WatchU is a Linux eBPF-based collector for observing agent activities from the host.

It is designed for people who want a local collector that can capture high-value runtime signals such as:

• process execs
• file operations
• TLS plaintext HTTP traffic (OpenSSL & BoringSSL)
• TCP connects
• Postgres client queries
• stdio/MCP traffic

Requirements

Current expected runtime environment:

• Linux amd64 or arm64 with kernel version >= 5.8
• Permissions to load eBPF programs and attach fentry/uprobe/tracepoints

Quick Start

Build:

make build

Run with debug logging:

sudo ./bin/app -debug

Run with the terminal UI:

sudo ./bin/app -tui

Export events to a local JSONL file:

sudo ./bin/app -export file:///tmp/watchu.jsonl

Docker Quick Start

Build the image:

docker buildx build -t watchu -f Dockerfile --load .

Run it:

docker run --rm \
  --cap-add=CAP_SYS_ADMIN \
  --cap-add=CAP_SYS_PTRACE \
  --cap-add=CAP_BPF \
  --cap-add=CAP_PERFMON \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  --pid=host \
  --security-opt apparmor=unconfined \
  watchu

Development

Check the CONTRIBUTING.md guide.