Logira: Secure Runtime Auditing for AI Agents

Logira: Secure Runtime Auditing for AI Agents

What Is Logira?

Logira is a Linux command-line tool that uses eBPF to track runtime activity during automation tasks. It records process execution, file changes, and network connections in real time, storing data locally for post-run analysis. Designed for auditing AI agent runs (like Codex or Claude), it helps identify risky behavior patterns while maintaining an immutable execution trail.

Why Use Logira?

Traditional automation tools lack visibility into what actually happens during execution. Logira fills this gap by:

  • Tracking AI agent actions without modifying workflows
  • Detecting credential access, destructive commands, and network anomalies
  • Providing searchable JSON/SQLite storage for forensic review
  • Supporting custom detection rules via YAML

Key Features

Logira offers:

  • Run-scoped tracking via cgroup v2
  • Observe-only mode (no enforcement or blocking)
  • Default detection rules for credential access, persistence changes, and suspicious network activity
  • Lightweight auditing with minimal performance impact

Getting Started with Logira

Installation Options

Choose from three installation methods:

  1. Script install: curl -fsSL https://raw.githubusercontent.com/melonattacker/logira/main/install.sh | sudo bash
  2. Manual install: Extract tarball and run install-local.sh
  3. From source: make build followed by sudo ./logirad

Basic Usage

Run commands under audit with:

./logira run -- bash -lc 'echo hi > x.txt'

Check results using:

./logira view last
./logira explain last

Where Is Data Stored?

Logira stores audit data in ~/.logira/runs/ by default. Each run includes:

  • events.jsonl – Timeline of all recorded events
  • index.sqlite – Queryable database for fast analysis
  • meta.json – Run metadata

Advanced Detection Rules

Logira ships with built-in rules for:

  • Credential file access
  • System persistence changes
  • Temp file creation
  • Dangerous command patterns
  • Cloud metadata endpoint access

Custom rules can be added with --rules flag.

Requirements

  • Linux kernel 5.8+
  • systemd for daemon management
  • cgroup v2 enabled
  • Root daemon running for tracing

Conclusion

Logira provides critical visibility into automation workflows while maintaining security and compliance. Its eBPF-based architecture ensures low overhead, making it ideal for both development and production environments. Start auditing your AI agent runs today to uncover hidden risks and improve operational transparency.