Back to all articles
Announcement

Introducing the LiteSOC Server Agent, Real-Time SSH Monitoring in One Line

Stream SSH security events from your servers to LiteSOC in real-time. Zero polling, zero dependencies, just one curl command to install.

Amirol AhmadAmirol Ahmad
April 12, 2026
4 min read
Share on X
Introducing the LiteSOC Server Agent, Real-Time SSH Monitoring in One Line

Until today, LiteSOC monitored your application layer, login attempts, MFA changes, admin actions flowing through your SDKs and integrations. But there's been a blind spot: the servers themselves.

SSH brute-force attacks, unauthorized logins, and suspicious session activity all happen at the OS level, below your application code. If someone is hammering your server with failed SSH attempts at 3 AM, your app-layer monitoring won't catch it.

Today we're closing that gap.

Meet litesoc-agent

The LiteSOC Server Agent is a lightweight, open-source Go binary that runs as a background service on your Linux or macOS servers. It tails your system authentication logs in real-time and streams structured security events directly to LiteSOC with zero polling overhead.

No runtime dependencies. No interpreters. No sidecars. Just a single static binary.

⚡ One-Line Install

Get up and running in seconds:

curl -sSL https://litesoc.io/install.sh | LITESOC_KEY=lsoc_live_xxx bash

The installer automatically:

  1. Detects your OS and architecture
  2. Downloads the correct pre-built binary
  3. Writes /etc/litesoc/config.yaml
  4. Stores your API key securely in /etc/litesoc/agent.env (mode 0600)
  5. Installs and enables a systemd service

That's it. Events start flowing within seconds.

🔍 What It Detects

The agent parses OpenSSH log entries and emits three event types that map directly to LiteSOC's standard event taxonomy:

EventTrigger
auth.login_failedFailed SSH login attempt
auth.login_successSuccessful SSH authentication
auth.logoutSSH session disconnected

Every event includes rich metadata username, client IP (IPv4 and IPv6), SSH port, and authentication method giving LiteSOC's Behavioral AI the full context it needs to detect impossible travel, geo-anomalies, and brute-force patterns across your infrastructure.

💓 Heartbeat Monitoring

The agent pings LiteSOC every 60 seconds with its hostname, IP address, version, and recent activity. If an agent goes silent maybe the server crashed, or someone killed the process your dashboard flags it immediately.

No more "we didn't realize the server was down for 6 hours."

🔄 Built for Production

We designed the agent for environments where reliability is non-negotiable:

  • Log-rotation aware: Handles logrotate via inotify/kqueue ReOpen. Zero missed events after rotation.
  • Systemd integration: Ships with a service unit that auto-restarts on failure.
  • Multi-architecture: Pre-built binaries for linux/amd64, linux/arm64, linux/arm, darwin/amd64, and darwin/arm64.
  • 100% test coverage: Every function tested, race-condition verified.

🛡️ Security by Design

Your API key is never stored in the config file. It lives exclusively in /etc/litesoc/agent.env with 0600 permissions, read only by the agent process via the LITESOC_KEY environment variable.

The config itself is minimal and transparent:

# /etc/litesoc/config.yaml
api_endpoint: https://api.litesoc.io
heartbeat_interval: 60

log_watchers:
  - path: /var/log/auth.log
    type: sshd

The agent supports all major Linux distributions out of the box:

DistributionLog Path
Debian / Ubuntu/var/log/auth.log
RHEL / CentOS / Fedora / Amazon Linux/var/log/secure
Alpine/var/log/messages

The Full Picture

With the server agent, LiteSOC now monitors security across your entire stack:

  • Application layer: SDK events from your Next.js, Node, Python, or PHP backend
  • Auth provider layer: Native integrations with Supabase, Auth0, and n8n
  • Infrastructure layer: Real-time SSH monitoring via litesoc-agent

All events feed into the same Behavioral AI engine. An auth.login_success from your app and an auth.login_success from SSH are correlated together giving you a unified forensic timeline across every surface.

Get Started

Install the agent on your first server in under 30 seconds:

curl -sSL https://litesoc.io/install.sh | LITESOC_KEY=lsoc_live_xxx bash

Then check your LiteSOC dashboard you'll see events streaming in real-time.

The agent is fully open-source. Browse the code, file issues, or contribute on GitHub.

Read the full docs →

Stay Updated

Get the latest security insights and product updates delivered to your inbox. No spam, unsubscribe anytime.

Back to all articles