Shadow Configuration
The Shadow agent can be configured via command-line flags or environment variables.
Command-line Options
| Flag | Environment Variable | Description |
|---|---|---|
-t, --org-token |
SHADOW_ORG_TOKEN |
Organization enrollment token (required) |
-s, --server |
SHADOW_SERVER_HOST |
Server hostname (default: hyprwatch.cloud) |
-d, --data-dir |
SHADOW_DATA_DIR |
Data directory for osquery database |
-o, --osqueryd-path |
OSQUERYD_PATH |
Path to osqueryd binary (skips auto-download) |
-v, --verbose |
SHADOW_VERBOSE |
Enable verbose logging |
--host-identifier |
SHADOW_HOST_IDENTIFIER |
uuid or instance (default: uuid) |
--distributed-interval |
- | Query polling interval in seconds (default: 10) |
Host Identifier Modes
uuid (default)
Uses the hardware UUID from the system. Best for physical machines where the UUID is unique.
instance
Uses a randomly generated instance ID. Best for containers or VMs where hardware UUIDs may be duplicated.
Data Directory
The Shadow agent stores osquery's database and logs in the data directory:
| Platform | Default Location |
|---|---|
| Linux (root) | /var/lib/shadow |
| Linux (user) | ~/.local/share/shadow |
| macOS | ~/Library/Application Support/shadow |