumeMounts:
                                                                                          - mountPath: /etc/modprobe.d
                                                                                            name: modprobe-d
                                                                                            readOnly: true
                                                                                          - mountPath: /host/boot
                                                                                            name: boot-vol
                                                                                            readOnly: true
                                                                                          - mountPath: /host/lib/modules
                                                                                            name: modules-vol
                                                                                            readOnly: true
                                                                                          - mountPath: /host/usr
                                                                                            name: usr-vol
                                                                                            readOnly: true
                                                                                        containers:
                                                                                        - name: sysdig-agent
                                                                                          # WARNING: the agent-slim release is currently dependent on the above
                                                                                          # initContainer and thus only functions correctly in a kubernetes cluster
                                                                                          image: sysdig/agent-slim
                                                                                          imagePullPolicy: Always
                                                                                          securityContext:
                                                                                            privileged: true
                                                                                          resources:
                                                                                            # Resources needed are subjective to the actual workload.
                                                                                            # Please refer to Sysdig Support for more info.
                                                                                            requests:
                                                                                              cpu: 600m
                                                                                              memory: 512Mi
                                                                                            limits:
                                                                                              cpu: 2000m
                                                                                              memory: 1536Mi
                                                                                          readinessProbe:
                                                                                            exec:
                                                                                              command: [ "test", "-e", "/opt/draios/logs/running" ]
                                                                                            initialDelaySeconds: 10
                                                                                          volumeMounts:
                                                                                          - mountPath: /host/dev
                                                                                            name: dev-vol
                                                                                            readOnly: false
                                                                                          - mountPath: /host/proc
                                                                                            name: proc-vol
                                                                                            readOnly: true
                                                                                          - mountPath: /host/run
                                                                                            name: run-vol
                                                                                          - mountPath: /host/var/run
                                                                                            name: varrun-vol
                                                                                          - mountPath: /dev/shm
                                                                                            name: dshm
                                                                                          - mountPath: /opt/draios/etc/kubernetes/config
                                                                                            name: sysdig-agent-config
                                                                                          - mountPath: /opt/draios/etc/kubernetes/secrets
                                                                                            name: sysdig-agent-secrets
                                                                                  

                                                                                  See Sysdig Cloud Scripts for the latest daemonset.

                                                                                2. Create a namespace to use for the Sysdig agent.

                                                                                  # kubectl create ns sysdig-agent
                                                                                  

                                                                                  You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name was automatically defined in sysdig-agent-slim-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

                                                                                3. Create a secret key:

                                                                                  # kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                                                                  
                                                                                4. Create a cluster role and service account, and define the cluster role binding that grants the Sysdig agent rules in the cluster role, using the commands:

                                                                                  # kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                                                                  # kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                                                                  # kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                                                                  
                                                                                5. Edit sysdig-agent-configmap.yaml to add the collector``address``` and portand theSSL/TLS` information :

                                                                                  collector:
                                                                                  collector_port:
                                                                                  ssl: #true or false
                                                                                  check_certificate: #true or false
                                                                                  
                                                                                6. Apply the configuration changes:

                                                                                  # kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                7. Deploy the kernel module and slim agent containers using the daemonset:

                                                                                  # kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
                                                                                  

                                                                                The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described in the following sections:Getting Started with Sysdig Monitor

                                                                                Install Slim Agent on GKE

                                                                                The agent is installed by scheduling both the agent-kmodule and agent-slim containers into a single daemonset. The agent-kmodule container is defined as an init container, which ensures that it runs first and must succeed in order for the other containers to run.

                                                                                1. Download sysdig-agent-slim-daemonset-v2.yaml.

                                                                                  An example daemonset is given below:

                                                                                  ### WARNING: this file is supported from Sysdig Agent 0.80.0
                                                                                  # apiVersion: extensions/v1beta1  # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
                                                                                  apiVersion: apps/v1
                                                                                  kind: DaemonSet
                                                                                  metadata:
                                                                                    name: sysdig-agent
                                                                                    labels:
                                                                                      app: sysdig-agent
                                                                                  spec:
                                                                                    selector:
                                                                                      matchLabels:
                                                                                        app: sysdig-agent
                                                                                    updateStrategy:
                                                                                      type: RollingUpdate
                                                                                    template:
                                                                                      metadata:
                                                                                        labels:
                                                                                          app: sysdig-agent
                                                                                      spec:
                                                                                        volumes:
                                                                                        - name: modprobe-d
                                                                                          hostPath:
                                                                                            path: /etc/modprobe.d
                                                                                  ### uncomment for minikube
                                                                                  #      - name: etc-version
                                                                                  #        hostPath:
                                                                                  #          path: /etc/VERSION
                                                                                  #          type: FileOrCreate
                                                                                        - name: dshm
                                                                                          emptyDir:
                                                                                            medium: Memory
                                                                                        - name: dev-vol
                                                                                          hostPath:
                                                                                            path: /dev
                                                                                        - name: proc-vol
                                                                                          hostPath:
                                                                                            path: /proc
                                                                                        - name: boot-vol
                                                                                          hostPath:
                                                                                            path: /boot
                                                                                        - name: modules-vol
                                                                                          hostPath:
                                                                                            path: /lib/modules
                                                                                        - name: usr-vol
                                                                                          hostPath:
                                                                                            path: /usr
                                                                                        - name: run-vol
                                                                                          hostPath:
                                                                                            path: /run
                                                                                        - name: varrun-vol
                                                                                          hostPath:
                                                                                            path: /var/run
                                                                                        - name: sysdig-agent-config
                                                                                          configMap:
                                                                                            name: sysdig-agent
                                                                                            optional: true
                                                                                        - name: sysdig-agent-secrets
                                                                                          secret:
                                                                                            secretName: sysdig-agent
                                                                                        # This section is for eBPF support. Please refer to Sysdig Support before
                                                                                        # uncommenting, as eBPF is recommended for only a few configurations.
                                                                                        - name: bpf-probes
                                                                                          emptyDir: {}
                                                                                        - name: osrel
                                                                                          hostPath:
                                                                                            path: /etc/os-release
                                                                                            type: FileOrCreate
                                                                                        hostNetwork: true
                                                                                        hostPID: true
                                                                                        tolerations:
                                                                                          - effect: NoSchedule
                                                                                            key: node-role.kubernetes.io/master
                                                                                        # The following line is necessary for RBAC
                                                                                        serviceAccount: sysdig-agent
                                                                                        terminationGracePeriodSeconds: 5
                                                                                        initContainers:
                                                                                        - name: sysdig-agent-kmodule
                                                                                          image: quay.io/sysdig/agent-kmodule
                                                                                          imagePullPolicy: Always
                                                                                          securityContext:
                                                                                            privileged: true
                                                                                          resources:
                                                                                            requests:
                                                                                              cpu: 1000m
                                                                                              memory: 384Mi
                                                                                            limits:
                                                                                              memory: 512Mi
                                                                                          # This section is for eBPF support. Please refer to Sysdig Support before
                                                                                          # uncommenting, as eBPF is recommended for only a few configurations.
                                                                                          env:
                                                                                            - name: SYSDIG_BPF_PROBE
                                                                                              value: ""
                                                                                          volumeMounts:
                                                                                          - mountPath: /etc/modprobe.d
                                                                                            name: modprobe-d
                                                                                            readOnly: true
                                                                                  ### uncomment for minikube
                                                                                  #        - mountPath: /host/etc/VERSION
                                                                                  #          name: etc-version
                                                                                  #          readOnly: true
                                                                                          - mountPath: /host/boot
                                                                                            name: boot-vol
                                                                                            readOnly: true
                                                                                          - mountPath: /host/lib/modules
                                                                                            name: modules-vol
                                                                                            readOnly: true
                                                                                          - mountPath: /host/usr
                                                                                            name: usr-vol
                                                                                            readOnly: true
                                                                                          # This section is for eBPF support. Please refer to Sysdig Support before
                                                                                          # uncommenting, as eBPF is recommended for only a few configurations.
                                                                                          - mountPath: /root/.sysdig
                                                                                            name: bpf-probes
                                                                                          - mountPath: /host/etc/os-release
                                                                                            name: osrel
                                                                                            readOnly: true
                                                                                        containers:
                                                                                        - name: sysdig-agent
                                                                                          # WARNING: the agent-slim release is currently dependent on the above
                                                                                          # initContainer and thus only functions correctly in a kubernetes cluster
                                                                                          image: quay.io/sysdig/agent-slim
                                                                                          imagePullPolicy: Always
                                                                                          securityContext:
                                                                                            privileged: true
                                                                                          resources:
                                                                                            # Resources needed are subjective to the actual workload.
                                                                                            # Please refer to Sysdig Support for more info.
                                                                                            requests:
                                                                                              cpu: 600m
                                                                                              memory: 512Mi
                                                                                            limits:
                                                                                              cpu: 2000m
                                                                                              memory: 1536Mi
                                                                                          readinessProbe:
                                                                                            exec:
                                                                                              command: [ "test", "-e", "/opt/draios/logs/running" ]
                                                                                            initialDelaySeconds: 10
                                                                                          # This section is for eBPF support. Please refer to Sysdig Support before
                                                                                          # uncommenting, as eBPF is recommended for only a few configurations.
                                                                                          env:
                                                                                           - name: SYSDIG_BPF_PROBE
                                                                                              value: ""
                                                                                          volumeMounts:
                                                                                          - mountPath: /host/dev
                                                                                            name: dev-vol
                                                                                            readOnly: false
                                                                                          - mountPath: /host/proc
                                                                                            name: proc-vol
                                                                                            readOnly: true
                                                                                          - mountPath: /host/run
                                                                                            name: run-vol
                                                                                          - mountPath: /host/var/run
                                                                                            name: varrun-vol
                                                                                          - mountPath: /dev/shm
                                                                                            name: dshm
                                                                                          - mountPath: /opt/draios/etc/kubernetes/config
                                                                                            name: sysdig-agent-config
                                                                                          - mountPath: /opt/draios/etc/kubernetes/secrets
                                                                                            name: sysdig-agent-secrets
                                                                                          # This section is for eBPF support. Please refer to Sysdig Support before
                                                                                          # uncommenting, as eBPF is recommended for only a few configurations.
                                                                                          - mountPath: /root/.sysdig
                                                                                            name: bpf-probes
                                                                                  
                                                                                2. Either use the single-line command from the Getting Started section of the Sysdig application or continue with the step 3 through 7.

                                                                                  $ curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s -- --access_key 84d1d241-cde3-4ecc-9ecf-9a735ed0df45 --collector collector-staging.sysdigcloud.com --collector_port 6443 --nodeanalyzer --api_endpoint secure-staging.sysdig.com
                                                                                  
                                                                                3. Ensure that you uncomment the following sections:

                                                                                  • eBPF Probes under spec volume:

                                                                                    - name: bpf-probes
                                                                                      emptyDir: {}
                                                                                    - name: osrel
                                                                                      hostPath:
                                                                                         path: /etc/os-release
                                                                                         type: FileOrCreate
                                                                                    
                                                                                  • Environment variable for eBPF under initContainers:

                                                                                    env:
                                                                                      - name: SYSDIG_BPF_PROBE
                                                                                        value: ""
                                                                                    
                                                                                  • Mount path for eBPF under initContainers:

                                                                                    - mountPath: /root/.sysdig
                                                                                      name: bpf-probes
                                                                                    - mountPath: /host/etc/os-release
                                                                                      name: osrel
                                                                                      readOnly: true
                                                                                    
                                                                                  • Environment variable for eBPF under sysdig-agent:

                                                                                    env:
                                                                                     - name: SYSDIG_BPF_PROBE
                                                                                       value: ""
                                                                                    
                                                                                  • Mount path for eBPF under volume mounts

                                                                                    - mountPath: /root/.sysdig
                                                                                      name: bpf-probesenv:
                                                                                    
                                                                                4. Create a namespace to use for the Sysdig agent.

                                                                                  $ kubectl create ns sysdig-agent
                                                                                  

                                                                                  You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name was automatically defined in sysdig-agent-slim-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.

                                                                                5. Create a secret key:

                                                                                  $ kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
                                                                                  
                                                                                6. Create a cluster role and service account, and define the cluster role binding that grants the Sysdig agent rules in the cluster role, using the commands:

                                                                                  $ kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
                                                                                  $ kubectl create serviceaccount sysdig-agent -n sysdig-agent
                                                                                  $ kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
                                                                                  
                                                                                7. Edit sysdig-agent-configmap.yaml to add the collector``address``` and portand theSSL/TLS` information :

                                                                                  collector:
                                                                                  collector_port:
                                                                                  ssl: #true or false
                                                                                  check_certificate: #true or false
                                                                                  
                                                                                8. Apply the configuration changes:

                                                                                  $ kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
                                                                                  
                                                                                9. Deploy the kernel module and slim agent containers using the daemonset:

                                                                                  # kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
                                                                                  

                                                                                The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described in the following sections:Getting Started with Sysdig Monitor

                                                                                1.6 -

                                                                                Agent Install: Manual Linux Installation

                                                                                Manual installation of the native Linux agent is recommended in the following cases:

                                                                                • Full control over the deployment process

                                                                                • Integration with configuration management tools

                                                                                • Custom kernel

                                                                                • Unsupported distribution (within Debian/Fedora flavors)

                                                                                Otherwise, you may want to just follow the standard Installation Guide:

                                                                                NOTE: If you are installing the Sysdig agent in an orchestrated infrastructure such as Kubernetes, Mesos/Marathon, use the respective Installation Guides:

                                                                                Run the commands as root or with sudo.

                                                                                Installation Options

                                                                                Review the Host Requirements for Agent Installation. Then follow the steps for the appropriate Linux distribution, below.

                                                                                Debian, Ubuntu

                                                                                1. Trust the Sysdig Monitor GPG key, configure the apt repository, and update the package list:

                                                                                  curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | apt-key add -
                                                                                  curl -s -o /etc/apt/sources.list.d/draios.list http://download.sysdig.com/stable/deb/draios.list
                                                                                  apt-get update
                                                                                  
                                                                                2. Install kernel development files.

                                                                                  The following command might not work with every kernel. Make sure to customize the name of the package properly.

                                                                                  apt-get -y install linux-headers-$(uname -r)
                                                                                  
                                                                                3. Install, configure, and restart the Sysdig agent.

                                                                                  apt-get -y install draios-agent
                                                                                  echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
                                                                                  echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
                                                                                  service dragent restart
                                                                                  

                                                                                  Replace ACCESS_KEY with your unique access key string. Inability to retrieve the key indicates that the administrator of your instance might have it turned off for non-admin users. Please contact your Sysdig administrator to receive the key. If you still have issues please contact Sysdig support.

                                                                                  [TAGS] is an optional parameter you can use to list one or more tags for this host (see below).

                                                                                CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

                                                                                1. Trust the Sysdig Monitor GPG key, configure the yum repository.

                                                                                  $ rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
                                                                                  $ curl -s -o /etc/yum.repos.d/draios.repo http://download.sysdig.com/stable/rpm/draios.repo
                                                                                  
                                                                                2. Install the EPEL repository

                                                                                  The following command is required only if DKMS is not available in the distribution. You can verify if DKMS is available with yum list dkms

                                                                                  The command below contains a sample release number; be sure to update with the correct release.

                                                                                  $ rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
                                                                                  
                                                                                3. Install kernel development files.

                                                                                  The following command might not work with every kernel. Make sure to customize the name of the package properly.

                                                                                  $ yum -y install kernel-devel-$(uname -r)
                                                                                  
                                                                                4. Install, configure, and start the Sysdig agent.

                                                                                  $ yum -y install draios-agent
                                                                                  $ echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
                                                                                  $ echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
                                                                                  $ sudo systemctl enable dragent
                                                                                  $ sudo systemctl start dragent
                                                                                  

                                                                                  Replace ACCESS_KEY with your unique access key string. Inability to retrieve the key indicates that the administrator of your instance might have it turned off for non-admin users. Please contact your Sysdig administrator to receive the key. If you still have issues please contact Sysdig support.

                                                                                  [TAGS] is an optional parameter you can use to list one or more tags for this host (see below).

                                                                                  If you using a non-systemd Linux distribution, use the service command to start dragent.

