Overview
The LiteSOC Sentinel is an open-source, single-binary agent written in Go. It tails system log files, parses SSH authentication events using battle-tested regex patterns, and forwards them to the api.litesoc.io/collect endpoint in real-time. A 60-second heartbeat keeps your dashboard showing the server as Active.
< 20 MB RAM
Kernel-driven inotify — zero polling loops
SOC 2 Ready
Key stored in chmod 600 env file, never logged
60s Heartbeat
Dashboard shows real-time agent status
How It Works
Watch
Opens the configured log files (e.g. /var/log/auth.log) using inotify — no polling, no wasted CPU.
Parse
Each new line is matched against OpenSSH regex patterns to classify it as a login failure, success, or logout.
Forward
A structured JSON payload is POST-ed to api.litesoc.io/collect. The API key is sent in X-API-Key — never in the body.
Heartbeat
Every 60 seconds a lightweight ping is sent to api.litesoc.io/agent/heartbeat so the dashboard reflects the server's live status.
Requirements
| Requirement | Details |
|---|---|
| OS | Linux (amd64, arm64, armv7). macOS build available for local testing. |
| Init system | systemd (required for the installer — otherwise run the binary directly) |
| Privileges | Must install as root. The service runs as the dedicated litesoc user after install. |
| Tools | curl and tar must be present (standard on all distros) |
| Outbound network | HTTPS to api.litesoc.io:443 |
| Log files | /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/Fedora) |
One-Line Install
Run as root
/usr/local/bin, /etc/litesoc, and installs a systemd unit. Prefix with sudo bash if you are not already root.
Copy your Agent Key from the LiteSOC dashboard under Settings → API Keys, then run:
curl -sSL https://litesoc.io/install.sh | LITESOC_KEY=lsoc_live_your_key bash
The script will detect your architecture, download the correct binary, create the litesoc system user, write the systemd unit, and start the service automatically.
Pin to a specific version
curl -sSL https://litesoc.io/install.sh | \
LITESOC_KEY=lsoc_live_your_key \
LITESOC_AGENT_VERSION=v1.2.0 \
bash
Build from source
git clone https://github.com/litesoc/litesoc-agent.git
cd litesoc-agent
make build # builds bin/litesoc-agent for the host platform
make build-all # cross-compiles for linux/amd64, arm64, darwin
Configuration
The installer writes a default config to /etc/litesoc/config.yaml. Edit it to add more log files or change the heartbeat interval, then restart the service.
# /etc/litesoc/config.yaml
# Base URL for the LiteSOC API (no trailing slash)
api_endpoint: https://api.litesoc.io
# How often (seconds) the agent sends a heartbeat ping
heartbeat_interval: 60
# Log files to monitor
log_watchers:
  # Debian / Ubuntu
  - path: /var/log/auth.log
    type: sshd
  # Fedora / RHEL / CentOS — uncomment if applicable:
  # - path: /var/log/secure
  #   type: sshd

| Key | Type | Default | Description |
|---|---|---|---|
| api_endpoint | string | https://api.litesoc.io | LiteSOC ingestion API base URL |
| heartbeat_interval | int | 60 | Seconds between heartbeat pings |
| log_watchers[].path | string | — | Absolute path to a log file |
| log_watchers[].type | string | sshd | Parser type. Only "sshd" is currently supported |
API Key
/etc/litesoc/agent.env (chmod 600, root-only) via the systemd EnvironmentFile= directive.
Security Events
The agent maps sshd log patterns to LiteSOC standard events. All forwarded events include actor_ip, actor_identifier (username), and a metadata object with the port and reason.
| sshd Log Pattern | Event Name | Reason (metadata) |
|---|---|---|
| Failed password for … from IP port N | auth.login_failed | failed_password |
| Invalid user X from IP port N | auth.login_failed | invalid_user |
| Accepted publickey/password for … from IP port N | auth.login_success | — |
| Disconnected from [user] … IP port N | auth.logout | — |
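
The mapping in the table above, worked through as an added example that is not taken from the agent's source: the regular expressions, the Parse function and the sample log line are assumptions, while the event names, reasons and payload field names follow this page's table and example payload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Event uses the field names of the page's example payload.
type Event struct {
	Event    string            `json:"event"`
	UserIP   string            `json:"user_ip"`
	Actor    map[string]string `json:"actor"`
	Metadata map[string]string `json:"metadata"`
}

// Assumed patterns, not the agent's own. Usernames are untrusted input: head pins
// "sshd[pid]: " to the first bracket in the line, tail pins "from IP port N" to the end.
const head = `^[^\[]* sshd\[\d+\]: `
const tail = ` from (\S+) port (\d+)(?: ssh2.*)?$`

var rules = []struct {
	re            *regexp.Regexp
	event, reason string
}{
	{regexp.MustCompile(head + `Failed password for (?:invalid user )?(.*)` + tail), "auth.login_failed", "failed_password"},
	{regexp.MustCompile(head + `Invalid user (.*)` + tail), "auth.login_failed", "invalid_user"},
	{regexp.MustCompile(head + `Accepted (?:publickey|password) for (.*)` + tail), "auth.login_success", ""},
	{regexp.MustCompile(head + `Disconnected from (?:user (.*) )?(\S+) port (\d+)$`), "auth.logout", ""},
}

// Parse maps one log line to an Event, or returns nil when no rule matches.
func Parse(line, logFile string) *Event {
	for _, r := range rules {
		if m := r.re.FindStringSubmatch(line); m != nil {
			md := map[string]string{"source": "sshd", "log_file": logFile, "port": m[3]}
			if r.reason != "" {
				md["reason"] = r.reason
			}
			return &Event{r.event, m[2], map[string]string{"id": m[1]}, md}
		}
	}
	return nil
}

func main() { // the log line below is constructed for this example
	out, _ := json.Marshal(Parse("Jan  5 10:00:01 web1 sshd[1234]: Failed password for root from 203.0.113.42 port 22 ssh2", "/var/log/auth.log"))
	fmt.Println(string(out))
}
```

Because the username capture is greedy and the source address is taken from the end of the line, a username that itself contains "from … port …" ends up in actor.id and does not change user_ip.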
Example payload
{
  "event": "auth.login_failed",
  "user_ip": "203.0.113.42",
  "actor": { "id": "root" },
  "metadata": {
    "source": "sshd",
    "log_file": "/var/log/auth.log",
    "reason": "failed_password",
    "port": "22"
  }
}
Heartbeat & Dashboard Status
Every 60 seconds the agent sends a POST request to /agent/heartbeat. If the dashboard shows Inactive, the server has not sent a heartbeat within 2 × the configured interval.
// POST https://api.litesoc.io/agent/heartbeat
// Headers: X-API-Key: lsoc_live_...
{
  "agent_version": "1.0.0"
}
The heartbeat is also fired immediately on startup so the dashboard reflects the new agent within seconds, without waiting for the first 60-second tick.
Managing the Service
View live logs
journalctl -u litesoc-agent -f
Check status
systemctl status litesoc-agent
Restart after config change
systemctl restart litesoc-agent
Stop / disable
systemctl stop litesoc-agent
systemctl disable litesoc-agent
Update the API key
# Edit the key — file is root-only (chmod 600)
nano /etc/litesoc/agent.env
systemctl restart litesoc-agent
Uninstall
systemctl stop litesoc-agent
systemctl disable litesoc-agent
rm /etc/systemd/system/litesoc-agent.service
rm /usr/local/bin/litesoc-agent
rm -rf /etc/litesoc
userdel litesoc
systemctl daemon-reload
Troubleshooting
journalctl -u litesoc-agent -n 50 --no-pager
systemctl is-active litesoc-agent
curl -I https://api.litesoc.io/health
# Check which file exists on your system
ls -lh /var/log/auth.log /var/log/secure 2>/dev/null
# Replace key and restart
echo 'LITESOC_KEY=lsoc_live_newkey' > /etc/litesoc/agent.env
chmod 600 /etc/litesoc/agent.env
systemctl restart litesoc-agent
systemctl show litesoc-agent | grep -E 'MemoryCurrent|CPUUsage'