Sysdig Agent Release Notes

Here are the most recent release notes for Sysdig Agent. Review the entries to learn about the latest features, defect fixes, and known issues.

13.2.0 May 21, 2024

  • Supported sysdig-deploy version: 1.53.0
  • Supported Falco Engine version: 1000.25.0

Feature Enhancements

SUSE Linux Enterprise Server Support

You can now install the Sysdig Agent on SLES 12 and SLES 15.

  • SLES 12 supports only the kernel module driver.

  • If you want to enable legacy eBPF on an x86_64-based SLES 15 server, install clang manually using SUSEConnect:

    SUSEConnect --product PackageHub/15.5/x86_64

Capture Non-Interactive Commands in Activity Audit

Activity audit can now capture and report non-interactive commands. To enable this feature:

  • Use the secure_audit_streams.commands_include_non_interactive parameter with a list of non-interactive commands. For example:

        - 'sshd'

  • Set secure_audit_streams.executed_commands to true.

Support for Adding Labels to JMX Metrics

Added support for labels on JMX metrics collected by the agent. For more information, see Collect JMX Labels.

Defect Fixes

Fixed Debian Package Upgrade

On Debian-based native installations, upgrading from an older version might result in the agent packages being accidentally marked as unneeded dependencies and subsequently uninstalled by autoremove. This issue has been fixed.

Fixed Metadata Requests in Proxy Environments

When the http_proxy environment variable was set for the agent, obtaining the instance information for machines running in AWS, Azure, or GCP did not work. This issue has been fixed.

RPM Install Honors CPU Quota

Fixed the issue where RPM installation was not honoring the CPU quota for subprocess_resource_limits.

Fixed Limit Settings for Subprocess Resources

Fixed the issue where the subprocess_resource_limits setting was not working on some distributions with cgroup v2.

13.1.1 May 08, 2024

  • Supported sysdig-deploy version: 1.52.4
  • Supported Falco Engine version: 1000.24.0

This hotfix addresses the following:

Feature Enhancements

Support for Malware Detection and Prevention

Malware Detection and Prevention is now available for Hosts and Containers.

This feature is enabled by default for Containers.

Malware Detection and Prevention is disabled by default for Hosts. To enable it, use this configuration:

    enable_detection_on_host: true
    enable_prevention_on_host: false

For more information, see Malware Detection.

On-Demand Security Policy Loading

The agent now requests security policies only on start, or if the security policies are modified on the Sysdig backend. This should result in a significant reduction in network bandwidth consumption, while also reducing the performance impact of periodically updating security policies.

Defect Fixes

Added Flatcar Support in Legacy eBPF Mode

In earlier versions, the legacy eBPF driver failed to compile on recent 6.8 kernels for Flatcar Container Linux. This issue has now been fixed.

13.1.0 April 19, 2024

  • Supported sysdig-deploy version: 1.51.0
  • Supported Falco Engine version: 1000.24.0

Feature Enhancements

Activity Audit Support for Network and File Activity in Secure Light Mode

Sysdig Agent configured in secure_light mode will now support tracking network and file activity as part of the Activity Audit feature, in addition to the existing monitoring of command line activity.

Native Package Enhancements

Native package installation has undergone a major revamp, resulting in the following changes.

Switched supervisor from SysV to systemd

The agent now runs through a systemd service unit as opposed to a SysV init script.

Fine-grained packages depending on the driver

Depending on the driver you intend to use (kmod, legacy_ebpf or universal_ebpf), you should now install a specific package with a smaller set of dependencies. The install script and the Ansible role have been adapted accordingly. Refer to Package Reference for more details.

Uptime Metrics for Agent Sub-Processes

Added agent health metrics to the Prometheus exporter showing the uptime of agent sub-processes.

Feature-Enabled Metrics

Sysdig Agent can now collect feature-enabled metrics using the Prometheus exporter when health metrics are enabled. See Agent Health Metrics for more information.

kube_configmap_info Metric

Added kube_configmap_info metric to provide information on the agent configmap. For more information, see ConfigMap Metrics.

Enriched sysdig_agent_info with Linux Information

The sysdig_agent_info metric is now enriched with Linux kernel and distribution information.

Ability to Configure kube_node_annotations

Added the ability to configure the kube_node_annotations metric. For more information, see Enable Node Annotations.

Defect Fixes

Fixed Repeated Warning Log

Fixed the issue where a warning log was being repeated frequently in both debug and warning modes.

Fixed Automatic Unloading of the Kernel Module

In the case of native installations on Debian-based systems, stopping the service or uninstalling the package might leave the kernel module loaded. This has been fixed.

Kernel Module No Longer Inserted When legacy_ebpf or universal_ebpf Is Selected

In the case of native installations, the kernel module would be built and loaded even when not strictly needed (i.e. when legacy_ebpf or universal_ebpf is selected). Provided the appropriate package is selected, this is no longer the case.

13.0.4 April 12, 2024

  • Supported sysdig-deploy helm chart version: 1.49.8
  • Supported Falco Engine version: 1000.23.0

This hotfix addresses the following:

  • Fixed a defect that prevented the agent upgrade from v12.20 to v13.0 on EKS Bottlerocket.
  • Delivered a preventative change that removes Sysdig Agent’s impact on node stability due to a GKE PDCSI Driver defect. All the code paths that can potentially surface the GKE issue have been replaced with alternate logic.

