CLI Reference#
This document provides comprehensive reference information for all
DaemonEye command-line interfaces.
Overview#
DaemonEye provides three main command-line tools:
- procmond: Privileged process collector daemon
- daemoneye-agent: Detection orchestrator and lifecycle manager
- daemoneye-cli: Command-line interface for queries and management
procmond#
The privileged process monitoring daemon that collects process
information with minimal attack surface.
Usage#
```bash
procmond [OPTIONS]
```
Options#
| Option | Short | Default | Description |
|---|---|---|---|
| --database | -d | /var/lib/daemoneye/processes.db | Database path for storing process data |
| --log-level | -l | info | Log level (debug, info, warn, error) |
| --interval | -i | 30 | Collection interval in seconds (5-3600) |
| --max-processes | | 0 | Maximum processes per cycle (0 = unlimited) |
| --enhanced-metadata | | | Enable enhanced metadata collection |
| --compute-hashes | | | Enable executable hashing for integrity |
| --help | -h | | Print help information |
| --version | -V | | Print version information |
Examples#
```bash
# Basic process monitoring with 30-second intervals
procmond --database /var/lib/daemoneye/processes.db --interval 30

# Enhanced collection with metadata and hashing
procmond --enhanced-metadata --compute-hashes --interval 60

# Debug mode with verbose logging
procmond --log-level debug --interval 10

# Limited collection for testing
procmond --max-processes 100 --interval 5
```
Configuration#
procmond is orchestrated by
daemoneye-agent; collectors do not consume
component-specific configuration files. When the binary is launched
directly (for example during development or troubleshooting) it honours
the following sources:
- Command-line flags (highest precedence)
- Environment variables (PROCMOND_*), typically injected by the agent
- System DaemonEye configuration file (/etc/daemoneye/config.toml)
- Embedded defaults (lowest precedence)
Per-user configuration is not supported for collectors; only the
operator-facing CLI honours user-scoped overrides when invoked
directly.
Operators should configure collection behaviour through the agent,
which materialises these settings when spawning the collector.
Exit Codes#
| Code | Description |
|---|---|
| 0 | Success |
| 1 | Unhandled error returned from the runtime (includes configuration, permission, database) |
| 2 | CLI argument parsing failure reported by clap |
daemoneye-agent#
The detection orchestrator that manages procmond lifecycle, executes
detection rules, and handles alerting.
Usage#
```bash
daemoneye-agent [OPTIONS]
```
Options#
| Option | Short | Default | Description |
|---|---|---|---|
| --database | -d | /var/lib/daemoneye/processes.db | Database path for process data |
| --log-level | -l | info | Log level (debug, info, warn, error) |
| --help | -h | | Print help information |
| --version | -V | | Print version information |
Examples#
```bash
# Start orchestrator with default settings
daemoneye-agent

# Use custom database location
daemoneye-agent --database /custom/path/processes.db

# Enable debug logging
daemoneye-agent --log-level debug

# Test mode (exits immediately for integration tests)
DAEMONEYE_AGENT_TEST_MODE=1 daemoneye-agent
```
Environment Variables#
| Variable | Description |
|---|---|
| DAEMONEYE_AGENT_TEST_MODE | Set to 1 to enable test mode (immediate exit) |
Features#
- Embedded EventBus Broker: Runs daemoneye-eventbus broker for multi-collector coordination
- IPC Server: Provides IPC server for CLI communication via protobuf over Unix sockets/named pipes
- IPC Client: Communicates with procmond via protobuf over Unix sockets/named pipes
- Detection Engine: Executes SQL-based detection rules against collected data
- Alert Management: Multi-channel alert delivery (stdout, syslog, webhooks, email)
- Graceful Shutdown: Handles SIGTERM/SIGINT for clean shutdown
Configuration#
daemoneye-agent supports hierarchical configuration loading:
- Command-line flags (highest precedence)
- Environment variables (DAEMONEYE_AGENT_*)
- User configuration file (~/.config/daemoneye-agent/config.yaml)
- System configuration file (/etc/daemoneye-agent/config.yaml)
- Embedded defaults (lowest precedence)
daemoneye-cli#
The command-line interface for querying database statistics, health
checks, and system management.
Usage#
```bash
daemoneye-cli [OPTIONS]
```
Options#
| Option | Short | Default | Description |
|---|---|---|---|
| --database | -d | /var/lib/daemoneye/processes.db | Database path for queries |
| --format | -f | human | Output format (human, json) |
| --help | -h | | Print help information |
| --version | -V | | Print version information |
Examples#
```bash
# View database statistics in human-readable format
daemoneye-cli --database /var/lib/daemoneye/processes.db --format human

# Get statistics in JSON format for scripting
daemoneye-cli --database /var/lib/daemoneye/processes.db --format json

# Use default database location
daemoneye-cli --format json
```
Output Formats#
Human Format#
```text
DaemonEye Database Statistics
Processes: 1234
Rules: 5
Alerts: 42
System Info: 1
Scans: 100
Health status: Healthy
```
JSON Format#
```json
{"processes":1234,"rules":5,"alerts":42,"system_info":1,"scans":100,"health_status":"Healthy"}
```
Configuration#
daemoneye-cli supports hierarchical configuration loading:
- Command-line flags (highest precedence)
- Environment variables (DAEMONEYE_CLI_*)
- User configuration file (~/.config/daemoneye-cli/config.yaml)
- System configuration file (/etc/daemoneye-cli/config.yaml)
- Embedded defaults (lowest precedence)
Common Patterns#
Basic Monitoring Setup#
```bash
# Terminal 1: Start the orchestrator
daemoneye-agent --log-level info

# Terminal 2: Monitor database statistics
watch -n 5 'daemoneye-cli --format json'

# Terminal 3: Run procmond directly (optional)
procmond --enhanced-metadata --compute-hashes
```
Testing and Development#
```bash
# Test procmond collection
procmond --interval 5 --max-processes 10 --log-level debug

# Test agent in test mode
DAEMONEYE_AGENT_TEST_MODE=1 daemoneye-agent

# Check database growth
daemoneye-cli --format json | jq '.processes'
```
Production Deployment#
```bash
# Start agent as service
systemctl start daemoneye-agent

# Monitor health
daemoneye-cli --format json | jq '.processes, .alerts'

# Check logs
journalctl -u daemoneye-agent -f
```
Shell Completions#
All DaemonEye CLI tools support shell completions for bash, zsh,
fish, and PowerShell.
Generate Completions#
```bash
# Bash
daemoneye-cli --generate-completion bash > /etc/bash_completion.d/daemoneye-cli

# Zsh
daemoneye-cli --generate-completion zsh > ~/.zsh/completions/_daemoneye-cli

# Fish
daemoneye-cli --generate-completion fish > ~/.config/fish/completions/daemoneye-cli.fish

# PowerShell
daemoneye-cli --generate-completion powershell > DaemonEye.ps1
```
Error Handling#
All CLI tools follow consistent error handling patterns:
- Exit Code 0: Success
- Exit Code 1: General error
- Exit Code 2: CLI argument parsing failure
- Exit Code 3: Permission denied
- Exit Code 4: Database error
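A monitoring wrapper can combine these exit codes with the JSON output format shown earlier. The following is an added example, not DaemonEye code: `evaluate` and `max_new_alerts` are illustrative names, and it assumes that `scans` and `alerts` are cumulative counters and that any `health_status` other than "Healthy" is a failure.

```python
import json

# Exit codes as listed under "Error Handling" in this reference.
EXIT_MEANING = {1: "general error", 2: "CLI argument parsing failure",
                3: "permission denied", 4: "database error"}
REQUIRED = ("processes", "rules", "alerts", "system_info", "scans", "health_status")
# The JSON sample shown on this page, reused here as sample input.
SAMPLE_JSON = ('{"processes":1234,"rules":5,"alerts":42,'
               '"system_info":1,"scans":100,"health_status":"Healthy"}')


def evaluate(exit_code, stdout, prev=None, max_new_alerts=10):
    """Return (state, message, stats); state is OK, WARNING or CRITICAL.

    prev is the stats dict from the previous poll, or None on the first run.
    max_new_alerts is a hypothetical threshold chosen for this example.
    """
    if exit_code != 0:
        reason = EXIT_MEANING.get(exit_code, "undocumented exit code")
        return "CRITICAL", f"daemoneye-cli exited {exit_code}: {reason}", None
    try:
        stats = json.loads(stdout)
    except json.JSONDecodeError as err:
        return "CRITICAL", f"output is not JSON: {err.msg}", None
    missing = [k for k in REQUIRED if not isinstance(stats, dict) or k not in stats]
    if missing:
        return "CRITICAL", "missing fields: " + ", ".join(missing), None
    if stats["health_status"] != "Healthy":
        return "CRITICAL", f"health_status is {stats['health_status']!r}", stats
    if prev is not None:
        # Assumption: a scan counter that stops advancing means collection stalled.
        if stats["scans"] <= prev["scans"]:
            return "WARNING", "scan counter did not advance since last poll", stats
        new_alerts = stats["alerts"] - prev["alerts"]
        if new_alerts > max_new_alerts:
            return "WARNING", f"{new_alerts} new alerts since last poll", stats
    return "OK", f"{stats['processes']} processes, {stats['alerts']} alerts", stats


if __name__ == "__main__":
    state, message, baseline = evaluate(0, SAMPLE_JSON)
    print(state, message)
    print(*evaluate(0, SAMPLE_JSON, prev=baseline)[:2])  # counters unchanged
    print(*evaluate(4, "")[:2])                           # database error
```

Feed it the exit status and stdout of `daemoneye-cli --format json` on each poll, passing the previous poll's stats as `prev`.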
Common Error Messages#
| Error | Cause | Solution |
|---|---|---|
| Permission denied | Insufficient privileges | Run with appropriate privileges or check file permissions |
| Database locked | Another process is using the database | Stop other DaemonEye processes or check for stale locks |
| Invalid interval | Interval outside 5-3600 range | Use interval between 5 and 3600 seconds |
| Configuration error | Invalid configuration file | Check configuration syntax and values |
Environment Variables#
Global Environment Variables#
| Variable | Description | Default |
|---|---|---|
| NO_COLOR | Disable colored output | Not set |
| TERM | Terminal type (affects color detection) | System default |
| RUST_LOG | Rust logging configuration | Not set |
| RUST_BACKTRACE | Enable Rust backtraces | Not set |
Component-Specific Variables#
procmond#
| Variable | Description | Default |
|---|---|---|
| PROCMOND_DATABASE | Database path | /var/lib/daemoneye/processes.db |
| PROCMOND_LOG_LEVEL | Log level | info |
| PROCMOND_INTERVAL | Collection interval | 30 |
daemoneye-agent#
| Variable | Description | Default |
|---|---|---|
| DAEMONEYE_AGENT_DATABASE | Database path | /var/lib/daemoneye/processes.db |
| DAEMONEYE_AGENT_LOG_LEVEL | Log level | info |
| DAEMONEYE_AGENT_TEST_MODE | Enable test mode | Not set |
daemoneye-cli#
| Variable | Description | Default |
|---|---|---|
| DAEMONEYE_CLI_DATABASE | Database path | /var/lib/daemoneye/processes.db |
| DAEMONEYE_CLI_FORMAT | Output format | human |
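Because environment variables outrank the configuration files in every precedence list above, a stray component variable in a service environment changes behaviour without any file changing. The following added example (not DaemonEye code) audits a NUL-separated environment dump, the layout of /proc/<pid>/environ on Linux, against the variables documented in these tables; `audit_environ`, the finding strings and the sample bytes are constructed for illustration.

```python
# Documented variables and defaults, copied from the tables in this reference.
DOCUMENTED = {
    "PROCMOND_DATABASE": "/var/lib/daemoneye/processes.db",
    "PROCMOND_LOG_LEVEL": "info",
    "PROCMOND_INTERVAL": "30",
    "DAEMONEYE_AGENT_DATABASE": "/var/lib/daemoneye/processes.db",
    "DAEMONEYE_AGENT_LOG_LEVEL": "info",
    "DAEMONEYE_AGENT_TEST_MODE": None,  # "Not set" by default
    "DAEMONEYE_CLI_DATABASE": "/var/lib/daemoneye/processes.db",
    "DAEMONEYE_CLI_FORMAT": "human",
}
PREFIXES = ("PROCMOND_", "DAEMONEYE_AGENT_", "DAEMONEYE_CLI_")
LOG_LEVELS = {"debug", "info", "warn", "error"}

# Constructed sample environment, not captured from a real host.
SAMPLE_ENVIRON = (b"PATH=/usr/bin\0PROCMOND_INTERVAL=2\0"
                  b"PROCMOND_DATABASE=/tmp/p.db\0DAEMONEYE_AGENT_TEST_MODE=1\0"
                  b"PROCMOND_DEBUG=1\0DAEMONEYE_CLI_FORMAT=human\0")


def audit_environ(raw):
    """Parse NUL-separated KEY=VALUE bytes and return a sorted list of
    (variable, value, finding) tuples for DaemonEye component variables."""
    findings = []
    for entry in raw.split(b"\0"):
        key, sep, value = entry.decode("utf-8", "replace").partition("=")
        if not sep or not key.startswith(PREFIXES):
            continue  # unrelated variable or empty trailing entry
        if key not in DOCUMENTED:
            findings.append((key, value, "not a documented variable"))
        elif key.endswith("_TEST_MODE"):
            findings.append((key, value, "test mode variable is set"))
        elif key.endswith("_INTERVAL") and not (
                value.isdecimal() and 5 <= int(value) <= 3600):
            findings.append((key, value, "interval outside 5-3600"))
        elif key.endswith("_LOG_LEVEL") and value not in LOG_LEVELS:
            findings.append((key, value, "unknown log level"))
        elif value != DOCUMENTED[key]:
            findings.append((key, value, "non-default, outranks config file"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_environ(SAMPLE_ENVIRON):
        print(*finding, sep="\t")
```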
Integration Examples#
Systemd Service#
```ini
[Unit]
Description=DaemonEye Agent
After=network.target

[Service]
Type=simple
User=daemoneye
Group=daemoneye
ExecStart=/usr/local/bin/daemoneye-agent --database /var/lib/daemoneye/processes.db
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```
Docker Deployment#
```dockerfile
FROM rust:1.91-slim as builder
COPY . /app
WORKDIR /app
RUN cargo build --release

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
COPY --from=builder /app/target/release/daemoneye-agent /usr/local/bin/
COPY --from=builder /app/target/release/daemoneye-cli /usr/local/bin/
COPY --from=builder /app/target/release/procmond /usr/local/bin/
VOLUME ["/data"]
CMD ["daemoneye-agent", "--database", "/data/processes.db"]
```
Kubernetes DaemonSet#
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: daemoneye
spec:
  selector:
    matchLabels:
      app: daemoneye
  template:
    metadata:
      labels:
        app: daemoneye
    spec:
      hostPID: true
      containers:
        - name: daemoneye-agent
          image: daemoneye/daemoneye:latest
          securityContext:
            privileged: true
          volumeMounts:
            - name: data
              mountPath: /data
            - name: proc
              mountPath: /host/proc
              readOnly: true
      volumes:
        - name: data
          hostPath:
            path: /var/lib/daemoneye
        - name: proc
          hostPath:
            path: /proc
```
This CLI reference provides comprehensive information for using
DaemonEye command-line tools. For additional help, use the
--help flag with any command or consult the user
guides.
Source note: Populated from the public repo
(docs/src/cli-reference.md) on 2026-04-18. This page was
previously empty; the content above mirrors the repo at the time of
sync.