Install the Praxis collector on Linux

Run praxis-collector on bare metal or a VM when you are not using Kubernetes. The binary connects to Praxis with OpAMP over a secure WebSocket, receives the pipeline configuration from Praxis the same way the Kubernetes path does, and runs your sources, processors, and destinations on the host.

Pipelines, credentials, and the collector instance you attach in Praxis are still the source of truth; this page describes the host install and runtime expectations.

Before you begin

  • Prerequisites from Praxis — A published pipeline, an OpAMP URL (wss://.../v1/opamp or ws://... in non-production only), OAuth2 client key and secret for machine access, org ID, tenant ID, and pipeline ID. Praxis shows these when you add or enroll a Linux collector, or your administrator shares them in your runbook.
  • Network — The host must reach Praxis (OpAMP and token exchange) and any export destinations your pipeline uses (for example public cloud or corporate endpoints) according to your firewall rules.
  • Privileges — Plan to run the collector with the least privilege that still allows your chosen sources (for example file tailing under /var/log may require read access to specific paths or group membership).

Install (script pattern)

Your environment may show a copy-paste command from Praxis. It typically:

  1. Downloads an install script from the download location your organization or Praxis provides.
  2. Passes --url, --key, --secret, --org, --tenant, and --pipeline (and optionally --version / --image where applicable).
  3. Installs a system service that starts the collector and reconnects to Praxis on boot.

A representative shape (placeholders only — use the exact command and URL from your Praxis UI or runbook):

sudo bash -c "$(curl -k -L https://<artifact-host>/path/linux_install.sh)" -- \
--url wss://<praxis-host>/v1/opamp \
--secret <oauth2-client-secret> \
--key <oauth2-client-key> \
--org <org-id> \
--tenant <tenant-id> \
--pipeline <pipeline-id>
Note: The download step as shown runs curl with -k, which disables TLS certificate verification. If your security policy disallows that, download the script, inspect it, and run it from disk instead of piping to bash, the same way described in the Kubernetes install guide.
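The download, inspect, and run-from-disk sequence from the note above, as an added example that is not part of the Praxis installer. The function names and the INSTALLER_RUNNER override are hypothetical, and the approved hash is one you record yourself after reading the script.

```bash
#!/usr/bin/env bash
# Added example (not Praxis code): stage the installer on disk, review it,
# then run exactly the bytes that were reviewed.

# Download with certificate verification left on (no -k) and HTTPS enforced,
# including across redirects.
fetch_installer() {  # fetch_installer <https-url> <dest-file>
  case "$1" in
    https://*) ;;
    *) echo "refusing non-HTTPS installer URL: $1" >&2; return 2 ;;
  esac
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' --output "$2" "$1"
}

# Hash to record once the script has been read and approved.
installer_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# Run the staged script only if it still matches the approved hash.
# INSTALLER_RUNNER is a hypothetical override for dry runs; default: sudo bash.
run_reviewed_installer() {  # run_reviewed_installer <file> <sha256> [flags]
  local file=$1 approved=$2 actual
  shift 2
  actual=$(installer_sha256 "$file")
  if [ -z "$actual" ] || [ "$actual" != "$approved" ]; then
    echo "installer hash mismatch: approved=$approved actual=$actual" >&2
    return 1
  fi
  ${INSTALLER_RUNNER:-sudo bash} "$file" "$@"
}

# Typical sequence (placeholders as in the command above):
#   fetch_installer "https://<artifact-host>/path/linux_install.sh" ./linux_install.sh
#   less ./linux_install.sh && installer_sha256 ./linux_install.sh
#   run_reviewed_installer ./linux_install.sh <approved-sha256> \
#     --url wss://<praxis-host>/v1/opamp --key <oauth2-client-key> \
#     --secret <oauth2-client-secret> --org <org-id> \
#     --tenant <tenant-id> --pipeline <pipeline-id>
```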

After install

  • Confirm the service is active and logs show a healthy OpAMP session to Praxis.
  • In Praxis, confirm the collector instance is online and the pipeline is attached as you expect.
  • If you are not on Kubernetes, ignore Kubernetes-only receiver RBAC; on Linux use the right file, syslog, journald, or OTLP sources for the host.

Behind an HTTP/HTTPS Proxy

If the host's egress to Praxis or to your destinations must traverse a corporate proxy, configure the collector with the standard Go HTTP proxy environment variables — HTTPS_PROXY, HTTP_PROXY, and NO_PROXY.

The Linux installer accepts proxy flags directly. It writes a systemd drop-in at /etc/systemd/system/praxis-collector.service.d/proxy.conf that survives package upgrades, then starts the service with the proxy already applied.

sudo bash -c "$(curl -k -L https://<artifact-host>/path/linux_install.sh)" -- \
--url wss://<praxis-host>/v1/opamp \
--secret <oauth2-client-secret> --key <oauth2-client-key> \
--org <org-id> --tenant <tenant-id> --pipeline <pipeline-id> \
--https-proxy http://proxy.corp.local:3128 \
--no-proxy "localhost,127.0.0.1,::1,.corp.local,169.254.169.254"

If --no-proxy is omitted but --https-proxy (or --http-proxy) is set, a sensible loopback/IMDS default is applied automatically.

After install (manual)

To add or change proxy settings on an existing install, write the drop-in yourself:

sudo mkdir -p /etc/systemd/system/praxis-collector.service.d

sudo tee /etc/systemd/system/praxis-collector.service.d/proxy.conf >/dev/null <<'EOF'
[Service]
Environment="HTTPS_PROXY=http://proxy.corp.local:3128"
Environment="HTTP_PROXY=http://proxy.corp.local:3128"
Environment="NO_PROXY=localhost,127.0.0.1,::1,.corp.local,169.254.169.254"
EOF

sudo systemctl daemon-reload
sudo systemctl restart praxis-collector

Verify the env is applied and the OpAMP session reconnects:

sudo systemctl show praxis-collector -p Environment
sudo journalctl -u praxis-collector -f | grep -iE "proxy|dial|connect"

NO_PROXY checklist

Always include localhost, 127.0.0.1, ::1, 169.254.169.254 (cloud instance metadata), and the internal hostnames/CIDRs of any LAN log sources (for example a local syslog or HEC source) the collector connects to.

Auth-required proxies

Use HTTPS_PROXY=http://user:<password>@proxy.corp.local:3128. URL-encode any special characters in the password.

TLS-inspecting (MITM) proxies

Install the corporate root CA into the OS trust store so outbound TLS handshakes validate.

# Debian/Ubuntu
sudo cp corp-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# RHEL/CentOS/Rocky
sudo cp corp-root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

sudo systemctl restart praxis-collector
Note: All outbound paths honor the standard proxy env vars, including the OpAMP WebSocket (collector ↔ Praxis), the OAuth2 token endpoint, the Google SecOps HTTP and gRPC exporters, Splunk HEC, Snowflake, M365, the GitHub receiver, and other confighttp-based exporters.

The Google SecOps gRPC path uses gRPC-Go's built-in CONNECT tunneling, which inspects HTTPS_PROXY / https_proxy only — never HTTP_PROXY. Always set HTTPS_PROXY when proxying Chronicle gRPC traffic, even if you also set HTTP_PROXY for HTTP-based exporters.
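One way to check a proxy drop-in against the NO_PROXY checklist and the HTTPS_PROXY rule for the gRPC path, as an added example that is not part of the Praxis installer. It assumes one variable per Environment= line, as in the drop-in above; env_value and audit_proxy_conf are hypothetical names. It also flags credentials in the proxy URL, because systemd exposes Environment= values through systemctl show.

```bash
#!/usr/bin/env bash
# Added example (not Praxis code): lint a praxis-collector proxy drop-in.
# Assumes one variable per Environment= line, as in the drop-in shown above.

# Print the value assigned to NAME in the drop-in (last assignment wins).
env_value() {  # env_value <conf> <NAME>
  sed -n "s/^Environment=\"\{0,1\}$2=\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" |
    tail -n 1
}

# Print one line per finding; the return status is the number of findings.
audit_proxy_conf() {  # audit_proxy_conf <conf>
  local conf=$1 findings=0 https http no_proxy entry
  https=$(env_value "$conf" HTTPS_PROXY)
  http=$(env_value "$conf" HTTP_PROXY)
  no_proxy=$(env_value "$conf" NO_PROXY)

  # The gRPC exporter path reads HTTPS_PROXY only, never HTTP_PROXY.
  if [ -z "$https" ]; then
    echo "HTTPS_PROXY is not set: gRPC export traffic will not use the proxy"
    findings=$((findings + 1))
  fi

  # Loopback and instance-metadata entries from the NO_PROXY checklist.
  for entry in localhost 127.0.0.1 ::1 169.254.169.254; do
    case ",$no_proxy," in
      *",$entry,"*) ;;
      *) echo "NO_PROXY is missing $entry"; findings=$((findings + 1)) ;;
    esac
  done

  # Environment= values are readable through `systemctl show`, so a
  # user:password@ proxy URL in the drop-in is visible to local users.
  case "$https $http" in
    *://*@*)
      echo "proxy URL embeds credentials that systemctl show will reveal"
      findings=$((findings + 1)) ;;
  esac
  return "$findings"
}

# Stand-alone use: pass the drop-in path as the first argument.
[ "$#" -eq 0 ] || audit_proxy_conf "$1"
```

Run it against /etc/systemd/system/praxis-collector.service.d/proxy.conf after any proxy change; add your own LAN log-source hostnames or CIDRs to the entry list.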

Uninstall

Use the uninstall script or package command in Praxis or in your runbook (often a companion linux_uninstall.sh style script), or remove the package the install step registered. Stopping the service before removal avoids orphaned processes.