Hosts
Prerequisites
- Review
- Collect the following:
For more information on agent configuration, see Configure Sysdig Agent.
Use the Quick Start Wizard
This option provides a script for installing the agent and is appropriate for quick trial installations to get Sysdig up and running.
Install as a Container
Log in to Sysdig Monitor as an administrator.
Select Integrations > Sysdig Agent.
Click +Add Account and select Docker.
As prompted by the screen, enter the list of tags. For example, env:production,cluster:east-cluster-a.
The wizard autopopulates a code snippet with the autodetected Sysdig Monitor endpoint and the agent access key.
Copy and run the script.
This will install the Sysdig agent.
Install as a Package
Log in to Sysdig Monitor as an administrator.
Select Integrations > Sysdig Agent.
Click +Add Account and select Linux.
As prompted by the screen, enter the list of tags. For example, env:production,cluster:east-cluster-a.
The wizard autopopulates a code snippet with the autodetected Sysdig Monitor endpoint and the agent access key.
Copy and run the script.
This will install the Sysdig agent.
Customized Installation
This option can be integrated with your enterprise deployment methods at a production scale.
Install as a Container
- Google Kubernetes Engine (GKE) Container-Optimized OS (COS) environments require the eBPF or Universal eBPF driver to run the Sysdig Agent.
- Agent versions 12.17.0 and newer ship with a pre-built Universal eBPF object embedded in the agent binary. It is not necessary to run the sysdig-agent-kmodule container when using the Universal eBPF driver.
- Build and load the kernel module or eBPF object file (kernel module and eBPF drivers only):
If you are using the kernel module driver, run:
docker run -it --privileged --rm --name sysdig-agent-kmodule \
  -v /usr:/host/usr:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules \
  quay.io/sysdig/agent-kmodule
If you are using the eBPF driver, run:
docker run -it --privileged --rm --name sysdig-agent-kmodule \
  -e SYSDIG_BPF_PROBE="" \
  -v /usr:/host/usr:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /etc/os-release:/host/etc/os-release:ro \
  -v /root/.sysdig:/root/.sysdig \
  quay.io/sysdig/agent-kmodule
Configure the kernel module to load during system boot. Skip this step for the eBPF and Universal eBPF drivers:
sudo mkdir -p /etc/modules-load.d
sudo bash -c "echo sysdigcloud-probe > /etc/modules-load.d/sysdigcloud-probe.conf"
Run the agent container providing the access key and, optionally, user-defined tags:
If you are using the kernel module driver, run:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  [-e TAGS=<TAGS>] \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  --shm-size=512m \
  quay.io/sysdig/agent-slim
If you are using eBPF, run:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e SYSDIG_BPF_PROBE="" \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  [-e TAGS=<TAGS>] \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /root/.sysdig:/root/.sysdig \
  --shm-size=512m \
  quay.io/sysdig/agent-slim
If you are using Universal eBPF, run:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e SYSDIG_AGENT_DRIVER=universal_ebpf \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  [-e TAGS=<TAGS>] \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  --shm-size=512m \
  quay.io/sysdig/agent-slim
Replace <ACCESS_KEY> and <COLLECTOR_ADDRESS> with the access key and collector address associated with your account. <TAGS> is optional. You can use it to add custom tags to your metrics. For example, env:production, cluster:east-cluster-a.
- Verify that Sysdig Agent is running:
docker ps
You should see the sysdig-agent container listed in the output.
The Sysdig Agent is now installed and running on your host. You can begin monitoring your system, and view dashboards and alerts on the Sysdig Monitor UI.
Install as a Package
Installing the agent as a package is supported on the following:
- Debian, Ubuntu
- CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2
Starting with agent version 13.1.0, separate packages will have to be installed depending on the driver to be used. Please see the table below.
Package Reference
Driver | Main Package | Dependency Packages |
---|---|---|
kmod (compatibility mode) | draios-agent | draios-agent-slim, draios-agent-kmodule |
kmod (recommended) | draios-agent-kmodule | draios-agent-slim |
legacy_ebpf | draios-agent-legacy-ebpf | draios-agent-slim |
universal_ebpf | draios-agent-slim | |
Debian and Ubuntu
Trust the Sysdig Monitor GNU Privacy Guard (GPG) key, configure the apt repository, and update the package list:
curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public -o /usr/share/keyrings/sysdig-keyring.asc
echo 'deb [signed-by=/usr/share/keyrings/sysdig-keyring.asc] https://download.sysdig.com/stable/deb stable-$(ARCH)/' | tee /etc/apt/sources.list.d/sysdig.list > /dev/null
apt-get update
Install kernel development files (kernel module and eBPF drivers only):
sudo apt-get -y install linux-headers-$(uname -r)
Install, configure, and restart the Sysdig agent:
Install the agent and specify the agent driver:
- To select the kernel module driver:
sudo apt-get -y install draios-agent-kmodule
cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/default/dragent is optional.
- To select the eBPF driver:
sudo apt-get -y install draios-agent-legacy-ebpf
cat > /etc/default/dragent <<< 'SYSDIG_BPF_PROBE=""'
cat >> /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
- To select the Universal eBPF driver:
sudo apt-get -y install draios-agent-slim
cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
Configure dragent.yaml:
sudo bash -c "echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml"
sudo bash -c "echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml"
sudo bash -c "echo collector: COLLECTOR_ADDRESS >> /opt/draios/etc/dragent.yaml"
Replace ACCESS_KEY and COLLECTOR_ADDRESS with the access key and collector address associated with your account. [TAGS] are optional and can be used to add custom tags to the agent’s metrics.
Restart the agent:
sudo systemctl enable dragent
sudo systemctl start dragent
CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2
Trust the Sysdig Monitor GPG key and configure the yum repository:
sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
Install the Extra Packages for Enterprise Linux (EPEL) repository (kernel module and eBPF drivers only):
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
This command is required only if Dynamic Kernel Module Support (DKMS) is not available in the base distribution.
Install the kernel development files (kernel module and eBPF drivers only):
sudo yum -y install kernel-devel-$(uname -r)
Install, configure, and start the Sysdig Agent:
- Install the agent and specify the agent driver:
- To select the kernel module driver:
yum -y install draios-agent-kmodule
cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/sysconfig/dragent is optional.
- To select the legacy eBPF driver:
yum -y install draios-agent-legacy-ebpf
cat > /etc/sysconfig/dragent <<< 'SYSDIG_BPF_PROBE=""'
cat >> /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
- To select the Universal eBPF driver:
yum -y install draios-agent-slim
cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
- Configure dragent.yaml:
echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
echo collector: COLLECTOR_ADDRESS >> /opt/draios/etc/dragent.yaml
Replace ACCESS_KEY and COLLECTOR_ADDRESS with installation-specific values. [TAGS] is optional and can be used to add custom tags to your metrics. For example, env:production,cluster:east-cluster-a.
- Start the agent:
sudo systemctl enable dragent
sudo systemctl start dragent
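After a package installation on either distribution family, the driver named in the environment file should correspond to an installed main package from the Package Reference table. The script below is an added example, not Sysdig tooling; its function names are hypothetical, and it assumes the environment file holds plain `NAME=value` lines as written by the commands above.

```bash
#!/usr/bin/env bash
# Added example (not Sysdig tooling): check that the driver selected in the
# agent environment file has its main package installed. Names are hypothetical.

# Main package per driver, from the Package Reference table on this page.
package_for_driver() {
  case "$1" in
    kmod)           echo draios-agent-kmodule ;;
    legacy_ebpf)    echo draios-agent-legacy-ebpf ;;
    universal_ebpf) echo draios-agent-slim ;;
    *)              return 1 ;;
  esac
}

# Read SYSDIG_AGENT_DRIVER from an environment file. The last assignment wins;
# an unset variable means kmod, the documented default.
configured_driver() {
  value=""
  if [ -r "$1" ]; then
    value=$(sed -n 's/^[[:space:]]*SYSDIG_AGENT_DRIVER=//p' "$1" | tail -n 1 | tr -d "\"'")
  fi
  echo "${value:-kmod}"
}

# Succeed if the package is installed, using whichever package manager exists.
package_installed() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q "$1" >/dev/null 2>&1
  else
    return 2
  fi
}

check_agent_driver() {
  driver=$(configured_driver "$1")
  pkg=$(package_for_driver "$driver") || { echo "unknown driver: $driver"; return 1; }
  if package_installed "$pkg"; then
    echo "ok: $driver -> $pkg"
  else
    echo "mismatch: $driver is selected but $pkg is not installed"; return 1
  fi
}

# Usage: check_agent_driver /etc/default/dragent     # Debian, Ubuntu
#        check_agent_driver /etc/sysconfig/dragent   # RPM-based distributions
```

In kmod compatibility mode the table lists draios-agent-kmodule as a dependency of draios-agent, so the same package check covers both kmod rows.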
Uninstall Agent
Container
If Sysdig Agent was installed as a container, remove it using the standard container commands.
Debian and Ubuntu
To uninstall the agent from Debian Linux distributions, including Ubuntu:
Run the following command in a terminal on each host:
sudo apt-get purge -y draios-agent
Fedora, CentOS, RHEL, Amazon AMI, Amazon Linux 2
To uninstall the agent from Fedora Linux distributions, run the following command in a terminal on each host:
sudo yum -y erase draios-agent
Install As a Single Container (Legacy)
The legacy way of installing an agent involves running it as a single container. It includes the components for downloading and building the kernel module, as well as for gathering and reporting on a wide variety of pre-defined metrics and events.
SaaS
Collect the necessary environment variables.
Run the agent container providing the access key and, optionally, user-defined tags:
To use the kernel module driver:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  [-e TAGS=<TAGS>] \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  --shm-size=512m \
  -v /etc/modprobe.d:/etc/modprobe.d \
  quay.io/sysdig/agent
To use the eBPF driver:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  [-e TAGS=<TAGS>] \
  -e SYSDIG_BPF_PROBE="" \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  --shm-size=512m \
  -v /etc/modprobe.d:/etc/modprobe.d \
  quay.io/sysdig/agent
To use the Universal eBPF driver:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  [-e TAGS=<TAGS>] \
  -e SYSDIG_AGENT_DRIVER=universal_ebpf \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  --shm-size=512m \
  quay.io/sysdig/agent-slim
On-Premises
Collect the necessary environment variables.
Run the agent container providing the access key and, optionally, user-defined tags:
To use the kernel module driver:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  -e SECURE=true \
  -e CHECK_CERTIFICATE=true \
  [-e TAGS=<TAGS>] \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  --shm-size=512m \
  quay.io/sysdig/agent
To use the eBPF driver:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  -e SECURE=true \
  -e CHECK_CERTIFICATE=true \
  [-e TAGS=<TAGS>] \
  -e SYSDIG_BPF_PROBE="" \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  --shm-size=512m \
  quay.io/sysdig/agent
To use the Universal eBPF driver:
docker run -d --name sysdig-agent \
  --restart always \
  --privileged \
  --net host \
  --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> \
  -e COLLECTOR=<COLLECTOR_ADDRESS> \
  -e SECURE=true \
  -e CHECK_CERTIFICATE=true \
  [-e TAGS=<TAGS>] \
  -e SYSDIG_AGENT_DRIVER=universal_ebpf \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  --shm-size=512m \
  quay.io/sysdig/agent-slim
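The `docker run` variants on this page differ mainly in which host paths are mounted read-only and which environment variables are passed. The script below is an added example, not Sysdig tooling, that lists the writable bind mounts and the `SECURE` and `CHECK_CERTIFICATE` values of a given command before it is deployed; the function names are hypothetical, and it only understands the `-v SRC:DST[:MODE]` and `-e NAME=value` forms used here.

```bash
#!/usr/bin/env bash
# Added example (not Sysdig tooling): review an agent `docker run` line before
# deploying it. Function names are hypothetical.

# Constructed sample: the on-premises Universal eBPF command from this page,
# with its placeholders left in place.
SAMPLE_CMD='docker run -d --name sysdig-agent \
  --restart always --privileged --net host --pid host \
  -e ACCESS_KEY=<ACCESS_KEY> -e COLLECTOR=<COLLECTOR_ADDRESS> \
  -e SECURE=true -e CHECK_CERTIFICATE=true \
  -e SYSDIG_AGENT_DRIVER=universal_ebpf \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev -v /proc:/host/proc:ro \
  --shm-size=512m quay.io/sysdig/agent-slim'

# Split a command into one token per line (spaces, tabs, line continuations).
tokens() { tr -s ' \t\\' '\n'; }

# Print the host path of every bind mount (-v) that is not mounted read-only.
writable_mounts() {
  printf '%s\n' "$1" | tokens | awk '
    $0 == "" { next }
    prev == "-v" { n = split($0, p, ":"); if (n < 3 || p[3] !~ /(^|,)ro(,|$)/) print p[1] }
    { prev = $0 }'
}

# Print the value passed as `-e NAME=...`, or nothing when NAME is not passed.
env_value() {
  printf '%s\n' "$2" | tokens | awk -v name="$1" '
    $0 == "" { next }
    prev == "-e" && index($0, name "=") == 1 { v = substr($0, length(name) + 2) }
    { prev = $0 }
    END { print v }'
}

audit_agent_run() {
  echo "Writable host mounts:"
  writable_mounts "$1" | sed 's/^/  /'
  for name in SECURE CHECK_CERTIFICATE; do
    val=$(env_value "$name" "$1")
    echo "$name=${val:-<not passed>}"
  done
}

audit_agent_run "$SAMPLE_CMD"
```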
Common Environment Variables for Agent Containers
Option | Description |
---|---|
ACCESS_KEY | The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure. |
TAGS | The list of tags for the host where the agent is installed. For example: role:webserver, location:europe |
COLLECTOR | The collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the Monitor UI or Data Sources page in Secure. It is a custom value in on-prem installations. See SaaS Regions and IP Ranges. |
COLLECTOR_PORT | The default is 6443. |
ADDITIONAL_CONF | Optional. Use this option to provide custom configuration values to the agent as environment variables. If provided, will be appended to the agent configuration file. |
SYSDIG_AGENT_DRIVER | Optional. The syscall capture driver that is used by the agent. Valid values are kmod, universal_ebpf, and legacy_ebpf. Agent defaults to kmod if this environment variable is not set. |
SYSDIG_BPF_PROBE | Optional. Deprecated and superseded by Note: The agent will exit with an error if |
See Understand the Agent Configuration for additional information on agent and container environment variables.