Advanced Setup
Enhance Panguard's detection capabilities with optional external tools. All tools are optional -- Panguard works fully without them.
Graceful Degradation Architecture
Panguard's AI analysis follows a three-tier degradation strategy: Cloud AI (Claude/OpenAI) > Local LLM (Ollama) > Rule Engine (Sigma + YARA). Each tier is independent. Even with all external tools offline, 3,155 Sigma rules and 5,895 YARA rules still provide full protection.
Ollama -- Local AI Analysis
Install Ollama to run AI threat analysis locally without cloud APIs. Ideal for air-gapped environments or data privacy requirements.
```bash
# Install Ollama
curl -fsSL https://ollama.ai/install.sh | sh

# Pull a model
ollama pull llama3

# Verify it's running
curl http://localhost:11434/api/tags
```
Panguard auto-detects Ollama (default http://localhost:11434). No additional configuration needed after install.
Falco -- eBPF Kernel Monitoring
Falco provides Linux kernel-level syscall monitoring. Once installed, Guard automatically integrates and reads Falco's JSON alerts. Ideal for deep behavioral detection.
```bash
# Ubuntu/Debian: import the Falco signing key
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg

# Register the Falco apt repository signed by that key (apt cannot find the package without it)
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | sudo tee /etc/apt/sources.list.d/falcosecurity.list

sudo apt update && sudo apt install -y falco

# Start Falco
# Guard reads JSON alert files under /var/log/falco/; if your Falco only logs to
# syslog/stdout, enable json_output and file_output in /etc/falco/falco.yaml first.
sudo systemctl enable falco && sudo systemctl start falco
```
Linux only. Falco requires root. Guard auto-detects alert files under /var/log/falco/.
Suricata -- Network Traffic Analysis
Suricata is a network-layer IDS/IPS that provides advanced network traffic analysis. Once installed, Guard automatically reads Suricata's eve.json.
```bash
# Ubuntu/Debian
sudo apt install -y suricata

# Start Suricata
sudo systemctl enable suricata && sudo systemctl start suricata
```
Linux only. Suricata requires root. Guard auto-detects /var/log/suricata/eve.json.
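The two sections above describe Guard consuming Falco's JSON alerts and Suricata's eve.json. The following is an added example, not Panguard's own code, showing the kind of reader that work requires: both files are JSON-lines, Suricata's mixes many event types of which only `event_type: "alert"` is a detection, and a reader that tails a live file must tolerate a half-written final line. The field names are Falco's JSON output format and Suricata's EVE alert format; the `Alert` record, the severity mapping, the helper names and the sample lines are assumptions constructed for this example.

```python
"""Normalise Falco JSON alerts and Suricata eve.json events into one record shape.

Added example (not Panguard/Guard code). Field names follow Falco's JSON output
and Suricata's EVE alert format; the Alert shape and severity scale are assumed.
"""
import json
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

FALCO_DIR = "/var/log/falco/"               # Guard auto-detects alert files here
SURICATA_EVE = "/var/log/suricata/eve.json"  # Guard auto-detects this file

# Falco priorities mapped onto the 1 (most severe) .. 4 scale Suricata uses.
FALCO_PRIORITY = {"Emergency": 1, "Alert": 1, "Critical": 1, "Error": 2,
                  "Warning": 2, "Notice": 3, "Informational": 4, "Debug": 4}


@dataclass
class Alert:
    source: str     # "falco" or "suricata"
    rule: str       # Falco rule name or Suricata signature
    severity: int   # 1 = most severe, 4 = least
    time: str
    detail: str


def parse_falco(obj: dict) -> Optional[Alert]:
    """Falco JSON alert -> Alert. Unknown priorities get the least severe level."""
    if "rule" not in obj or "output" not in obj:
        return None
    return Alert("falco", obj["rule"], FALCO_PRIORITY.get(obj.get("priority"), 4),
                 obj.get("time", ""), obj["output"])


def parse_suricata(obj: dict) -> Optional[Alert]:
    """Suricata EVE record -> Alert. Flow, dns, http, ... records carry no detection."""
    if obj.get("event_type") != "alert" or "alert" not in obj:
        return None
    a = obj["alert"]
    detail = (f'{obj.get("src_ip")}:{obj.get("src_port")} -> '
              f'{obj.get("dest_ip")}:{obj.get("dest_port")} {obj.get("proto")}')
    return Alert("suricata", a.get("signature", ""), int(a.get("severity", 4)),
                 obj.get("timestamp", ""), detail)


def read_alerts(lines: Iterable[str], source: str) -> Iterator[Alert]:
    """Parse JSON lines from one tool, skipping blank or malformed lines.

    A truncated final line (the writer is mid-append) must not abort the reader.
    """
    parser = parse_falco if source == "falco" else parse_suricata
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = parser(obj)
        if alert is not None:
            yield alert


def read_alert_file(path: str, source: str) -> List[Alert]:
    """Read a whole alert file from disk (e.g. SURICATA_EVE with source='suricata')."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return list(read_alerts(fh, source))


# Constructed sample lines in each tool's format (not captured from a real host).
SAMPLE_FALCO = [
    '{"output":"12:00:01.000000000: Warning Shell spawned in a container '
    '(user=root container=sample)","priority":"Warning",'
    '"rule":"Terminal shell in container","time":"2024-01-01T12:00:01.000000000Z",'
    '"output_fields":{"user.name":"root"}}',
    '{"output":"truncated line that the writer has not finis',
]
SAMPLE_SURICATA = [
    '{"timestamp":"2024-01-01T12:00:02.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2024-01-01T12:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":44512,"dest_ip":"10.0.0.9","dest_port":22,'
    '"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,'
    '"signature":"SAMPLE constructed SSH scan signature",'
    '"category":"Attempted Information Leak","severity":2}}',
]


def demo() -> List[Alert]:
    """Merge both sample sources, most severe first, as a triage view would."""
    alerts = list(read_alerts(SAMPLE_FALCO, "falco"))
    alerts += list(read_alerts(SAMPLE_SURICATA, "suricata"))
    return sorted(alerts, key=lambda a: a.severity)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.severity}] {a.source:8} {a.rule}: {a.detail}")
```

Pointing `read_alert_file` at the real paths requires the same root access the tools themselves need; the sample-driven `demo()` runs without either tool installed.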
Environment Variables Reference
The following environment variables customize Panguard's behavior. All are optional.
| Variable | Purpose |
|---|---|
| ANTHROPIC_API_KEY | Enable Claude AI analysis (cloud, most capable) |
| OPENAI_API_KEY | Enable OpenAI GPT analysis (cloud fallback) |
| PANGUARD_LLM_MODEL | Override Ollama model name (default: llama3) |
| OLLAMA_API_ENDPOINT | Override Ollama API endpoint (default: http://localhost:11434) |
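The "Graceful Degradation Architecture" section and this variable table together define how Panguard picks an analysis tier: a cloud key enables Claude (then OpenAI as fallback), otherwise a reachable Ollama serving the configured model gives the local tier, otherwise the Sigma + YARA rule engine runs alone. The following is an added example, not Panguard's own code, that derives that choice from the same variable names and defaults, probes Ollama through the `GET /api/tags` endpoint the Ollama section uses for verification, and falls through to the next tier when an analysis call fails at runtime. The function names, the tier labels, the `analyze_with_fallback` helper and the sample `/api/tags` response are assumptions made for this example.

```python
"""Select Panguard's analysis tier from the environment and degrade gracefully.

Added example (not Panguard code). Variable names and defaults come from the
Environment Variables Reference; tier names and helpers are assumed here.
"""
import json
import os
import urllib.request
from typing import Callable, Iterable, Mapping, Optional, Tuple

DEFAULT_MODEL = "llama3"                   # PANGUARD_LLM_MODEL default
DEFAULT_OLLAMA = "http://localhost:11434"  # OLLAMA_API_ENDPOINT default


def _name_matches(name: str, model: str) -> bool:
    # Ollama lists models as "name:tag"; a bare "llama3" should match "llama3:latest".
    return name == model or (":" not in model and name.startswith(model + ":"))


def ollama_has_model(tags_json: Optional[str], model: str) -> bool:
    """True if the /api/tags response lists `model`; False on any malformed input."""
    if tags_json is None:
        return False
    try:
        models = json.loads(tags_json).get("models", [])
    except (json.JSONDecodeError, AttributeError):
        return False
    return any(_name_matches(m.get("name", ""), model) for m in models)


def fetch_ollama_tags(endpoint: str, timeout: float = 2.0) -> Optional[str]:
    """GET <endpoint>/api/tags; None when Ollama is not reachable."""
    try:
        with urllib.request.urlopen(endpoint.rstrip("/") + "/api/tags",
                                    timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except OSError:          # URLError and socket timeouts are OSError subclasses
        return None


def select_tier(env: Mapping[str, str],
                tags_fetcher: Callable[[str], Optional[str]] = fetch_ollama_tags) -> dict:
    """Return the highest tier whose prerequisite is present, in the page's order:
    Cloud AI (Claude, then OpenAI) > Local LLM (Ollama) > Rule Engine (Sigma + YARA)."""
    if env.get("ANTHROPIC_API_KEY"):
        return {"tier": "cloud", "provider": "claude"}
    if env.get("OPENAI_API_KEY"):
        return {"tier": "cloud", "provider": "openai"}
    endpoint = env.get("OLLAMA_API_ENDPOINT", DEFAULT_OLLAMA)
    model = env.get("PANGUARD_LLM_MODEL", DEFAULT_MODEL)
    if ollama_has_model(tags_fetcher(endpoint), model):
        return {"tier": "local", "provider": "ollama", "model": model, "endpoint": endpoint}
    # Nothing external is usable: the bundled Sigma + YARA rules still run.
    return {"tier": "rules", "provider": "sigma+yara"}


def analyze_with_fallback(event: dict,
                          analyzers: Iterable[Tuple[str, Callable[[dict], object]]]) -> Tuple[str, object]:
    """Run (name, fn) pairs in tier order; an exception or a None verdict degrades
    to the next tier. The rule engine, placed last, is expected to always answer."""
    for name, fn in analyzers:
        try:
            verdict = fn(event)
        except Exception:    # a cloud outage or Ollama timeout must not stop analysis
            continue
        if verdict is not None:
            return name, verdict
    raise RuntimeError("every tier failed, including the rule engine")


# Constructed /api/tags response (shape of Ollama's real reply; sizes are made up).
SAMPLE_TAGS = json.dumps({"models": [{"name": "llama3:latest", "size": 4661224676}]})


def demo() -> list:
    """Tier chosen for four constructed environments (no network access needed)."""
    up = lambda endpoint: SAMPLE_TAGS   # Ollama reachable with llama3 pulled
    down = lambda endpoint: None        # Ollama not running
    return [
        select_tier({"ANTHROPIC_API_KEY": "placeholder-not-a-real-key"}, up)["tier"],
        select_tier({"PANGUARD_LLM_MODEL": "llama3"}, up)["tier"],
        select_tier({"PANGUARD_LLM_MODEL": "llama3"}, down)["tier"],
        select_tier({"PANGUARD_LLM_MODEL": "mistral"}, up)["tier"],  # model not pulled
    ]


if __name__ == "__main__":
    print("sample environments ->", demo())
    print("this host ->", select_tier(os.environ))
```

Run as a script, the last line reports which tier the current shell environment would get, which makes a useful pre-deployment check: an Ollama that is running but has not pulled the configured model lands on the rule-engine tier just as an absent Ollama does.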