Deploy an EDR Sensor Agent


Installation Requirements

Linux System

Supported architectures:

  • x86_64

  • aarch64 (ARM 64-bit)

Supported server distributions:

  • Amazon Linux

  • Ubuntu

  • CentOS

  • RHEL

  • Debian

  • Fedora

  • SUSE/openSUSE

  • Oracle Linux (RHEL & UEK kernels)

Supported kernel versions:

  • 3.2 and above (mainline)

Support and installation notes

  • We do not support systems that run software that employs the audit netlink socket.

  • Installation will disable the auditd.service and the systemd-journald-audit.socket. It will not change any configuration files for auditd. The previous system state will be restored if you choose to uninstall.

Network

Outbound network connectivity

  • https://cwp-ingest.redcanary.io (tcp/443) (Sensor telemetry sent to Red Canary's AWS account)

  • 34.160.81.0/32 (tcp/443) (Sentry proactive error monitoring)

  • 34.102.210.18/32 (tcp/443) (Sentry proactive error monitoring)

  • 2600:1901:0:5e8a::/64 (tcp/443) (Sentry proactive error monitoring)

  • 2600:1901:0:7edb::/64 (tcp/443) (Sentry proactive error monitoring)

To use a SOCKS proxy, set the HTTPS_PROXY or HTTP_PROXY environment variable.

Or, add the following to config.json: "http_proxy": "https://HOST:PORT"

Installation Instructions


Note: If the Sensor Auto-Upgrade is enabled, replace canary-forwarder and the canary_forwarder below with cwp.

RPM

  1. Place the information below into a file titled redcanary.repo in /etc/yum.repos.d/.

    [RedCanary]
    name=Red Canary Cloud Workload Protection
    username=
    password=
    baseurl=https://redcanary.jfrog.io/artifactory/forwarder-rpm-prod-local/
    enabled=1
    gpgcheck=0
    repo_gpgcheck=1 
    gpgkey=https://.my.redcanary.co/keys/artifactory.gpg.public
    
  2. Run the following: sudo yum install canary_forwarder

  3. Place the information below into a file titled config.json in /opt/redcanary/.

{
   "access_token":"xxxxxxxxxxxxxx",
   "outpost_auth_token":"xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx",
   "offload_target":"Outpost"
}

Debian

  1. Place the information below into a file titled redcanary.list in /etc/apt/sources.list.d/.

Note: Use the contents specific to the system whether it is x86_64/amd64 or AArch64/arm64.

x86_64/amd64

deb [arch=amd64] https://:@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

AArch64/arm64

deb [arch=arm64] https://:@redcanary.jfrog.io/artifactory/forwarder-debian-prod-local main restricted

2. Place the information below into a file titled redcanary_auth.conf in /etc/apt/auth.conf.d/.

machine redcanary.jfrog.io
login 
password 

3. Install the GPG key with the following command, or place the contents of the key into a temporary file titled redcanary.key.

wget -qO - https://.my.redcanary.co/keys/artifactory.gpg.public | sudo gpg --dearmor -o /usr/share/keyrings/redcanary.gpg

4. If copying the key contents, run the following command from the same directory.

cat redcanary.key | sudo gpg --dearmor -o /usr/share/keyrings/redcanary.gpg

5. Run the following commands.

sudo apt-get update
sudo apt-get install canary-forwarder

6. Place the information below into a file titled config.json in /opt/redcanary/.

{
  "access_token": "xxxxxxxxxxxxxx",
  "outpost_auth_token": "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "offload_target": "Outpost",
  "telemetry": {
      "source": "ebpf"
  }
}

7. (Optional) The above configuration tells the sensor to attempt to use eBPF as the telemetry source, falling back to Audit if eBPF is unavailable. If you wish to try Audit first instead (e.g., you are using an older system that doesn't support eBPF), remove the telemetry key and its object from config.json.

8. (Optional) After making changes to config.json, restart the sensor.
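The checks below are an added example, not Red Canary tooling: a POSIX sh pre-flight script that encodes the requirements stated on this page (x86_64/aarch64, mainline kernel 3.2 or newer, the required config.json keys with the optional telemetry object, and the outbound ingest endpoint). The config check is line-oriented, so it assumes one key per line as in the configs above; the `--run` flag and the file path /opt/redcanary/config.json are taken from this page, everything else is the script's own assumption.

```shell
#!/bin/sh
# Pre-flight checks for a host about to receive the Red Canary Linux EDR sensor.
# Added example, not Red Canary tooling; each check takes its input as an argument so
# it can run against sample values or the live host.

# Arg: a "uname -r" string such as "5.15.0-91-generic". Returns 0 when the kernel is 3.2 or newer.
kernel_supported() {
  major=${1%%.*}
  case "$1" in *.*) minor=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*//') ;; *) minor=0 ;; esac
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  [ "$major" -gt 3 ] && return 0
  [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 2 ]
}

# Arg: output of "uname -m". Only x86_64 and aarch64 sensor builds are published.
arch_supported() {
  case "$1" in x86_64|aarch64) return 0 ;; *) return 1 ;; esac
}

# Arg: path to config.json (one key per line). Requires quoted, non-placeholder access_token and
# outpost_auth_token values and offload_target "Outpost"; a value that lost its closing quote fails.
config_valid() {
  for key in access_token outpost_auth_token; do
    grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"]+\"[[:space:]]*,?[[:space:]]*$" "$1" \
      || { echo "$key missing or not a properly quoted string"; return 1; }
    grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"[x-]+\"" "$1" \
      && { echo "$key still holds the placeholder value"; return 1; }
  done
  grep -Eq '"offload_target"[[:space:]]*:[[:space:]]*"Outpost"' "$1" \
    || { echo "offload_target must be \"Outpost\""; return 1; }
  # telemetry.source is optional; when present it must be "ebpf" (omit the object to try Audit first).
  if grep -q '"telemetry"' "$1"; then
    grep -Eq '"source"[[:space:]]*:[[:space:]]*"ebpf"' "$1" \
      || { echo "telemetry.source must be \"ebpf\" when telemetry is set"; return 1; }
  fi
}

# Telemetry leaves the host for cwp-ingest.redcanary.io on tcp/443. curl honours HTTPS_PROXY,
# so this exercises the same proxy path the sensor uses when that variable is set.
ingest_reachable() {
  curl -sS --max-time 10 -o /dev/null https://cwp-ingest.redcanary.io/
}

# Run against the live host: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  arch_supported "$(uname -m)"   || echo "unsupported architecture: $(uname -m)"
  kernel_supported "$(uname -r)" || echo "kernel $(uname -r) is older than 3.2"
  config_valid /opt/redcanary/config.json
  ingest_reachable || echo "cannot reach cwp-ingest.redcanary.io:443 (check proxy / egress rules)"
fi
```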

AMI/VM Setup

1. Start the instance.

2. Install Red Canary Linux EDR via the Debian or RPM instructions.

  • Follow the instructions from the RPM or Debian tabs. Place the config.json file into /opt/redcanary/.

3. Stop the cfsvcd service.

  • sudo systemctl stop cfsvcd or sudo initctl stop cfsvcd

4. Run the following to delete any saved state: sudo rm /opt/redcanary/state.json

5. Shut down the instance.

6. Create the AMI or clone from the VM instance.

Manual Setup

  1. Begin by downloading the relevant package.

  2. To find the download links in Red Canary, click the dropdown arrow next to Endpoints, and then click Deploy sensors.

  3. Select your desired platform, and then select your desired sensor technology.

  4. Scroll down to the Installation Instructions section and click Manual Setup.

  5. Find your operating system below and refer to its Uninstalling the package section.

Ubuntu 16.04 and Newer

Installing the package

sudo apt install ./canary-forwarder-1.2.1_amd64.deb

Uninstalling the package

sudo apt remove canary-forwarder

sudo apt autoremove

Debian 9 and Newer

Installing the package

sudo apt install ./canary-forwarder-1.2.1_amd64.deb

Uninstalling the package

sudo apt remove canary-forwarder

sudo apt autoremove

Debian 8 and Ubuntu 14.04

Installing the package

sudo dpkg -i canary-forwarder-1.2.1_amd64.deb

sudo apt-get -y --fix-broken install

Uninstalling the package

sudo apt-get -y remove canary-forwarder

sudo apt-get -y autoremove