                                                                                  $ service dragent restart
                                                                                  

                                                                                Other Linux Distributions

                                                                                The Sysdig Agent is unsupported outside of the Debian, Fedora, and Amazon distributions.

                                                                                Agent Tags

                                                                                Tagging your hosts is highly recommended. Agent Tags allow you to sort nodes of your infrastructure into custom groups in Sysdig Monitor.

                                                                                Replace the [TAGS] parameter above with a comma-separated list of TAG_NAME:TAG_VALUE .

                                                                                For example: role:webserver,location:europe

                                                                                1.7 -

                                                                                Agent Install: IKS (IBM Cloud with Sysdig)

                                                                                IBM maintains the documentation for Sysdig agent installation on IBM Cloud Kubernetes Service (IKS).

                                                                                For more information, see the IBM Cloud Monitoring with Sysdig documentation:

                                                                                1.8 -

                                                                                Agent Install: Mesos | Marathon | DCOS

                                                                                Marathon is the container orchestration platform for Mesosphere’s Datacenter Operating System (DC/OS) and Apache Mesos.

                                                                                This guide describes how to install the Sysdig agent container on each underlying host in your Mesos cluster. Once installed, the agent will automatically connect to the Mesos and Marathon APIs to pull relevant metadata about the environment and will begin monitoring all of your hosts, apps, containers, and frameworks.

                                                                                Standard Installation Instructions

                                                                                Review the Host Requirements for Agent Installation.

                                                                                In this three-part installation, you:

                                                                                • Deploy the Sysdig agent on all Mesos Agent (aka “Slave”) nodes, either automatically or by creating and posting a .json file to the leader Marathon API server.

                                                                                • Deploy the Sysdig agent on the Mesos Master nodes.

                                                                                • Special configuration steps: modify the Sysdig agent config file to monitor Marathon instances.

                                                                                Deploy the Sysdig agent on your Mesos Agent nodes

                                                                                Preferred Option: Automatic install (DC/OS 1.11+)

                                                                                If you’re using DC/OS 1.8 or higher, then you can find Sysdig in the Mesosphere Universe marketplace and install it from there.

                                                                                It will automatically deploy the Sysdig agent container on each of your Mesos Agent nodes as a Marathon app.

                                                                                Proceed to Deploy the Sysdig Agent.

                                                                                Alternate Option: Post a .json file

                                                                                If you are using a version of DC/OS earlier than 1.8 then:

                                                                                1. Create a JSON file for Marathon, in the following format.

                                                                                  The COLLECTOR address comes from your own environment in on-prem installations. For SaaS installations, find the collector endpoint for your region listed here.

                                                                                  COLLECTOR_PORT, SECURE, and CHECK_CERT are used in environments with Sysdig’s on-premises backend installed.

                                                                                  {
                                                                                    "backoffFactor": 1.15,
                                                                                    "backoffSeconds": 1,
                                                                                    "constraints": [
                                                                                      [
                                                                                        "hostname",
                                                                                        "UNIQUE"
                                                                                      ]
                                                                                    ],
                                                                                    "container": {
                                                                                      "docker": {
                                                                                        "forcePullImage": true,
                                                                                        "image": "sysdig/agent",
                                                                                        "parameters": [],
                                                                                        "privileged": true
                                                                                      },
                                                                                      "type": "DOCKER",
                                                                                      "volumes": [
                                                                                        {
                                                                                          "containerPath": "/host/var/run/docker.sock",
                                                                                          "hostPath": "/var/run/docker.sock",
                                                                                          "mode": "RW"
                                                                                        },
                                                                                        {
                                                                                          "containerPath": "/host/dev",
                                                                                          "hostPath": "/dev",
                                                                                          "mode": "RW"
                                                                                        },
                                                                                        {
                                                                                          "containerPath": "/host/proc",
                                                                                          "hostPath": "/proc",
                                                                                          "mode": "RO"
                                                                                        },
                                                                                        {
                                                                                          "containerPath": "/host/boot",
                                                                                          "hostPath": "/boot",
                                                                                          "mode": "RO"
                                                                                        },
                                                                                        {
                                                                                          "containerPath": "/host/lib/modules",
                                                                                          "hostPath": "/lib/modules",
                                                                                          "mode": "RO"
                                                                                        },
                                                                                        {
                                                                                          "containerPath": "/host/usr",
                                                                                          "hostPath": "/usr",
                                                                                          "mode": "RO"
                                                                                        }
                                                                                      ]
                                                                                    },
                                                                                    "cpus": 1,
                                                                                    "deployments": [],
                                                                                    "disk": 0,
                                                                                    "env": {
                                                                                      "ACCESS_KEY": "ACCESS_KEY=YOUR-ACCESS-KEY-HERE",
                                                                                      "CHECK_CERT": "false",
                                                                                      "SECURE": "true",
                                                                                      "TAGS": "example_tag:example_value",
                                                                                      "name": "sdc-agent",
                                                                                      "pid": "host",
                                                                                      "role": "monitoring",
                                                                                      "shm-size": "350m"
                                                                                    },
                                                                                    "executor": "",
                                                                                    "gpus": 0,
                                                                                    "id": "/sysdig-agent",
                                                                                    "instances": 1,
                                                                                    "killSelection": "YOUNGEST_FIRST",
                                                                                    "labels": {},
                                                                                    "lastTaskFailure": {
                                                                                      "appId": "/sysdig-agent",
                                                                                      "host": "YOUR-HOST",
                                                                                      "message": "Container exited with status 70",
                                                                                      "slaveId": "1fa6f2fc-95b0-445f-8b97-7f91c1321250-S2",
                                                                                      "state": "TASK_FAILED",
                                                                                      "taskId": "sysdig-agent.3bb0759d-3fa3-11e9-b446-c60a7a2ee871",
                                                                                      "timestamp": "2019-03-06T00:03:16.234Z",
                                                                                      "version": "2019-03-06T00:01:57.182Z"
                                                                                    },
                                                                                    "maxLaunchDelaySeconds": 3600,
                                                                                    "mem": 850,
                                                                                    "networks": [
                                                                                      {
                                                                                        "mode": "host"
                                                                                      }
                                                                                    ],
                                                                                    "portDefinitions": [
                                                                                      {
                                                                                        "name": "default",
                                                                                        "port": 10101,
                                                                                        "protocol": "tcp"
                                                                                      }
                                                                                    ],
                                                                                    "requirePorts": false,
                                                                                    "tasks": [
                                                                                      {
                                                                                        "appId": "/sysdig-agent",
                                                                                        "healthCheckResults": [],
                                                                                        "host": "YOUR-HOST-IP",
                                                                                        "id": "sysdig-agent.0d5436f4-3fa4-11e9-b446-c60a7a2ee871",
                                                                                        "ipAddresses": [
                                                                                          {
                                                                                            "ipAddress": "YOUR-HOST-IP",
                                                                                            "protocol": "IPv4"
                                                                                          }
                                                                                        ],
                                                                                        "localVolumes": [],
                                                                                        "ports": [
                                                                                          4764
                                                                                        ],
                                                                                        "servicePorts": [],
                                                                                        "slaveId": "1fa6f2fc-95b0-445f-8b97-7f91c1321250-S2",
                                                                                        "stagedAt": "2019-03-06T00:09:04.232Z",
                                                                                        "startedAt": "2019-03-06T00:09:06.912Z",
                                                                                        "state": "TASK_RUNNING",
                                                                                        "version": "2019-03-06T00:09:04.182Z"
                                                                                      }
                                                                                    ],
                                                                                    "tasksHealthy": 0,
                                                                                    "tasksRunning": 1,
                                                                                    "tasksStaged": 0,
                                                                                    "tasksUnhealthy": 0,
                                                                                    "unreachableStrategy": {
                                                                                      "expungeAfterSeconds": 0,
                                                                                      "inactiveAfterSeconds": 0
                                                                                    },
                                                                                    "upgradeStrategy": {
                                                                                      "maximumOverCapacity": 1,
                                                                                      "minimumHealthCapacity": 1
                                                                                    },
                                                                                    "version": "2019-03-06T00:09:04.182Z",
                                                                                    "versionInfo": {
                                                                                      "lastConfigChangeAt": "2019-03-06T00:09:04.182Z",
                                                                                      "lastScalingAt": "2019-03-06T00:09:04.182Z"
                                                                                    }
                                                                                  }
                                                                                  
                                                                                  

                                                                                  See Table 1: Environment Variables for Agent Config Filef or the Sysdig name:value definitions.

                                                                                  Complete the “cpus”, “mem” and “labels” (i.e. Marathon labels) entries to fit the capacity and requirements of the cluster environment.

                                                                                2. Update the created.json file to the leader Marathon API server:

                                                                                  $ $curl -X POST http://$(hostname -i):8080/v2/apps -d @sysdig.json -H "Content-type: application/json"
                                                                                  

                                                                                Deploy the Sysdig Agent

                                                                                After deploying the agent to the Mesos Agent nodes, you will install agents on each of the Mesos Master nodes as well.

                                                                                If any cluster node has both Mesos Master and Mesos Agent roles, do not perform this installation step on that node. It already will have a Sysdig agent installed from the procedure in step A. Running duplicate Sysdig agents on a node will cause errors.

                                                                                Use the Agent Install: Non-Orchestrated instructions to install the agent directly on each of your Mesos Master nodes.

                                                                                When the Sysdig agent is successfully installed on the master nodes, it will automatically connect to the local Mesos and Marathon (if available) API servers via http://localhost:5050 and http://localhost:8080 respectively, to collect cluster configuration and current state metadata in addition to host metrics.

                                                                                Special Configuration Steps

                                                                                In certains situations, you may need to add additional configurations to the dragent.yaml file:

                                                                                • If the Sysdig agent cannot be run directly on the Mesos API server

                                                                                • If the API server is protected with a username/password.

                                                                                Descriptions and examples are shown below.

                                                                                If the Sysdig Agent Cannot Run On the Mesos API Server

                                                                                Mesos allows multiple masters. If the API server can not be instrumented with a Sysdig agent, simply delegate ONE other node with an agent installed to remotely receive infrastructure information from the API server.

                                                                                NOTE: If you manually configure the agent to point to a master with a static configuration file entry, then automatic detection/following of leader changes will no longer be enabled.

                                                                                Add the following Mesos parameter to the delegated agent’s dragent.yaml file to allow it to connect to the remote API server and authenticate, either by:

                                                                                a. Directly editing dragent.yaml on the host, or

                                                                                b. Converting the YAML code to a single-line format and adding it as an ADDITIONAL_CONF argument in a Docker command.

                                                                                See Understanding the Agent Config Files for details.

                                                                                Specify the API server’s connection method, address, and port. Also specify credentials if necessary.

                                                                                YAML example:

                                                                                mesos_state_uri: http://[acct:passwd@][hostname][:port]
                                                                                marathon_uris:
                                                                                  - http://[acct:passwd@][hostname][:port]
                                                                                

                                                                                Although marathon_uris: is an array, currently only a single “root” Marathon framework per cluster is supported. Multiple side-by-side Marathon frameworks should not be configured in order for our agent to function properly. Multiple side-by-side “root” Marathon frameworks on the same cluster are currently not supported. The only supported multiple-Marathon configuration is with one “root” Marathon and other Marathon frameworks as its apps.

                                                                                If the Mesos API server requires authentication

                                                                                If the agent is installed on the API server but the API server uses a different port or requires authentication, those parameters must be explicitly specified.

                                                                                Add the following Mesos parameters to the API server’s dragent.yaml to make it connect to the API server and authenticate with any unique account and password, either by:

                                                                                a. Directly editing dragent.yaml on the host, or

                                                                                b. Converting the YAML code to a single-line format and adding it as an ADDITIONAL_CONF argument in a Docker command.

                                                                                See Understanding the Agent Config Files for details.

                                                                                Specify the API server’s protocol, user credentials, and port:

                                                                                mesos_state_uri: http://[username:password@][hostname][:port]
                                                                                marathon_uris:
                                                                                  - http://[acct:passwd@][hostname][:port]
                                                                                

                                                                                *HTTPS protocol is also supported.

                                                                                Troubleshooting: Turning Off Metadata Reception

                                                                                In troubleshooting cases where auto-detection and reporting of your Mesos infrastructure needs to be temporarily turned off in a designated agent:

                                                                                1. Comment out the Mesos parameter entries in the agent’s dragent.yaml file.

                                                                                  Example parameters to disable: mesos_state_uri, marathon_uris

                                                                                2. If the agent is running on the API server (Master node) and auto-detecting a default configuration, you can add the line:

                                                                                  mesos_autodetect: false

                                                                                  either directly in the dragent.yaml file or as an ADDITIONAL_CONF parameter in a Docker command.

                                                                                3. Restart the agent.

                                                                                1.9 -

                                                                                Airgapped Agent Installation

                                                                                Airgapped environments are those that do not have the network access to pull images from the container repository. Agent installation requires sysdigcloud-probe and you cannot download a pre-compiled module in an airgapped environment. Therefore, ensure that you compile your own sysdigcloud-probe before installing the agent.

                                                                                Prepare the Sysdig Probe Builder Images

                                                                                On a machine with internet connectivity, build the Sysdig probe container and create a tar file of the image.

                                                                                1. Get the probe builder artifacts from the repository:

                                                                                  $ git clone https://github.com/draios/sysdig
                                                                                  $ git checkout probe-builder
                                                                                  $ cd sysdig
                                                                                  
                                                                                2. Build the container image:

                                                                                  $ docker build -t airgap/sysdig-probe-builder probe-builder/
                                                                                  
                                                                                3. Create the container and run:

                                                                                  $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock airgap/sysdig-probe-builder:latest -P -b airgap/
                                                                                  
                                                                                4. Save the images to a tar archive:

                                                                                  $ docker save airgap/sysdig-probe-builder | gzip > builders.tar.gz
                                                                                  

                                                                                  Ensure that you make this tar available to the airgapped machines where you intend to install the Sysdig agent.

                                                                                Set Up Kernel Module

                                                                                1. Set up a local repository to host the pre-compiled kernel module:

                                                                                  $ kubectl run my-nginx --image=nginx --port=80
                                                                                  $ kubectl expose deployment my-nginx --port=80 --type=NodePort
                                                                                  
                                                                                2. Copy sysdigcloud-probe to the repository you have created:

                                                                                  $ kubectl cp sysdigcloud-probe-<version> my-nginx-xxxxxxxx-xxxx:/usr/share/nginx
                                                                                  

                                                                                Install Agent in Docker Environment

                                                                                1. Install Sysdig agent by pointing SYSDIG_PROBE_URL to the local repository:

                                                                                  For docker-based installations:

                                                                                  $ docker run -d --name sysdig-agent --restart always --privileged --net host --pid host -e ACCESS_KEY=WWWWW-YYYY-XXXX-ZZZZ-123456789 -e SECURE=true -e SYSDIG_PROBE_URL=http://www.mywebserver.net:80/ -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --shm-size=512m sysdig/agent
                                                                                  

                                                                                  Where -e SYSDIG_PROBE_URL=http://www.mywebserver:80/ is the local nginx pod with the loaded module.

                                                                                  To use secure communication with a self-signed or untrusted certificate, apply the -e SYSDIG_PROBE_INSECURE_DOWNLOAD=true environment variable.

                                                                                2. Check the agent log. You will see a similar message:

                                                                                  Found custom module URL http://mywebserver:80/, will use it * Trying to download precompiled module from http://mywebserver:80/sysdigcloud-probe-<version>
                                                                                  
                                                                                3. Continue with the instructions in Agent Install: Non-Orchestrated.

                                                                                Install Agent in Kubernetes Environment

                                                                                1. Open your agent daemonset and update the SYSDIG_PROBE_URL to point to the local repository:

                                                                                  - name: SYSDIG_PROBE_URL
                                                                                    value: http://www.mywebserver:80/
                                                                                  

                                                                                  If you would like to use secure communication with a self-signed or untrusted certificate, apply the SYSDIG_PROBE_INSECURE_DOWNLOAD environment variable.

