Monitor Types

The Guard agent supports 10 monitor types organized into two tiers. Built-in monitors are available on all platforms with zero dependencies. Advanced monitors require specific OS versions or external tools but provide deeper visibility. All monitors emit normalized SecurityEvent objects that feed into the DARE pipeline.

Built-in Monitors

These 4 monitors ship with @panguard-ai/core and work on macOS, Linux, and Windows out of the box.

Log Monitor

Field	Details
Source	`core/monitors`
Platforms	Linux, macOS, Windows
Data sources	syslog (`/var/log/syslog`, `/var/log/auth.log`), Windows Event Log, application log files
Capabilities	Reads and normalizes log entries to `SecurityEvent` format. Supports tailing for real-time monitoring.

Network Monitor

Field	Details
Source	`core/monitors`
Platforms	Linux, macOS, Windows
Data sources	`/proc/net/tcp` (Linux), `netstat` (cross-platform)
Capabilities	Monitors active network connections. Detects new connections, unusual ports, traffic to known-bad IPs, and anomalous connection patterns.

Process Monitor

Field	Details
Source	`core/monitors`
Platforms	Linux, macOS, Windows
Data sources	`/proc` filesystem (Linux), OS APIs (macOS/Windows)
Capabilities	Scans running processes. Detects new/unusual process spawning, suspicious command lines, and privilege changes.

File Monitor

Field	Details
Source	`core/monitors`
Platforms	Linux, macOS, Windows
Data sources	inotify (Linux), FSEvents (macOS), ReadDirectoryChangesW (Windows)
Capabilities	Watches critical filesystem paths for modifications. Tracks file creation, modification, deletion, and permission changes.

Advanced Monitors

These 6 monitors ship with @panguard-ai/panguard-guard and provide kernel-level or specialized visibility. All gracefully degrade when their dependencies are not installed.

Falco Monitor

Field	Details
Source	`falco-monitor.ts`
Dependency	Falco >= 0.35
Data source	`/var/log/falco/alerts.json`
Capabilities	Reads Falco alerts for container escapes, privilege escalation, anomalous system calls, and namespace breakouts.
Event types	Container security, syscall anomalies, privilege changes

Suricata Monitor

Field	Details
Source	`suricata-monitor.ts`
Dependency	Suricata >= 7.0
Data source	`/var/log/suricata/eve.json` (EVE JSON format)
Capabilities	Network IDS with protocol-aware deep packet analysis. Detects known exploit patterns, malware communication, and policy violations.
Event types	Network intrusion, protocol anomalies, malware signatures

Syscall Monitor (eBPF)

Field	Details
Source	`syscall-monitor.ts`
Dependency	Linux Kernel 4.18+
Data source	`/proc` polling for process and network activity
Capabilities	Detects suspicious processes, privilege escalation attempts, and C2 (command-and-control) connections at the syscall level.
Event types	Process creation, privilege changes, network syscalls

Memory Scanner

Field	Details
Source	`memory-scanner.ts`
Dependency	`CAP_SYS_PTRACE` capability
Capabilities	Scans process memory regions for fileless malware signatures, injected code, and suspicious memory patterns. Detects threats that never touch the filesystem.
Event types	Memory injection, fileless malware, process hollowing

DPI Monitor (Deep Packet Inspection)

Field	Details
Source	`dpi-monitor.ts`
Dependency	None (userspace implementation)
Capabilities	Protocol-level traffic analysis. Detects C2 beacons, DNS tunneling, encrypted traffic anomalies, and protocol misuse without requiring hardware acceleration.
Event types	C2 communication, DNS tunneling, protocol anomalies

Rootkit Detector

Field	Details
Source	`rootkit-detector.ts`
Dependency	Linux
Capabilities	Checks for hidden processes (comparing `/proc` with `ps` output), hidden kernel modules, modified system binaries (checksum verification), and `LD_PRELOAD` injections.
Event types	Hidden processes, kernel module tampering, binary modification

Monitor Architecture

                    SecurityEvent
                         ^
                         |
  ┌──────────┬──────────┬──────────┬──────────┐
  |   Log    | Network  | Process  |   File   |    Built-in
  └──────────┴──────────┴──────────┴──────────┘
  ┌──────────┬──────────┬──────────┐
  |  Falco   | Suricata |  eBPF    |           Advanced
  ├──────────┼──────────┼──────────┤
  |  Memory  |   DPI    | Rootkit  |
  └──────────┴──────────┴──────────┘

All monitors feed events into the MonitorEngine, which forwards them to the GuardEngine for DARE pipeline processing.

Advanced monitors are optional. Guard operates fully with built-in monitors alone. Enable advanced monitors when you need kernel-level visibility or have the required dependencies installed.

Products

Panguard Scan

Panguard Guard

Panguard Chat

Panguard Trap

Panguard Report

Panguard MCP

Panguard Manager

Panguard Skill Auditor

Threat Cloud

Built-in Monitors

Log Monitor

Network Monitor

Process Monitor

File Monitor

Advanced Monitors

Falco Monitor

Suricata Monitor

Syscall Monitor (eBPF)

Memory Scanner

DPI Monitor (Deep Packet Inspection)

Rootkit Detector

Monitor Architecture

Products

Panguard Scan

Panguard Guard

Panguard Chat

Panguard Trap

Panguard Report

Panguard MCP

Panguard Manager

Panguard Skill Auditor

Threat Cloud

​Built-in Monitors

​Log Monitor

​Network Monitor

​Process Monitor

​File Monitor

​Advanced Monitors

​Falco Monitor

​Suricata Monitor

​Syscall Monitor (eBPF)

​Memory Scanner

​DPI Monitor (Deep Packet Inspection)

​Rootkit Detector

​Monitor Architecture

Built-in Monitors

Log Monitor

Network Monitor

Process Monitor

File Monitor

Advanced Monitors

Falco Monitor

Suricata Monitor

Syscall Monitor (eBPF)

Memory Scanner

DPI Monitor (Deep Packet Inspection)

Rootkit Detector

Monitor Architecture