Remote Configuration
Configuration Modal
Click Configure on any agent to open the Remote Configuration modal. Changes are stored server-side and delivered to the agent within 30 seconds. Server-side config always overrides the local AgentConfig.json: once the server holds a value for a key, the value in the agent's local file is ignored for that key.
ETW Providers Tab
- Level Filter: Lowest ETW severity to capture (Verbose, Informational, Warning, Error, Critical). Choosing Warning keeps Warning, Error and Critical events and drops Informational and Verbose.
- Kernel Provider Checkboxes: 30+ individual providers to toggle
- Excluded Paths: File paths to exclude (one per line, supports wildcards)
Metrics Tab
Toggle which health metrics the agent collects: CPU Usage, Memory Usage, Disk Space, Process List, Service Status, Event Logs.
Performance Tab
- Batch Size: Events to batch before processing/sending
- Timeout: Max wait before sending a partial batch
Tip: Increase batch size for high-volume environments; decrease for time-sensitive diagnostics.
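The two Performance knobs interact: a batch ships when it is full or when its oldest event has waited out the timeout, whichever comes first. The following is an added example, not the agent's own code; the agent's real batching interface is not documented on this page, so the class, method and field names are assumptions chosen to model the policy on constructed arrival times.

```python
"""Batch Size / Timeout flush policy from the Performance tab, modelled standalone
so the trade-off in the tip can be observed on constructed arrival times.
Added example, not the agent's code; class and method names are assumptions."""
from typing import Callable, List, Optional


class EventBatcher:
    """Ship a batch when it reaches batch_size, or when the oldest pending
    event has waited timeout_s (a partial batch), whichever comes first."""

    def __init__(self, batch_size: int, timeout_s: float, clock: Callable[[], float]):
        self.batch_size = batch_size
        self.timeout_s = timeout_s
        self.clock = clock                   # injected so the policy runs offline
        self.sent: List[List[dict]] = []     # stands in for the network send
        self._pending: List[dict] = []
        self._oldest: Optional[float] = None

    def add(self, event: dict) -> None:
        if not self._pending:
            self._oldest = self.clock()      # age is measured from the first event in the batch
        self._pending.append(event)
        if len(self._pending) >= self.batch_size:
            self._flush()

    def tick(self) -> None:
        """Timer callback: flush a partial batch once it has aged past timeout_s."""
        if self._pending and self.clock() - self._oldest >= self.timeout_s:
            self._flush()

    def _flush(self) -> None:
        self.sent.append(self._pending)
        self._pending, self._oldest = [], None


def simulate(batch_size: int, timeout_s: float, arrivals: List[float]) -> List[int]:
    """Replay events arriving at the given second offsets (constructed input),
    ticking the timer once per second, and return the size of each shipped batch."""
    now = [0.0]                                  # mutable clock the batcher reads
    b = EventBatcher(batch_size, timeout_s, lambda: now[0])
    t = 0.0
    for t_arr in arrivals:
        while t < t_arr:                         # advance to the arrival, ticking each second
            t += 1.0
            now[0] = t
            b.tick()
        now[0] = t_arr
        b.add({"ts": t_arr})
    for _ in range(int(timeout_s) + 1):          # drain whatever is left after the last event
        t += 1.0
        now[0] = t
        b.tick()
    return [len(batch) for batch in b.sent]


if __name__ == "__main__":
    # High volume: three events in 3 s fill the batch; the later trickle waits out the timeout.
    print(simulate(batch_size=3, timeout_s=5, arrivals=[0, 1, 2, 10, 12]))   # [3, 2]
    # Time-sensitive diagnostics: a large batch size still bounds latency by the timeout.
    print(simulate(batch_size=100, timeout_s=1, arrivals=[0]))              # [1]
```

The second run is the point of the tip: with a large batch size the last two events of the first run sit for five seconds before they ship, so on a host you are actively diagnosing the timeout, not the batch size, is what bounds how stale the data is.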
Configuration Presets
Standard (Baseline)
- File I/O, Process/Thread, Registry, Network, .NET Runtime, DNS
- 100–500 events/sec; 2–5% CPU, 50–100 MB RAM
Comprehensive
- All Standard plus Memory, Handles, Drivers, WER, Shell
- 500–2,000 events/sec; 5–10% CPU, 100–150 MB RAM
Maximum
- All providers; 5,000–10,000+ events/sec; 10–15% CPU, 150–200 MB RAM
- Short-term diagnostic sessions only
Linux Agent: journald & auditd Capture
The Linux agent’s eBPF backend sees kernel syscalls but is blind to the structured signal that lives in journald (failed service starts, OOM kills, sudo/su sessions, SSH login chains, kernel WARN_ON dumps) and auditd (file-watch hits, capability use, AVC denials from SELinux/AppArmor, login records). Both readers can be enabled per-host via AgentConfig.json on the agent or pushed remotely.
journald reader
| Flag | Default | Notes |
|---|---|---|
| EnableJournaldCapture | false | Master switch. When true, the agent tails journalctl --output=json --follow and feeds entries into the same SystemEvent pipeline as eBPF. |
| JournaldUnits | [] | Optional list of systemd units to subscribe to (e.g. ["nginx", "postgresql"]). Empty means "all units". |
| JournaldMinPriority | 4 | Syslog priority floor (0=emerg, 7=debug). Default 4 ships warnings-and-worse, matching the Windows "Warning or higher" default. |
| JournaldMaxLinesPerMinute | 1000 | Throttle. Excess lines are dropped and a single Linux.Journald.Throttled marker is emitted per minute so the AI prompt knows lines went missing. |
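The four flags compose into a small pipeline: unit filter, priority floor, then a per-minute throttle that emits one marker instead of the dropped lines. The following is an added example that models that pipeline over constructed journalctl --output=json lines; it is not the agent's code. The flag names and the Linux.Journald.Throttled marker come from the table above; the top-level shape of the AgentConfig.json fragment and the field names on the emitted SystemEvent dicts are assumptions.

```python
"""journald reader behaviour from the table above (EnableJournaldCapture,
JournaldUnits, JournaldMinPriority, JournaldMaxLinesPerMinute) modelled over
constructed journalctl --output=json lines. Added example, not the agent's code:
the config fragment's top-level shape and the SystemEvent field names are
assumptions; the flag names and the throttle marker are from the table."""
import json
from typing import Dict, Iterable, List

THROTTLED_MARKER = "Linux.Journald.Throttled"

# Constructed AgentConfig.json fragment using the documented flag names.
CONFIG_JSON = """{
  "EnableJournaldCapture": true,
  "JournaldUnits": ["nginx"],
  "JournaldMinPriority": 4,
  "JournaldMaxLinesPerMinute": 2
}"""

# Constructed journalctl -o json output, one entry per line: __REALTIME_TIMESTAMP in
# microseconds, PRIORITY as a syslog level (0=emerg .. 7=debug).
SAMPLE_LINES = [
    '{"__REALTIME_TIMESTAMP":"1000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker exited on signal 11"}',
    '{"__REALTIME_TIMESTAMP":"2000000","PRIORITY":"6","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"GET /health 200"}',
    '{"__REALTIME_TIMESTAMP":"3000000","PRIORITY":"3","_SYSTEMD_UNIT":"sshd.service","MESSAGE":"error: maximum authentication attempts exceeded for root"}',
    '{"__REALTIME_TIMESTAMP":"4000000","PRIORITY":"4","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"upstream timed out"}',
    '{"__REALTIME_TIMESTAMP":"5000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker exited on signal 11"}',
    '{"__REALTIME_TIMESTAMP":"6000000","PRIORITY":"1","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"cannot open /etc/nginx/nginx.conf"}',
    'not json: torn line from the tail',
    '{"__REALTIME_TIMESTAMP":"61000000","PRIORITY":"3","_SYSTEMD_UNIT":"nginx.service","MESSAGE":"worker exited on signal 11"}',
]


def reader_settings(config_json: str) -> dict:
    """Pull the journald flags out of AgentConfig.json, applying the table's defaults."""
    cfg = json.loads(config_json)
    return {
        "enabled": bool(cfg.get("EnableJournaldCapture", False)),
        "units": list(cfg.get("JournaldUnits", [])),
        "min_priority": int(cfg.get("JournaldMinPriority", 4)),
        "max_lines_per_minute": int(cfg.get("JournaldMaxLinesPerMinute", 1000)),
    }


def _unit_selected(entry: dict, units: List[str]) -> bool:
    if not units:                                    # [] means every unit
        return True
    unit = entry.get("_SYSTEMD_UNIT", "")
    return any(unit == u or unit == f"{u}.service" for u in units)   # "nginx" matches nginx.service


def filter_journal(lines: Iterable[str], units: List[str], min_priority: int,
                   max_lines_per_minute: int) -> List[dict]:
    """Apply the unit filter, the priority floor and the per-minute throttle,
    returning SystemEvent-like dicts plus at most one throttle marker per minute."""
    out: List[dict] = []
    shipped: Dict[int, int] = {}                     # lines shipped per wall-clock minute
    markers: Dict[int, dict] = {}                    # the single marker for a throttled minute
    for raw in lines:
        try:
            e = json.loads(raw)
        except json.JSONDecodeError:
            continue                                 # torn line mid-tail; skip it
        prio = int(e.get("PRIORITY", 7))             # no PRIORITY: treat as debug
        if prio > min_priority:                      # larger number = less severe
            continue
        if not _unit_selected(e, units):
            continue
        minute = int(e.get("__REALTIME_TIMESTAMP", "0")) // 60_000_000
        if shipped.get(minute, 0) >= max_lines_per_minute:
            if minute not in markers:                # one marker per minute, not per dropped line
                markers[minute] = {"type": THROTTLED_MARKER, "minute": minute, "dropped": 0}
                out.append(markers[minute])
            markers[minute]["dropped"] += 1          # same dict object as in out, so the count grows in place
            continue
        shipped[minute] = shipped.get(minute, 0) + 1
        out.append({"type": "Linux.Journald", "unit": e.get("_SYSTEMD_UNIT"),
                    "priority": prio, "message": e.get("MESSAGE", "")})
    return out


def run_sample() -> List[dict]:
    s = reader_settings(CONFIG_JSON)
    if not s["enabled"]:
        return []
    return filter_journal(SAMPLE_LINES, s["units"], s["min_priority"], s["max_lines_per_minute"])


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```

Note what the throttle does to the sixth line: it is a PRIORITY 1 alert, but the cap is a plain line count per minute, so it is dropped like anything else and the marker with dropped=2 is the only trace of it. Size JournaldMaxLinesPerMinute with that in mind on chatty units, and treat a marker in the prompt as "something may be missing here", not as a minor footnote.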
auditd reader
| Flag | Default | Notes |
|---|---|---|
| EnableAuditdCapture | false | Master switch. Polls ausearch --raw --start checkpoint --interpret on a timer and emits each record as a SystemEvent. |
| AuditdRules | Identity-file watches (/etc/passwd, /etc/shadow, /etc/sudoers) | Rules pushed via auditctl at startup. Leave empty if you manage rules via /etc/audit/rules.d. |
| AuditdPollIntervalSeconds | 30 | Cadence of the ausearch drain. Matches the eBPF batch cadence. |
The systemd unit needs AmbientCapabilities=CAP_AUDIT_READ (and CAP_AUDIT_CONTROL if you want the agent to install rules). On hosts without auditd or journalctl installed, the reader logs a single warning and exits cleanly — safe to leave the flag enabled in a mixed fleet.
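Two pieces of the auditd reader are worth seeing concretely: what the default identity-file watches look like as auditctl rules, and how the multi-record output of an ausearch drain folds into one event per audit serial. The following is an added example and not the agent's code. Only the three watched paths come from the table; the -p wa permissions, the -k identity key, the constructed ausearch sample and the field names on the resulting dicts are assumptions.

```python
"""auditd reader pieces from the table above: the auditctl watch rules the agent
pushes at startup for the default identity-file set, and a parser that folds
ausearch --raw records into one SystemEvent-like dict per audit event.
Added example, not the agent's code. The -p wa permissions, the -k key name,
the record sample (constructed) and the output field names are assumptions."""
import re
import shlex
from typing import Dict, Iterable, List

DEFAULT_WATCHES = ["/etc/passwd", "/etc/shadow", "/etc/sudoers"]   # from the table

# type=<RECORD> msg=audit(<secs.millis>:<serial>): <key=value ...>
_RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")

# Constructed ausearch --raw output: root editing /etc/shadow (success), then an
# unprivileged user failing to open /etc/sudoers for writing (exit=-13, EACCES).
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1700000000.100:42): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c0 a2=241 a3=1b6 items=2 ppid=1201 pid=1337 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1700000000.100:42): cwd="/root"
type=PATH msg=audit(1700000000.100:42): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.100:42): item=1 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.100:42): proctitle=7669002F6574632F736861646F77

type=SYSCALL msg=audit(1700000000.500:43): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3c8 a2=1 a3=0 items=1 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 comm="bash" exe="/usr/bin/bash" key="identity"
type=PATH msg=audit(1700000000.500:43): item=0 name="/etc/sudoers" inode=1235 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def auditctl_rules(paths: Iterable[str] = DEFAULT_WATCHES, key: str = "identity") -> List[str]:
    """Rule lines to hand to auditctl: write/attribute watches tagged with a key
    so the hits are searchable (ausearch -k) and attributable in the prompt."""
    return [f"-w {p} -p wa -k {key}" for p in paths]


def _kv(body: str) -> Dict[str, str]:
    """Split an audit record body into key/value pairs; shlex strips the quotes
    around values such as name="/etc/shadow" and exe="/usr/bin/vi"."""
    try:
        tokens = shlex.split(body)
    except ValueError:                          # unbalanced quote in an odd field
        tokens = body.split()
    return dict(t.split("=", 1) for t in tokens if "=" in t)


def parse_ausearch(lines: Iterable[str]) -> List[dict]:
    """Group records by their audit(<ts>:<serial>) id. SYSCALL gives actor, key and
    outcome; PATH records give the files touched. Lines that are not records
    ('----', 'time->', blanks) are ignored, so raw and formatted output both work."""
    events: Dict[str, dict] = {}
    for line in lines:
        m = _RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        eid = f"{ts}:{serial}"
        ev = events.setdefault(eid, {"id": eid, "ts": float(ts), "records": [], "paths": []})
        ev["records"].append(rtype)
        f = _kv(body)
        if rtype == "SYSCALL":
            ev["key"] = None if f.get("key") in (None, "(null)") else f["key"]
            ev["auid"] = f.get("auid")              # login uid: survives su/sudo, unlike uid
            ev["uid"] = f.get("uid")
            ev["exe"] = f.get("exe")
            ev["syscall"] = f.get("syscall")
            ev["success"] = f.get("success") == "yes"
        elif rtype == "PATH" and "name" in f:
            ev["paths"].append(f["name"])
    return list(events.values())                # dict preserves first-seen order


def watch_hits(events: List[dict], key: str = "identity") -> List[dict]:
    """Only the events our own rules tagged; other audit traffic is noise for this reader."""
    return [e for e in events if e.get("key") == key]


if __name__ == "__main__":
    print("\n".join(auditctl_rules()))
    for ev in watch_hits(parse_ausearch(SAMPLE_RAW.splitlines())):
        print(ev["id"], ev["auid"], ev["uid"], ev["exe"], ev["paths"], ev["success"])
```

The first event is the one to read carefully: uid=0 but auid=1000, which is exactly the su/sudo session chain the page says the eBPF backend cannot see on its own. Keep auid alongside uid in whatever the reader emits, and keep success=no events too; a failed write to /etc/sudoers by an unprivileged user is evidence even though nothing changed.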
Both readers are opt-in because a quiet host shouldn’t suddenly start shipping every log line. Operators flip them on when they want richer Inflection RCA prompts — the AI sees journald narratives and auditd file-watch hits as evidence alongside eBPF syscalls.