                                                                                  - name: SYSDIG_PROBE_INSECURE_DOWNLOAD
                                                                                    value: true
                                                                                  
                                                                                2. Continue with the instructions in Agent Install: Kubernetes.

                                                                                1.10 -

                                                                                Troubleshooting Agent Installation

                                                                                This section describes methods for troubleshooting two types of issue:

                                                                                • Disconnecting Agents

                                                                                • Can’t See Metrics After Agent Install

                                                                                Disconnecting Agents

                                                                                If agents are disconnecting, there could be problems with addresses that need to be resolved in the agent configuration files. See also Understanding the Agent Config Files.

                                                                                Check for Duplicate MAC addresses

                                                                                The Sysdig agent will use the eth0 MAC address to identify the different hosts within an infrastructure. In a virtualized environment, you should confirm each of your VM’s eth0 MAC addresses are unique.

                                                                                If a unique address cannot be configured, you can supply an additional parameter in the Sysdig agent’s dragent.yaml configuration file: machine_id_prefix: prefix

                                                                                The prefix text can be any string and will be prepended to the MAC address as reported in the Sysdig Monitor web interface’s Explore tables.

                                                                                Example: (using ADDITIONAL_CONF rather than Kubernetes Configmap)

                                                                                Here is an example Docker run command installing the parameter via the ADDITIONAL_CONF parameter

                                                                                docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=abc123-1234-abcd-4321-abc123def456 -e TAGS=tag1:value1 -e ADDITIONAL_CONF="machine_id_prefix: MyPrefix123-" -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent
                                                                                

                                                                                The resulting /opt/draios/etc/dragent.yaml config file would look like this:

                                                                                customerid:abc123-1234-abcd-4321-abc123def456
                                                                                tags: tag1:value1
                                                                                machine_id_prefix: MyPrefix123-
                                                                                

                                                                                You will then see all of your hosts, provided that all the prefixes are unique. The prefix will be visible whenever the MAC address is displayed in any view.

                                                                                See also: Agent Configuration.

                                                                                Check for Conflicting MAC addresses in GKE environments

                                                                                In Google Container Engine (GKE) environments, MAC addresses could be repeated across multiple hosts. This would cause some hosts running Sysdig agents not to appear in your web interface.

                                                                                To address this, add a unique machine ID prefix to each config you use to deploy the agent to a given cluster (i.e. each sysdig-daemonset.yaml file).

                                                                                Note: This example uses the (v1) ADDITIONAL_CONF, rather than (v2) Configmap method.

                                                                                - name: ADDITIONAL_CONF value: "machine_id_prefix: mycluster1-prefix-"

                                                                                Can’t See Metrics After Agent Install

                                                                                If agents were successfully installed, you could log in to the Sysdig Monitor UI, but no metrics are displayed in the Explore panel, first confirm that the agent license count has not been exceeded. Then check for any proxy, firewall, or host security policies preventing proper agent communication to the Sysdig Monitor backend infrastructure.

                                                                                Check License Count

                                                                                If network connectivity is good, the agent will connect to the backend but will be disconnected after a few seconds if the license count has been exceeded.

                                                                                To check whether you are over-subscribed, go to Settings > Subscription.

                                                                                See Subscription for details.

                                                                                Check Network Policy

                                                                                Agent Connection Port

                                                                                Check your service provider VPC security groups to verify that network ACLs are set to allow the agent’s outbound traffic over TCP ports. See Sysdig Collector Ports for the supported TCP ports for each region.

                                                                                Outbound IP Addresses

                                                                                Due to the distributed nature of the Sysdig Monitor infrastructure, the agent must be open for outbound connections to collector.sysdigcloud.com on all outbound IP addresses.

                                                                                Check Amazon’s public IP ranges file to see all the potential IP addresses the Sysdig agent can use to communicate with the Sysdig backend databases.

                                                                                AWS Metadata Endpoint

                                                                                AWS metadata is used for gathering information about the instance itself, such as instance id, public IP address, etc.

                                                                                When running on an AWS instance, access to the following AWS metadata endpoint is also needed: 169.254.169.254

                                                                                Check Local Host Policy

                                                                                The agent requires access to the following local system resources in order to gather metrics:

                                                                                • Read/Write access to /dev/sysdig devices.

                                                                                • Read access to all the files under /proc file system.

                                                                                • For container support, the Docker API endpoint /var/run/docker.sock

                                                                                If any settings or firewall modifications are made, you may need to restart the agent service. In a shell on the affected instances issue the following command:

                                                                                sudo service dragent restart
                                                                                
                                                                                

                                                                                1.11 -

                                                                                Identify Agent Version

                                                                                Use one of the following methods to determine the version of the agents installed in your environment:

                                                                                Explore

                                                                                Segmenting metrics by using agent.version shows the installed versions of agents in your environment. For example, segment the uptime metric across your environment by using agent.version . Hover over the graph to see the list of agent versions.

                                                                                The image shows the list of agent versions in n/a.

                                                                                Dashboard

                                                                                Use the Sysdig Agent Health Dashboard to determine the agent versions:

                                                                                1. Log in to the Sysdig Monitor.

                                                                                2. Select Dashboards and expand Host Infrastructure Dashboards.

                                                                                3. Open the Sysdig Agent Health & Status template or create your own from the template.

                                                                                  The Sysdig Agent and Health & Status Dashboard shows the agent version corresponding to each host in your environment.

                                                                                1.12 -

                                                                                Using Node Leases

                                                                                The Sysdig agent uses Kubernetes Lease to control how and when connections are made to the Kubernetes API Server. This mechanism prevents overloading the Kubernetes API server with connection requests during agent bootup.

                                                                                Kubernetes node leases are automatically created for agent version 12.0.0 and above. On versions prior to 12.0.0, you must configure node leases as given in the KB article.

                                                                                Prerequisites

                                                                                • Sysdig Agent v11.3.0 or above

                                                                                • Kubernetes v1.14 or above

                                                                                Types of Leases

                                                                                The agent creates the following leases:

                                                                                Cold Start

                                                                                During boot up, the Sysdig agent connects to the Kubernetes API server to retrieve Kubernetes metadata and build a cache. The cold-start leases control the number of agents that build up this cache at any given time. An agent will grab a lease, build its cache, and then release the lease so that another agent can build its cache. This mechanism prevents agents from creating a “boot storm” which can overwhelm the API server in large clusters.

                                                                                Delegation

                                                                                In Kubernetes environments, two agents are marked as delegated in each cluster. The delegated agents are the designated agents to request more data from the API server and produce KubeState metrics. The delegation leases will not be released until the agent is terminated.

                                                                                View Leases

                                                                                To view the leases, run the following:

                                                                                $ kubectl get leases -n sysdig-agent
                                                                                

                                                                                You will see an output similar to the following:

                                                                                NAME           HOLDER             AGE
                                                                                cold-start-0                      20m
                                                                                cold-start-1                      20m
                                                                                cold-start-2                      21m
                                                                                cold-start-3   ip-10-20-51-167    21m
                                                                                cold-start-4                      21m
                                                                                cold-start-5                      21m
                                                                                cold-start-6                      20m
                                                                                cold-start-7                      21m
                                                                                cold-start-8                      20m
                                                                                cold-start-9   ip-10-20-51-166   21m
                                                                                delegation-0   ip-10-20-52-53    21m
                                                                                delegation-1   ip-10-20-51-98    21m
                                                                                

                                                                                Troubleshoot Leases

                                                                                Verify Configuration

                                                                                When lease-based delegation is working as expected, the agent logs show one of the following:

                                                                                • Getting pods only for node <node>

                                                                                • Getting pods for all nodes.

                                                                                • Both (occasionally on the delegated nodes)

                                                                                Run the following to confirm that it is working:

                                                                                $ kubectl logs sysdig-agent-9l2gf -n sysdig-agent | grep -i "getting pods"
                                                                                

                                                                                The configuration is working as expected if the output on a pod is similar to the following:

                                                                                2021-05-05 02:48:32.877, 15732.15765, Information, cointerface[15738]: Only getting pods for node ip-10-20-51-166.ec2.internal
                                                                                

                                                                                Unable to Create Leases

                                                                                The latest Sysdig ClusterRole is required for the agent to create leases. If you do not have the latest ClusterRole or if you have not configured the ClusterRole correctly, the logs show the following error:

                                                                                Error, lease_pool_manager[2989554]: Cannot access leases objects: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:sysdig-agent:sysdig-agent" cannot list resource "leases" in API group "coordination.k8s.io" in the namespace "sysdig-agent"
                                                                                

                                                                                Contact Sysdig Support for help.

                                                                                Optional Agent Configuration

                                                                                Several configuration options exist for leases. It is recommended to not change the default settings unless prompted by Sysdig Customer Support.

                                                                                Configuration

                                                                                Default

                                                                                Description

                                                                                k8s_coldstart:
                                                                                  enabled: <true/false>

                                                                                true above agent versions 12.0.0

                                                                                When true, the agent will attempt to create cold-start leases to control the number of agents which are allowed to build their cache at one time.

                                                                                k8s_coldstart:
                                                                                  max_parallel_cold_starts: <int>

                                                                                10

                                                                                The number of cold-start leases to be created. This is the number of agents that can connect to the API Server simultaneously during agent initialization.

                                                                                k8s_coldstart:
                                                                                  namespace: <string>

                                                                                sysdig-agent

                                                                                The namespace to be created. This shouldn’t be needed in agent version 12.0.0 because the DownwardAPI in the ClusterRole will provide the appropriate namespace.

                                                                                k8s_coldstart:
                                                                                  enforce_leader_election: <true/false>

                                                                                false

                                                                                When true, the agent will not fall back to the previous method if it cannot create leases.This can be useful if the previous method caused API Server problems.

                                                                                k8s_delegation_election: <true/false>

                                                                                true above agent versions 12.0.0

                                                                                When true, the agent will create delegation leases to control which set of agents generate global cluster metrics.

                                                                                2 -

                                                                                Agent Configuration

                                                                                Out of the box, the Sysdig agent will gather and report on a wide variety of pre-defined metrics. It can also accommodate any number of custom parameters for additional metrics collection.

                                                                                Use this section when you need to change the default or pre-defined settings by editing the agent configuration files, or for other special circumstances.

                                                                                Integrations for Sysdig Monitor also require editing the agent config files.

                                                                                By default, the Sysdig agent is configured to collect metric data from a range of platforms and applications. You can edit the agent config files to extend the default behavior, including additional metrics for JMX, StatsD, Prometheus, or a wide range of other applications. You can also monitor log files for targeted text strings.

                                                                                2.1 -

                                                                                Understand the Agent Configuration

                                                                                Out of the box, the Sysdig agent will gather and report on a wide variety of pre-defined metrics. It can also accommodate any number of custom parameters for additional metrics collection.

                                                                                The agent relies on a pair of configuration files to define metrics collection parameters:

                                                                                dragent.default.yaml

                                                                                The core configuration file. You can look at it to understand more about the default configurations provided.

                                                                                Location: "/opt/draios/etc/dragent.default.yaml."

                                                                                CAUTION. This file should never be edited.

                                                                                dragent.yaml or configmap.yaml (Kubernetes)

                                                                                The configuration file where parameters can be added, either directly in YAML as name/value pairs, or using environment variables such as 'ADDITIONAL_CONF." Location: "/opt/draios/etc/dragent.yaml."

                                                                                The “dragent.yaml” file can be accessed and edited in several ways, depending on how the agent was installed. This document describes how to modify dragent.yaml.

                                                                                One additional file, dragent.auto.yaml is also created and used in special circumstances. See Optional: Agent Auto-Config for more detail.

                                                                                Access and Edit the Config File

                                                                                There are various ways to add or edit parameters indragent.yaml.

                                                                                Option 1: With dragent.yaml (for testing)

                                                                                It is possible to edit the container’s file directly on the host.

                                                                                Add parameters directly in YAML.

                                                                                1. Access dragent.yamldirectly at"/opt/draios/etc/dragent.yaml."

                                                                                2. Edit the file. Use proper YAML syntax.

                                                                                  See the examples at the bottom of the page.

                                                                                3. Restart the agent for changes to take effect

                                                                                • Native agent: service dragent restart

                                                                                • Container agent: docker restart sysdig-agent

                                                                                Option 2: With configmap.yaml(Kubernetes)

                                                                                Configmap.yaml is the configuration file where parameters can be added, either directly in YAML as name/value pairs, or using environment variables such as ‘ADDTIONAL_CONF."

                                                                                If you install agents as DaemonSets on a system running Kubernetes, you use configmap.yaml to connect with and manipulate the underlyingdragent.yamlfile.

                                                                                See also: Agent Install: Kubernetes | GKE | OpenShift | IBM

                                                                                Add parameters directly in YAML.

                                                                                Edit the files locally and apply with the changes withkubectl -f.

                                                                                1. Access theconfigmap.yaml.

                                                                                2. Edit the file as needed.

                                                                                3. Apply the changes:

                                                                                  kubectl apply -f sysdig-agent-configmap.yaml

                                                                                Running agents will automatically pick the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.

                                                                                Option 3: With Docker Run (Docker)

                                                                                Add-e ADDITIONAL_CONF=”<VARIABLES>”to a Docker run command, where <VARIABLES> contains all the customized parameters you want to include, in a single-line format.

                                                                                Convert YAML Parameters to Single-Line Format

                                                                                To insert ADDITIONAL_CONF parameters in a Docker run command or a daemonset file, you must convert the YAML code into a single-line format.

                                                                                You can do the conversion manually for short snippets. To convert longer portions of YAML, use echo|sed commands.

                                                                                In earlier versions, the Sysdig Agent connected to port 6666. This behavior has been deprecated, as the Sysdig agent now connects to port 6443.

                                                                                The basic procedure:

                                                                                1. Write your configuration in YAML, as it would be entered directly in dragent.yaml.

                                                                                2. In a bash shell, use echo and sed to convert to a single line.

                                                                                  sed script: " | sed -e ‘:a’ -e ‘N’ -e ‘$!ba’ -e ’s/\n/\\n/g’

                                                                                3. Insert the resulting line into a Docker run command or add it to the daemonset file as an ADDITIONAL_CONF.

                                                                                Example: simple

                                                                                Insert parameters to turn off StatsD collection and blacklist port 6443.

                                                                                YAML format

                                                                                statsd enabled: false blackisted_ports: - 6443

                                                                                Single-line format (manual)

                                                                                Use spaces, hyphens, and \n correctly when manually converting to a single line:

                                                                                ADDITIONAL_CONF="statsd:\n disabled: false\nblacklisted_ports:\n - 6443"

                                                                                Here the single line is incorporated into a full agent startup Docker command.

                                                                                docker run --name sysdig-agent  --privileged --net host --pid host -e ACCESS_KEY=1234-your-key-here-1234 -e TAGS=dept:sales,local:NYC -e ADDITIONAL_CONF="statsd:\n  enabled: false\nblacklisted_ports:\n  - 6443" -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent
                                                                                
                                                                                Example: complex

                                                                                Insert parameters to override the default configuration for a RabbitMQ app check.

                                                                                YAML format

                                                                                app_checks:
                                                                                  - name: rabbitmq
                                                                                    pattern:
                                                                                      port: 15672
                                                                                    conf:
                                                                                      rabbitmq_api_url: "http://localhost:15672/api/"
                                                                                      rabbitmq_user: myuser
                                                                                      rabbitmq_pass: mypassword
                                                                                      queues:
                                                                                        - MyQueue1
                                                                                        - MyQueue2
                                                                                

                                                                                Single-line format (echo |sed)

                                                                                From a bash shell, issue the echo command and sed script.

                                                                                echo "app_checks:
                                                                                  - name: rabbitmq
                                                                                    pattern:
                                                                                      port: 15672
                                                                                    conf:
                                                                                      rabbitmq_api_url: "http://localhost:15672/api/"
                                                                                      rabbitmq_user: myuser
                                                                                      rabbitmq_pass: mypassword
                                                                                      queues:
                                                                                        - MyQueue1
                                                                                        - MyQueue2
                                                                                " | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g'
                                                                                

                                                                                This results in the single-line format to be used with ADDITIONAL_CONF in a Docker command or daemonset file.

