Install Linux Agent on a GCE Host

You can install the Lacework agent on a Google Compute Engine (GCE) host instance to monitor workloads. The workload portion provides process-aware threat and intrusion detection for your GCE environment and notifies you of any events through your chosen method.

Additionally, installing a Lacework agent requires obtaining or creating the installer script and access tokens. For more information, see Create Agent Access Token and Download Linux Agent Installer.

Unless you are installing the agent on a Container-Optimized OS (COS) instance, use your preferred deployment method detailed in Install the Linux Agent. For Container-Optimized OS instances, perform the following steps.

Install the Agent on the GCE Container-Optimized OS (COS) Instance

Install the datacollector on the host by running the script.

  1. Open a terminal on your host as a user with sudo privileges.

  2. Download the script onto your host by using the following command. You may specify a different location for your script to download. If you choose to do so, ensure that you update the path in Step 3.

    curl -o /tmp/

  3. Run the following command to install the Lacework agent:

    sudo sh /tmp/

    If you need to use a different endpoint than the default endpoint, specify the URL of the endpoint, as shown:

    sh /tmp/ -U API_SERVER_URL

  4. Verify the output of the command:

    Check connectivity to Lacework server
    Check Go Daddy root certificate
    Installing on cos (85)
    Using access token : 185e01a1f2c3df9f370568c5f137de ...
    Using server url :
    Writing configuration file
    + sh -c 'mkdir -p /var/lib/lacework/config'
    + sh -c Writing config.json in /var/lib/lacework/config
    + curl -fsSL
    Remounting /var/lib/lacework/ with exec permissions to start lacework agent.
    + mount -B /var/lib/lacework/ /var/lib/lacework/
    + mount -o remount,exec /var/lib/lacework/
    + systemctl stop datacollector.service
    + systemctl daemon-reload
    + systemctl enable datacollector.service
    Created symlink /etc/systemd/system/ → /etc/systemd/system/datacollector.service.
    + systemctl start datacollector.service
    Lacework successfully installed

  5. Once the agent is installed, verify that the Docker container is created successfully and has a Status of "Up" with the following command:

    docker ps

    A successful installation displays an output similar to the following:

    CONTAINER ID   IMAGE                           COMMAND                    CREATED              STATUS              PORTS     NAMES
    4c7e22aeacfa   lacework/datacollector:latest   "/var/lib/backup/dat..."   About a minute ago   Up About a minute             datacollector

  6. Configure the instance to remount the /var/lib/lacework directory as an executable path. By default, COS mounts /var as noexec on boot. COS uses cloud-init for configuration operations and reads the user-data value out of the instance metadata as a cloud-config. Add the following metadata to the user-data key for the instance if no value is present or add the two mount statements to an existing cloud-config if present:

    #cloud-config
    mounts:
    - [/var/lib/lacework, /var/lib/lacework, "none", "bind", "0", "0"]
    - [/var/lib/lacework, /var/lib/lacework, "auto", "remount,exec,nosuid,nodev", "0", "1"]

  7. To validate, run the mount | grep lacework command on the host to ensure that the filesystem is mounted correctly after a reboot. You should see output similar to:

    /dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,relatime,commit=30)
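
A scripted version of the step 7 check, as an added example that is not part of the Lacework documentation or installer: it reads mount output and confirms that /var/lib/lacework is its own mount, is no longer noexec, and still carries the nosuid and nodev options from step 6. The function name check_exec_mount and the two sample tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_exec_mount MOUNTPOINT   (reads `mount`-style lines on stdin)
# Returns 0 if MOUNTPOINT is mounted exec with nosuid and nodev,
#         1 if it is noexec or lacks nosuid/nodev,
#         2 if MOUNTPOINT is not a separate mount at all.
# On the host: mount | check_exec_mount /var/lib/lacework
check_exec_mount() {
    mp=$1
    # A path can appear more than once (bind mount, then remount);
    # the last line for the path is the mount currently in effect.
    opts=$(awk -v mp="$mp" '$2 == "on" && $3 == mp { o = $6 } END { print o }')
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount, so it inherits noexec from /var"
        return 2
    fi
    opts=${opts#\(}; opts=${opts%\)}      # strip the surrounding parentheses
    rc=0
    case ",$opts," in
        *,noexec,*) echo "$mp: still noexec, the agent cannot be executed"; rc=1 ;;
    esac
    # Step 6 deliberately keeps these restrictions on the exec remount.
    for want in nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing $want"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "$mp: ok ($opts)"; fi
    return "$rc"
}

# Constructed sample: state after the step 6 cloud-config has been applied.
SAMPLE_GOOD='/dev/sda1 on /var type ext4 (rw,nosuid,nodev,noexec,relatime,commit=30)
/dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,relatime,commit=30)'

# Constructed sample: bind mount exists but the exec remount did not happen.
SAMPLE_NOEXEC='/dev/sda1 on /var/lib/lacework type ext4 (rw,nosuid,nodev,noexec,relatime,commit=30)'

# Demo on the constructed "good" sample.
printf '%s\n' "$SAMPLE_GOOD" | check_exec_mount /var/lib/lacework
```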