Overview
The Ravenxcope Sensor is a single Go binary (ravenxcope-sensor) that runs on every sensor host. It is the only RavenXcope component that executes directly on sensor machines.
It supersedes two older components that used to be deployed separately:
- `ravenxcope-sensor-agent` — the old enrollment + heartbeat agent.
- the client mode of `ravenxcope-sensor-suricata` — the old eve.json relay.
Both are now folded into this one binary.
Responsibilities
- Enrollment & PKI — Redeems a one-time claim code, enrolls with the Defense Center backend, and obtains an mTLS client certificate. See Enrollment & PKI.
- Suricata supervision — Launches and manages a local Suricata instance through a pluggable launcher (Docker or systemd). See Suricata Supervision.
- Alert relay — Reads Suricata `eve.json` from a unix socket, de-duplicates/queues events, and streams them over gRPC to the data collector. See Data Collector and the Data Plane scenario.
- Heartbeat — Periodically reports host metrics (CPU, memory, interfaces) to the backend. See Heartbeat & Configuration.
- Control — Maintains a NATS connection to receive backend commands (start/stop Suricata) and publish status. NATS carries control traffic only — never alert data.
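The alert-relay path above, as an added Go sketch that is not the sensor's own `internal/suricata` code: it parses newline-delimited eve.json, keeps only `alert` records, de-duplicates them on the parsed (timestamp, flow_id, signature_id) tuple, and bounds the queue so a stalled gRPC stream produces backpressure rather than unbounded memory growth. The `Relay` type, the choice of dedup key, and the sample lines are assumptions constructed here; the JSON field names are Suricata's.

```go
package main

import "encoding/json"

// eveAlert is the subset of a Suricata eve.json record the relay keys on; field names are Suricata's, de-duplicating on exactly this tuple is an assumption.
type eveAlert struct {
	Timestamp string `json:"timestamp"`
	EventType string `json:"event_type"`
	FlowID    uint64 `json:"flow_id"`
	Alert     struct {
		SignatureID int `json:"signature_id"`
	} `json:"alert"`
}

// Relay is a bounded, de-duplicating FIFO of alerts awaiting the gRPC stream (hypothetical type).
type Relay struct {
	seen  map[eveAlert]bool
	Queue []eveAlert
	Limit int
}

// Offer parses one eve.json line and reports its fate: "queued", "dup", "skip" (not an alert), "full" (backpressure) or "bad" (malformed).
func (r *Relay) Offer(line string) string {
	var a eveAlert
	if err := json.Unmarshal([]byte(line), &a); err != nil {
		return "bad" // a truncated or malformed line must never take the daemon down
	}
	if a.EventType != "alert" {
		return "skip" // flow, dns, stats records are not relayed
	}
	if r.seen[a] {
		return "dup" // same flow, signature and timestamp already queued
	}
	if len(r.Queue) >= r.Limit {
		return "full" // caller logs and retries later instead of exiting
	}
	if r.seen == nil {
		r.seen = map[eveAlert]bool{}
	}
	r.seen[a] = true
	r.Queue = append(r.Queue, a)
	return "queued"
}

// SampleEve is constructed input: an alert, its exact duplicate, a flow record, and a line cut off mid-object as a partial socket read can produce.
var SampleEve = []string{
	`{"timestamp":"2024-01-01T00:00:00.000000+0000","flow_id":1,"event_type":"alert","alert":{"signature_id":2100498}}`,
	`{"timestamp":"2024-01-01T00:00:00.000000+0000","flow_id":1,"event_type":"alert","alert":{"signature_id":2100498}}`,
	`{"timestamp":"2024-01-01T00:00:01.000000+0000","flow_id":1,"event_type":"flow"}`,
	`{"timestamp":"2024-01-01T00:00:02.000000+0000","flow_id":2,"event_type":"alert","alert":{"sig`,
}
```

Feeding `SampleEve` through `Offer` in order yields queued, dup, skip, bad, leaving a single record in the queue; a `Relay` with `Limit: 0` answers "full" for the first alert.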
Place in the architecture
Internal package map
| Package | Responsibility |
|---|---|
| cmd/{enroll,run}.go | CLI entrypoints: one-time enroll, long-running run (daemon). |
| internal/enrollment | Claim-code redeem + agent enroll HTTP client; CSR submission. |
| internal/pki | Key generation, CSR, mTLS certificate storage. |
| internal/suricata | socket_reader, parser, queue — read and de-duplicate eve.json. |
| internal/transport | gRPC StreamManager (mTLS or insecure) to the data collector. |
| internal/launcher | Detect() + Docker/systemd launchers that run Suricata locally. |
| internal/supervisor | Applies NATS commands to the launcher; reports status. |
| internal/control | NATS client (commands in, status out). |
| internal/heartbeat | CPU/memory/interface sampling via gopsutil. |
| internal/config | Env/flag configuration with file-over-env precedence. |
Key design principles
- Single binary, two modes — `enroll` runs once to onboard; `run` is the long-lived daemon.
- Claim-code onboarding only — `enroll --code RXC-XXXX-YYYY-ZZZZ` is the only supported entrypoint. Direct install-token configuration is intentionally unsupported.
- mTLS for data — alert streaming uses a client certificate issued during enrollment.
- Launcher auto-detection — adapts to the host without manual wiring (see Suricata Supervision).
- Resilient loops — failed heartbeats and transient stream errors are logged and retried, not fatal.