Sandfly Security Documentation

Welcome to the Sandfly Security documentation hub. Sandfly is an agentless compromise and intrusion detection system for Linux.

Sandfly automates security investigation and forensic evidence collection on Linux. Sandfly constantly searches for intruders 24 hours a day on your network without needing to load any agents on your endpoints.

Installation Requirements

Sandfly uses a server to host the user interface and database. Scanning nodes make the actual connections to remote systems and hunt for intruders on your network.

In order to get the best performance, we recommend the following.

Server Requirements

The server runs Docker containers that provide a web interface and an Elasticsearch database. Elasticsearch performs best with plenty of RAM and CPU.

The server containers have been tested on Ubuntu 16, Ubuntu 18, and CentOS 7. Other Linux distributions may work, but in all cases you must run the latest version of Docker. Old Docker versions are not compatible with Sandfly and will fail.

We recommend you have a system with at least 8GB of RAM and two or more CPUs dedicated to it. More RAM is better and an SSD drive is recommended for best performance.

If you are monitoring a very large number of hosts you will need to scale this figure up appropriately.

An underpowered server will have database timeout issues. If the user interface takes a long time to load data, the server has too few resources and you need to add RAM and CPU.

Latest Version of Docker Required

Regardless of which Linux distribution you use to run the server and nodes, they must be running the latest version of Docker. Some Linux distributions ship very old versions of Docker in their package repositories. Use the Sandfly Docker install scripts to be sure you are running the latest version of Docker and not an out-of-date one.
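The following preflight script is an added example, not part of the Sandfly documentation or its install scripts. It checks a candidate server host against the figures above (8 GB of RAM, two or more CPUs, Docker installed) and reports each result. The page only says Docker must be the "latest" version and names no specific floor, so the MIN_DOCKER_VERSION value below is an assumed placeholder you should set to the current Docker release; the version comparison itself is generic.

```shell
#!/bin/sh
# Preflight check for a Sandfly server host (added example, not Sandfly's own code).
# RAM and CPU thresholds are the figures from the documentation.
# MIN_DOCKER_VERSION is an ASSUMED placeholder: the docs require the latest
# Docker but state no number, so set this to the current release.

MIN_RAM_KB=$((8 * 1024 * 1024))
MIN_CPUS=2
MIN_DOCKER_VERSION="${MIN_DOCKER_VERSION:-20.10.0}"

# version_ge A B: succeed if dotted version A is >= B.
# Compares three numeric components; a leading "v" and suffixes like "-ce" are stripped,
# and missing components count as 0 (so "20.10" equals "20.10.0").
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//').0.0
    b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# check_host MEM_KB NCPU DOCKER_VERSION
# Prints one line per requirement; returns the number of failed checks (0 = ready).
# An empty DOCKER_VERSION means Docker is not installed.
check_host() {
    fails=0
    if [ "$1" -ge "$MIN_RAM_KB" ]; then
        echo "ok   RAM: $(($1 / 1024)) MB"
    else
        echo "FAIL RAM: $(($1 / 1024)) MB (need $((MIN_RAM_KB / 1024)) MB)"; fails=$((fails + 1))
    fi
    if [ "$2" -ge "$MIN_CPUS" ]; then
        echo "ok   CPUs: $2"
    else
        echo "FAIL CPUs: $2 (need $MIN_CPUS)"; fails=$((fails + 1))
    fi
    if [ -z "$3" ]; then
        echo "FAIL Docker: not installed (use the Sandfly Docker install scripts)"; fails=$((fails + 1))
    elif version_ge "$3" "$MIN_DOCKER_VERSION"; then
        echo "ok   Docker: $3"
    else
        echo "FAIL Docker: $3 is older than $MIN_DOCKER_VERSION (use the Sandfly Docker install scripts)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Gather the live values from this host and run the check.
main() {
    mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
    cpus=$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null)
    dver=""
    if command -v docker >/dev/null 2>&1; then
        # Prefer the daemon's version; fall back to the client banner if the daemon is down.
        dver=$(docker version --format '{{.Server.Version}}' 2>/dev/null \
               || docker --version | sed 's/^Docker version //; s/,.*//')
    fi
    check_host "${mem:-0}" "${cpus:-0}" "$dver"
}

# Run against the live host when executed as a script; when sourced into a shell
# for its functions, only define them.
case "$0" in
    sh|*/sh|bash|*/bash|dash|*/dash) ;;
    *) main "$@" || echo "host does not meet the Sandfly server requirements" ;;
esac
```

Save it as preflight.sh and run it with `sh preflight.sh` on the intended server host; every line marked FAIL is something to fix before installing. The check deliberately reads the daemon version rather than the client banner, since the containers run under the daemon.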

Node Requirements

The scanning nodes are Docker containers that are multi-threaded. You can run multiple node containers on a single system instance.

The node containers have been tested on Ubuntu 16, Ubuntu 18 and CentOS 7 running Docker. Other Linux distributions may work, but in all cases you must run the latest version of Docker.

For best performance we recommend your system instances have at least 2GB of RAM.

Under the above configuration you can run 4 scanning node containers. Each scanning node container has 500 threads running. Therefore, running 4 node containers will give you 2000 scanning threads available to monitor hosts on your enterprise.

You can add more RAM to run more scanning node containers, or start a second virtual machine instance and run nodes there for redundancy in case one instance is taken offline for any reason.

The nodes connect back to the server over AMQP, the messaging protocol used by RabbitMQ. This is a high performance messaging system that handles connection and load management automatically. As long as the node containers can reach the server, they will organize themselves correctly regardless of where they are running.
