DaemonEye Installation Guide
This guide provides comprehensive installation instructions for DaemonEye across different platforms and deployment scenarios.
System Requirements
Minimum Requirements
Operating System:
- Linux: Ubuntu 20.04+ LTS, RHEL/CentOS 8+, Debian 11+
- macOS: 14.0+ (Sonoma or later)
- Windows: Windows 10+, Server 2019+
Hardware:
- CPU: x86_64 or ARM64 processor
- RAM: 512MB available memory
- Disk: 1GB free space
- Network: Internet access for initial setup (optional)
Privileges:
- Linux: CAP_SYS_PTRACE capability or root access
- Windows: SeDebugPrivilege or Administrator access
- macOS: Appropriate entitlements or root access
Recommended Requirements
Operating System:
- Linux: Kernel 4.15+ (Ubuntu 18.04+, RHEL 8+, Debian 10+)
- macOS: 11+ (Big Sur or later)
- Windows: Windows 11+ or Windows Server 2019+
Hardware:
- CPU: 2+ cores
- RAM: 2GB+ available memory
- Disk: 10GB+ free space
- Network: Stable internet connection
Enhanced Features (Enterprise Tier):
- Linux: Kernel 4.7+ for eBPF support
- Windows: Windows 7+ for ETW support
- macOS: 10.15+ for EndpointSecurity support
Installation Methods
Method 1: Pre-built Binaries (Recommended)
Download Latest Release:
# Linux x86_64
wget https://github.com/EvilBit-Labs/DaemonEye/releases/latest/download/daemoneye-linux-x86_64.tar.gz
tar -xzf daemoneye-linux-x86_64.tar.gz
# Linux ARM64
wget https://github.com/EvilBit-Labs/DaemonEye/releases/latest/download/daemoneye-linux-aarch64.tar.gz
tar -xzf daemoneye-linux-aarch64.tar.gz
# macOS x86_64
curl -L https://github.com/EvilBit-Labs/DaemonEye/releases/latest/download/daemoneye-macos-x86_64.tar.gz | tar -xz
# macOS ARM64 (Apple Silicon)
curl -L https://github.com/EvilBit-Labs/DaemonEye/releases/latest/download/daemoneye-macos-aarch64.tar.gz | tar -xz
# Windows x86_64
# Download from GitHub releases and extract
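The download commands above unpack the archive as soon as it arrives, and the macOS ones pipe it straight into tar. The GoReleaser section of this guide states that releases are signed with Cosign keyless signing via GitHub Actions OIDC, so the following added example (not code from the DaemonEye project) verifies an already-downloaded archive before extracting it. Assumptions: the release publishes a detached signature and a certificate file for each archive, whose file names you pass in; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: verify a release archive with cosign, then extract it.
# Assumption: signature and certificate are separate files downloaded
# alongside the archive (their names are not given in this guide).

# Identity constraints: the GitHub Actions OIDC issuer and the repository
# URL used throughout this guide.
DE_ISSUER='https://token.actions.githubusercontent.com'
DE_IDENTITY_RE='^https://github\.com/EvilBit-Labs/DaemonEye/'

# verify_and_extract ARCHIVE SIGNATURE CERTIFICATE DESTDIR
# Returns 0 only when cosign accepts the signature and the archive holds no
# unsafe member paths. Nothing is extracted otherwise.
verify_and_extract() {
    ve_archive=$1; ve_sig=$2; ve_cert=$3; ve_dest=$4
    [ -f "$ve_archive" ] && [ -f "$ve_sig" ] && [ -f "$ve_cert" ] || {
        echo "missing archive, signature, or certificate" >&2; return 2; }

    cosign verify-blob \
        --certificate "$ve_cert" \
        --signature "$ve_sig" \
        --certificate-oidc-issuer "$DE_ISSUER" \
        --certificate-identity-regexp "$DE_IDENTITY_RE" \
        "$ve_archive" >&2 || {
        echo "signature check failed: $ve_archive" >&2; return 1; }

    # Refuse absolute paths and ".." components before unpacking.
    if tar -tzf "$ve_archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $ve_archive" >&2; return 3
    fi
    mkdir -p "$ve_dest" && tar -xzf "$ve_archive" -C "$ve_dest"
}

# Usage (signature and certificate file names are placeholders):
#   verify_and_extract daemoneye-linux-x86_64.tar.gz SIGNATURE_FILE CERT_FILE ./daemoneye
```

Download the archive to a file with wget or curl -LO first; a stream piped into tar cannot be verified before it is unpacked.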
Install to System Directories:
# Linux/macOS
sudo cp procmond daemoneye-agent daemoneye-cli /usr/local/bin/
sudo chmod +x /usr/local/bin/procmond /usr/local/bin/daemoneye-agent /usr/local/bin/daemoneye-cli
# Create system directories
sudo mkdir -p /etc/daemoneye
sudo mkdir -p /var/lib/daemoneye
sudo mkdir -p /var/log/daemoneye
# Set ownership
sudo chown -R $USER:$USER /etc/daemoneye
sudo chown -R $USER:$USER /var/lib/daemoneye
sudo chown -R $USER:$USER /var/log/daemoneye
# Windows
# Copy to C:\Program Files\DaemonEye\
# Add to PATH environment variable
Method 2: Package Managers (Planned)
Status: Not yet available. Package manager support (Homebrew, APT, YUM/DNF, Chocolatey) is under development and will be available in a future release.
For now, use one of the following installation methods:
- Pre-built Binaries (Method 1) - Recommended for most users
- Build from Source (Method 3) - For developers and advanced users
Method 3: Build from Source
Install Rust (1.91+):
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
rustup update
Clone and Build:
# Clone repository
git clone https://github.com/EvilBit-Labs/DaemonEye.git
cd DaemonEye
# Build in release mode
cargo build --release
# Install built binaries
sudo cp target/release/procmond target/release/daemoneye-agent target/release/daemoneye-cli /usr/local/bin/
sudo chmod +x /usr/local/bin/procmond /usr/local/bin/daemoneye-agent /usr/local/bin/daemoneye-cli
Cross-Platform Building:
# Install cross-compilation toolchain
rustup target add x86_64-unknown-linux-gnu
rustup target add aarch64-unknown-linux-gnu
rustup target add x86_64-apple-darwin
rustup target add aarch64-apple-darwin
# Build for different targets
cargo build --release --target x86_64-unknown-linux-gnu
cargo build --release --target aarch64-unknown-linux-gnu
cargo build --release --target x86_64-apple-darwin
cargo build --release --target aarch64-apple-darwin
Method 4: Using GoReleaser (Release Tooling)
DaemonEye uses GoReleaser for automated cross-platform building, packaging, and releasing. This is the recommended method for developers and contributors who want to build release-quality binaries.
Local build with GoReleaser:
# Validate configuration
just goreleaser-check
# Build binaries locally (snapshot, no publish)
just goreleaser-build
# Run a full snapshot release (build + package, no publish)
just goreleaser-snapshot
Release with cargo-release:
# Dry run to see what would be changed
cargo release --dry-run
# Prepare a new release (updates version, creates tag)
cargo release --execute
# Release with specific version
cargo release 1.0.0 --execute
GoReleaser Configuration:
The project includes platform-specific GoReleaser configs (.goreleaser-linux.yaml, .goreleaser-macos.yaml, .goreleaser-windows.yaml) that define:
- Supported platforms: Linux (x86_64, aarch64), macOS (x86_64, aarch64), Windows (x86_64, aarch64)
- Package formats: .tar.gz for Unix, .zip for Windows
- Binaries: procmond, daemoneye-agent, daemoneye-cli
- Signing: Cosign keyless signing via GitHub Actions OIDC
Release Workflow:
# 1. Update version and create tag
cargo release --execute
# 2. Push tag to trigger CI release
git push --tags
# 3. GoReleaser builds, packages, signs, and publishes to GitHub Releases
Note
For Contributors: Use just goreleaser-build to create release-quality binaries that match the official distribution format.
Platform-Specific Installation
Linux Installation
Ubuntu/Debian - Build from Source:
# Update system
sudo apt update && sudo apt upgrade -y
# Install dependencies
sudo apt install -y ca-certificates curl wget build-essential
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
# Clone and build
git clone https://github.com/EvilBit-Labs/DaemonEye.git
cd DaemonEye
cargo build --release
# Install binaries
sudo cp target/release/procmond target/release/daemoneye-agent target/release/daemoneye-cli /usr/local/bin/
sudo chmod +x /usr/local/bin/procmond /usr/local/bin/daemoneye-agent /usr/local/bin/daemoneye-cli
# Create system directories
sudo mkdir -p /etc/daemoneye /var/lib/daemoneye /var/log/daemoneye
sudo chown -R $USER:$USER /etc/daemoneye /var/lib/daemoneye /var/log/daemoneye
# Enable and start the service (the daemoneye.service unit from the Service Configuration section must exist first)
sudo systemctl enable daemoneye
sudo systemctl start daemoneye
RHEL/CentOS - Build from Source:
# Update system
sudo yum update -y
# Install dependencies
sudo yum install -y ca-certificates curl wget gcc gcc-c++ make
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
# Clone and build
git clone https://github.com/EvilBit-Labs/DaemonEye.git
cd DaemonEye
cargo build --release
# Install binaries
sudo cp target/release/procmond target/release/daemoneye-agent target/release/daemoneye-cli /usr/local/bin/
sudo chmod +x /usr/local/bin/procmond /usr/local/bin/daemoneye-agent /usr/local/bin/daemoneye-cli
# Create system directories
sudo mkdir -p /etc/daemoneye /var/lib/daemoneye /var/log/daemoneye
sudo chown -R $USER:$USER /etc/daemoneye /var/lib/daemoneye /var/log/daemoneye
# Enable and start the service (the daemoneye.service unit from the Service Configuration section must exist first)
sudo systemctl enable daemoneye
sudo systemctl start daemoneye
Arch Linux - Build from Source:
# Install dependencies
sudo pacman -S --needed base-devel rust
# Clone and build
git clone https://github.com/EvilBit-Labs/DaemonEye.git
cd DaemonEye
cargo build --release
# Install binaries
sudo install -Dm755 target/release/procmond /usr/local/bin/procmond
sudo install -Dm755 target/release/daemoneye-agent /usr/local/bin/daemoneye-agent
sudo install -Dm755 target/release/daemoneye-cli /usr/local/bin/daemoneye-cli
# Create system directories
sudo mkdir -p /etc/daemoneye /var/lib/daemoneye /var/log/daemoneye
macOS Installation
Using Homebrew (Planned):
Homebrew package support for DaemonEye is coming soon. For now, please use the build from source or manual installation methods below.
Build from Source:
# Clone the repository
git clone https://github.com/EvilBit-Labs/DaemonEye.git
cd DaemonEye
# Install Rust if not already installed
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
# Build DaemonEye
cargo build --release
# Install binaries (macOS-compatible: mkdir -p + install -m 755)
sudo mkdir -p /usr/local/bin
sudo install -m 755 target/release/procmond /usr/local/bin/procmond
sudo install -m 755 target/release/daemoneye-agent /usr/local/bin/daemoneye-agent
sudo install -m 755 target/release/daemoneye-cli /usr/local/bin/daemoneye-cli
# Create system directories
sudo mkdir -p /etc/daemoneye /var/lib/daemoneye /var/log/daemoneye
Manual Installation:
# Download and extract
curl -L https://github.com/EvilBit-Labs/DaemonEye/releases/latest/download/daemoneye-macos-x86_64.tar.gz | tar -xz
# Install to system directories
sudo cp procmond daemoneye-agent daemoneye-cli /usr/local/bin/
sudo chmod +x /usr/local/bin/procmond /usr/local/bin/daemoneye-agent /usr/local/bin/daemoneye-cli
# Create directories
sudo mkdir -p /Library/Application\ Support/DaemonEye
sudo mkdir -p /var/lib/daemoneye
sudo mkdir -p /var/log/daemoneye
# Set ownership
sudo chown -R $(whoami):staff /Library/Application\ Support/DaemonEye
sudo chown -R $(whoami):staff /var/lib/daemoneye
sudo chown -R $(whoami):staff /var/log/daemoneye
Windows Installation
Using Chocolatey (Planned):
Chocolatey package support for DaemonEye is coming soon. For now, please use the build from source or manual installation methods below.
Build from Source:
# Install Rust (from https://rustup.rs/)
# Download and run rustup-init.exe, or use:
# iwr https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe -OutFile rustup-init.exe
# .\rustup-init.exe -y
# Clone the repository
git clone https://github.com/EvilBit-Labs/DaemonEye.git
cd DaemonEye
# Build DaemonEye
cargo build --release
# Create installation directory
New-Item -ItemType Directory -Path "C:\Program Files\DaemonEye" -Force
# Install binaries
Copy-Item "target\release\procmond.exe" "C:\Program Files\DaemonEye\"
Copy-Item "target\release\daemoneye-agent.exe" "C:\Program Files\DaemonEye\"
Copy-Item "target\release\daemoneye-cli.exe" "C:\Program Files\DaemonEye\"
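# Add to PATH (run as Administrator)
# Read the machine-level PATH; $env:PATH also contains per-user entries that should not be copied into it
$machinePath = [Environment]::GetEnvironmentVariable("PATH", [EnvironmentVariableTarget]::Machine)
[Environment]::SetEnvironmentVariable("PATH", "$machinePath;C:\Program Files\DaemonEye", [EnvironmentVariableTarget]::Machine)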
# Create data directories
New-Item -ItemType Directory -Path "C:\ProgramData\DaemonEye" -Force
New-Item -ItemType Directory -Path "C:\ProgramData\DaemonEye\data" -Force
New-Item -ItemType Directory -Path "C:\ProgramData\DaemonEye\logs" -Force
Manual Installation:
# Download from GitHub releases
# https://github.com/EvilBit-Labs/DaemonEye/releases
# Extract to C:\Program Files\DaemonEye\
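# Add to PATH (run as Administrator)
# Read the machine-level PATH; $env:PATH also contains per-user entries that should not be copied into it
$machinePath = [Environment]::GetEnvironmentVariable("PATH", [EnvironmentVariableTarget]::Machine)
[Environment]::SetEnvironmentVariable("PATH", "$machinePath;C:\Program Files\DaemonEye", [EnvironmentVariableTarget]::Machine)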
# Create data directories
New-Item -ItemType Directory -Path "C:\ProgramData\DaemonEye" -Force
New-Item -ItemType Directory -Path "C:\ProgramData\DaemonEye\data" -Force
New-Item -ItemType Directory -Path "C:\ProgramData\DaemonEye\logs" -Force
Service Configuration
Linux (systemd)
Create Service File:
sudo tee /etc/systemd/system/daemoneye.service << 'EOF'
[Unit]
Description=DaemonEye Security Monitoring Agent
Documentation=https://docs.daemoneye.com
After=network.target
Wants=network.target
[Service]
Type=notify
User=daemoneye
Group=daemoneye
ExecStart=/usr/local/bin/daemoneye-agent --config /etc/daemoneye/config.yaml
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=30
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=daemoneye
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/daemoneye /var/log/daemoneye
CapabilityBoundingSet=CAP_SYS_PTRACE
AmbientCapabilities=CAP_SYS_PTRACE
[Install]
WantedBy=multi-user.target
EOF
Create User and Directories:
# Create daemoneye user
sudo useradd -r -s /bin/false -d /var/lib/daemoneye daemoneye
# Set ownership
sudo chown -R daemoneye:daemoneye /var/lib/daemoneye
sudo chown -R daemoneye:daemoneye /var/log/daemoneye
sudo chown -R daemoneye:daemoneye /etc/daemoneye
# Reload systemd and start service
sudo systemctl daemon-reload
sudo systemctl enable daemoneye
sudo systemctl start daemoneye
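The agent runs with CAP_SYS_PTRACE, so anyone who can modify its binaries, configuration, or rule files can influence a privileged process. The following added example (not DaemonEye's own tooling) audits the paths created by the install and service steps above for ownership and group/other write bits. The function names are illustrative, and the expected owners are parameters because this guide assigns the directories to different accounts at different steps.

```shell
#!/bin/sh
# Added example, not part of DaemonEye. Function names are illustrative.

# audit_path PATH OWNER
# Prints a finding and returns 1 if PATH is missing, writable by group or
# other, or not owned by OWNER (user name or numeric uid).
audit_path() {
    ap_path=$1; ap_owner=$2
    if [ ! -e "$ap_path" ]; then
        echo "MISSING  $ap_path"; return 1
    fi
    # -prune limits find to the path itself; -perm -020 / -002 match a set
    # group-write or other-write bit.
    if [ -n "$(find "$ap_path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE $ap_path (group or other can modify it)"; return 1
    fi
    if [ -z "$(find "$ap_path" -prune -user "$ap_owner" -print)" ]; then
        echo "OWNER    $ap_path (expected $ap_owner)"; return 1
    fi
    return 0
}

# audit_install BIN_DIR CONF_DIR BIN_OWNER CONF_OWNER
# Returns the number of findings (0 = clean).
audit_install() {
    ai_bin=$1; ai_conf=$2; ai_bin_owner=$3; ai_conf_owner=$4; ai_findings=0
    for ai_name in procmond daemoneye-agent daemoneye-cli; do
        audit_path "$ai_bin/$ai_name" "$ai_bin_owner" || ai_findings=$((ai_findings + 1))
    done
    audit_path "$ai_conf" "$ai_conf_owner" || ai_findings=$((ai_findings + 1))
    # Config and rule files below CONF_DIR (symlinks skipped: their own mode
    # bits are not meaningful).
    ai_loose=$(find "$ai_conf" ! -path "$ai_conf" ! -type l \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null) || true
    if [ -n "$ai_loose" ]; then
        echo "WRITABLE below $ai_conf:"; echo "$ai_loose"
        ai_findings=$((ai_findings + 1))
    fi
    return "$ai_findings"
}

# Usage on a host set up as in this guide:
#   audit_install /usr/local/bin /etc/daemoneye root daemoneye
```

On systemd hosts, systemd-analyze security daemoneye complements this by scoring the sandboxing directives in the unit file.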
macOS (launchd)
Create LaunchDaemon:
sudo tee /Library/LaunchDaemons/com.daemoneye.agent.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.daemoneye.agent</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/daemoneye-agent</string>
<string>--config</string>
<string>/Library/Application Support/DaemonEye/config.yaml</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>StandardOutPath</key>
<string>/var/log/daemoneye/agent.log</string>
<key>StandardErrorPath</key>
<string>/var/log/daemoneye/agent.error.log</string>
<key>UserName</key>
<string>daemoneye</string>
<key>GroupName</key>
<string>staff</string>
</dict>
</plist>
EOF
Load and Start Service:
# Load service
sudo launchctl load /Library/LaunchDaemons/com.daemoneye.agent.plist
# Check status
sudo launchctl list | grep daemoneye
Windows (Service)
Create Service:
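# Create service
# The executable path contains a space, so it is quoted inside the binary path;
# an unquoted service path lets Windows try C:\Program.exe first
New-Service -Name "DaemonEye Agent" -BinaryPathName '"C:\Program Files\DaemonEye\daemoneye-agent.exe" --config "C:\ProgramData\DaemonEye\config.yaml"' -DisplayName "DaemonEye Security Monitoring Agent" -StartupType Automatic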
# Start service
Start-Service "DaemonEye Agent"
# Check status
Get-Service "DaemonEye Agent"
Post-Installation Setup
Generate Initial Configuration
# Generate default configuration
daemoneye-cli config init --output /etc/daemoneye/config.yaml
# Or for user-specific configuration
daemoneye-cli config init --output ~/.config/daemoneye/config.yaml
Create Data Directories
# Linux/macOS
sudo mkdir -p /var/lib/daemoneye
sudo mkdir -p /var/log/daemoneye
sudo chown -R $USER:$USER /var/lib/daemoneye
sudo chown -R $USER:$USER /var/log/daemoneye
# Windows
mkdir "C:\ProgramData\DaemonEye\data"
mkdir "C:\ProgramData\DaemonEye\logs"
Set Up Basic Rules
# Create rules directory
mkdir -p /etc/daemoneye/rules
# Create a basic rule
cat > /etc/daemoneye/rules/suspicious-processes.sql << 'EOF'
-- Detect processes with suspicious names
SELECT
pid,
name,
executable_path,
command_line,
collection_time
FROM processes
WHERE
name IN ('malware.exe', 'backdoor.exe', 'trojan.exe')
OR name LIKE '%suspicious%'
OR executable_path LIKE '%temp%'
ORDER BY collection_time DESC;
EOF
# Validate the rule
daemoneye-cli rules validate /etc/daemoneye/rules/suspicious-processes.sql
Configure Alerting
# Enable syslog alerts
# (keys are quoted so the shell does not treat [0] and [1] as glob patterns)
daemoneye-cli config set 'alerting.sinks[0].enabled' true
daemoneye-cli config set 'alerting.sinks[0].type' syslog
daemoneye-cli config set 'alerting.sinks[0].facility' daemon
# Enable webhook alerts (if SIEM is available)
daemoneye-cli config set 'alerting.sinks[1].enabled' true
daemoneye-cli config set 'alerting.sinks[1].type' webhook
daemoneye-cli config set 'alerting.sinks[1].url' "https://your-siem.com/webhook"
daemoneye-cli config set 'alerting.sinks[1].headers.Authorization' "Bearer ${WEBHOOK_TOKEN}"
Verification
Check Installation
# Check binary versions
procmond --version
daemoneye-agent --version
daemoneye-cli --version
# Check service status
# Linux
sudo systemctl status daemoneye
# macOS
sudo launchctl list | grep daemoneye
# Windows
Get-Service "DaemonEye Agent"
Test Basic Functionality
# Check system health
daemoneye-cli health
# List recent processes
daemoneye-cli query "SELECT pid, name, executable_path FROM processes LIMIT 10"
# Check alerts
daemoneye-cli alerts list
# Test rule execution
daemoneye-cli rules test suspicious-processes
Performance Verification
# Check system metrics
daemoneye-cli metrics
# Monitor process collection
daemoneye-cli watch processes --filter "cpu_usage > 10.0"
# Check database status
daemoneye-cli database status
Troubleshooting
Common Installation Issues
Permission Denied:
# Check file permissions
ls -la /usr/local/bin/procmond
ls -la /usr/local/bin/daemoneye-agent
ls -la /usr/local/bin/daemoneye-cli
# Fix permissions
sudo chmod +x /usr/local/bin/procmond /usr/local/bin/daemoneye-agent /usr/local/bin/daemoneye-cli
Service Won't Start:
# Check service logs
# Linux
sudo journalctl -u daemoneye -f
# macOS
sudo log show --predicate 'process == "daemoneye-agent"' --last 1h
# Windows
Get-EventLog -LogName Application -Source "DaemonEye" -Newest 10
Configuration Errors:
# Validate configuration
daemoneye-cli config validate
# Check configuration syntax
daemoneye-cli config check
# Show effective configuration
daemoneye-cli config show --include-defaults
Database Issues:
# Check database status
daemoneye-cli database status
# Check database integrity
daemoneye-cli database integrity-check
# Repair database
daemoneye-cli database repair
Debug Mode
# Enable debug logging
daemoneye-cli config set app.log_level debug
# Restart service
# Linux
sudo systemctl restart daemoneye
# macOS
sudo launchctl unload /Library/LaunchDaemons/com.daemoneye.agent.plist
sudo launchctl load /Library/LaunchDaemons/com.daemoneye.agent.plist
# Windows
Restart-Service "DaemonEye Agent"
# Monitor debug logs
daemoneye-cli logs --level debug --tail 100
Performance Issues
High CPU Usage:
# Check process collection rate
daemoneye-cli metrics --metric collection_rate
# Reduce scan frequency (raise the scan interval)
daemoneye-cli config set app.scan_interval_ms 60000
# Check for problematic rules
daemoneye-cli rules list --performance
High Memory Usage:
# Check memory usage
daemoneye-cli metrics --metric memory_usage
# Reduce batch size
daemoneye-cli config set app.batch_size 500
# Check database size
daemoneye-cli database size
Slow Queries:
# Check query performance
daemoneye-cli database query-stats
# Optimize database
daemoneye-cli database optimize
# Check for slow rules
daemoneye-cli rules list --slow
Getting Help
- Documentation: Check the full documentation in docs/
- Logs: Review logs with daemoneye-cli logs
- Health Checks: Use daemoneye-cli health for system status
- Community: Join discussions on GitHub or community forums
- Support: Contact support for commercial assistance
This installation guide provides comprehensive instructions for installing DaemonEye across different platforms. For additional help, consult the troubleshooting section or contact support.