                                                                                "app_checks:\n - name: rabbitmq\n  pattern:\n    port: 15672\n  conf:\n    rabbitmq_api_url: http://localhost:15672/api/\n    rabbitmq_user: myuser\n    rabbitmq_pass: mypassword\n    queues:\n      - MyQueue1\n      - MyQueue2\n"
                                                                                

                                                                                Option 4: With HELM Format

                                                                                If you installed the Sysdig agent in Kubernetes using a Helm chart, then no configmap.yaml file was downloaded. You edit dragent.yaml using Helm syntax:

                                                                                Example

                                                                                $helm install --name sysdig-agent-1 --set
                                                                                sysdig.settings.tags='linux:ubuntu,dept:dev,local:nyc' --set
                                                                                sysdig.settings.k8s_cluster_name='my_cluster' stable/sysdig
                                                                                

                                                                                Will be transformed into

                                                                                data:
                                                                                 dragent.yaml: |
                                                                                  tags: linux:ubuntu,dept:dev,local:nyc
                                                                                  k8s_cluster_name: my_cluster
                                                                                

                                                                                Table 1: Environment Variables for Agent Config File

                                                                                Name

                                                                                Value

                                                                                Description

                                                                                ACCESS_KEY

                                                                                <your Sysdig access key>

                                                                                Required

                                                                                TAGS

                                                                                <meaningful tags you want applied to your instances>

                                                                                Optional. These are displayed in Sysdig Monitor for ease of use.

                                                                                For example:

                                                                                tags: linux:ubuntu,dept:dev,local:nyc

                                                                                See sysdig-agent-configmap.yaml.

                                                                                COLLECTOR

                                                                                <collector-hostname.com> or 111.222.333.400

                                                                                Enter the host name or IP address of the Sysdig collector service. Note that when used within dragent.yaml, must be lowercase collector.

                                                                                For SaaS regions, see: SaaS Regions and IP Ranges.

                                                                                COLLECTOR_PORT

                                                                                6443

                                                                                On-prem only. The port used by the Sysdig collector service; default 6443.

                                                                                SECURE

                                                                                "true"

                                                                                On-prem only. If using SSL/TLS to connect to collector service value = "true" otherwise "false."

                                                                                CHECK_CERTIFICATE

                                                                                "false"

                                                                                On-prem only. Set to "true" when using SSL/TLS to connect to the collector service and should check for valid SSL/TLS certificate.

                                                                                ADDITIONAL_CONF

                                                                                Optional. A place to provide custom configuration values to the agent as environment variables .

                                                                                SYSDIG_PROBE_URL

                                                                                Optional. An alternative URL to download precompiled kernel module.

                                                                                Sample Docker Command Using Variables

                                                                                docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=3e762f9a-3936-4c60-9cf4-c67e7ce5793b -e COLLECTOR=mycollector.elb.us-west-1.amazonaws.com -e COLLECTOR_PORT=6443 -e CHECK_CERTIFICATE=false -e TAGS=my_tag:some_value -e ADDITIONAL_CONF="log:\n file_priority: debug\n console_priority: error"
                                                                                -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --shm-size=350m sysdig/agent
                                                                                
                                                                                

                                                                                2.2 -

                                                                                Configure Agent Modes

                                                                                Agent modes provide the ability to control metric collection to fit your scale and specific requirement. You can choose one of the following modes to do so:

                                                                                • Monitor

                                                                                • Monitor Light

                                                                                • Troubleshooting

                                                                                • Secure

                                                                                Using a stripped-down mode limits collection of unneeded metrics, which in turn prevents the consumption of excess resources and helps reduce expenses.

                                                                                Monitor

                                                                                The Monitor mode offers an extensive collection of metrics. We recommend this mode to monitor enterprise environments.

                                                                                monitor is the default mode if you are running the Enterprise tier. To switch back to the Monitor mode from a different mode, do one of the following:

                                                                                • Add the following to the dragent.yaml file and restart the agent:

                                                                                  feature:
                                                                                    mode: monitor
                                                                                  
                                                                                • Remove the parameter related to the existing mode from the dragent.yaml file and restart the agent. For example, to switch from troubleshooting mode to monitor, delete the following lines:

                                                                                  feature:
                                                                                    mode: troubleshooting
                                                                                  

                                                                                Monitor Light

                                                                                Monitor Light caters to the users that run agents in a resource-restrictive environment, or to those who are interested only in a limited set of metrics.

                                                                                Monitor Light provides CPU, Memory, File, File system, and Network metrics. For more information, see Metrics Available in Monitor Light.

                                                                                Enable Monitor Light Mode

                                                                                To switch to the Monitor Light mode, edit the dragent.yaml file:

                                                                                1. Open the dragent.yaml file.

                                                                                2. Add the following configuration parameter:

                                                                                  feature:
                                                                                    mode: monitor_light
                                                                                  
                                                                                3. Restart the agent.

                                                                                Troubleshooting

                                                                                Troubleshooting mode offers sophisticated metrics with detailed diagnostic capabilities. Some of these metrics are heuristic in nature.

                                                                                In addition to the extensive metrics available in the Monitor mode, Troubleshooting mode provides additional metrics such as net.sql and additional segmentation for file and network metrics. For more information, see Additional Metrics Values Available in Troubleshooting.

                                                                                Enable Troubleshooting Mode

                                                                                To switch to the Troubleshooting mode, edit the dragent.yaml file:

                                                                                1. Open the dragent.yaml file.

                                                                                2. Add the following configuration parameter:

                                                                                  feature:
                                                                                    mode: troubleshooting
                                                                                  
                                                                                3. Restart the agent.

                                                                                Secure Mode

                                                                                The secure mode supports only Sysdig Secure features.

                                                                                Sysdig agent collects no metrics in the secure mode, which, in turn, minimizes network consumption and storage requirement in the Sysdig backend. Lower resource usage can help reduce costs and improve performance.

                                                                                In the Secure mode, the Monitor UI shows no data because no metrics are sent to the collector.

                                                                                This feature requires agent v10.5.0 or above.

                                                                                Enabling Secure Mode

                                                                                1. Open the dragent``.yaml file.

                                                                                2. Add the following:

                                                                                  feature:
                                                                                    mode: secure
                                                                                  
                                                                                3. Restart the agent.

                                                                                2.2.1 -

                                                                                Metrics Available in Monitor Light

                                                                                Monitor Light provides cpu, memory, file, file system, and network metrics.

                                                                                MetricsDescription
                                                                                cpu.cores.usedSee System.System
                                                                                cpu.cores.used.percent
                                                                                cpu.idle.percent
                                                                                cpu.iowait.percent
                                                                                cpu.nice.percent
                                                                                cpu.stolen.percent
                                                                                cpu.system.percent
                                                                                cpu.used.percent
                                                                                cpu.user.percent
                                                                                load.average.percpu.1m
                                                                                load.average.percpu.5m
                                                                                load.average.percpu.15m
                                                                                memory.bytes.available
                                                                                memory.bytes.total
                                                                                memory.bytes.used
                                                                                memory.bytes.used
                                                                                memory.bytes.virtual
                                                                                memory.pageFault.major
                                                                                memory.pageFault.minor
                                                                                memory.swap.bytes.available
                                                                                memory.swap.bytes.total
                                                                                memory.swap.bytes.used
                                                                                memory.swap.used.percent
                                                                                memory.used.percent
                                                                                file.bytes.in
                                                                                file.bytes.out
                                                                                file.bytes.total
                                                                                file.iops.in
                                                                                file.iops.out
                                                                                file.iops.total
                                                                                file.open.count
                                                                                file.time.in
                                                                                file.time.out
                                                                                file.time.total
                                                                                fs.bytes.free
                                                                                fs.bytes.total
                                                                                fs.bytes.used
                                                                                fs.free.percent
                                                                                fs.inodes.total.count
                                                                                fs.inodes.used.count
                                                                                fs.inodes.used.percent
                                                                                fs.largest.used.percent
                                                                                fs.root.used.percent
                                                                                fs.used.percent
                                                                                net.bytes.in
                                                                                net.bytes.out
                                                                                net.bytes.total
                                                                                proc.count
                                                                                thread.count
                                                                                container.count
                                                                                system.uptime
                                                                                uptime

                                                                                2.2.2 -

                                                                                Additional Metrics Values Available in Troubleshooting

                                                                                In addition to the extensive set of metrics available in the monitor mode, additional metrics, such as net.sql and net.mongodb, as well as additional segmentations for file and network metrics are available.

                                                                                MetricsAdditional Metrics Values Available When Segmented bySupported Agent Versions
                                                                                file.error.total.countfile.name and file.mount labelsVersion 10.1.0 or above
                                                                                file.bytes.total
                                                                                file.bytes.in
                                                                                file.bytes.out
                                                                                file.open.count
                                                                                file.time.total
                                                                                host.count
                                                                                host.error.count
                                                                                proc.count
                                                                                proc.start.count
                                                                                net.mongodb.collectionallVersion 10.2.0 or above
                                                                                net.mongodb.error.count
                                                                                net.mongodb.operation
                                                                                net.mongodb.request.count
                                                                                net.mongodb.request.time
                                                                                net.sql.queryall
                                                                                net.sql.error.count
                                                                                net.sql.query.type
                                                                                net.sql.request.count
                                                                                net.sql.request.time
                                                                                net.sql.table
                                                                                net.http.error.countnet.http.urlVersion 10.3.0 or above
                                                                                net.http.method
                                                                                net.http.request.count
                                                                                net.http.request.time
                                                                                net.bytes.in
                                                                                net.bytes.out
                                                                                net.request.time.worst.out
                                                                                net.request.count
                                                                                net.request.time
                                                                                net.bytes.total
                                                                                net.http.request.time.worstall

                                                                                2.2.3 -

                                                                                Metrics Not Available in Essentials Mode

                                                                                The following metrics will not be reported in the essentials mode when compared with monitor mode:

                                                                                MetricsSegmented By
                                                                                net.bytes.innet.connection.server, net.connection.direction, net.connection.l4proto , and net.connection.client labels
                                                                                net.bytes.out
                                                                                net.connection.count.total
                                                                                net.connection.count.in
                                                                                net.connection.count.out
                                                                                net.request.count
                                                                                net.request.count.in
                                                                                net.request.count.out
                                                                                net.request.time
                                                                                net.request.time.in
                                                                                net.request.time.out
                                                                                net.bytes.total
                                                                                net.mongodb.collectionall
                                                                                net.mongodb.error.count
                                                                                net.mongodb.operation
                                                                                net.mongodb.request.count
                                                                                net.mongodb.request.time
                                                                                net.sql.queryall
                                                                                net.sql.error.count
                                                                                net.sql.query.type
                                                                                net.sql.request.count
                                                                                net.sql.request.time
                                                                                net.sql.table
                                                                                net.sql.queryall
                                                                                net.sql.error.count
                                                                                net.sql.query.type
                                                                                net.sql.request.count
                                                                                net.sql.request.time
                                                                                net.sql.table
                                                                                net.http.method
                                                                                net.http.request.count
                                                                                net.http.request.time
                                                                                net.http.statusCode
                                                                                net.http.url

                                                                                2.3 -

                                                                                Enable HTTP Proxy for Agents

                                                                                You can configure the agent to allow it to communicate with the Sysdig collector through an HTTP proxy. HTTP proxy is usually configured to offer greater visibility and better management of the network.

                                                                                Agent Behaviour

                                                                                The agent can connect to the collector through an HTTP proxy by sending an HTTP CONNECT message and receiving a response. The proxy then initiates a TCP connection to the collector. These two connections form a tunnel that acts like one logical connection.

                                                                                By default, the agent will encrypt all messages sent through this tunnel. This means that after the initial CONNECT message and response, all the communication on that tunnel is encrypted by SSL end-to-end. This encryption is controlled by the top-level ssl parameter in the agent configuration.

                                                                                Optionally, the agent can add a second layer of encryption, securing the CONNECT message and response. This second layer of encryption may be desired in the case of HTTP authentication if there is a concern that network packet sniffing could be used to determine the user’s credentials. This second layer of encryption is enabled by setting the ssl parameter to true in the http_proxy section of the agent configuration. See Examples for details.

                                                                                Configuration

                                                                                You specify the following parameters at the same level as http_proxy in the dragent.yaml file. These existing configuration options affect the communication between the agent and collector (both with and without a proxy.

                                                                                • ssl: If set to true, the metrics sent from the agent to the collector are encrypted.

                                                                                • ssl_verify_certificate: Determines whether the agent verifies the SSL certificate sent from the collector.

                                                                                The following configuration options affect the behavior of the HTTP Proxy setting. You specify them under the http_proxy heading in the dragent.yaml file.

                                                                                • proxy_host: Indicates the hostname of the proxy server. The default is an empty string, which implies communication through an HTTP proxy is disabled.

                                                                                • proxy_port: Specifies the port on the proxy server the agent should connect to. The default is 0, which indicates that the HTTP proxy is disabled.

                                                                                • proxy_user : Required if HTTP authentication is configured. This option specifies the username for the HTTP authentication. The default is an empty string, which indicates that authentication is not configured.

                                                                                • proxy_password : Required if HTTP authentication is configured. This option specifies the password for the HTTP authentication. The default is an empty string. Specifying proxy_user with no proxy_password is allowed.

                                                                                • ssl: If set to true, the connection between the agent and the proxy server is encrypted.

                                                                                  Note that this parameter requires the top-level ssl parameter to be enabled, as the agent does not support SSL to the proxy but unencrypted traffic to the collector. This additional security prevents you from misconfiguring the agent assuming the metrics are as well encrypted end-to-end when they are not.

                                                                                • ssl_verify_certificate: Determines whether the agent will verify the certificate presented by the proxy.

                                                                                  This option is configured independently of the top-level ssl_verify_certificate parameter. This option is enabled by default. If the provided certificate is not correct, this option can cause the connection to the proxy server to fail.

                                                                                • ca_certificate: The path to the CA certificate for the proxy server. If ssl_verify_certificate is enabled, the CA certificate must be signed appropriately.

                                                                                Examples

                                                                                No SSL

                                                                                The following example shows no SSL connection between the agent and the proxy server as well as between the proxy server and the collector.

                                                                                collector_port: 6667
                                                                                ssl: false
                                                                                http_proxy:
                                                                                        proxy_host: squid.yourdomain.com
                                                                                        proxy_port: 3128
                                                                                        ssl: false
                                                                                

                                                                                SSL Between Proxy and Collector

                                                                                In this example, SSL is enabled only between the proxy server and the collector.

                                                                                collector_port: 6443
                                                                                ssl: true
                                                                                ssl_verify_certificate: true
                                                                                http_proxy:
                                                                                        proxy_host: squid.yourdomain.com
                                                                                        proxy_port: 3128
                                                                                

                                                                                SSL

                                                                                The following example shows SSL is enabled between the agent and the proxy server as well as between the proxy server and the collector.

                                                                                collector_port: 6443
                                                                                ssl: true
                                                                                http_proxy:
                                                                                        proxy_host: squid.yourdomain.com
                                                                                        proxy_port: 3129
                                                                                        ssl: true
                                                                                        ssl_verify_certificate: true
                                                                                        ca_certificate: /usr/proxy/proxy.crt
                                                                                

                                                                                SSL with Username and Password

                                                                                The following configuration instructs the agent to connect to a proxy server located at squid.yourdomain.com on port 3128. The agent will request the proxy server to establish an HTTP tunnel to the Sysdig collector at collector-your.sysdigcloud.com on port 6443. The agent will authenticate with the proxy server using the given user and password combination.

                                                                                collector: collector-your.sysdigcloud.com
                                                                                collector_port: 6443
                                                                                http_proxy:
                                                                                    proxy_host: squid.yourdomain.com
                                                                                    proxy_port: 3128
                                                                                    proxy_user: sysdig_customer
                                                                                    proxy_password: 12345
                                                                                        ssl: true
                                                                                    ssl_verify_certificate: true
                                                                                    ca_certificate: /usr/proxy/proxy_cert.crt
                                                                                
                                                                                

                                                                                2.4 -

                                                                                Filter Data

                                                                                The dragent.yaml file elements are wide-reaching. This section describes the parameters to edit in dragent.yaml to perform a range of activities:

                                                                                2.4.1 -

                                                                                Blacklist Ports

                                                                                Use the blacklisted_ports parameter in the agent configuration file to block network traffic and metrics from unnecessary network ports.

                                                                                Note: Port 53 (DNS) is always blacklisted.

