Installation
Download, install, and run Exabeam Agent Sensor as a background service on macOS or Windows.
Prerequisites
- macOS: 11.0 (Big Sur) or later (x86_64 and Apple Silicon)
- Windows: Windows 10 (1803+) or Windows 11 (x86_64)
- Disk: ~100 MB
- Network: Port 4982 (hook server) must be available locally
- Runtime Dependency: curl — present by default on macOS and Windows 10 (1803+) / Windows 11. Verify: curl --version (Windows: curl.exe --version).
Download
Download the binary for your platform from the Releases page.
| Platform | Binary filename |
|---|---|
| macOS Apple Silicon (M1/M2/M3) | agent-sensor-v{VERSION}-aarch64-apple-darwin |
| macOS Intel | agent-sensor-v{VERSION}-x86_64-apple-darwin |
| Windows x86_64 | agent-sensor-v{VERSION}-x86_64-pc-windows-gnu.exe |
macOS
Replace VERSION with the release you want (e.g. 1.0.4).
Apple Silicon (M1/M2/M3):
VERSION=1.0.4
sudo curl -fsSL https://github.com/ExabeamLabs/agent-sensor-dist/releases/download/v${VERSION}/agent-sensor-v${VERSION}-aarch64-apple-darwin \
-o /usr/local/bin/agent-sensor
sudo chmod +x /usr/local/bin/agent-sensor
Intel:
VERSION=1.0.4
sudo curl -fsSL https://github.com/ExabeamLabs/agent-sensor-dist/releases/download/v${VERSION}/agent-sensor-v${VERSION}-x86_64-apple-darwin \
-o /usr/local/bin/agent-sensor
sudo chmod +x /usr/local/bin/agent-sensor
Verify the download
Always confirm the download is a real binary and not a saved error page:
file /usr/local/bin/agent-sensor
# Expected: Mach-O 64-bit executable arm64 (Apple Silicon)
# Expected: Mach-O 64-bit executable x86_64 (Intel)
# If you see "ASCII text" — the download failed; retry the curl command.
agent-sensor --version
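The same check can be made a gate in front of the install step. The following is an added example, not part of the agent-sensor project: it reads the Mach-O header of a file downloaded to a temporary location and copies it into place only if the architecture matches. The function names are hypothetical, and the optional destination argument exists so the check can be tried without touching /usr/local/bin.

```sh
#!/bin/sh
# Added example: inspect a download's leading bytes before installing it.
# Function names are hypothetical; magic values are the standard Mach-O constants.

# Print `count` bytes starting at `offset` as lowercase hex with no separators.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Echo one of: arm64, x86_64, macho-other, text, unknown
classify_download() {
    f=$1
    [ -s "$f" ] || { echo unknown; return 0; }
    if [ "$(hex_at "$f" 0 4)" = "cffaedfe" ]; then   # MH_MAGIC_64 as stored on disk
        case $(hex_at "$f" 4 4) in
            0c000001) echo arm64 ;;        # CPU_TYPE_ARM64  (0x0100000c)
            07000001) echo x86_64 ;;       # CPU_TYPE_X86_64 (0x01000007)
            *)        echo macho-other ;;
        esac
        return 0
    fi
    # A saved error page is plain text: nothing is left once printable
    # characters and whitespace are stripped from its first 64 bytes.
    rest=$(dd if="$f" bs=1 count=64 2>/dev/null |
           LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
    if [ "$rest" -eq 0 ]; then echo text; else echo unknown; fi
}

# Copy src to dest (default: the install path used above) only when it is a
# Mach-O binary for the wanted architecture. Writing to the default path
# needs the same privileges as the sudo commands above.
install_verified() {
    src=$1 want=$2 dest=${3:-/usr/local/bin/agent-sensor}
    got=$(classify_download "$src")
    if [ "$got" != "$want" ]; then
        echo "refusing to install $src: expected $want, got $got" >&2
        return 1
    fi
    install -m 0755 "$src" "$dest"
}
```

This confirms the file type and architecture only; it does not establish that the binary is the one the publisher released.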
Windows
- Download agent-sensor-v{VERSION}-x86_64-pc-windows-gnu.exe from the Releases page.
- Rename it to agent-sensor.exe.
- Move it to a directory on your PATH (e.g. C:\Program Files\agent-sensor\).
Verify in PowerShell:
agent-sensor --version
Configuration
⚠ --auto-config is required. You must run --auto-config to install the hooks for the agent CLIs and the default agent-sensor configuration. Update the agent-sensor configuration before starting agent-sensor. You must restart agent-sensor after running --auto-config or updating ~/.agent-sensor/config.toml.
# Preview every change without applying
agent-sensor --auto-config --dry-run
# Apply
agent-sensor --auto-config
This installs hooks for Claude Code, Codex CLI, and Gemini CLI at ~/.claude, ~/.codex, and ~/.gemini. It also creates the default config file at ~/.agent-sensor/config.toml. Restart the agent-sensor to pick up the new hook configurations.
Configure Sinks
A JSONL sink is configured automatically with --auto-config. The JSONL sink stores the agent telemetry in a local file.
Configure a webhook sink in ~/.agent-sensor/config.toml to forward the agent telemetry to an Exabeam SIEM using the following steps.
- The admin creates an Exabeam webhook cloud-collector with Format=Raw once.
- Obtain the Exabeam webhook collector url and token securely.
- Save the webhook token at {HOME}/.agent-sensor/webhook.token.
- Update the webhook sink url.
[sources]
[[sinks]]
kind = "jsonl"
path = "{HOME}/.agent-sensor/events.jsonl"
rotation_size_mb = 100
max_rotated_files = 5
# Uncomment to forward events to Exabeam or another SIEM:
[[sinks]]
kind = "webhook"
url = "{EXABEAM_WEBHOOK}"
token_file = "{HOME}/.agent-sensor/webhook.token"
Restart agent-sensor after every change to ~/.agent-sensor/config.toml.
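The token file named in token_file holds the collector credential, so it should be readable by its owner only. The following is an added example, not part of the agent-sensor project: one function writes the token from standard input so that it never appears in a command line or shell history, and one audits the resulting file. The function names are hypothetical; the default path is the one given in the steps above.

```sh
#!/bin/sh
# Added example: store and audit the webhook token file.
# Function names are hypothetical; the default path is the one from the steps above.

# Read the token from stdin and write it to dest with owner-only access.
# The token is written to a private temporary file first and then renamed,
# so an existing file with wider permissions is replaced, not reused.
save_webhook_token() {
    dest=${1:-"$HOME/.agent-sensor/webhook.token"}
    dir=$(dirname "$dest")
    (
        umask 077
        mkdir -p "$dir" &&
        tmp=$(mktemp "$dir/.token.XXXXXX") &&
        cat > "$tmp" &&
        mv -f "$tmp" "$dest"
    )
}

# Succeed only if f is a regular, non-empty file, is not a symlink,
# and grants no permissions to group or others.
token_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

Paste the token into `save_webhook_token` on standard input, then run `token_file_ok "$HOME/.agent-sensor/webhook.token"` before restarting agent-sensor.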
Install as a Background Service
macOS (launchd)
agent-sensor install-service
Windows (scheduled task — no admin required)
agent-sensor install-service --use-scheduled-task
Verify Installation
# Check version
agent-sensor --version
# Check service status
agent-sensor status
# Service com.agent-sensor.forwarder: running
# Current version: 1.0.4
# Send a test event to the hook server
curl -X POST http://127.0.0.1:4982/claude \
-H "Content-Type: application/json" \
-d '{"hook":"SessionStart","sessionId":"test"}'
# Confirm the event was received (counter should be non-zero)
agent-sensor metrics | grep agent_sensor_hook_events_received_total
Upgrading
Repeat the download and install steps with the new version. The new binary replaces the old one at the same path. If the service is running, uninstall the agent-sensor service before saving the new binary.
# macOS
# Uninstall service before upgrade
agent-sensor uninstall-service
# After upgrade, start the service
agent-sensor install-service
# Windows
# Uninstall service before upgrade
agent-sensor uninstall-service
# After upgrade, start the service
agent-sensor install-service --use-scheduled-task
Restarting
The agent-sensor needs to be restarted after any configuration changes to the hook configs or agent-sensor config.
# macOS
agent-sensor uninstall-service && agent-sensor install-service
# Windows
agent-sensor uninstall-service
agent-sensor install-service --use-scheduled-task
Uninstall
macOS
agent-sensor uninstall-service # Remove launchd service (if installed)
sudo rm /usr/local/bin/agent-sensor # Remove binary
rm -rf ~/.agent-sensor/ # Remove config and logs (optional)
To also remove the CLI hook registrations (this deletes the entire ~/.claude, ~/.codex, and ~/.gemini directories, not only the hooks):
rm -rf ~/.claude ~/.codex ~/.gemini
Windows
agent-sensor uninstall-service # Remove scheduled task (if installed)
# Then delete agent-sensor.exe from its directory on your PATH
Troubleshooting
Binary fails to run (exec format error or similar)
This usually means the downloaded file is an HTML error page rather than a real binary.
file ./agent-sensor
# Real binary: "Mach-O 64-bit executable"
# Saved error page: "ASCII text" or "HTML document text"
Fix: delete the file and re-download.
Port already in use
Error: Address already in use (os error 48)
lsof -i :4982 # Find what is using the port
agent-sensor --hook-port 4992 # Or use a different port
No events appearing
- Verify the agent-sensor is running: lsof -i :4982
- Check hooks are installed: grep hook-server ~/.claude/settings.json
- Send a test event manually (see Verify Installation above)
macOS Gatekeeper blocks the binary
macOS may show a security warning the first time you run an unsigned binary. Right-click the binary in Finder, choose Open, and confirm when prompted — or run:
xattr -dr com.apple.quarantine /usr/local/bin/agent-sensor