DaemonEye Configuration Guide
Type: External
Status: Published
Created: Apr 18, 2026
Updated: Apr 18, 2026
Updated by: Dosu Bot

DaemonEye Configuration Guide#
This guide provides comprehensive information about configuring
DaemonEye for different deployment scenarios and requirements.

Configuration Overview#

DaemonEye uses a hierarchical configuration system that allows you to
override settings at different levels. The configuration is loaded in
the following order (later sources override earlier ones):

  1. Embedded defaults (lowest precedence)
  2. System configuration files
    (/etc/daemoneye/config.yaml)
  3. User configuration files
    (~/.config/daemoneye/config.yaml)
  4. Environment variables
    (DAEMONEYE_*)
  5. Command-line flags (highest precedence)
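The precedence order above is easiest to reason about with a loader that applies the layers one at a time. The following is an added illustration written for this guide, not DaemonEye's own loader: it reads the system and user files as JSON (one of the formats the guide lists) so only the standard library is needed, merges nested sections rather than replacing whole sections, and coerces string-valued environment variables and flags to the type of the embedded default. The ENV_MAP table that maps DAEMONEYE_* variables onto config keys is an assumption; the key names are taken from this guide.

```python
"""Layered configuration loading in the guide's precedence order.

Added example, not DaemonEye's own loader. Files are read as JSON so only
the standard library is needed; ENV_MAP is an assumed variable-to-key map.
"""
import copy
import json
import os

# Embedded defaults (lowest precedence); constructed subset of the guide's keys.
DEFAULTS = {
    "app": {"scan_interval_ms": 30000, "batch_size": 1000, "log_level": "info"},
    "database": {"path": "/var/lib/daemoneye/events.redb", "retention_days": 30},
    "alerting": {"enabled": True},
}

# Assumed mapping of environment variables onto dotted config keys.
ENV_MAP = {
    "DAEMONEYE_LOG_LEVEL": "app.log_level",
    "DAEMONEYE_SCAN_INTERVAL_MS": "app.scan_interval_ms",
    "DAEMONEYE_BATCH_SIZE": "app.batch_size",
    "DAEMONEYE_RETENTION_DAYS": "database.retention_days",
    "DAEMONEYE_DATABASE_PATH": "database.path",
    "DAEMONEYE_ALERTING_ENABLED": "alerting.enabled",
}


def deep_merge(base, override):
    """Return base with override applied: nested sections merge, scalars replace."""
    out = copy.deepcopy(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = copy.deepcopy(val)
    return out


def get_dotted(cfg, dotted):
    """Look up 'a.b' in nested dicts; None if any segment is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def set_dotted(cfg, dotted, value):
    """Assign cfg['a']['b'] = value for 'a.b', creating sections as needed."""
    node = cfg
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def coerce(raw, like):
    """Env vars and flags arrive as strings; coerce to the type of the default."""
    if isinstance(like, bool):  # bool before int: bool is a subclass of int
        if raw.lower() in ("true", "1", "yes"):
            return True
        if raw.lower() in ("false", "0", "no"):
            return False
        raise ValueError(f"not a boolean: {raw!r}")
    if isinstance(like, int):
        return int(raw)
    return raw


def load_file(path):
    """A missing file contributes nothing; a present one must parse."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def effective_config(system_path, user_path, environ, flags):
    """Apply the five layers, lowest precedence first; flags is {dotted_key: raw}."""
    cfg = deep_merge(DEFAULTS, load_file(system_path))   # layers 1 and 2
    cfg = deep_merge(cfg, load_file(user_path))          # layer 3
    for var, dotted in ENV_MAP.items():                  # layer 4
        if var in environ:
            set_dotted(cfg, dotted, coerce(environ[var], get_dotted(DEFAULTS, dotted)))
    for dotted, raw in flags.items():                    # layer 5
        set_dotted(cfg, dotted, coerce(raw, get_dotted(DEFAULTS, dotted)))
    return cfg


def demo():
    """Constructed system/user files, env and flags; each layer overrides one key."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        system_path = os.path.join(tmp, "system.json")
        user_path = os.path.join(tmp, "user.json")
        with open(system_path, "w", encoding="utf-8") as fh:
            json.dump({"app": {"scan_interval_ms": 60000, "log_level": "warn"},
                       "database": {"retention_days": 90}}, fh)
        with open(user_path, "w", encoding="utf-8") as fh:
            json.dump({"app": {"log_level": "debug"}}, fh)
        environ = {"DAEMONEYE_SCAN_INTERVAL_MS": "15000",
                   "DAEMONEYE_ALERTING_ENABLED": "false"}
        flags = {"app.scan_interval_ms": "5000"}
        return effective_config(system_path, user_path, environ, flags)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed run, scan_interval_ms is set by the system file, the environment and a flag, and the flag wins; log_level comes from the user file because nothing higher sets it; batch_size is never overridden and keeps its embedded default. Coercing to the default's type is what keeps `DAEMONEYE_ALERTING_ENABLED=false` from being read as the non-empty, and therefore truthy, string "false".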

Configuration Hierarchy#

File Locations#

System Configuration:

  • Linux: /etc/daemoneye/config.yaml
  • macOS: /Library/Application Support/DaemonEye/config.yaml
  • Windows: C:\ProgramData\DaemonEye\config.yaml

User Configuration:

  • Linux/macOS: ~/.config/daemoneye/config.yaml
  • Windows: %APPDATA%\DaemonEye\config.yaml

Note that ~ and %APPDATA% resolve to the home directory of the account the component runs as, so for a system service the user file that applies is the service account's, not the administrator's.

Component-Specific Configuration:

  • Components use the same configuration file with component-specific sections
  • Environment variables can override specific component settings
  • Command-line flags provide the highest precedence overrides

Configuration Formats#

DaemonEye supports multiple configuration formats:

  • YAML (recommended): Human-readable, supports
    comments
  • JSON: Machine-readable, no comments
  • TOML: Alternative human-readable format

Core Configuration#

Application Settings#

```yaml
app:
  # Scan interval in milliseconds
  scan_interval_ms: 30000
  # Batch size for process collection
  batch_size: 1000
  # Log level: debug, info, warn, error
  log_level: info
  # Data retention period in days
  retention_days: 30
  # Maximum memory usage in MB
  max_memory_mb: 512
  # Enable performance monitoring
  enable_metrics: true
  # Metrics collection interval in seconds
  metrics_interval_secs: 60

# EventBus broker configuration (daemoneye-agent)
broker:
  # Unix socket path for EventBus broker
  socket_path: /tmp/daemoneye-eventbus.sock
  # Broker startup timeout in seconds
  startup_timeout_seconds: 30
  # Maximum message buffer size
  max_message_buffer_size: 10000
  # Message processing timeout in milliseconds
  message_timeout_ms: 5000
```

A socket under /tmp lives in a directory every local user can write to. On multi-user hosts, point socket_path at a directory owned by the service account (for example under /run) so that no other user can pre-create or replace the socket path before the broker starts.

Process Collection Settings#

```yaml
collection:
  # Enable process enumeration
  enable_process_collection: true
  # Enable executable hashing
  enable_hash_computation: true
  # Hash algorithm (sha256, sha1, md5)
  hash_algorithm: sha256
  # Skip hashing for system processes
  skip_system_processes: true
  # Skip hashing for temporary files
  skip_temp_files: true
  # Maximum hash computation time per process (ms)
  max_hash_time_ms: 5000
  # Enable enhanced process metadata collection
  enable_enhanced_metadata: false
```

Keep hash_algorithm at sha256: sha1 and md5 are accepted for compatibility with older indicator feeds, but both are collision-broken and should not be used to decide whether an executable is the one you expect. Be aware that skip_system_processes: true also skips hashing of a system binary that has been replaced, and max_hash_time_ms bounds how long a single large executable can hold up collection.

Detection Engine Settings#

```yaml
detection:
  # Path to detection rules directory
  rules_path: /etc/daemoneye/rules
  # Enable rule hot-reloading
  enable_hot_reload: true
  # Rule execution timeout in seconds
  rule_timeout_secs: 30
  # Maximum memory per rule execution (MB)
  max_rule_memory_mb: 128
  # Enable rule performance monitoring
  enable_rule_metrics: true
  # Rule execution concurrency
  max_concurrent_rules: 10
  # Enable rule validation
  enable_rule_validation: true
```

Alerting Configuration#

Alert Sinks#

```yaml
alerting:
  # Enable alerting
  enabled: true
  # Alert deduplication window in minutes
  dedupe_window_minutes: 60
  # Maximum alert queue size
  max_queue_size: 10000
  # Alert processing concurrency
  max_concurrent_deliveries: 5

  # Sink configurations
  sinks:
    # Standard output sink
    - type: stdout
      enabled: true
      format: json # json, text, csv

    # File output sink
    - type: file
      enabled: false
      path: /var/log/daemoneye/alerts.json
      format: json
      rotation:
        max_size_mb: 100
        max_files: 10

    # Syslog sink
    - type: syslog
      enabled: true
      facility: daemon
      tag: daemoneye
      host: localhost
      port: 514
      protocol: udp # udp, tcp

    # Webhook sink
    - type: webhook
      enabled: false
      url: https://your-siem.com/webhook
      method: POST
      headers:
        Authorization: Bearer ${WEBHOOK_TOKEN}
        Content-Type: application/json
      timeout_secs: 30
      retry_attempts: 3
      retry_delay_ms: 1000

    # Email sink
    - type: email
      enabled: false
      smtp_host: smtp.example.com
      smtp_port: 587
      smtp_username: ${SMTP_USERNAME}
      smtp_password: ${SMTP_PASSWORD}
      smtp_tls: true
      from: daemoneye@example.com
      to: [security@example.com]
      subject: 'DaemonEye Alert: {severity} - {title}'
```

Credentials are referenced as ${VARIABLE} so that they stay out of the configuration file; if you inline them instead, restrict the file's permissions (see Permission Issues under Troubleshooting). Additional sink types (Splunk HEC, Elasticsearch, Kafka, and others) are available in commercial tiers.
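Two things a practitioner wants from the ${VARIABLE} substitution shown in the sinks above: it must fail closed when a variable is unset, so a missing WEBHOOK_TOKEN does not become an empty or literal `${WEBHOOK_TOKEN}` Authorization header that the SIEM silently rejects, and whatever prints the effective configuration must redact the substituted values. The block below is an added example for this guide, not DaemonEye's implementation; it assumes the ${NAME} syntax from the examples and a simple rule that keys containing "token", "password", "secret" or "authorization" are sensitive.

```python
"""${VAR} substitution for sink credentials and redaction for printing.

Added example, not DaemonEye's own code. Assumes the ${NAME} placeholder
syntax shown in the guide's sink examples.
"""
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
SENSITIVE = ("token", "password", "secret", "authorization")


class MissingVariable(KeyError):
    """A placeholder names a variable that is not set in the environment."""


def substitute(value, environ):
    """Replace every ${NAME} in value with environ[NAME]; raise if NAME is unset."""
    def repl(match):
        name = match.group(1)
        if name not in environ:
            raise MissingVariable(name)
        return environ[name]
    return PLACEHOLDER.sub(repl, value)


def expand(node, environ):
    """Walk a parsed config tree and substitute placeholders in every string."""
    if isinstance(node, dict):
        return {k: expand(v, environ) for k, v in node.items()}
    if isinstance(node, list):
        return [expand(v, environ) for v in node]
    if isinstance(node, str):
        return substitute(node, environ)
    return node


def redact(node, key=""):
    """Return a copy safe to print: string values under sensitive keys become '***'."""
    if isinstance(node, dict):
        return {k: redact(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, key) for v in node]
    if isinstance(node, str) and any(s in key.lower() for s in SENSITIVE):
        return "***"
    return node


# Constructed sink section mirroring the guide's webhook and email sinks.
SINKS = {
    "sinks": [
        {"type": "webhook", "url": "https://your-siem.com/webhook",
         "headers": {"Authorization": "Bearer ${WEBHOOK_TOKEN}",
                     "Content-Type": "application/json"}},
        {"type": "email", "smtp_username": "${SMTP_USERNAME}",
         "smtp_password": "${SMTP_PASSWORD}"},
    ]
}

if __name__ == "__main__":
    env = {"WEBHOOK_TOKEN": "abc123", "SMTP_USERNAME": "alerts", "SMTP_PASSWORD": "hunter2"}
    print(redact(expand(SINKS, env)))   # tokens and passwords shown as ***
```

Redaction keys off the key name rather than the value, which is the only reliable signal once the placeholder has been replaced; the header name Authorization is matched case-insensitively for that reason.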

Alert Filtering#

```yaml
alerting:
  # Global alert filters
  filters:
    # Minimum severity level
    min_severity: low # low, medium, high, critical
    # Exclude specific rules
    exclude_rules: [test-rule, debug-rule]
    # Include only specific rules
    include_rules: [] # Empty means all rules
    # Exclude specific hosts
    exclude_hosts: [test-server, dev-workstation]
    # Include only specific hosts
    include_hosts: [] # Empty means all hosts
    # Time-based filtering
    time_filters:
      # Exclude alerts during maintenance windows
      maintenance_windows:
        - start: '02:00'
          end: '04:00'
          days: [sunday]
        - start: '12:00'
          end: '13:00'
          days: [monday, tuesday, wednesday, thursday, friday]
```

Quote the clock times: under YAML 1.1 rules an unquoted 02:00 is a base-60 integer (120), not a string, and a parser that follows those rules will hand the filter a number where it expects HH:MM. Keep maintenance windows as narrow as possible; an alert excluded here is not delivered to any sink, and a scheduled gap in alerting is also a predictable blind spot.
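The filter block above is a pipeline of independent tests, and the order matters less than making sure each one is applied to every alert. The following is an added example written for this guide, not DaemonEye's filter engine: it applies min_severity, the rule and host include/exclude lists, and the maintenance windows to a handful of constructed alerts, and it accepts a window start written either as the string "02:00" or as the base-60 integer a YAML 1.1 parser produces from an unquoted 02:00, so a window that was accidentally left unquoted still suppresses alerts rather than raising or silently never matching. Alerts are assumed to be dicts with rule, severity, host and a datetime timestamp; the min_severity of medium is a constructed variation on the guide's example so that the severity test is exercised.

```python
"""Alert filter pipeline for the alerting.filters block.

Added example, not DaemonEye's own filter code. Assumes alerts are dicts
with 'rule', 'severity', 'host' and a datetime 'timestamp'. Window clock
values may be 'HH:MM' strings or YAML-1.1 sexagesimal integers.
"""
from datetime import datetime

SEVERITIES = ["low", "medium", "high", "critical"]
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_clock(value):
    """Minutes since midnight for 'HH:MM', or pass through a base-60 int (02:00 -> 120)."""
    if isinstance(value, int):
        return value
    hours, minutes = value.split(":")
    return int(hours) * 60 + int(minutes)


def in_window(ts, window):
    """True if ts falls inside the window on one of its listed days."""
    if DAYS[ts.weekday()] not in [d.lower() for d in window["days"]]:
        return False
    now = ts.hour * 60 + ts.minute
    start, end = parse_clock(window["start"]), parse_clock(window["end"])
    if start <= end:
        return start <= now < end
    return now >= start or now < end      # window crosses midnight


def should_deliver(alert, filters):
    """Apply every filter; returns (deliver, reason)."""
    if SEVERITIES.index(alert["severity"]) < SEVERITIES.index(filters.get("min_severity", "low")):
        return False, "below min_severity"
    if alert["rule"] in filters.get("exclude_rules", []):
        return False, "rule excluded"
    include_rules = filters.get("include_rules", [])
    if include_rules and alert["rule"] not in include_rules:
        return False, "rule not included"
    if alert["host"] in filters.get("exclude_hosts", []):
        return False, "host excluded"
    include_hosts = filters.get("include_hosts", [])
    if include_hosts and alert["host"] not in include_hosts:
        return False, "host not included"
    for window in filters.get("time_filters", {}).get("maintenance_windows", []):
        if in_window(alert["timestamp"], window):
            return False, "maintenance window"
    return True, "ok"


# Constructed filter block; the second window holds the integers a YAML 1.1
# parser produces from unquoted 12:00 / 13:00 (12*60 and 13*60).
FILTERS = {
    "min_severity": "medium",
    "exclude_rules": ["test-rule", "debug-rule"],
    "include_rules": [],
    "exclude_hosts": ["test-server", "dev-workstation"],
    "include_hosts": [],
    "time_filters": {"maintenance_windows": [
        {"start": "02:00", "end": "04:00", "days": ["sunday"]},
        {"start": 720, "end": 780,
         "days": ["monday", "tuesday", "wednesday", "thursday", "friday"]},
    ]},
}

# Constructed sample alerts (2026-04-19 is a Sunday, 2026-04-20 a Monday).
ALERTS = [
    {"rule": "suspicious-parent", "severity": "high", "host": "web-01",
     "timestamp": datetime(2026, 4, 19, 3, 15)},    # Sunday 03:15: in window
    {"rule": "suspicious-parent", "severity": "high", "host": "web-01",
     "timestamp": datetime(2026, 4, 20, 12, 30)},   # Monday 12:30: int-coded window
    {"rule": "suspicious-parent", "severity": "critical", "host": "web-01",
     "timestamp": datetime(2026, 4, 20, 14, 0)},    # Monday 14:00: delivered
    {"rule": "test-rule", "severity": "critical", "host": "web-01",
     "timestamp": datetime(2026, 4, 20, 14, 0)},    # excluded rule
    {"rule": "suspicious-parent", "severity": "low", "host": "web-01",
     "timestamp": datetime(2026, 4, 20, 14, 0)},    # below min_severity
]


def run(alerts=ALERTS, filters=FILTERS):
    """Verdict for each alert in order."""
    return [should_deliver(a, filters) for a in alerts]


if __name__ == "__main__":
    for alert, verdict in zip(ALERTS, run()):
        print(alert["rule"], alert["timestamp"], verdict)
```

Returning the reason with each verdict is deliberate: when an expected alert never reaches a sink, the first question is which filter dropped it, and a pipeline that only returns a boolean cannot answer that.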

Database Configuration#

Database Configuration (redb)#

```yaml
database:
  # Database file path
  path: /var/lib/daemoneye/events.redb
  # Data retention period in days
  retention_days: 30
  # Maximum database size in MB
  max_size_mb: 10240
  # Enable automatic cleanup
  enable_cleanup: true
  # Cleanup interval in hours
  cleanup_interval_hours: 24
  # Cleanup batch size
  cleanup_batch_size: 1000
```

Platform-Specific Configuration#

Linux Configuration#

```yaml
platform:
  linux:
    # Enable process namespace monitoring
    enable_namespace_monitoring: true
    # Enable cgroup monitoring
    enable_cgroup_monitoring: true
    # Process collection method
    collection_method: sysinfo
    # Privilege requirements
    privileges:
      # Required capabilities
      capabilities: [SYS_PTRACE]
      # Drop privileges after initialization
      drop_privileges: true
      # Privilege drop timeout in seconds
      privilege_drop_timeout_secs: 30
```
Kernel-level collection (eBPF) is available in commercial tiers.

Windows Configuration#

```yaml
platform:
  windows:
    # Enable registry monitoring
    enable_registry_monitoring: false
    # Enable file system monitoring
    enable_filesystem_monitoring: false
    # Process collection method
    collection_method: sysinfo
    # Privilege requirements
    privileges:
      # Required privileges
      privileges: [SeDebugPrivilege]
      # Drop privileges after initialization
      drop_privileges: true
```
Kernel-level collection (ETW) is available in commercial tiers.

macOS Configuration#

```yaml
platform:
  macos:
    # Enable file system monitoring
    enable_filesystem_monitoring: false
    # Enable network monitoring
    enable_network_monitoring: false
    # Process collection method
    collection_method: sysinfo
    # Privilege requirements
    privileges:
      # Required entitlements
      entitlements: [com.apple.security.cs.allow-jit]
      # Drop privileges after initialization
      drop_privileges: true
```
Kernel-level collection (EndpointSecurity) is available in commercial
tiers.

Environment Variables#

Core Variables#

```bash
# Application settings
export DAEMONEYE_LOG_LEVEL=info
export DAEMONEYE_SCAN_INTERVAL_MS=30000
export DAEMONEYE_BATCH_SIZE=1000
export DAEMONEYE_RETENTION_DAYS=30

# Database settings
export DAEMONEYE_DATABASE_PATH=/var/lib/daemoneye/events.redb
export DAEMONEYE_AUDIT_LEDGER_PATH=/var/lib/daemoneye/audit.sqlite

# Alerting settings
export DAEMONEYE_ALERTING_ENABLED=true
export DAEMONEYE_WEBHOOK_URL=https://your-siem.com/webhook
export DAEMONEYE_WEBHOOK_TOKEN=your-webhook-token

# Platform settings
export DAEMONEYE_ENABLE_EBPF=false
export DAEMONEYE_ENABLE_ETW=false
export DAEMONEYE_ENABLE_ENDPOINT_SECURITY=false
```

A value exported in an interactive shell ends up in the shell history and is visible to anyone who can read the process environment (on Linux, root and the same user via /proc/<pid>/environ). For secrets such as DAEMONEYE_WEBHOOK_TOKEN, prefer an environment file for the service that is readable only by root and the service account.

Configuration Examples#

Basic Production Configuration#
```yaml
# /etc/daemoneye/config.yaml
app:
  scan_interval_ms: 30000
  batch_size: 1000
  log_level: info

database:
  path: /var/lib/daemoneye/events.redb
  retention_days: 30
  max_size_mb: 10240
  enable_cleanup: true

# EventBus broker configuration
broker:
  socket_path: /tmp/daemoneye-eventbus.sock
  startup_timeout_seconds: 30
  max_message_buffer_size: 10000

# Platform-specific settings
platform:
  linux:
    enable_ebpf: false
  windows:
    enable_etw: false
  macos:
    enable_endpoint_security: false
```

High-Performance Configuration#
```yaml
# /etc/daemoneye/config.yaml
app:
  scan_interval_ms: 15000 # More frequent scanning
  batch_size: 2000 # Larger batches
  log_level: warn # Less verbose logging
  retention_days: 7 # Shorter retention
  max_memory_mb: 1024 # More memory
  enable_metrics: true

collection:
  enable_process_collection: true
  enable_hash_computation: true
  hash_algorithm: sha256
  skip_system_processes: true
  max_hash_time_ms: 2000 # Faster hash computation

detection:
  rules_path: /etc/daemoneye/rules
  enable_hot_reload: true
  rule_timeout_secs: 15 # Faster rule execution
  max_concurrent_rules: 20 # More concurrent rules
  max_rule_memory_mb: 64 # Less memory per rule

alerting:
  enabled: true
  dedupe_window_minutes: 30
  max_concurrent_deliveries: 10
  sinks:
    - type: syslog
      enabled: true
      facility: daemon
      tag: daemoneye
    - type: kafka
      enabled: true
      brokers: [kafka.example.com:9092]
      topic: daemoneye.alerts
      batch_size: 100
      batch_timeout_ms: 1000

database:
  event_store:
    path: /var/lib/daemoneye/events.redb
    max_size_mb: 20480
    wal_mode: true
    wal_checkpoint_interval_secs: 60
    max_connections: 20
  retention:
    process_data_days: 7
    alert_data_days: 30
    enable_cleanup: true
    cleanup_interval_hours: 6
```

The kafka sink used here is one of the commercial-tier sinks listed under Alert Sinks. Note also that this example and the airgapped one use a nested database.event_store / database.retention layout, whereas the Database Configuration section above uses the flat database.path and database.retention_days keys; run daemoneye-cli config validate on whichever form you deploy.

Airgapped Environment Configuration#
```yaml
# /etc/daemoneye/config.yaml
app:
  scan_interval_ms: 60000 # Less frequent scanning
  batch_size: 500 # Smaller batches
  log_level: info
  retention_days: 90 # Longer retention
  enable_metrics: true

collection:
  enable_process_collection: true
  enable_hash_computation: true
  hash_algorithm: sha256
  skip_system_processes: true

detection:
  rules_path: /etc/daemoneye/rules
  enable_hot_reload: false # Disable hot reload
  rule_timeout_secs: 60
  max_concurrent_rules: 5

alerting:
  enabled: true
  dedupe_window_minutes: 120
  sinks:
    - type: file
      enabled: true
      path: /var/log/daemoneye/alerts.json
      format: json
      rotation:
        max_size_mb: 50
        max_files: 20
    - type: syslog
      enabled: true
      facility: daemon
      tag: daemoneye

database:
  event_store:
    path: /var/lib/daemoneye/events.redb
    max_size_mb: 5120
    wal_mode: true
  audit_ledger:
    path: /var/lib/daemoneye/audit.sqlite
    wal_mode: true
    synchronous: FULL
    journal_mode: WAL
```

Troubleshooting#

Configuration Validation#

```bash
# Validate configuration file
daemoneye-cli config validate /etc/daemoneye/config.yaml

# Validate current configuration
daemoneye-cli config validate

# Check for configuration issues
daemoneye-cli config check

# Show effective configuration
daemoneye-cli config show --include-defaults
```

Common Configuration Issues#

Invalid YAML Syntax:

```bash
# Check YAML syntax locally (requires PyYAML)
python3 -c "import yaml; yaml.safe_load(open('/etc/daemoneye/config.yaml'))"

# A web-based validator such as https://www.yamllint.com/ also works,
# but never paste a config that contains tokens or passwords into one
```
Missing Required Fields:

```bash
# Check for missing required fields
daemoneye-cli config check --strict

# Show configuration with defaults
daemoneye-cli config show --include-defaults
```
Permission Issues:

```bash
# Check file permissions
ls -la /etc/daemoneye/config.yaml
ls -la /var/lib/daemoneye/

# Fix ownership and permissions on the state directory
sudo chown daemoneye:daemoneye /var/lib/daemoneye/
sudo chmod 755 /var/lib/daemoneye/

# The config file may carry sink credentials: readable by the service
# account, writable only by root
sudo chown root:daemoneye /etc/daemoneye/config.yaml
sudo chmod 640 /etc/daemoneye/config.yaml
```
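Eyeballing ls -la output does not scale across a fleet, and the two questions that matter are easy to check mechanically: can anyone other than the owner write the config or the state directory (which would let them redirect alerts or replace the event store), and is a config that carries credentials readable by everyone. The following is an added example for this guide, not part of daemoneye-cli; the expected owner is a parameter so it runs as any user, and the demo builds a throwaway layout rather than touching /etc or /var.

```python
"""Permission and ownership checks for the config file and state directory.

Added example, not part of daemoneye-cli. Uses only os and stat, so it
runs unprivileged against any path you hand it.
"""
import os
import stat


def check_path(path, expect_uid=None, must_be_private=False):
    """Return a list of findings; an empty list means the path passes.

    Group/world write is rejected for every path. World-read is rejected only
    when must_be_private is set, i.e. the file holds tokens or SMTP passwords.
    """
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    if expect_uid is not None and st.st_uid != expect_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expect_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {mode:04o})")
    if must_be_private and mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable (mode {mode:04o}) but holds credentials")
    return findings


def check_install(config_path, state_dir, expect_uid=None):
    """Check the layout the guide uses: the config file plus the state directory."""
    return (check_path(config_path, expect_uid, must_be_private=True)
            + check_path(state_dir, expect_uid))


def demo():
    """Constructed layout: one correctly restricted config and one leaky copy."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "config.yaml")
        bad = os.path.join(tmp, "config-leaky.yaml")
        state = os.path.join(tmp, "state")
        os.mkdir(state)
        for path in (good, bad):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("alerting:\n  sinks:\n    - type: webhook\n")
        os.chmod(good, 0o600)
        os.chmod(state, 0o750)
        os.chmod(bad, 0o666)        # world-readable and world-writable
        me = os.getuid()
        return {"good": check_install(good, state, me),
                "bad": check_install(bad, state, me)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

Run check_install against the real paths with the service account's uid (for example os.getuid() from a shell running as that account, or the uid from the passwd entry) and treat any non-empty result as a deployment failure rather than a warning.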
Environment Variable Issues:

```bash
# Check environment variables
env | grep DAEMONEYE

# Test environment variable substitution
daemoneye-cli config show --environment
```

Configuration Debugging#

Enable Debug Logging:
```yaml
app:
  log_level: debug
```
Configuration Loading Debug:
```bash
# Show configuration loading process
daemoneye-cli config debug

# Show configuration sources
daemoneye-cli config sources
```
Test Configuration Changes:
```bash
# Test configuration without applying
daemoneye-cli config test /path/to/new-config.yaml

# Apply configuration with validation
daemoneye-cli config apply /path/to/new-config.yaml --validate
```


This configuration guide provides comprehensive information about
configuring DaemonEye for different deployment scenarios. For additional
help, consult the troubleshooting section or contact support.


Source note: Populated from the public repo
(docs/src/user-guides/configuration.md) on 2026-04-18. This
page was previously empty; the content above mirrors the repo at the
time of sync.