                                                                                1. Access the agent configuration file, using one of the options listed.

                                                                                2. Add blacklisted_ports with desired port numbers.

                                                                                  Example (YAML):

                                                                                  blacklisted_ports:

                                                                                  - 6443

                                                                                  - 6379

                                                                                3. Restart the agent (if editing dragent.yaml file directly), using either the service dragent restart or docker restart sysdig-agent command as appropriate.

                                                                                2.4.2 -

                                                                                Enable/Disable Event Data

                                                                                Sysdig Monitor supports event integrations with certain applications by default. The Sysdig agent will automatically discover these services and begin collecting event data from them.

                                                                                The following applications are currently supported:

                                                                                • Docker

                                                                                • Kubernetes

                                                                                Other methods of ingesting custom events into Sysdig Monitor are touched upon in Custom Events.

                                                                                By default, only a limited set of events is collected for a supported application, and are listed in the agent’s default settings configuration file (/opt/draios/etc/dragent.default.yaml).

                                                                                To enable collecting other supported events, add an events entry to dragent.yaml.

                                                                                You can also change log entry in dragent.yaml to filter events by severity.

                                                                                Learn more about it in the following sections.

                                                                                Supported Application Events

                                                                                Events marked with * are enabled by default; see the dragent.default.yaml file.

                                                                                Docker Events

                                                                                The following Docker events are supported.

                                                                                  docker:
                                                                                    container:
                                                                                      - attach       # Container Attached      (information)
                                                                                      - commit       # Container Committed     (information)
                                                                                      - copy         # Container Copied        (information)
                                                                                      - create       # Container Created       (information)
                                                                                      - destroy      # Container Destroyed     (warning)
                                                                                      - die          # Container Died          (warning)
                                                                                      - exec_create  # Container Exec Created  (information)
                                                                                      - exec_start   # Container Exec Started  (information)
                                                                                      - export       # Container Exported      (information)
                                                                                      - kill         # Container Killed        (warning)*
                                                                                      - oom          # Container Out of Memory (warning)*
                                                                                      - pause        # Container Paused        (information)
                                                                                      - rename       # Container Renamed       (information)
                                                                                      - resize       # Container Resized       (information)
                                                                                      - restart      # Container Restarted     (warning)
                                                                                      - start        # Container Started       (information)
                                                                                      - stop         # Container Stopped       (information)
                                                                                      - top          # Container Top           (information)
                                                                                      - unpause      # Container Unpaused      (information)
                                                                                      - update       # Container Updated       (information)
                                                                                    image:
                                                                                      - delete # Image Deleted  (information)
                                                                                      - import # Image Imported (information)
                                                                                      - pull   # Image Pulled   (information)
                                                                                      - push   # Image Pushed   (information)
                                                                                      - tag    # Image Tagged   (information)
                                                                                      - untag  # Image Untaged  (information)
                                                                                    volume:
                                                                                      - create  # Volume Created    (information)
                                                                                      - mount   # Volume Mounted    (information)
                                                                                      - unmount # Volume Unmounted  (information)
                                                                                      - destroy # Volume Destroyed  (information)
                                                                                    network:
                                                                                      - create     # Network Created       (information)
                                                                                      - connect    # Network Connected     (information)
                                                                                      - disconnect # Network Disconnected  (information)
                                                                                      - destroy    # Network Destroyed     (information)
                                                                                

                                                                                Kubernetes Events

                                                                                The following Kubernetes events are supported.

                                                                                  kubernetes:
                                                                                    node:
                                                                                      - TerminatedAllPods       # Terminated All Pods      (information)
                                                                                      - RegisteredNode          # Node Registered          (information)*
                                                                                      - RemovingNode            # Removing Node            (information)*
                                                                                      - DeletingNode            # Deleting Node            (information)*
                                                                                      - DeletingAllPods         # Deleting All Pods        (information)
                                                                                      - TerminatingEvictedPod   # Terminating Evicted Pod  (information)*
                                                                                      - NodeReady               # Node Ready               (information)*
                                                                                      - NodeNotReady            # Node not Ready           (information)*
                                                                                      - NodeSchedulable         # Node is Schedulable      (information)*
                                                                                      - NodeNotSchedulable      # Node is not Schedulable  (information)*
                                                                                      - CIDRNotAvailable        # CIDR not Available       (information)*
                                                                                      - CIDRAssignmentFailed    # CIDR Assignment Failed   (information)*
                                                                                      - Starting                # Starting Kubelet         (information)*
                                                                                      - KubeletSetupFailed      # Kubelet Setup Failed     (warning)*
                                                                                      - FailedMount             # Volume Mount Failed      (warning)*
                                                                                      - NodeSelectorMismatching # Node Selector Mismatch   (warning)*
                                                                                      - InsufficientFreeCPU     # Insufficient Free CPU    (warning)*
                                                                                      - InsufficientFreeMemory  # Insufficient Free Mem    (warning)*
                                                                                      - OutOfDisk               # Out of Disk              (information)*
                                                                                      - HostNetworkNotSupported # Host Ntw not Supported   (warning)*
                                                                                      - NilShaper               # Undefined Shaper         (warning)*
                                                                                      - Rebooted                # Node Rebooted            (warning)*
                                                                                      - NodeHasSufficientDisk   # Node Has Sufficient Disk (information)*
                                                                                      - NodeOutOfDisk           # Node Out of Disk Space   (information)*
                                                                                      - InvalidDiskCapacity     # Invalid Disk Capacity    (warning)*
                                                                                      - FreeDiskSpaceFailed     # Free Disk Space Failed   (warning)*
                                                                                    pod:
                                                                                      - Pulling           # Pulling Container Image          (information)
                                                                                      - Pulled            # Ctr Img Pulled                   (information)
                                                                                      - Failed            # Ctr Img Pull/Create/Start Fail   (warning)*
                                                                                      - InspectFailed     # Ctr Img Inspect Failed           (warning)*
                                                                                      - ErrImageNeverPull # Ctr Img NeverPull Policy Violate (warning)*
                                                                                      - BackOff           # Back Off Ctr Start, Image Pull   (warning)
                                                                                      - Created           # Container Created                (information)
                                                                                      - Started           # Container Started                (information)
                                                                                      - Killing           # Killing Container                (information)*
                                                                                      - Unhealthy         # Container Unhealthy              (warning)
                                                                                      - FailedSync        # Pod Sync Failed                  (warning)
                                                                                      - FailedValidation  # Failed Pod Config Validation     (warning)
                                                                                      - OutOfDisk         # Out of Disk                      (information)*
                                                                                      - HostPortConflict  # Host/Port Conflict               (warning)*
                                                                                    replicationController:
                                                                                      - SuccessfulCreate    # Pod Created        (information)*
                                                                                      - FailedCreate        # Pod Create Failed  (warning)*
                                                                                      - SuccessfulDelete    # Pod Deleted        (information)*
                                                                                      - FailedDelete        # Pod Delete Failed  (warning)*
                                                                                

                                                                                Enable/Disable Events Collection with events Parameter

                                                                                To customize the default events collected for a specific application (by either enabling or disabling events), add an events entry to dragent.yaml as described in the examples below.

                                                                                An entry in a section in dragent.yaml overrides the entire section in the default configuration.

                                                                                For example, the Pulling entry below will permit only kubernetes pod Pulling events to be collected and all other kubernetes pod events settings in dragent.default.yaml will be ignored.

                                                                                However, other kubernetes sections - node and replicationController- remain intact and will be used as specified in dragent.default.yaml.

                                                                                Example 1: Collect Only Certain Events

                                                                                Collect only ‘Pulling’ events from Kubernetes for pods:

                                                                                events:
                                                                                  kubernetes:
                                                                                    pod:
                                                                                       - Pulling
                                                                                

                                                                                Example 2: Disable All Events in a Section

                                                                                To disable all events in a section, set the event section to none:

                                                                                events:
                                                                                  kubernetes: none
                                                                                  docker: none
                                                                                

                                                                                Example 3: Combine Methods

                                                                                These methods can be combined. For example, disable all kubernetes node and docker image events and limit docker container events to [attach, commit, copy] (components events in other sections will be collected as specified by default):

                                                                                events:
                                                                                  kubernetes:
                                                                                    node: none
                                                                                  docker:
                                                                                    image: none
                                                                                    container:
                                                                                      - attach
                                                                                      - commit
                                                                                      - copy
                                                                                

                                                                                Note: Format Sequences as List or Single Line

                                                                                In addition to bulleted lists, sequences can also be specified in a bracketed single line, eg.:

                                                                                events:
                                                                                  kubernetes:
                                                                                    pod: [Pulling, Pulled, Failed]
                                                                                

                                                                                So, the following two settings are equivalent, permitting only Pulling, Pulled, Failed events for pods to be emitted:

                                                                                events:
                                                                                  kubernetes:
                                                                                    pod: [Pulling, Pulled, Failed]
                                                                                
                                                                                events:
                                                                                  kubernetes:
                                                                                    pod:
                                                                                      - Pulling
                                                                                      - Pulled
                                                                                      - Failed
                                                                                

                                                                                Change Event Collection by Severity with log Parameter

                                                                                Events are limited globally at the agent level based on severity, using the log settings in dragent.yaml.

                                                                                The default setting for the events severity filter is information (only warning and higher severity events are transmitted).

                                                                                Valid severity levels are: none, emergency, alert, critical, error, warning, notice, information, debug.

                                                                                Example 1: Block Low-Severity Messages

                                                                                Block all low-severity messages (notice, information, debug):

                                                                                log:
                                                                                  event_priority: warning
                                                                                

                                                                                Example 2: Block All Event Collection

                                                                                Block all event collection:

                                                                                log:
                                                                                  event_priority: none
                                                                                

                                                                                For other uses of the log settings see Optional: Change the Agent Log Level.

                                                                                2.4.3 -

                                                                                Include/Exclude Custom Metrics

                                                                                For more information, see Integrate Applications (Default App Checks).

                                                                                It is possible to filter custom metrics in the following ways:

                                                                                • Ability to include/exclude custom metrics using configurable patterns,

                                                                                • Ability to log which custom metrics are exceeding limits

                                                                                After you identify those key custom metrics that must be received, use the new ‘include’ and ‘exclude’ filtering parameters to make sure you receive them before the metrics limit is hit.

                                                                                Filter Metrics Example

                                                                                Here is an example configuration entry that would be put into the agent config file: (/opt/draios/etc/dragent.yaml)

                                                                                metrics_filter:
                                                                                  - include: test.*
                                                                                  - exclude: test.*
                                                                                  - include: haproxy.backend.*
                                                                                  - exclude: haproxy.*
                                                                                  - exclude: redis.*
                                                                                

                                                                                Given the config entry above, this is the action for these metrics:

                                                                                test.* → send

                                                                                haproxy.backend.request → send

                                                                                haproxy.frontend.bytes → drop

                                                                                redis.keys → drop

                                                                                The semantic is: whenever the agent is reading metrics, they are filtered according to configured filters and the filtering rule order - the first rule that matches will be applied. Thus since the inclusion item for test.* was listed first it will be followed and that second ‘exclude’ rule for the same exact metric entry will be ignored.

                                                                                Logging Accepted/Dropped Metrics

                                                                                Logging is disabled by default. You can enable logging to see which metrics are accepted or dropped by adding the following configuration entry into the dragent.yaml config file:

                                                                                metrics_excess_log: true
                                                                                

                                                                                When logging of excess metrics is enabled, logging occurs at INFO-level, every 30 seconds and lasts for 10 seconds. The entries that can be seen in /opt/draios/logs/draios.log will be formatted like this:

                                                                                +/-[type] [metric included/excluded]: metric.name (filter: +/-[metric.filter])
                                                                                

                                                                                The first ‘+’ or ‘-’, followed by ‘type’ provides an easy way to quickly scan the list of metrics and spot which are included or excluded ('+' means “included”, ‘-’ means “excluded”).

                                                                                The second entry specifies metric type (“statsd”, “app_check”, “service_check”, or “jmx”).

                                                                                A third entry spells out whether “included” or “excluded”, followed by the metric name. Finally, inside the last entry (in parentheses), there is information about filter applied and its effect ('+' or ‘-’, meaning “include” or “exclude”).

                                                                                With this example filter rule set:

                                                                                metrics_filter:
                                                                                  - include: mongo.statsd.net*
                                                                                  - exclude: mongo.statsd.*
                                                                                

                                                                                We might see the following INFO-level log entries (timestamps stripped):

                                                                                -[statsd] metric excluded: mongo.statsd.vsize (filter: -[mongo.statsd.*])
                                                                                +[statsd] metric included: mongo.statsd.netIn (filter: +[mongo.statsd.net*])
                                                                                
                                                                                

                                                                                2.4.4 -

                                                                                Prioritize Designated Containers

                                                                                To get the most out of Sysdig Monitor, you may want to customize the way in which container data is prioritized and reported. Use this page to understand the default behavior and sorting rules, and to implement custom behavior when and where you need it. This can help reduce agent and backend load by not monitoring unnecessary containers, or– if encountering backend limits for containers– you can filter to ensure that the important containers are always reported.

                                                                                Overview

                                                                                By default, a Sysdig agent will collect metrics from all containers it detects in an environment. When reporting to the Monitor interface, it uses default sorting behavior to prioritize what container information to display first.

                                                                                Understand Default Behavior

                                                                                Out of the box, it chooses the containers with the highest

                                                                                • CPU

                                                                                • Memory

                                                                                • File IO

                                                                                • Net IO

                                                                                and allocates approximately 1/4 of the total limit to each stat type.

                                                                                Understand Simple Container Filtering

                                                                                As of agent version 0.86, it is possible set a use_container_filter parameter in the agent config file, tag/label specific containers, and set include/exclude rules to push those containers to the top of the reporting hierarchy.

                                                                                This is an effective sorting tool when:

                                                                                • You can manually mark each container with an include or exclude tag, AND

                                                                                • The number of includes is small (say, less than 100)

                                                                                In this case, the containers that explicitly match the include rules will take top priority.

                                                                                Understand Smart Container Reporting

                                                                                In some enterprises, the number of containers is too high to tag with simple filtering rules, and/or the include_all group is too large to ensure that the most-desired containers are consistently reported. As of Sysdig agent version 0.91, you can append another parameter to the agent config file, smart_container_reporting.

                                                                                This is an effective sorting tool when:

                                                                                • The number of containers is large and you can’t or won’t mark each one with include/exclude tags, AND

                                                                                • There are certain containers you would like to always prioritize

                                                                                This helps ensure that even when there are thousands of containers in an environment, the most-desired containers are consistently reported.

                                                                                Container filtering and smart container reporting affect the monitoring of all the processes/metrics within a container, including StatsD, JMX, app-checks, and built-in metrics.

                                                                                Prometheus metrics are attached to processes, rather than containers, and are therefore handled differently.

                                                                                The container limit is set in dragent.yaml under containers:limit:

                                                                                Understand Sysdig Aggregated Container

                                                                                The sydig_aggregated parameter is automatically activated when smart container reporting is enabled, to capture the most-desired metrics from the containers that were excluded by smart filtering and report them under a single entity. It appears like any other container in the Sysdig Monitor UI, with the name “sysdig_aggregated.

                                                                                Sysdig_aggregated can report on a wide array of metrics; see Sysdig_aggregated Container Metrics. However, because this is not a regular container, certain limitations apply:

                                                                                • container_id and container_image do not exist.

                                                                                • The aggregated container cannot be segmented by certain metrics that are excluded, such as process.

                                                                                • Some default dashboards associated with the aggregated container may have some empty graphs.

                                                                                Use Simple Container Filtering

                                                                                By default, the filtering feature is turned off. It can be enabled by adding the following line to the agent configuration:

                                                                                • use_container_filter: true

                                                                                When enabled, the agent will follow include/exclude filtering rules based on:

                                                                                • container image

                                                                                • container name

                                                                                • container label

                                                                                • Kubernetes annotation or label

                                                                                The default behavior in default.dragent.yaml excludes based on a container label (com.sysdig.report) and/or a Kubernetes pod annotation (.sysdig.com/report ).

