DaemonEye Configuration Guide

Type: External
Status: Published
Created: Mar 8, 2026
Updated: Apr 3, 2026
Updated by: Dosu Bot

This guide provides comprehensive information about configuring DaemonEye for different deployment scenarios and requirements.

Configuration Overview

DaemonEye uses a hierarchical configuration system that allows you to override settings at different levels:

  1. Embedded defaults (lowest precedence)
  2. System configuration files (/etc/daemoneye/config.yaml)
  3. User configuration files (~/.config/daemoneye/config.yaml)
  4. Environment variables (DAEMONEYE_*)
  5. Command-line flags (highest precedence)

Configuration Hierarchy

File Locations

System Configuration:

  • Linux: /etc/daemoneye/config.yaml
  • macOS: /Library/Application Support/DaemonEye/config.yaml
  • Windows: C.yaml

User Configuration:

  • Linux/macOS: ~/.config/daemoneye/config.yaml
  • Windows: %APPDATA%\DaemonEye\config.yaml

Core Configuration

Application Settings

app:
  scan_interval_ms: 30000
  batch_size: 1000
  log_level: info
  retention_days: 30
  max_memory_mb: 512
  enable_metrics: true
  broker:
    socket_path: /tmp/daemoneye-eventbus.sock
    startup_timeout_seconds: 30
    max_message_buffer_size: 10000

Process Collection

collection:
  enable_process_collection: true
  enable_hash_computation: true
  hash_algorithm: sha256
  skip_system_processes: true
  max_hash_time_ms: 5000

Detection Engine

detection:
  rules_path: /etc/daemoneye/rules
  enable_hot_reload: true
  rule_timeout_secs: 30
  max_concurrent_rules: 10

Alerting Configuration

alerting:
  enabled: true
  dedupe_window_minutes: 60
  max_queue_size: 10000
  sinks:
    - type: syslog
      enabled: true
      facility: daemon
      tag: daemoneye
    - type: webhook
      enabled: false
      url: https://your-siem.com/webhook
      headers:
        Authorization: Bearer ${WEBHOOK_TOKEN}
    - type: file
      enabled: false
      path: /var/log/daemoneye/alerts.json
      format: json
    - type: splunk_hec # Business Tier
      enabled: false
      endpoint: https://splunk.example.com:8088/services/collector
      token: ${SPLUNK_HEC_TOKEN}
    - type: elasticsearch # Business Tier
      enabled: false
      hosts: [https://elastic.example.com:9200]
    - type: kafka # Business Tier
      enabled: false
      brokers: [kafka.example.com:9092]
      topic: daemoneye.alerts
  filters:
    min_severity: low
    exclude_rules: [test-rule, debug-rule]

Database Configuration

database:
  path: /var/lib/daemoneye/events.redb
  retention_days: 30
  max_size_mb: 10240
  enable_cleanup: true
  cleanup_interval_hours: 24

Platform-Specific Configuration

Linux

platform:
  linux:
    enable_ebpf: false # Enterprise Tier
    enable_namespace_monitoring: true
    collection_method: sysinfo
    privileges:
      capabilities: [SYS_PTRACE]
      drop_privileges: true

Windows

platform:
  windows:
    enable_etw: false # Enterprise Tier
    etw_session_name: DaemonEye
    collection_method: sysinfo
    privileges:
      privileges: [SeDebugPrivilege]
      drop_privileges: true

macOS

platform:
  macos:
    enable_endpoint_security: false # Enterprise Tier
    collection_method: sysinfo
    privileges:
      drop_privileges: true

Business Tier Configuration

business_tier:
  license:
    key: ${DAEMONEYE_LICENSE_KEY}
    offline_only: true
  security_center:
    enabled: false
    endpoint: https://security-center.example.com:8443
    client_cert_path: /etc/daemoneye/agent.crt
    heartbeat_interval_secs: 30
  rule_packs:
    auto_update: true
    update_interval_hours: 24
    signature_validation:
      enabled: true
      strict_mode: true

Enterprise Tier Configuration

Kernel Monitoring

enterprise_tier:
  kernel_monitoring:
    enabled: false
    method: auto # auto, ebpf, etw, endpoint_security

Federation

enterprise_tier:
  federation:
    enabled: false
    tier: agent
    sync:
      interval_minutes: 5
      compression: true
      encryption: true

STIX/TAXII Integration

enterprise_tier:
  stix_taxii:
    enabled: false
    servers:
      - name: threat-intel-server
        url: https://threat-intel.example.com/taxii2/
        collections: [malware-indicators, attack-patterns]
    polling:
      interval_minutes: 60
      min_confidence: 50
    conversion:
      auto_convert: true

Environment Variables

# Core
export DAEMONEYE_LOG_LEVEL=info
export DAEMONEYE_SCAN_INTERVAL_MS=30000
export DAEMONEYE_DATABASE_PATH=/var/lib/daemoneye/events.redb
export DAEMONEYE_ALERTING_ENABLED=true

# Business Tier
export DAEMONEYE_SECURITY_CENTER_ENABLED=false
export SPLUNK_HEC_TOKEN=your-splunk-token

# Enterprise Tier
export DAEMONEYE_KERNEL_MONITORING_ENABLED=false
export DAEMONEYE_FEDERATION_ENABLED=false
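The five-level precedence chain from Configuration Overview and the ${VAR} placeholders used for sink credentials (Authorization: Bearer ${WEBHOOK_TOKEN}, token: ${SPLUNK_HEC_TOKEN}), worked through together as an added example that is not DaemonEye's own code. The mapping from the DAEMONEYE_* variables above to config keys (ENV_MAP) and the rule that ${VAR} is resolved from the environment and fails hard when the variable is unset are assumptions; the guide lists the variable names but not how they are applied.

```python
import re
# Added example (not DaemonEye code); ENV_MAP and the ${VAR} rule are assumptions.
EMBEDDED_DEFAULTS = {"app": {"scan_interval_ms": 30000, "log_level": "info"}}
ENV_MAP = {
    "DAEMONEYE_LOG_LEVEL": ("app", "log_level"),
    "DAEMONEYE_SCAN_INTERVAL_MS": ("app", "scan_interval_ms"),
    "DAEMONEYE_DATABASE_PATH": ("database", "path"),
    "DAEMONEYE_ALERTING_ENABLED": ("alerting", "enabled"),
}
_PLACEHOLDER = re.compile(r"\$\{([A-Z0-9_]+)\}")

def deep_merge(base, override):
    """Nested dicts merge key by key; scalars and lists in override win."""
    out = dict(base)
    for key, val in override.items():
        nested = isinstance(val, dict) and isinstance(out.get(key), dict)
        out[key] = deep_merge(out[key], val) if nested else val
    return out

def coerce(raw):
    """Environment values arrive as strings; type them the way YAML would."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if raw.isdigit() else raw

def env_layer(environ):
    """Turn the DAEMONEYE_* variables that are set into one config layer."""
    layer = {}
    for var, (section, key) in ENV_MAP.items():
        if var in environ:
            layer.setdefault(section, {})[key] = coerce(environ[var])
    return layer

def expand_secrets(node, environ):
    """Resolve ${VAR} in string values. An unset variable raises KeyError, so a
    sink never ships with the literal text '${WEBHOOK_TOKEN}' as a credential."""
    if isinstance(node, dict):
        return {k: expand_secrets(v, environ) for k, v in node.items()}
    if isinstance(node, list):
        return [expand_secrets(v, environ) for v in node]
    if isinstance(node, str):
        return _PLACEHOLDER.sub(lambda m: environ[m.group(1)], node)
    return node

def resolve_config(system_cfg, user_cfg, environ, cli_flags):
    """Guide's precedence: defaults < system file < user file < env < CLI."""
    cfg = EMBEDDED_DEFAULTS
    for layer in (system_cfg, user_cfg, env_layer(environ), cli_flags):
        cfg = deep_merge(cfg, layer)
    return expand_secrets(cfg, environ)
```

The dict arguments stand for the already-parsed system and user YAML files; pass os.environ as environ to resolve against the real process environment.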

Troubleshooting

daemoneye-cli config validate /etc/daemoneye/config.yaml
daemoneye-cli config check
daemoneye-cli config show --include-defaults

This configuration guide provides comprehensive information about configuring DaemonEye. For additional help, consult the troubleshooting section or contact support.