Use eBPF as the Default Telemetry Source

Updated on 22 Mar 2024
1 Minute to read

Article summary

Did you find this summary helpful?

Thank you for your feedback

You can configure your endpoints to collect telemetry using eBPF instead of AuditD.

Overview

Before making any changes to your sensors, check the system and network requirements to determine whether eBPF data collection is supported for your endpoints.

Enable eBPF

Update the sensor configuration file.
Optionally disable the DebugFS automount feature.
Restart the sensor.

Update the sensor configuration file

Go to /opt/redcanary/.
Open config.json, and add the following lines:
```
"telemetry": {
    "source": "ebpf"
}
```
Save the file.

Note: If the eBPF initialization fails, the sensor defaults to using AuditD. If you’d prefer the sensor to turn off by default, add “restricted": true to the "telemetry" object.

Optional: Disable DebugFS automount

In order to collect telemetry using eBPF, your endpoint must be able to access the debug file system, also known as DebugFS. DebugFS is mounted by default on most Linux systems. If DebugFS isn’t already mounted, the sensor will try to mount it for you. You can disable the automount feature by adding "automount": false to the "telemetry" object.

Restart the sensor

Your configuration changes won’t take effect until you restart the sensor. For instructions on restarting the Linux EDR sensor service, see performance debugging.

Was this article helpful?

What's Next

Linux FAQ

Table of contents

Overview
Enable eBPF
Update the sensor configuration file
Optional: Disable DebugFS automount
Restart the sensor