                                                                                Container Condition Parameters and Rules

                                                                                Parameters

                                                                                The condition parameters are described in the following table:

                                                                                Pattern name

                                                                                Description

                                                                                Example

                                                                                container.image

                                                                                Matches if the process is running inside a container running the specified image

                                                                                - include:

                                                                                container.image: luca3m/prometheus-java-app

                                                                                container.name

                                                                                Matches if the process is running inside a container with the specified name

                                                                                - include:

                                                                                container.name: my-java-app

                                                                                container.label.*

                                                                                Matches if the process is running in a container that has a Label matching the given value

                                                                                - include:

                                                                                container.label.class: exporter

                                                                                kubernetes.<object>.annotation.* kubernetes.<object>.label.*

                                                                                Matches if the process is attached to a Kubernetes object (Pod, Namespace, etc.) that is marked with the Annotation/Label matching the given value.

                                                                                - include:

                                                                                kubernetes.pod.annotation.prometheus.io/scrape: true

                                                                                all

                                                                                Matches all. Use as last rule to determine default behavior.

                                                                                - include:

                                                                                all

                                                                                Rules

                                                                                Once enabled (when use_container_filter: true is set), the agent will follow filtering rules from the container_filter section.

                                                                                • Each rule is an include or exclude rule which can contain one or more conditions.

                                                                                • The first matching rule in the list will determine if the container is included or excluded.

                                                                                • The conditions consist of a key name and a value. If the given key for a container matches the value, the rule will be matched.

                                                                                • If a rule contains multiple conditions they all need to match for the rule to be considered a match.

                                                                                Default Configuraton

                                                                                The dragent.default.yaml contains the following default configuration for container filters:

                                                                                use_container_filter: false
                                                                                
                                                                                container_filter:
                                                                                  - include:
                                                                                      container.label.com.sysdig.report: true
                                                                                  - exclude:
                                                                                      container.label.com.sysdig.report: false
                                                                                  - include:
                                                                                      kubernetes.pod.annotation.sysdig.com/report: true
                                                                                  - exclude:
                                                                                      kubernetes.pod.annotation.sysdig.com/report: false
                                                                                  - include:
                                                                                        all
                                                                                

                                                                                Note that it excludes via a container.label and by a kubernetes.pod.annotation.

                                                                                The examples on this page show how to edit in the dragent.yaml file directly. Convert the examples to Docker or Helm commands, if applicable for your situation.

                                                                                Enable Container Filtering in the Agent Config File

                                                                                Option 1: Use the Default Configuration

                                                                                To enable container filtering using the default configuration in default.dragent.yaml (above), follow the steps below.

                                                                                1. Apply Labels and/or Annotations to Designated Containers

                                                                                To set up, decide which containers should be excluded from automatic monitoring.

                                                                                Apply the container label .com.sysdig.report and/or the Kubernetes pod annotation sysdig.com/report to the designated containers.

                                                                                2. Edit the Agent Configuration

                                                                                Add the following line to dragent.yaml to turn on the default functionality:

                                                                                use_container_filter: true
                                                                                

                                                                                Option 2: Define Your Own Rules

                                                                                You can also edit dragent.yaml to apply your own container filtering rules.

                                                                                1. Designate Containers

                                                                                To set up, decide which containers should be excluded from automatic monitoring.

                                                                                Note the image, name, label, or Kubernetes pod information as appropriate, and build your rule set accordingly.

                                                                                2. Edit the Agent Configuration

                                                                                For example:

                                                                                use_container_filter: true
                                                                                
                                                                                container_filter:
                                                                                  - include:
                                                                                      container.name: my-app
                                                                                  - include:
                                                                                      container.label.com.sysdig.report: true
                                                                                  - exclude:
                                                                                      kubernetes.namespace.name: kube-system
                                                                                      container.image: "gcr.io*"
                                                                                  - include:
                                                                                      all
                                                                                

                                                                                The above example shows a container_filter with 3 include rules and 1 exclude rule.

                                                                                • If the container name is “my-app” it will be included.

                                                                                • Likewise, if the container has a label with the key “com.sysdig.report” and with the value “true”.

                                                                                • If neither of those rules is true, and the container is part of a Kubernetes hierarchy within the “kube-system” namespace and the container image starts with “gcr.io”, it will be excluded.

                                                                                • The last rule includes all, so any containers not matching an earlier rule will be monitored and metrics for them will be sent to the backend.

                                                                                Use Smart Container Reporting

                                                                                As of Sysdig agent version 0.91, you can add another parameter to the config file: smart_container_reporting = true

                                                                                This enables several new prioritization checks:

                                                                                • container_filter (you would enable and set include/exclude rules, as described above)

                                                                                • container age

                                                                                • high stats

                                                                                • legacy patterns

                                                                                The sort is modified with the following rules in priority order:

                                                                                1. User-specified containers come before others

                                                                                2. Containers reported previously should be reported before those which have never been reported

                                                                                3. Containers with higher usage by each of the 4 default stats should come before those with lower usage

                                                                                Enable Smart Container Reporting and sysdig_aggregated

                                                                                1. Set up any simple container filtering rules you need, following either Option 1 or Option 2, above.

                                                                                2. Edit the agent configuration:

                                                                                  smart_container_reporting: true
                                                                                  
                                                                                3. This turns on both smart_container_reporting and sysdig_aggregated. The changes will be visible in the Sysdig Monitor UI.

                                                                                  See also Sysdig_aggregated Container Metrics..

                                                                                Logging

                                                                                When the log level is set to DEBUG, the following messages may be found in the logs:

                                                                                messagemeaning
                                                                                container <id>, no filter configuredcontainer filtering is not enabled
                                                                                container <id>, include in reportcontainer is included
                                                                                container <id>, exclude in reportcontainer is excluded
                                                                                Not reporting thread <thread-id> in container <id>Process thread is excluded

                                                                                See also: Optional: Change the Agent Log Level.

                                                                                2.4.4.1 -

                                                                                Sysdig Aggregated Container Metrics

                                                                                Sysdig_aggregated containers can report on the following metrics:

                                                                                • tcounters

                                                                                  • other

                                                                                    • time_ns

                                                                                    • time_percentage

                                                                                    • count

                                                                                  • io_file

                                                                                    • time_ns_in

                                                                                    • time_ns_out

                                                                                    • time_ns_other

                                                                                    • time_percentage_in

                                                                                    • time_percentage_out

                                                                                    • time_percentage_other

                                                                                    • count_in

                                                                                    • count_out

                                                                                    • count_other

                                                                                    • bytes_in

                                                                                    • bytes_out

                                                                                    • bytes_other

                                                                                  • io_net

                                                                                    • time_ns_in

                                                                                    • time_ns_out

                                                                                    • time_ns_other

                                                                                    • time_percentage_in

                                                                                    • time_percentage_out

                                                                                    • time_percentage_other

                                                                                    • count_in

                                                                                    • count_out

                                                                                    • count_other

                                                                                    • bytes_in

                                                                                    • bytes_out

                                                                                    • bytes_other

                                                                                  • processing

                                                                                    • time_ns

                                                                                    • time_percentage

                                                                                    • count

                                                                                • reqcounters

                                                                                  • other

                                                                                    • time_ns

                                                                                    • time_percentage

                                                                                    • count

                                                                                  • io_file

                                                                                    • time_ns_in

                                                                                    • time_ns_out

                                                                                    • time_ns_other

                                                                                    • time_percentage_in

                                                                                    • time_percentage_out

                                                                                    • time_percentage_other

                                                                                    • count_in

                                                                                    • count_out

                                                                                    • count_other

                                                                                    • bytes_in

                                                                                    • bytes_out

                                                                                    • bytes_other

                                                                                  • io_net

                                                                                    • time_ns_in

                                                                                    • time_ns_out

                                                                                    • time_ns_other

                                                                                    • time_percentage_in

                                                                                    • time_percentage_out

                                                                                    • time_percentage_other

                                                                                    • count_in

                                                                                    • count_out

                                                                                    • count_other

                                                                                    • bytes_in

                                                                                    • bytes_out

                                                                                    • bytes_other

                                                                                  • processing

                                                                                    • time_ns

                                                                                    • time_percentage

                                                                                    • count

                                                                                • max_transaction_counters

                                                                                  • time_ns_in

                                                                                  • time_ns_out

                                                                                  • count_in

                                                                                  • count_out

                                                                                • resource_counters

                                                                                  • connection_queue_usage_pct

                                                                                  • fd_usage_pct

                                                                                  • cpu_pct

                                                                                  • resident_memory_usage_kb

                                                                                  • swap_memory_usage_kb

                                                                                  • major_pagefaults

                                                                                  • minor_pagefaults

                                                                                  • fd_count

                                                                                  • cpu_shares

                                                                                  • memory_limit_kb

                                                                                  • swap_limit_kb

                                                                                  • count_processes

                                                                                  • proc_start_count

                                                                                  • threads_count

                                                                                • syscall_errors

                                                                                  • count

                                                                                  • count_file

                                                                                  • count_file_opened

                                                                                  • count_net

                                                                                • protos

                                                                                  • http

                                                                                    • server_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                    • client_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                  • mysql

                                                                                    • server_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                    • client_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                  • postgres

                                                                                    • server_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                    • client_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                  • mongodb

                                                                                    • server_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                    • client_totals

                                                                                      • ncalls

                                                                                      • time_tot

                                                                                      • time_max

                                                                                      • bytes_in

                                                                                      • bytes_out

                                                                                      • nerrors

                                                                                • names

                                                                                • transaction_counters

                                                                                  • time_ns_in

                                                                                  • time_ns_out

                                                                                  • count_in

                                                                                  • count_out

                                                                                2.4.5 -

                                                                                Include/Exclude Processes

                                                                                In addition to filtering data by container, it is also possible to filter independently by process. Broadly speaking, this refinement helps ensure that relevant data is reported while noise is reduced. More specifically, use cases for process filtering may include: 

                                                                                • Wanting to alert reliably whenever a given process goes down.  The total number of processes can exceed the reporting limit; when that happens, some processes are not reported. In this case, an unreported process could be misinterpreted as being “down.” Specify a filter for 30-40 processes to guarantee that they will always be reported.

                                                                                • Wanting to limit the number of noisy but inessential processes being reported, for example: sed, awk, grep, and similar tools that may be used infrequently.

                                                                                • Wanting to prioritize workload-specific processes, perhaps from integrated applications such as NGINX, Supervisord or PHP-FPM.

                                                                                Note that you can report on processes and containers independently; the including/excluding of one does not affect the including/excluding of the other.

                                                                                Prerequisites_Processes

                                                                                This feature requires the following Sysdig  component versions: 

                                                                                • Sysdig agent version 0.91 or higher

                                                                                • For on-premises installations: version 3.2.0.2540 or higher

                                                                                Understand Process Filtering Behavior

                                                                                By default, processes are reported according to internal criteria such as resource usage (CPU/memory/file and net IO) and container count.

                                                                                If you choose to enable process filtering, processes in the include list will be given preference over other internal criteria.

                                                                                Processes are filtered based on a standard priority filter description already used in Sysdig yaml files. It is comprised of -include and -exclude statements which are matched in order, with evaluation ceasing with the first matched statement. Statements are considered matched if EACH of the conditions in the statement is met.

                                                                                Use Process Filtering

                                                                                Edit dragent.yaml per the following patterns to implement the filtering you need.

                                                                                Process Condition Parameters and Rules

                                                                                The process: condition parameters and rules are described below.

                                                                                NameValueDescription
                                                                                app_checks_always_send:true/falseLegacy config that causes the agent to emit any process with app check. With process filtering, this translates to an extra “include” clause at the head of the process filter which matches a process with any app check, thereby overriding any exclusions. Still subject to limit.
                                                                                flush_filter:Definition of process filter to be used if flush_filter_enabled == true. Defaults to -include all
                                                                                flush_filter_enabled:true/falseDefaults to false (default process reporting behavior). Set to true to use the rest of the process filtering options.
                                                                                limit:N (chosen number)Defines the approximate limit of processes to emit to the backend, within 10 processes or so. Default is 250 processes.
                                                                                top_n_per_container:N (chosen number)Defines how many of the top processes per resource category per emitted container to report after included processes. Still subject to limit. Defaults to 1.
                                                                                top_n_per_host:N (chosen number)Defines how many of the top processes per resource category per host are reported before included processes. Still subject to limit. Defaults to 1.

                                                                                The process: Condition Parameters

                                                                                Rules

                                                                                • container.image: my_container_image  Validates whether the container image associated with the process is a wild card match of the provided image name

                                                                                • container.name: my_container_name  Validates whether the container name associated with the process is a wild card match of the provided image name

                                                                                • container.label.XYZ: value  Validates whether the label XYZ of the container associated with the process is a wildcard match of the provided value

                                                                                • process.name: my_process_name  Validates whether the name of the process is a wild card match of the provided value

                                                                                • process.cmdline: value  Checks whether the executable name of a process contains the specified value, or any argument to the process is a wildcard match of the provided value

                                                                                • appcheck.match: value  Checks whether the process has any appcheck which is a wildcard match of the given value

                                                                                • all  Matches all processes, but does not whitelist them, nor does it blacklist them. If no filter is provided, the default is -include all. However, if a filter is provided and no match is made otherwise, then all unmatched processes will be blacklisted. In most cases, the definition of a process filter should end with -include: all.

                                                                                Examples

                                                                                Block All Processes from a Container

                                                                                Block all processes from a given container. No processes from some_container_name will be reported.

                                                                                process:
                                                                                  flush_filter_enabled: true
                                                                                  flush_filter:
                                                                                  - exclude:
                                                                                      container.name: some_container_name
                                                                                  - include:
                                                                                      allprocess:   flush_filter: - exclude: container.name: some_container_name - include: all
                                                                                

                                                                                Prioritize Processes from a Container

                                                                                Send all processes from a given container at high priority.

                                                                                process:
                                                                                  flush_filter_enabled: true
                                                                                  flush_filter:
                                                                                    - include:
                                                                                        container.name: some_container_name
                                                                                    - include:
                                                                                        all
                                                                                

                                                                                Prioritize “java” Processes

                                                                                Send all processes that contain ‘java" in the name at high priority.

                                                                                process:
                                                                                  flush_filter_enabled: true
                                                                                  flush_filter:
                                                                                    - include:
                                                                                        process.name: java
                                                                                    - include:
                                                                                        all
                                                                                

                                                                                Prioritize “java” Processes from a Particular Container

                                                                                Send processes containing “java” from a given container at high priority.

                                                                                process:
                                                                                  flush_filter_enabled: true
                                                                                  flush_filter:
                                                                                    - include:
                                                                                        container.name: some_container_name
                                                                                        process.name: java
                                                                                    - include:
                                                                                        all
                                                                                

                                                                                Prioritize “java” Processes not in a Particular Container

                                                                                Send all processes that contain “java” in the name that are not in container some_container_nane.

                                                                                process:
                                                                                  flush_filter_enabled: true
                                                                                  flush_filter:
                                                                                    - exclude:
                                                                                        container.name: some_container_name
                                                                                    - include:
                                                                                        process.name: java
                                                                                    - include:
                                                                                        all
                                                                                

                                                                                Prioritize “java” Processes even from an Excluded Container

                                                                                Send all processes containing “java” in the name. If a process does not contain “java” in the name and if the container within which the process runs is named  some_container_name,  then exclude it.

                                                                                Note that each include/exclude rule is handled sequentially and hierarchically so that even if the container is excluded, it can still report “java” processes.

                                                                                flush_filter:
                                                                                   - flush_filter_enabled: true
                                                                                   - include:
                                                                                       process.name: java
                                                                                   - exclude:
                                                                                      container.name: some_container_name
                                                                                   - include:
                                                                                      all
                                                                                

                                                                                Prioritize “java” Processes and “sql” Processes from Different Containers

                                                                                Send Java processes from one container and SQL processes from another at high priority.

                                                                                process:
                                                                                  flush_filter:
                                                                                    - flush_filter_enabled: true
                                                                                    - include:
                                                                                       container.name: java_container_name
                                                                                       process.name: java
                                                                                    - include
                                                                                       container.name: sql_container_name
                                                                                       process.name: sql
                                                                                    - include
                                                                                        all
                                                                                

                                                                                Report ONLY Processes in a Particular Container

                                                                                Only send processes running in a container with a given label.

