Back to Getting Started
Getting Started

Installing the LiteSOC Server Agent

Deploy the open-source LiteSOC Agent on your servers for real-time SSH log forwarding and infrastructure monitoring.

Last updated: 2026-04-11

Installing the LiteSOC Server Agent

The LiteSOC Agent is a lightweight, open-source Go binary that runs on your servers. It tails system authentication logs in real-time, parses SSH events, and forwards structured security events to LiteSOC. It also sends heartbeats so you can monitor server health from your dashboard.

What the Agent Does

  • Real-time SSH log parsing — detects auth.login_failed, auth.login_success, and auth.logout events from OpenSSH logs
  • Heartbeat monitoring — sends a health check every 60 seconds with hostname, OS, CPU, and RAM metrics
  • Zero dependencies — single static binary, no interpreter or runtime needed
  • Log rotation safe — handles logrotate via inotify/kqueue with no missed events

Prerequisites

  • Linux (Debian, Ubuntu, RHEL, Fedora, CentOS, Amazon Linux, Alpine) or macOS
  • curl and tar installed
  • A LiteSOC API key from Settings → API Keys
  • systemd (optional, for service management)

One-Line Install (Recommended)

Run this command on your server:

curl -sSL https://litesoc.io/install.sh | LITESOC_KEY=lsoc_live_your_key bash

The installer will:

  1. Detect your OS and architecture
  2. Download the pre-built binary from GitHub Releases
  3. Write the config file to /etc/litesoc/config.yaml
  4. Store your API key securely in /etc/litesoc/agent.env (mode 0600)
  5. Install and enable a systemd service

You can also copy the install command directly from your Infrastructure Dashboard — it pre-fills your API key and project ID.

Configuration

The config file lives at /etc/litesoc/config.yaml:

api_endpoint: https://api.litesoc.io
heartbeat_interval: 60   # seconds
log_watchers:
  - path: /var/log/auth.log    # Debian/Ubuntu
    type: sshd
  # - path: /var/log/secure    # RHEL/Fedora/CentOS
  #   type: sshd
FieldDefaultDescription
api_endpointhttps://api.litesoc.ioLiteSOC ingestion URL
heartbeat_interval60Heartbeat frequency in seconds
log_watchers[].pathAbsolute path to the log file
log_watchers[].typeParser type (currently sshd)

Security: The API key is never stored in the config file — it is read from the LITESOC_KEY environment variable.

Supported Architectures

OSArchitectures
Linuxamd64, arm64, arm
macOSamd64 (Intel), arm64 (Apple Silicon)

Events Emitted

EventTriggerData
auth.login_failedFailed password or invalid useractor, source IP, port, reason
auth.login_successAccepted password/publickeyactor, source IP, port
auth.logoutDisconnected fromactor, source IP, port

Managing the Service

# Check status
sudo systemctl status litesoc-agent

# View logs
sudo journalctl -u litesoc-agent -f

# Restart after config change
sudo systemctl restart litesoc-agent

Building from Source

git clone https://github.com/litesoc/litesoc-agent.git
cd litesoc-agent
make build        # → bin/litesoc-agent
make build-all    # cross-compile all targets

Run manually:

export LITESOC_KEY=lsoc_live_your_key
./bin/litesoc-agent /etc/litesoc/config.yaml

Verifying the Installation

After installing, check your Infrastructure Dashboard at litesoc.io/dashboard/infrastructure. Your server should appear within 60 seconds with a green "Online" badge.

Next Steps

Need help? Contact our support team or check our API documentation.

Related Articles

Installing the LiteSOC Node.js SDK

Learn how to install and configure the LiteSOC Node.js SDK in your application.

Sending Your First Security Event

A step-by-step guide to tracking your first authentication event with LiteSOC.

Was this article helpful? Need more assistance?

Contact Support →API Documentation →