Sysdig Agent

Sysdig supports installing the Sysdig Agent using containers.

Use the Quick Start Wizard

This option provides a script for installing the agent, and is appropriate for quick trial installations to get Sysdig up and running.

  1. Log in to Sysdig Secure as admin and select Integrations > Data Sources | Sysdig Agent.

  2. Click +Add Account and select Docker.

  3. As prompted by the Wizard screen, enter:

    • Tags: For identifying your container installation.
  4. The Wizard will auto-populate a code snippet with the auto-detected Sysdig Secure endpoint and agent access key information.

  5. Copy and run the script. This will install the Sysdig agent and give you runtime threat detection.

Customized Deployment

This option can be integrated with your enterprise deployment methods at production scale.

Before you begin: Collect your agent access key and collector address.

  1. Build and load the kernel module by running the following command in a terminal:

    • If you are not using eBPF:

      docker run -it --privileged --rm --name sysdig-agent-kmodule \
      -v /usr:/host/usr:ro \
      -v /boot:/host/boot:ro \
      -v /lib/modules:/host/lib/modules \
    • OR, if you ARE using eBPF:

      docker run -it --privileged --rm --name sysdig-agent-kmodule \
      -e SYSDIG_BPF_PROBE="" \
      -v /etc/os-release:/host/etc/os-release:ro \
      -v /root/.sysdig:/root/.sysdig \
      -v /usr:/host/usr:ro \
      -v /boot:/host/boot:ro \
      -v /lib/modules:/host/lib/modules:ro \
  2. Configure the kernel module to load during system boot by running the following commands:

    sudo mkdir -p /etc/modules-load.d
    sudo bash -c "echo sysdigcloud-probe > /etc/modules-load.d/sysdigcloud-probe.conf"
  3. Run the agent module providing the access key and, optionally, user-defined tags by running the following command:

    docker run -d --name sysdig-agent \
    --restart always \
    --privileged \
    --net host \
    --pid host \
    [-e TAGS=[TAGS]] \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    --shm-size=512m \

    Note: Replace [ACCESS_KEY] and [COLLECTOR_ADDRESS] with the access key and collector address collected in Prerequisites. [TAGS] is optional.

  4. Verify that the Sysdig Agent is running by running the following command:

    docker ps

    You should see the sysdig-agent container listed in the output.
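
The checks implied by steps 2 to 4 can be scripted so that drift from the documented settings is caught after deployment. This is an added example, not part of the original page or Sysdig's own tooling; the function names are hypothetical, and it assumes the agent was started with the flags and mounts shown in step 3 and that docker inspect reports bind mounts as they were passed with -v.

```shell
#!/bin/sh
# Added example, not Sysdig code. Function names are made up for this sketch.

# Step 2: the boot-time config must contain the module name on its own line.
probe_loads_at_boot() {   # $1 = path to the modules-load.d file
    grep -qx 'sysdigcloud-probe' "$1"
}

# Step 4: succeed only if a container named exactly sysdig-agent is running.
agent_listed() {          # $1 = output of: docker ps --format '{{.Names}}'
    printf '%s\n' "$1" | grep -qx 'sysdig-agent'
}

# Step 3: compare effective settings with the documented flags.
# Prints one line per deviation and returns non-zero if any was found.
FMT='{{.HostConfig.Privileged}} {{.HostConfig.NetworkMode}} {{.HostConfig.PidMode}} {{.HostConfig.RestartPolicy.Name}} {{.HostConfig.ShmSize}}'
agent_settings_drift() {  # $1 = output of: docker inspect -f "$FMT" sysdig-agent
    drift=0
    set -- $1             # split the five space-separated fields
    [ "${1:-}" = true ]      || { echo "privileged=${1:-unset}"; drift=1; }
    [ "${2:-}" = host ]      || { echo "net=${2:-unset}"; drift=1; }
    [ "${3:-}" = host ]      || { echo "pid=${3:-unset}"; drift=1; }
    [ "${4:-}" = always ]    || { echo "restart=${4:-unset}"; drift=1; }
    [ "${5:-}" = 536870912 ] || { echo "shm-size=${5:-unset}"; drift=1; }  # 512m in bytes
    return "$drift"
}

# Step 3: print each documented bind mount that is absent.
# A /proc or /boot mount without :ro does not match and is reported.
BINDS_FMT='{{range .HostConfig.Binds}}{{println .}}{{end}}'
missing_binds() {         # $1 = output of: docker inspect -f "$BINDS_FMT" sysdig-agent
    for want in /var/run/docker.sock:/host/var/run/docker.sock /dev:/host/dev \
                /proc:/host/proc:ro /boot:/host/boot:ro; do
        printf '%s\n' "$1" | grep -qxF -- "$want" || echo "$want"
    done
}

# Run every check against the local Docker daemon.
verify_live() {
    probe_loads_at_boot /etc/modules-load.d/sysdigcloud-probe.conf \
        || echo "sysdigcloud-probe is not set to load at boot"
    agent_listed "$(docker ps --format '{{.Names}}')" \
        || { echo "sysdig-agent is not running"; return 1; }
    agent_settings_drift "$(docker inspect -f "$FMT" sysdig-agent)" || return 1
    m=$(missing_binds "$(docker inspect -f "$BINDS_FMT" sysdig-agent)")
    [ -z "$m" ] || { echo "missing mounts: $m"; return 1; }
}
```

Call verify_live on the Docker host after step 4; it returns non-zero when the container is not running or when its settings or mounts differ from step 3.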

For additional configuration options, including on-premises deployments and using a proxy, see Agent Configuration.

Next Steps

Install the Host Scanner as a container

Install the Rapid Response as a container