                                                                                process:
                                                                                  flush_filter:
                                                                                     - flush_filter_enabled: true
                                                                                     - include:
                                                                                 =container.label.report_processes_from_this_container_example_label: true
                                                                                     - exclude:
                                                                                         all
                                                                                
                                                                                

                                                                                2.4.6 -

                                                                                Collect Metrics from Remote File Systems

                                                                                Sysdig agent does not automatically discover and collect metrics from external file systems, such as NFS, by default. To enable collecting these metrics, add the following entry to the dragent.yaml file:

                                                                                remotefs.enabled = true
                                                                                

                                                                                In addition to the remote file systems, the following mount types are also excluded because they cause high load.

                                                                                mounts_filter:
                                                                                  - exclude: "*|autofs|*"
                                                                                  - exclude: "*|proc|*"
                                                                                  - exclude: "*|cgroup|*"
                                                                                  - exclude: "*|subfs|*"
                                                                                  - exclude: "*|debugfs|*"
                                                                                  - exclude: "*|devpts|*"
                                                                                  - exclude: "*|fusectl|*"
                                                                                  - exclude: "*|mqueue|*"
                                                                                  - exclude: "*|rpc_pipefs|*"
                                                                                  - exclude: "*|sysfs|*"
                                                                                  - exclude: "*|devfs|*"
                                                                                  - exclude: "*|devtmpfs|*"
                                                                                  - exclude: "*|kernfs|*"
                                                                                  - exclude: "*|ignore|*"
                                                                                  - exclude: "*|rootfs|*"
                                                                                  - exclude: "*|none|*"
                                                                                  - exclude: "*|tmpfs|*"
                                                                                  - exclude: "*|pstore|*"
                                                                                  - exclude: "*|hugetlbfs|*"
                                                                                  - exclude: "*|*|/etc/resolv.conf"
                                                                                  - exclude: "*|*|/etc/hostname"
                                                                                  - exclude: "*|*|/etc/hosts"
                                                                                  - exclude: "*|*|/var/lib/rkt/pods/*"
                                                                                  - exclude: "overlay|*|/opt/stage2/*"
                                                                                  - exclude: "/dev/mapper/cl-root*|*|/opt/stage2/*"
                                                                                  - exclude: "*|*|/dev/termination-log*"
                                                                                  - include: "*|*|/var/lib/docker"
                                                                                  - exclude: "*|*|/var/lib/docker/*"
                                                                                  - exclude: "*|*|/var/lib/kubelet/pods/*"
                                                                                  - exclude: "*|*|/run/secrets"
                                                                                  - exclude: "*|*|/run/containerd/*"
                                                                                  - include: "*|*|*"
                                                                                

                                                                                To include a mount type:

                                                                                1. Open the dragent.yaml file.

                                                                                2. Remove the corresponding line from the exclude list in the mount_filter.

                                                                                3. Add the file mount to the include list under mount_filter .

                                                                                  The format is:

                                                                                  # format of a mount filter is:
                                                                                  # ```
                                                                                  # mounts_filter:
                                                                                  #   - exclude: "device|filesystem|mount_directory"
                                                                                  #   - include: "pattern1|pattern2|pattern3"
                                                                                  

                                                                                  For example:

                                                                                  mounts_filter:
                                                                                    - include: "*|autofs|*"mounts_filter:
                                                                                    - include: "overlay|*|/opt/stage2/*"
                                                                                    - include: "/dev/mapper/cl-root*|*|/opt/stage2/*"
                                                                                  
                                                                                4. Save the configuration changes and restart the agent.

                                                                                2.4.7 -

                                                                                Disable Captures

                                                                                Sometimes, security requirements dictate that capture functionality should NOT be triggered at all (for example, PCI compliance for payment information).

                                                                                To disable Captures altogether:

                                                                                1. Access using one of the options listed.

                                                                                  This example accesses dragent.yaml directly. ``

                                                                                2. Set the parameter:

                                                                                  sysdig_capture_enabled: false
                                                                                  
                                                                                3. Restart the agent, using the command: ``

                                                                                  service dragent restart
                                                                                  

                                                                                See Captures for more information on the feature

                                                                                2.5 -

                                                                                Reduce Memory Consumption in Agent

                                                                                Sysdig provides a configuration option called Thin Cointerface to reduce the memory footprint in the agent. When the agent is installed as a Kubernetes daemonset, you can optionally enable the Thin Cointerface in the sysdig-agent configmap.

                                                                                In a typical Kubernetes cluster, two instances of agent daemonset are installed to retrieve the data. They are automatically connected to the Kubernetes API server to retrieve the metadata associated with the entities running on the cluster and sends the global Kubernetes state to the Sysdig backend. Sysdig uses this data to generate Kube State Metrics.

                                                                                A delegated agent will not have a higher CPU or memory footprint than a non-delegated agent.

                                                                                On very large Kubernetes clusters (in the range of 10,000 pods) or clusters with several Replication Controllers, the agent’s data ingestion can have a significant memory footprint on itself and on the Kubernetes API server. Thin Cointerface is provided to reduce this impact.

                                                                                Enabling this option changes the way the agent communicates with the API server and reduces the need to cache data, which in turn reduces the overall memory usage. Thin Cointerface does this by moving some processing from the agent’s cointerface process to the dragent process. This change does not alter the data which is ultimately sent to the backend nor will it impact any Sysdig feature.

                                                                                The thin cointerface feature is disabled by default.

                                                                                To enable:

                                                                                1. Add the following in either the sysdig-agent’s configmap or via the dragent.yaml file:

                                                                                  thin_cointerface_enabled: true
                                                                                  
                                                                                2. Restart the agent.

                                                                                2.6 -

                                                                                Enable Kube State Metrics

                                                                                Updated versions of the Sysdig agent can collect HPA, PVS, and other kube state metrics with the parameter k8s_extra_resources.

                                                                                First, you must edit the agent config file, dragent.yaml, as follows:

                                                                                k8s_extra_resources:
                                                                                    include:
                                                                                      - services
                                                                                      - resourcequotas
                                                                                      - persistentvolumes
                                                                                      - persistentvolumeclaims
                                                                                      - horizontalpodautoscalers
                                                                                

                                                                                See also: Understanding the Agent Config Files.

                                                                                2.7 -

                                                                                Process Kubernetes Events

                                                                                Use Go to Process Kubernetes Events

                                                                                Required: Sysdig agent version 92.1 or higher.

                                                                                As of agent version 9.5.0, go_k8s_user_events:true is the default setting. Set to false to use the older, C++-based version.

                                                                                To streamline Sysdig agent processing times and reduce CPU load, you can use an updated processing engine written in Go.

                                                                                To do so, edit the following code in dragent.yaml:

                                                                                go_k8s_user_events: true
                                                                                

                                                                                Kubernetes Audit Events

                                                                                The agent listens on /k8s-audit for Kubernetes audit events. Configure the path using the following configuration option:

                                                                                security:{k8s_audit_server_path_uris: [path1, path2]}
                                                                                

                                                                                For more information, see Kubernetes Audit Logging.

                                                                                2.8 -

                                                                                Manage Agent Log Levels

                                                                                Sysdig allows you to configure file log levels for agents globally and granularly.

                                                                                2.8.1 -

                                                                                Change Agent Log Level Globally

                                                                                The Sysdig agent generates log entries in /opt/draios/logs/draios.log. The agent will rotate the log file when it reaches 10MB in size, keeping the 10 most recent log files archived with a date-stamp appended to the filename.

                                                                                In order of increasing detail, the log levels available are: [ none | critical| error | warning |notice | info | debug | trace ].

                                                                                The default level (info) creates an entry for each aggregated metrics transmission to the backend servers, once per second, in addition to entries for any warnings and errors.

                                                                                Setting the value lower than info may prohibit troubleshooting agent-related issues.

                                                                                The type and amount of logging can be changed by adding parameters and log level arguments shown below to the agent’s user settings configuration file here:

                                                                                /opt/draios/etc/dragent.yaml

                                                                                After editing the dragent.yaml file, restart the agent at the shell with: service dragent restart to affect changes.

                                                                                Note that dragent.yaml code can be written in both YAML and JSON. The examples below use YAML.

                                                                                File Log Level

                                                                                When troubleshooting agent behavior, increase the logging to debug for full detail:

                                                                                log:
                                                                                  file_priority: debug
                                                                                

                                                                                If you wish to reduce log messages going to the /opt/draios/logs/draios.log file, add the log: parameter with one of the following arguments under it and indented two spaces: [ none | error | warning | info | debug | trace ]

                                                                                log:
                                                                                  file_priority: error
                                                                                

                                                                                Container Console Logging

                                                                                If you are running the containerized agent, you can also reduce container console output by adding the additional parameter console_priority:with the same arguments [ none | error | warning | info | debug | trace ]

                                                                                log:
                                                                                  console_priority: warning
                                                                                

                                                                                Note that troubleshooting a host with less than the default ‘info’ level will be more difficult or not possible. You should revert to ‘info’ when you are done troubleshooting the agent.

                                                                                A level of ‘error’ will generate the fewest log entries, a level of ‘trace’ will give the most, ‘info’ is the default if no entry exists.

                                                                                Example in dragent.yaml

                                                                                customerid: 831f3-Your-Access-Key-9401
                                                                                tags: local:sf,acct:eng,svc:websvr
                                                                                log:
                                                                                 file_priority: warning
                                                                                 console_priority: info
                                                                                

                                                                                OR

                                                                                customerid: 831f3-Your-Access-Key-9401
                                                                                tags: local:sf,acct:eng,svc:websvr
                                                                                log: { file_priority: debug, console_priority: debug }
                                                                                

                                                                                Docker run command

                                                                                If you are using the “ADDITIONAL_CONF” parameter to start a Docker containerized agent, you would specify this entry in the Docker run command:

                                                                                -e ADDITIONAL_CONF=“log:  { file_priority: error, console_priority: none }”
                                                                                -e ADDITIONAL_CONF="log:\n  file_priority: error\n  console_priority: none"
                                                                                

                                                                                Kubernetes Infrastructure

                                                                                When running in a Kubernetes infrastructure (installed using the v1 method, comment in the “ADDITIONAL_CONF” line in the agent sysdig-daemonset.yaml manifest file, and modify as needed:

                                                                                - name: ADDITIONAL_CONF #OPTIONAL pass additional parameters to the agent
                                                                                  value: "log:\n file_priority: debug\n console_priority: error"
                                                                                
                                                                                

                                                                                2.8.2 -

                                                                                Manage File Logging for Agent Components

                                                                                Sysdig Agent provides the ability to set component-wise log levels that override the global file logging level controlled by the file_priority configuration option. The components represent internal software modules and can be found in /opt/draios/logs/draios.log.

                                                                                By controlling logging at the fine-grained component level, you can avoid excessive logging from certain components in draios.log or enable extra logging from specific components for troubleshooting.

                                                                                To set component-level logging:

                                                                                1. Determine the agent component you want to set the log level:

                                                                                  To do so,

                                                                                  1. Open the /opt/draios/logs/draios.log file.

                                                                                  2. Copy the component name.

                                                                                    The format of the log entry is:

                                                                                    <timestamp>, <<pid>.<tid>>, <log level>, <component>[pid]:[line]: <message>
                                                                                    

                                                                                    For example, the given snippet from a sample log file shows log messages from sdjagent, mountedfs_reader, watchdog_runnable, protobuf_file_emitter, connection_manager, and dragent.

                                                                                    2020-09-07 17:56:01.173, 27979.28018, Information, sdjagent[27980]: Java classpath: /opt/draios/share/sdjagent.jar
                                                                                    2020-09-07 17:56:01.173, 27979.28018, Information, mountedfs_reader: Starting mounted_fs_reader with pid 27984
                                                                                    2020-09-07 17:56:01.174, 27979.28019, Information, watchdog_runnable:105: connection_manager starting
                                                                                    2020-09-07 17:56:01.174, 27979.28019, Information, protobuf_file_emitter:64: Will save protobufs for all message types
                                                                                    2020-09-07 17:56:01.174, 27979.28019, Information, connection_manager:282: Initiating connection to collector
                                                                                    2020-09-07 17:56:01.175, 27979.27979, Information, dragent:1243: Created Sysdig inspector
                                                                                    
                                                                                2. Open /opt/draios/etc/dragent.yaml.

                                                                                3. Edit the dragent.yaml file and add the desired components:

                                                                                  In this example, you are setting the global level to notice and component log levels for sdjagent, watchdog_runnable, protobuf_file_emitter, and connection_manager.

                                                                                  log:
                                                                                    file_priority: notice
                                                                                    file_priority_by_component:
                                                                                      - "connection_manager: debug"
                                                                                      - "protobuf_file_emitter: notice"
                                                                                      - "watchdog_runnable: warning"
                                                                                      - "sdjagent: error"
                                                                                  

                                                                                  The log levels specified for components override global settings.

                                                                                4. Restart the agent.

                                                                                  For example, if you have installed the agent as a service, then run:

                                                                                  $ service dragent restart
                                                                                  
                                                                                  

                                                                                2.8.3 -

                                                                                Manage Console Logging for Agent Components

                                                                                Sysdig Agent provides the ability to set component-wise log levels that override the global console logging level controlled by the console_priority configuration option. The components represent internal software modules and can be found in /opt/draios/logs/draios.log.

                                                                                By controlling logging at the fine-grained component level, you can avoid excessive logging from certain components in draios.log or enable extra logging from specific components for troubleshooting.

                                                                                To set component-level logging:

                                                                                1. Determine the agent component you want to set the log level:

                                                                                  To do so,

                                                                                  1. Look at the console output.

                                                                                    If you’re using an orchestrator like Kubernetes, the log viewer facility, such as the kubectl log command, shows the console log output.

                                                                                  2. Copy the component name.

                                                                                    The format of the log entry is:

                                                                                    <timestamp>, <<pid>.<tid>>, <log level>, <component>[pid]:[line]: <message>
                                                                                    

                                                                                    For example, the given snippet from a sample log file shows log messages from sdjagent, mountedfs_reader, watchdog_runnable, protobuf_file_emitter, connection_manager, and dragent.

                                                                                    2020-09-07 17:56:01.173, 27979.28018, Information, sdjagent[27980]: Java classpath: /opt/draios/share/sdjagent.jar
                                                                                    2020-09-07 17:56:01.173, 27979.28018, Information, mountedfs_reader: Starting mounted_fs_reader with pid 27984
                                                                                    2020-09-07 17:56:01.174, 27979.28019, Information, watchdog_runnable:105: connection_manager starting
                                                                                    2020-09-07 17:56:01.174, 27979.28019, Information, protobuf_file_emitter:64: Will save protobufs for all message types
                                                                                    2020-09-07 17:56:01.174, 27979.28019, Information, connection_manager:282: Initiating connection to collector
                                                                                    2020-09-07 17:56:01.175, 27979.27979, Information, dragent:1243: Created Sysdig inspector
                                                                                    
                                                                                2. Open /opt/draios/etc/dragent.yaml.

                                                                                3. Edit the dragent.yaml file and add the desired components:

                                                                                  In this example, you are setting the global level to notice and component log levels for sdjagent, watchdog_runnable, protobuf_file_emitter, and connection_manager.

                                                                                  log:
                                                                                    console_priority: notice
                                                                                    console_priority_by_component:
                                                                                      - "connection_manager: debug"
                                                                                      - "protobuf_file_emitter: notice"
                                                                                      - "watchdog_runnable: warning"
                                                                                      - "sdjagent: error"
                                                                                  

                                                                                  The log levels specified for components override global settings.

                                                                                4. Restart the agent.

                                                                                  For example, if you have installed the agent as a service, then run:

                                                                                  $ service dragent restart
                                                                                  
                                                                                  

                                                                                2.9 -

                                                                                Agent Auto-Config

                                                                                Introduction

                                                                                If you want to maintain centralized control over the configuration of your Sysdig agents, one of the following approaches is typically ideal:

                                                                                1. Via an orchestration system, such as using Kubernetes or Mesos/Marathon.

                                                                                2. Using a configuration management system, such as Chef or Ansible.

                                                                                However, if these approaches are not viable for your environment, or to further augment your Agent configurations via central control, Sysdig Monitor provides an Auto-Config option for agents. The feature allows you to upload fragments of YAML configuration to Sysdig Monitor that will be automatically pushed and applied to some/all of your Agents based on your requirements.

