
Collector Installation

The KYRA Collector is a lightweight agent that runs inside your network. It collects, normalizes, and securely forwards security telemetry to the KYRA MDR platform.

Requirements:

  • Outbound HTTPS (port 443) to *.seekerslab.com
  • 1 vCPU, 512 MB RAM minimum
  • 1 GB disk space for log buffering

Linux Installation

curl -sSL https://install.kyra.ai/collector | sudo bash

The install script will:

  1. Detect your Linux distribution (Ubuntu, Debian, RHEL, CentOS, Amazon Linux)
  2. Download the latest collector binary
  3. Create the kyra-collector systemd service
  4. Generate a unique collector ID and register with your tenant
  5. Start the service and begin listening on syslog port 514

Manual Installation

If you prefer to install manually or operate in an air-gapped environment:

# Download the binary
wget https://releases.seekerslab.com/collector/latest/kyra-collector-linux-amd64.tar.gz
# Create the install directory and extract into it
sudo mkdir -p /opt/kyra
sudo tar -xzf kyra-collector-linux-amd64.tar.gz -C /opt/kyra/
# Copy the systemd unit file
sudo cp /opt/kyra/kyra-collector.service /etc/systemd/system/
# Edit the configuration
sudo vi /opt/kyra/config.yaml

Configuration File

The configuration file is located at /opt/kyra/config.yaml:

# KYRA Collector Configuration
tenant_id: "your-tenant-id" # Found in Console > Settings > Organization
api_key: "your-collector-api-key" # Generated in Console > Settings > Collectors
platform_url: "https://ingest.seekerslab.com"
# Syslog listener
syslog:
  enabled: true
  udp_port: 514
  tcp_port: 514
# Windows Event Log (Linux: disabled)
windows_events:
  enabled: false
# Log buffering
buffer:
  path: /var/lib/kyra/buffer
  max_size_mb: 500
# TLS settings
tls:
  verify: true
  ca_cert: /opt/kyra/certs/ca.pem
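
A quick audit of the settings above, as an added example that is not part of the KYRA documentation or tooling. It flags a config file readable by group or others (the file holds api_key), a placeholder api_key, a non-HTTPS platform_url, and tls.verify set to false. The function name audit_config and the awk-based reading of the key layout shown above are assumptions.

```sh
#!/bin/sh
# Added example (not KYRA tooling): audit a collector config.yaml.
# Assumes the key layout shown above; audit_config is a hypothetical helper.
# Prints one finding per line and returns the number of findings.

audit_config() {
    cfg=$1
    findings=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 255; }

    # The file holds api_key, so group and others should have no access.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case $mode in
        *00) ;;
        *) echo "mode $mode: run chmod 600 $cfg"; findings=$((findings + 1)) ;;
    esac

    # Never print the key itself; only detect the documentation placeholder.
    key=$(awk '$1 == "api_key:" { gsub(/"/, "", $2); print $2; exit }' "$cfg")
    if [ "$key" = "your-collector-api-key" ]; then
        echo "api_key is still the placeholder value"
        findings=$((findings + 1))
    fi

    # Telemetry and the API key must travel over TLS.
    url=$(awk '$1 == "platform_url:" { gsub(/"/, "", $2); print $2; exit }' "$cfg")
    case $url in
        https://*) ;;
        *) echo "platform_url is missing or not https"; findings=$((findings + 1)) ;;
    esac

    # Track the current top-level section so only tls.verify is inspected.
    verify=$(awk '/^[^ #]/ { section = $1 }
        section == "tls:" && $1 == "verify:" { print $2 }' "$cfg")
    case $verify in
        false|False|FALSE|no|off)
            echo "tls.verify is disabled"; findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Usage: sh audit.sh /opt/kyra/config.yaml
if [ "$#" -gt 0 ]; then
    audit_config "$1"
    exit $?
fi
```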

Start the Service

sudo systemctl daemon-reload
sudo systemctl enable kyra-collector
sudo systemctl start kyra-collector

Windows Installation

PowerShell Installer

Run PowerShell as Administrator:

# Download and run the installer
Invoke-WebRequest -Uri "https://install.kyra.ai/collector/windows" -OutFile "$env:TEMP\kyra-collector-setup.msi"
# Quote the MSI path so a TEMP directory containing spaces is passed as one argument
Start-Process msiexec.exe -ArgumentList "/i `"$env:TEMP\kyra-collector-setup.msi`" /quiet" -Wait

Manual Installation

  1. Download the MSI installer from the Console Downloads page
  2. Run the installer — it will prompt for your Tenant ID and API Key
  3. The installer creates a Windows service named KYRA Collector

Windows Configuration

The configuration file is located at C:\Program Files\KYRA\Collector\config.yaml:

tenant_id: "your-tenant-id"
api_key: "your-collector-api-key"
platform_url: "https://ingest.seekerslab.com"
syslog:
  enabled: true
  udp_port: 514
  tcp_port: 514
windows_events:
  enabled: true
  channels:
    - Security
    - System
    - Application
    - Microsoft-Windows-Sysmon/Operational
buffer:
  path: "C:\\ProgramData\\KYRA\\buffer"
  max_size_mb: 500

Manage the Service

# Check status
Get-Service "KYRA Collector"
# Restart
Restart-Service "KYRA Collector"
# View logs
Get-Content "C:\ProgramData\KYRA\logs\collector.log" -Tail 50

Docker Installation

Docker Run

docker run -d \
  --name kyra-collector \
  --restart unless-stopped \
  -p 514:514/udp \
  -p 514:514/tcp \
  -e KYRA_TENANT_ID="your-tenant-id" \
  -e KYRA_API_KEY="your-collector-api-key" \
  -v kyra-buffer:/var/lib/kyra/buffer \
  kyra/collector:latest

Docker Compose

version: "3.8"
services:
  kyra-collector:
    image: kyra/collector:latest
    container_name: kyra-collector
    restart: unless-stopped
    ports:
      - "514:514/udp"
      - "514:514/tcp"
    environment:
      - KYRA_TENANT_ID=your-tenant-id
      - KYRA_API_KEY=your-collector-api-key
      - KYRA_PLATFORM_URL=https://ingest.seekerslab.com
    volumes:
      - kyra-buffer:/var/lib/kyra/buffer
volumes:
  kyra-buffer:

Verify Connection

After installation, verify the collector is connected:

1. Check Local Status

# Linux
sudo systemctl status kyra-collector
sudo journalctl -u kyra-collector --since "5 minutes ago"
# Docker
docker logs kyra-collector --tail 20

Look for:

INFO Connected to KYRA platform (ingest.seekerslab.com)
INFO Collector registered: collector-id=abc123
INFO Syslog listener started on :514

2. Check in Console

  1. Open the KYRA MDR Console
  2. Go to Settings > Collectors
  3. Your collector should appear with a green Connected status
  4. The Last Seen timestamp should be within the last minute

3. Send a Test Event

# Send a test syslog message to the collector
logger -n 127.0.0.1 -P 514 "KYRA-TEST: Collector installation verified"

Check Log Search in the Console — the test message should appear within seconds.
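
Step 1 can be scripted as a post-install gate. The following is an added example, not part of the KYRA documentation or tooling: it reads collector log output on stdin and checks for the three lines listed under "Look for". The function name check_startup is hypothetical, the marker strings are copied from the expected output above, and the sample log is constructed.

```sh
#!/bin/sh
# Added example (not KYRA tooling): check collector startup output.
# Reads log text on stdin. On success prints the collector ID and returns 0;
# otherwise reports each missing marker on stderr and returns their count.

check_startup() {
    log=$(cat)
    missing=0
    for marker in \
        "Connected to KYRA platform" \
        "Collector registered: collector-id=" \
        "Syslog listener started on :514"
    do
        if ! printf '%s\n' "$log" | grep -qF -- "$marker"; then
            echo "missing: $marker" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ] || return "$missing"
    # Print the ID from the most recent registration line.
    printf '%s\n' "$log" | sed -n 's/.*collector-id=\([^ ]*\).*/\1/p' | tail -n 1
}

# Constructed sample, same shape as the expected output shown above.
sample_ok='INFO Connected to KYRA platform (ingest.seekerslab.com)
INFO Collector registered: collector-id=abc123
INFO Syslog listener started on :514'

# Typical use on a live host:
#   journalctl -u kyra-collector --since "5 minutes ago" | check_startup
#   docker logs kyra-collector --tail 20 2>&1 | check_startup
```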


Troubleshooting

Collector Not Starting

Symptom                  | Cause                          | Fix
Permission denied        | Not running as root            | Run with sudo
Port 514 already in use  | Another syslog daemon running  | Stop rsyslog: sudo systemctl stop rsyslog
Connection refused       | Firewall blocking outbound     | Allow outbound HTTPS (443) to *.seekerslab.com

Collector Not Appearing in Console

  1. Check API key: Verify api_key in config.yaml matches the key in Console > Settings > Collectors
  2. Check network: curl -I https://ingest.seekerslab.com/health should return 200
  3. Check logs: journalctl -u kyra-collector -f for error messages
  4. Check DNS: Ensure ingest.seekerslab.com resolves correctly

Events Not Appearing

  1. Check source: Is the device actually sending syslog? Run tcpdump -i any port 514 on the collector host
  2. Check buffer: If the buffer is full, the collector will stop accepting events. Check disk space at /var/lib/kyra/buffer
  3. Check rate limits: FREE tier is limited to 50 EPS. Upgrade if you exceed this

Proxy Configuration

If your network requires an HTTP proxy:

# Add to config.yaml
proxy:
  http: "http://proxy.example.com:8080"
  https: "http://proxy.example.com:8080"
  no_proxy: "localhost,127.0.0.1"

Updating the Collector

Linux

# The collector auto-updates by default. To update manually:
curl -sSL https://install.kyra.ai/collector | sudo bash

Docker

docker pull kyra/collector:latest
docker stop kyra-collector && docker rm kyra-collector
# Re-run your docker run command

Uninstalling

Linux

sudo systemctl stop kyra-collector
sudo systemctl disable kyra-collector
sudo rm /etc/systemd/system/kyra-collector.service
sudo rm -rf /opt/kyra/
sudo rm -rf /var/lib/kyra/

Windows

# Via PowerShell (Admin)
Start-Process msiexec.exe -ArgumentList "/x {KYRA-COLLECTOR-PRODUCT-CODE} /quiet" -Wait

Or use Add/Remove Programs in Windows Settings.

Docker

docker stop kyra-collector && docker rm kyra-collector
docker volume rm kyra-buffer