13.0.3 March 27, 2024

  • Released in sysdig-deploy helm chart version: 1.46.2
  • Supported Falco Engine version: 1000.23.0

This hotfix addresses the following:

  • Fixed build failures of the legacy eBPF probe on the most recent 6.x kernels.
  • Fixed an issue where the Runtime Policy pausing Container Action was not working on environments with cgroup v1.

13.0.2 March 21, 2024

  • Released in sysdig-deploy helm chart version: 1.45.5
  • Supported Falco Engine version: 1000.23.0

This hotfix addresses the following:

  • Vulnerability fixes:

  • Fixed a build issue of the legacy_ebpf driver that impacted RHEL v5.14 kernels with RHEL subversion 410 or higher.

  • Fixed the kernel module build for Linux kernel 6.8.

13.0.1 March 11, 2024

  • Released in sysdig-deploy helm chart version: 1.42.3
  • Supported Falco Engine version: 1000.23.0

This hotfix fixed an issue where the Sysdig Agent could retain allocated UDP ports until reaching port saturation, occurring under specific combinations of the driver used and enabled features.

13.0.0 March 06, 2024

  • Released in sysdig-deploy helm chart version: 1.41.0
  • Supported Falco Engine version: 1000.23.0

We strongly recommend that you skip v13.0.0 and upgrade to Sysdig Agent v13.0.1. See Breaking Changes for more information.

Feature Enhancements

Updated Docker Image to UBI9

Sysdig Agent’s Universal Base Image has been upgraded from UBI8 to UBI9.

Added Agent Health Metrics in secure_light Mode

Added the following health metrics when the agent is running in secure_light mode:

  • sysdig_agent_analyzer_num_evts
  • sysdig_agent_analyzer_dropped_evts

Support for TLS and Basic Authentication in Agent Prometheus Exporter

Agent Prometheus Exporter now supports TLS and basic authentication.

Ability to Collect Subattributes from JMX Metrics

Added the ability to collect individual subattributes from CompositeData JMX metrics.

Availability of Promscrape in ARM64 in FIPS Mode

Sysdig Agent now includes the FIPS-mode promscrape binary that was previously missing for ARM platforms.

Kill Process in Workload

In Threat Detection Policies, Workload and List Matching policies can now be configured to kill the event-triggering process. For details, see Workload.

Breaking Changes

As part of the Sysdig Agent 13.0.0 release, and as anticipated in the release notes for 12.20.0, Sysdig dropped support for:

  • logwatcher
  • RHEL6 and CentOS6

All Sysdig users affected by these changes have been notified. If you haven’t received any communication from Sysdig, it means there is no impact on your usage.

Defect Fixes

Updated ssl_shim Configuration

The ssl_shim configuration has been changed to fix an issue where openssl.cnf bundled with the agent expected ssl_shim to select the FIPS or non-FIPS providers at startup time. This configuration broke other programs that are dynamically linked against OpenSSL v3.

Added an openssl_conf configuration flag to allow users to specify a custom openssl.cnf file for use with the agent. To use a custom OpenSSL v3 library, you need to set the custom openssl_conf and your library path. This configuration is required when openssl_lib points the agent to a custom OpenSSL v3.x library. See openssl_lib for more information.

Support for Universal eBPF on 1-vcore Machines

Universal eBPF is now supported on 1-vcore machines.

Scoping Events to Containers on Specific Kubernetes Clusters

The host scope resolution now works correctly when additional scope predicates are specified along with the standard container_id="". For example, container_id="" and

Fixed Misleading Collector Reconnection Attempts Logs

Fixed an issue where the agent reported a large number of logs with “No further retries left for attach to container”.

12.20.0 January 31, 2024

  • Supported sysdig-deploy version: 1.37.11
  • Supported Falco Engine version: 1000.22.0

Feature Enhancements

Removed the sysdig_secure.enabled Tag

Removed the hardcoded sysdig_secure.enabled tag generated when runtime detection is enabled using the following configuration:

    enabled: true

Use the agent_secure_enabled label in the sysdig_agent_info metric instead to check if runtime detection is enabled.

Enhanced Kernel Sampling Ratio to Handle High Event Loads

The activation logic of the kernel sampling ratio has been improved. You may notice a change in sampling ratio metrics behavior after upgrading to v12.20.0. This behavior is intentional and indicative of a healthy system response.

The sampling ratio is a key tool for the agent to regulate performance during high workloads. Monitoring these metrics gives valuable insights into the overall health of the agent. Version 12.20.0 brings this improvement to optimize the agent’s adaptability to high event loads.

Support for Container Actions and Captures

Sysdig Agent supports the following new actions in Container Drift policies and Malware policies:

  • The ability to create capture files
  • The ability to Kill/Pause/Stop a container

Malware policies are currently in Controlled Availability. Contact Sysdig Support for access to the Malware feature.

Defect Fixes

Updating Kernel No Longer Results in DKMS Failure

Fixed an issue where updating the kernel resulted in Dynamic Kernel Module Support (DKMS) failure in host installations with kmod.

Additional Log Lines No Longer Appear After Agent Update

Fixed an issue where policy events with associated actions could cause a significant increase in the number of lines logged.

Deprecation Notice

In the upcoming agent release, Sysdig will deprecate support for logwatcher, RHEL6, and CentOS6.