                                                                                Enable Agent Auto-Config

                                                                                Independent of the Auto-Config feature, typical Agent configuration lives in /opt/draios/etc and is derived from a combination of base config in the dragent.default.yaml file and any overrides that may be present in dragent.yaml. See also Understanding the Agent Config Files.

                                                                                Agent Auto-Config adds a middle layer of possible overrides in an additional file dragent.auto.yaml.When present, the the order of config application from highest precedence to lowest now becomes:

                                                                                1. dragent.yaml

                                                                                2. dragent.auto.yaml

                                                                                3. dragent.default.yaml

                                                                                While all Agents are by default prepared to receive and make use of Auto-Config data, the file dragent.auto.yaml will not be present on an Agent until you’ve pushed central Auto-Config data to be applied to that Agent.

                                                                                Auto-Config settings are performed via Sysdig Monitor’s REST API. Simplified examples are available that use the Python client library to get or set current Auto-Config settings. Detailed examples using the REST API are shown below.

                                                                                The REST endpoint for Auto-Config is /api/agents/config. Use the GET method to review the current configuration. The following example shows the initial empty settings that result in no dragent.auto.yaml files being present on your Agents.

                                                                                curl -X GET \
                                                                                       --header "Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
                                                                                       https://app.sysdigcloud.com/api/agents/config
                                                                                
                                                                                
                                                                                Output:
                                                                                {
                                                                                    "files": []
                                                                                }
                                                                                

                                                                                Use the PUT method to centrally push YAML that will be distributed and applied to your Agents as dragent.auto.yaml files. The content parameter must contain syntactically-correct YAML. The filter option is used to specify if the config should be sent to one agent or all of them, such as in this example to globally enable Debug logging on all Agents:

                                                                                curl -X PUT \
                                                                                       --header "Content-Type: application/json" \
                                                                                       --header "Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
                                                                                       https://app.sysdigcloud.com/api/agents/config -d '
                                                                                {
                                                                                  "files": [
                                                                                    {
                                                                                      "filter": "*",
                                                                                      "content": "log:\n  console_priority: debug"
                                                                                    }
                                                                                  ]
                                                                                }'
                                                                                

                                                                                Alternatively, the filter can specify a hardware MAC address for a single Agent that should receive a certain YAML config. All MAC-specific configs should appear at the top of the JSON object and are not additive to any global Auto-Config specified with “filter”: “*" at the bottom. For example, when the following config is applied, the one Agent that has the MySQL app check configured would not have Debug logging enabled, but all others would.

                                                                                curl -X PUT \
                                                                                       --header "Content-Type: application/json" \
                                                                                       --header "Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
                                                                                       https://app.sysdigcloud.com/api/agents/config -d '
                                                                                {
                                                                                  "files": [
                                                                                    {
                                                                                      "filter": "host.mac = \"08:00:27:de:5b:b9\"",
                                                                                      "content": "app_checks:\n  - name: mysql\n    pattern:\n      comm: mysqld\n    conf:\n      server: 127.0.0.1\n      user: sysdig-cloud\n      pass: sysdig-cloud-password"
                                                                                    },
                                                                                    {
                                                                                      "filter": "*",
                                                                                      "content": "log:\n  console_priority: debug"
                                                                                    }
                                                                                  ]
                                                                                }'
                                                                                

                                                                                To update the active central Auto-Config settings, simply PUT a complete replacement JSON object.

                                                                                All connected Agents will receive centrally-pushed Auto-Config updates that apply to them based on the filter settings. Any Agent whose Auto-Config is enabled/disabled/changed based on the centrally-pushed settings will immediately restart, putting the new configuration into effect. Any central Auto-Config settings that would result in a particular Agent’s Auto-Config remaining the same will not trigger a restart.

                                                                                Disable Agent Auto-Config

                                                                                To clear all Agent Auto-Configs, use the PUTmethod to upload the original blank config setting of '{ “files”: [] }'.

                                                                                It is also possible to override active Auto-Config on an individual Agent. To do so, follow these steps for your Agent:

                                                                                1. Add the following config directly to the dragent.yaml file: auto_config: false.

                                                                                2. Delete the file /opt/draios/etc/dragent.auto.yaml.

                                                                                3. Restart the Agent.

                                                                                For such an Agent to opt-in to Auto-Config again, remove auto_config: false from the dragent.yaml and restart the Agent.

                                                                                Restrictions

                                                                                To prevent the possibility of pushing Auto-Config that would damage an Agent’s ability to connect, the following keys will not be accepted in the centrally-pushed YAML.

                                                                                • auto_config

                                                                                • customerid

                                                                                • collector

                                                                                • collector_port

                                                                                • ssl

                                                                                • ssl_verify_certificate

                                                                                • ca_certificate

                                                                                • compression

                                                                                2.10 -

                                                                                Tuning Sysdig Agent

                                                                                The resource requirements for the Sysdig agent are subjective to the size and load of the host. Increased activity equates to higher resource requirements. At a minimum, the agent requires 2% of the total CPU and 512 MiB of memory.

                                                                                You might see 5 to 20 KiB/s of bandwidth consumed. Different variables can increase the throughput required. For example:

                                                                                • The number of metrics

                                                                                • The number of events

                                                                                • Kubernetes objects

                                                                                • Products and features enabled

                                                                                When a Sysdig Capture is being collected, you can expect to see a spike in the bandwidth while the capture file is being ingested.

                                                                                Sysdig does not recommend placing bandwidth shaping or caps on the agent to ensure that data is sent to the Sysdig Collection service.

                                                                                In general, in larger clusters, the agent requires more memory, and in servers with a high number of cores, the agent requires more CPU cores to monitor all the system calls. You will use CPU cores on the host and the Kubernetes nodes visible to the agent as proxies for the rate of events processed in the agent.

                                                                                Similarly, there are different factors that are at play, and considering all the factors, we recommend the following:

                                                                                Small: CPU core count <= 8. Kubernetes nodes <=10

                                                                                Medium: 8 < CPU core count <= 32. 10 < Kubernetes nodes <= 100

                                                                                Large: CPU core count > 32. Kubernetes nodes > 100

                                                                                While you can expect the behavior with the given numbers to be better than simply using the default values, Sysdig cannot guarantee that resource allocation will be correct for all the cases.

                                                                                Cluster SizeSmallMediumLarge
                                                                                Kubernetes CPU Request135
                                                                                Kubernetes CPU Limit135
                                                                                Kubernetes Memory Request1024 MB3072 MB6144 MB
                                                                                Kubernetes Memory Limit1024 MB3072 MB6144 MB
                                                                                Dragent Memory Watchdog512 MB1024 MB2048 MB
                                                                                Cointerface Memory Watchdog512 MB2048 MB4096 MB

                                                                                Note that the agent has its own memory watchdog to prevent runaway memory consumption on the host in case of memory leaks. The default values of the watchdog are specified in the following agent configuration file.

                                                                                watchdog:
                                                                                  max_memory_usage_mb: 1024
                                                                                  max_memory_usage_subprocesses:
                                                                                    sdchecks: 128
                                                                                    sdjagent: 256
                                                                                    mountedfs_reader: 32
                                                                                    statsite_forwarder: 32
                                                                                    cointerface: 512
                                                                                

                                                                                max_memory_usage_mb corresponds to the dragent process in the agent. All the values are given in MiB.

                                                                                For example, to match the agent watchdog settings with large values, the agent configuration would be:

                                                                                watchdog:
                                                                                  max_memory_usage_mb: 2048
                                                                                  max_memory_usage_subprocesses:
                                                                                    sdchecks: 128
                                                                                    sdjagent: 256
                                                                                    mountedfs_reader: 32
                                                                                    statsite_forwarder: 32
                                                                                    cointerface: 4096
                                                                                
                                                                                

                                                                                2.11 -

                                                                                Using the Agent Console

                                                                                Sysdig provides an Agent Console to interact with the Sysdig agent. This is a troubleshooting tool to help you view configuration files and investigate agent configuration problems quickly.

                                                                                Access Agent Console

                                                                                1. From Explore click the Groupings drop-down.

                                                                                2. Select Hosts & Container or Nodes.

                                                                                3. Click the desired host to investigate the corresponding agent configuration.

                                                                                4. Click Options (three dots) on the right upper corner of the Explore tab.

                                                                                5. Click Agent Console.

                                                                                Agent Console Commands

                                                                                View Help

                                                                                The ? command displays the commands to manage Prometheus configuration and targets monitored by the Sysdig agent.

                                                                                $ prometheus ?
                                                                                $ prometheus config ?
                                                                                $ prometheus config show ?
                                                                                

                                                                                Command Syntax

                                                                                The syntax of the Agent Console commands is as follows:

                                                                                directory command
                                                                                directory sub-directory command
                                                                                directory sub-directory sub-sub-directory command
                                                                                

                                                                                View Version

                                                                                Run the following to find the version of the agent running in your environment:

                                                                                $ version
                                                                                

                                                                                An example output:

                                                                                12.0.0
                                                                                

                                                                                Troubleshoot Prometheus Metrics Collection

                                                                                These commands help troubleshoot Prometheus targets configured in your environment.

                                                                                For example, the following commands display and scrape the Prometheus endpoints respectively.

                                                                                $ prometheus target show
                                                                                $ prometheus target scrape
                                                                                

                                                                                Sub-Directory Commands

                                                                                The Promscrape CLI consists of the following sections.

                                                                                • config: Manages Sysdig agent-specific Prometheus configuration.

                                                                                • metadata: Manages metadata associated with the Prometheus targets monitored by the Sysdig agent.

                                                                                • stats: Helps view the global- and job-specific Prometheus statistics.

                                                                                • target: Manages Prometheus endpoints monitored by Sysdig agent.

                                                                                Prometheus Commands

                                                                                Show

                                                                                The show command displays the information about the subsection. For example, the following example displays the configuration of the Prometheus server.

                                                                                $ prometheus config show
                                                                                
                                                                                5  Configuration      Value
                                                                                6  Enabled            True
                                                                                7  Target discovery   Prometheus service discovery
                                                                                8  Scraper            Promscrape v2
                                                                                9  Ingest raw         True
                                                                                10  Ingest calculated  True
                                                                                11  Metric limit       2000
                                                                                
                                                                                Scrape

                                                                                The scrape command scrapes a Prometheus target and displays the information. The syntax is:

                                                                                $ prometheus target scrape -url <URL>
                                                                                

                                                                                For example:

                                                                                $ prometheus target scrape -url http://99.99.99.3:10055/metrics
                                                                                
                                                                                # HELP go_gc_duration_seconds A summary of the GC invocation durations.
                                                                                7  # TYPE go_gc_duration_seconds summary
                                                                                8  go_gc_duration_seconds{quantile="0"} 7.5018e-05
                                                                                9  go_gc_duration_seconds{quantile="0.25"} 0.000118155
                                                                                10  go_gc_duration_seconds{quantile="0.5"} 0.000141586
                                                                                11  go_gc_duration_seconds{quantile="0.75"} 0.000171626
                                                                                12  go_gc_duration_seconds{quantile="1"} 0.00945638
                                                                                13  go_gc_duration_seconds_sum 0.114420898
                                                                                14  go_gc_duration_seconds_count 607
                                                                                

                                                                                View Agent Configuration

                                                                                The Agent configuration commands have a different syntax.

                                                                                Run the following to view the configuration of the agent running in your environment:

                                                                                $ configuration show-dragent-yaml
                                                                                $ configuration show-configmap-yaml
                                                                                $ configuration show-default-yaml
                                                                                $ configuration show-backend-yaml 
                                                                                 
                                                                                

                                                                                The output displays the configuration file. Sensitive data, such as the credentials, are obfuscated.

                                                                                customerid: "********"
                                                                                watchdog:
                                                                                  max_memory_usage_mb: 2048
                                                                                

                                                                                Security Considerations

                                                                                • User-sensitive configuration is obfuscated and not visible through the CLI.

                                                                                • All the information is read-only. You cannot currently change any configuration by using the Agent console.

                                                                                • Runs completely inside the agent. It does not use bash or any other Linux terminals to prevent the risk of command injection.

                                                                                • Runs only via a TLS connection with the Sysdig backend.

                                                                                Disable Agent Console

                                                                                This is currently turned on by default. To turn off Agent Console for a particular team:

                                                                                1. Navigate to Settings > Teams.

                                                                                2. Select the team that you want to disable Agent Console for.

                                                                                3. From Additional Permissions, Deselect Agent Console.

                                                                                4. Click Save.

                                                                                To turn it off in your environment, edit the following in the dragent.yaml file:

                                                                                command_line:
                                                                                  enabled: false
                                                                                
                                                                                

                                                                                3 -

                                                                                Agent Upgrade

                                                                                The steps to upgrade an agent differ depending on whether the agent was originally installed as a Docker container or as a service.

                                                                                This section describes how to check the current version of the installed agents, and then how to upgrade them.

                                                                                It is highly recommended to follow upgrade best practices:

                                                                                • Keep upgrades current

                                                                                • Upgrade progressively without skipping versions, and

                                                                                • Test upgrades in a non-mission-critical or staging environment before rolling in to production.

                                                                                Agent Version Check

                                                                                Container/Docker Installation

                                                                                If the agent is installed as container, run a command similar to:

                                                                                docker exec sysdig-agent /opt/draios/bin/dragent --version
                                                                                

                                                                                Service Installation

                                                                                If the agent is installed as a service, run:

                                                                                /opt/draios/bin/dragent --version
                                                                                

                                                                                The agent version can also be found in the agent log file: /opt/draios/logs/draios.log.

                                                                                Look for the “Agent starting” message, which is logged whenever the agent restarts.

                                                                                Update Agent

                                                                                Update the containerized agent version as you normally update any container; the basic steps are below.

                                                                                Use the full run command as shown in the Settings > Agent Installation tab of your account. CoreOS users can use the fleet script also shown on the Agent Installation tab.

                                                                                Containerized Agent

                                                                                To see which agent versions are available see this link.

                                                                                Docker

                                                                                Basic Steps: stop the agent, remove it, pull the new agent, and install it.

                                                                                The exact Docker command can also be found in the Sysdig Settings > Agent Installation menu.

                                                                                docker stop sysdig-agent
                                                                                docker rm sysdig-agent
                                                                                docker pull sysdig/agent
                                                                                docker run . . .
                                                                                

                                                                                Kubernetes

                                                                                Check whether .yaml files must be updated:

                                                                                Updating the agent image does not overwrite the daemonset.yaml and sysdig-agent-configmap.yaml on your local system. Check the Sysdig Agent Release Notes to see if you need to download the latest .yaml files from GitHub.

                                                                                Perform update:

                                                                                kubectl set image ds/sysdig-agent sysdig-agent=sysdig/agent:<TAG>
                                                                                

                                                                                Watch update status:

                                                                                kubectl rollout status ds/sysdig-agent
                                                                                

                                                                                Service Agent

                                                                                For service (non-containerized) agent installations, updates are installed as part of the normal system upgrade available with `apt-get` or `yum`.

                                                                                Debian, Ubuntu

                                                                                apt-get update
                                                                                apt-get -y install draios-agent
                                                                                

                                                                                CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

                                                                                yum clean expire-cache
                                                                                yum -y install draios-agent
                                                                                
                                                                                

                                                                                4 -

                                                                                Uninstall the Agent

                                                                                This section describes uninstalling the Sysdig agent when it was installed as a service.

                                                                                If the agent was installed as a container, remove it using standard container commands.

                                                                                If the agent was installed by an orchestrator, such as Kubernetes, remove it by using the standard orchestrator commands.

                                                                                Debian/Ubuntu Distributions

                                                                                To uninstall the agent from Debian Linux distributions, including Ubuntu:

                                                                                As the sudo user, run the following command in a terminal on each host:

                                                                                sudo apt-get remove draios-agent
                                                                                

                                                                                Fedora/CentOS/RHEL/Amazon AMI/ Amazon Linux 2 Distributions

                                                                                To uninstall the agent from Fedora Linux distributions, including CentOS, Red Hat Enterprise Linux, as well as Amazon AMI and Amazon Linux 2:

                                                                                As the sudo user, run the following command in a terminal on each host:

                                                                                sudo yum erase draios-agent