What Is Logira?
Logira is a Linux command-line tool that uses eBPF to track runtime activity during automation tasks. It records process execution, file changes, and network connections in real time, storing data locally for post-run analysis. Designed for auditing AI agent runs (like Codex or Claude), it helps identify risky behavior patterns while maintaining an immutable execution trail.
Why Use Logira?
Traditional automation tools lack visibility into what actually happens during execution. Logira fills this gap by:
- Tracking AI agent actions without modifying workflows
- Detecting credential access, destructive commands, and network anomalies
- Providing searchable JSON/SQLite storage for forensic review
- Supporting custom detection rules via YAML
Key Features
Logira offers:
- Run-scoped tracking via cgroup v2
- Observe-only mode (no enforcement or blocking)
- Default detection rules for credential access, persistence changes, and suspicious network activity
- Lightweight auditing with minimal performance impact
Getting Started with Logira
Installation Options
Choose from three installation methods:
- Script install:
curl -fsSL https://raw.githubusercontent.com/melonattacker/logira/main/install.sh | sudo bash - Manual install: Extract tarball and run
install-local.sh - From source:
make buildfollowed bysudo ./logirad
Basic Usage
Run commands under audit with:
./logira run -- bash -lc 'echo hi > x.txt'Check results using:
./logira view last
./logira explain lastWhere Is Data Stored?
Logira stores audit data in ~/.logira/runs/ by default. Each run includes:
events.jsonl– Timeline of all recorded eventsindex.sqlite– Queryable database for fast analysismeta.json– Run metadata
Advanced Detection Rules
Logira ships with built-in rules for:
- Credential file access
- System persistence changes
- Temp file creation
- Dangerous command patterns
- Cloud metadata endpoint access
Custom rules can be added with --rules flag.
Requirements
- Linux kernel 5.8+
- systemd for daemon management
- cgroup v2 enabled
- Root daemon running for tracing
Conclusion
Logira provides critical visibility into automation workflows while maintaining security and compliance. Its eBPF-based architecture ensures low overhead, making it ideal for both development and production environments. Start auditing your AI agent runs today to uncover hidden risks and improve operational transparency.








