Sysdig Agent

You can install Sysdig Agent as a Linux package on Debian, Ubuntu, CentOS, RHEL, Fedora, Amazon AMI, and Amazon Linux 2.

Use the Quick Start Wizard

This option provides a bash script for installing the agent and is appropriate for quick trial installations to get Sysdig up and running.

  1. Log in to Sysdig Secure as an administrator and select Integrations > Data Sources|Sysdig Agent.

  2. Click +Add Agent and select Linux.

  3. As prompted by the Wizard screen, enter:

    • Tags: Enter any tags you like, so you can identify this specific agent later.

  4. The Wizard will auto-populate a code snippet with any tags, as well as autodetected Sysdig Secure endpoint and agent access key information.

  5. Copy and run the script. This will install the Sysdig agent and give you runtime threat detection.

Customized Deployments

Prerequisites

Supported Distributions

Installing the agent as a package is supported on the following distributions:

  • Debian, Ubuntu
  • CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

Starting with agent version 13.1.0, separate packages will have to be installed depending on the driver to be used. See the table below.

Package Reference

Driver                     Main Package              Dependency Packages
kmod (compatibility mode)  draios-agent              draios-agent-slim, draios-agent-kmodule
kmod (recommended)         draios-agent-kmodule      draios-agent-slim
legacy_ebpf                draios-agent-legacy-ebpf  draios-agent-slim
universal_ebpf             draios-agent-slim         (none)

For Debian and Ubuntu

  1. Trust the Sysdig GNU Privacy Guard (GPG) key, configure the apt repository, and update the package list by running the following commands:

    curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public -o /usr/share/keyrings/sysdig-keyring.asc
    echo 'deb [signed-by=/usr/share/keyrings/sysdig-keyring.asc] https://download.sysdig.com/stable/deb stable-$(ARCH)/' | tee /etc/apt/sources.list.d/sysdig.list > /dev/null
    apt-get update
    
  2. Install the kernel development files (kernel module and eBPF drivers only):

    sudo apt-get -y install linux-headers-$(uname -r)
    
  3. Install, configure, and restart the Sysdig agent:

    • Install the agent:
      sudo apt-get -y install draios-agent

    • Specify the agent driver:
      • To select the eBPF driver:
        cat > /etc/default/dragent <<< 'export SYSDIG_BPF_PROBE=""'
        cat >> /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"

      • To select the Universal eBPF driver:
        cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"

      • To select the kernel module driver:
        cat > /etc/default/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"

        Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/default/dragent is optional.
    • Configure dragent.yaml:
      sudo bash -c 'echo "customerid: ACCESS_KEY" >> /opt/draios/etc/dragent.yaml'
      sudo bash -c 'echo "tags: [TAGS]" >> /opt/draios/etc/dragent.yaml'
      sudo bash -c 'echo "collector: COLLECTOR_ADDRESS" >> /opt/draios/etc/dragent.yaml'

      Replace ACCESS_KEY and COLLECTOR_ADDRESS with the access key and collector address associated with your account. [TAGS] is optional and can be used to add custom tags to your metrics.
    • Restart the agent:
      sudo service dragent restart
    

For CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2

  1. Trust the Sysdig GPG key and configure the yum repository:

    sudo rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public && sudo curl -s -o /etc/yum.repos.d/draios.repo https://download.sysdig.com/stable/rpm/draios.repo
    
  2. Install the EPEL repository (kernel module and eBPF drivers only):

    sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
    

    This command is required only if DKMS is not available in the base distribution.

  3. Install the kernel development files (kernel module and eBPF drivers only):

    sudo yum -y install kernel-devel-$(uname -r)
    
  4. Install, configure, and start the Sysdig Agent:

    • Install the agent:
      yum -y install draios-agent
      
    • Specify the agent driver:
      • To select the kernel module driver:
        cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=kmod"
        
        Note: On new installations, the kernel module driver is selected by default, and specifying it explicitly in /etc/sysconfig/dragent is optional.
      • To select the eBPF driver:
        cat > /etc/sysconfig/dragent <<< 'export SYSDIG_BPF_PROBE=""'
        cat >> /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=legacy_ebpf"
        
      • To select the Universal eBPF driver:
        cat > /etc/sysconfig/dragent <<< "SYSDIG_AGENT_DRIVER=universal_ebpf"
        
    • Configure dragent.yaml:
      echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
      echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
      echo collector: COLLECTOR_ADDRESS >> /opt/draios/etc/dragent.yaml
      
      Replace ACCESS_KEY and COLLECTOR_ADDRESS with your own configuration parameters. [TAGS] is optional and can be used to add custom tags to the agent’s metrics. For example, env:production, cluster:east-cluster-a.
    • Start the agent:
      sudo systemctl enable dragent
      sudo systemctl start dragent
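
The >> appends in the "Configure dragent.yaml" steps of both procedures add another customerid or collector line every time they are re-run, and the file they write holds the agent access key. The following is an added example, not Sysdig's own tooling: it replaces keys in place, keeps the file owner-only, and checks the result before the agent is started. The helper names set_agent_option and check_agent_config are hypothetical, and owner-only permissions are an assumption of this example rather than a documented Sysdig requirement.

```sh
# Added example: set_agent_option and check_agent_config are hypothetical
# helpers, not part of the Sysdig packages. Owner-only permissions on the
# file are an assumption of this example.

# set_agent_option FILE KEY VALUE
# Replaces any existing top-level "KEY:" line instead of appending a second one.
set_agent_option() (
    file=$1 key=$2 value=$3
    umask 077                                   # a newly created file is owner-only
    [ -e "$file" ] || : > "$file"
    tmp=$(mktemp "${file}.XXXXXX") || exit 1    # mktemp creates the file with mode 0600
    grep -v -E "^${key}:" "$file" > "$tmp" || true   # grep exits 1 when no line is left
    printf '%s: %s\n' "$key" "$value" >> "$tmp"
    mv -f "$tmp" "$file"                        # atomic swap; the result keeps mode 0600
)

# check_agent_config FILE
# Prints one line per problem and returns non-zero if any was found.
check_agent_config() (
    file=$1 rc=0
    for key in customerid collector; do
        n=$(grep -c -E "^${key}:" "$file" || true)
        case $n in
            1) ;;
            0) echo "missing: $key"; rc=1 ;;
            *) echo "duplicate: $key"; rc=1 ;;
        esac
    done
    # The page's literal placeholders must not reach the running agent.
    if grep -q -E '^(customerid: *ACCESS_KEY|collector: *COLLECTOR_ADDRESS) *$' "$file"; then
        echo "placeholder value not replaced"; rc=1
    fi
    # The file holds the access key: flag any group/other permission bits.
    case $(ls -ld "$file") in
        -???------*) ;;
        *) echo "accessible beyond owner: $file"; rc=1 ;;
    esac
    exit "$rc"
)
```

Source the file as root and call the helpers against /opt/draios/etc/dragent.yaml, then start or restart the agent only when check_agent_config prints nothing.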
      

Next Steps

Install the Host Scanner using a package