Sensor on AWS Fargate
Prerequisites
Before installing the PCAP sensor, ensure you have:
- AWS profile access key and secret access key saved at path
~/.aws/credentials - The profile should have all the required permissions as listed here
- Existing ECS Task Definition: The PCAP sensor is installed as a sidecar into an existing application task
- Task Family Name: The name of your application's ECS task definition (e.g.,
my-app-task,httpbin,api-service) - Find it in: AWS Console → ECS → Task Definitions, or run
aws ecs list-task-definition-families --region <region>
- Task Family Name: The name of your application's ECS task definition (e.g.,
- Levo Satellite URL: The endpoint where your Levo Satellite is running
- Format:
http://<satellite-ip>:8080orhttps://<satellite-domain>:8080 - Get it from: Satellite installation output or AWS Console → ECS → Clusters → Tasks → Network bindings
- Example:
http://10.0.0.1:8080(private IP) orhttp://52.32.232.165:8080(public IP)
- Format:
- IAM Role (Application Task): Your application's ECS task must have an IAM role with permissions for SQS (sending traces), CloudWatch Logs (logging), and ECR (pulling images). The PCAP sensor runs as a sidecar and automatically inherits this IAM role - no separate role is needed for the sensor.
The PCAP sensor does not require its own IAM role. It automatically inherits the IAM role from your application task. If your application task already has an IAM role with SQS, CloudWatch Logs, and ECR permissions, you're all set. If not, you can use the same IAM role created during Satellite installation or create one with the required permissions.
- For CLI: AWS CLI v2 and jq installed
- For Terraform: Terraform CLI installed
Install
The PCAP Sensor is installed as a sidecar on an existing ECS task definition. Choose the method that fits your workflow:
- AWS Console (JSON)
- Terraform
- CLI (One-Click)
Add the PCAP Sensor as a sidecar to an existing task definition via the AWS Console:
- Go to Task Definitions
- Select the required task definition
- Click on Create revision with JSON
- Add the given JSON object under
containerDefinitions - Replace the values for
satellite-url,levo-env, andlevoai-org-idinentryPoint - Replace the values for
environmentandlogConfigurationas per your requirement - Set the cpu limit as number of CPU Units (Note: 1 core = 1024 CPU Units)
- Set the memory limit in MiB (Note: memory should not exceed the Task memory limit)
{
"name": "levo-pcap-sensor",
"image": "levoai/pcap-sensor:0.4.8",
"cpu": 512,
"memory": 512,
"portMappings": [],
"essential": false,
"entryPoint": [
"./bin/init",
"apidump",
"--satellite-url",
"< INSERT SATELLITE URL (http(s)://hostname|IP:port) >",
"--levo-env",
"<INSERT APPLICATION ENVIRONMENT (staging, production etc.)>",
"--levoai-org-id",
"< INSERT LEVO ORG ID >",
"--rate-limit",
"<INSERT NUMBER OF TRACES PER MINUTE>"
],
"environment": [
{
"name": "LEVO_AWS_REGION",
"value": "< INSERT AWS REGION (us-west-2) >"
}
],
"mountPoints": [],
"volumesFrom": [],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "< INSERT LOGS IDENTIFIER (/ecs/your-application-pcap) >",
"awslogs-create-group": "true",
"awslogs-region": "< INSERT AWS REGION (us-west-2) >",
"awslogs-stream-prefix": "ecs-pcap"
}
}
}
Download the
curl -O https://docs.levo.ai/artifacts/pcap-sensor/main.tf
Run the following commands:
terraform init
terraform plan
terraform apply
Enter values for all the prompts, which include aws-region, task-name, satellite-url, levo-env, org-id, etc.
Or edit the variables in the Terraform script and add the required values as defaults.
The script will create a new revision of the task definition with the PCAP Sensor as a sidecar.
To configure CPU and memory given to the container, update the cpu_percentage_limit and memory_percentage_limit variables in the Terraform script.
Note: The default values are set to 5% CPU and memory of the total given to the task.
Download the
curl -O https://docs.levo.ai/artifacts/pcap-sensor/install-pcap-sensor.sh
chmod +x install-pcap-sensor.sh
Option 1: Install using service name (recommended — auto-detects task family and redeploys)
./install-pcap-sensor.sh \
--region us-east-1 \
--cluster my-ecs-cluster \
--service-name my-app-service \
--satellite-url http://10.0.0.1:8080 \
--levo-env staging \
--org-id 6ffd1178-9643-42f0-8930-3447fb7b0908
This approach:
- Auto-detects the task family from the service
- Registers a new task definition revision
- Automatically redeploys the service with the new revision
- Waits for the service to stabilize
Option 2: Install using task family name
./install-pcap-sensor.sh \
--region <AWS_REGION> \
--task-family <YOUR_TASK_FAMILY> \
--satellite-url <SATELLITE_URL> \
--levo-env <staging|production> \
--org-id <YOUR_ORG_ID>
Option 3: Install with task family and manual service redeployment
./install-pcap-sensor.sh \
--region us-east-1 \
--task-family my-app-task \
--satellite-url http://10.0.0.1:8080 \
--levo-env staging \
--org-id 6ffd1178-9643-42f0-8930-3447fb7b0908 \
--cluster my-ecs-cluster \
--service-name my-app-service
TIP: Run with
--dry-runfirst to preview all AWS CLI commands without making any changes.
Options
| Flag | Default | Description |
|---|---|---|
--region | (required) | AWS region (e.g., us-east-1) |
--task-family | (optional) | Existing ECS task definition family name (auto-detected if --service-name is provided) |
--service-name | (optional) | ECS service name — auto-detects task family and redeploys service (requires --cluster) |
--cluster | (optional) | ECS cluster name (required when --service-name is used) |
--satellite-url | (required) | Satellite URL (e.g., http://10.0.0.1:8080) |
--levo-env | (required) | Application environment (staging, production, etc.) |
--org-id | (required) | Levo.ai Organization ID |
--rate-limit | 1000 | Max traces per minute |
--filter | (none) | BPF filter (e.g., not port 8888) |
--cpu-percentage | 5 | CPU % of task total allocated to the sensor |
--memory-percentage | 5 | Memory % of task total allocated to the sensor |
--log-group | (inherit from app) | CloudWatch log group (defaults to application container's log group) |
--sensor-image | levoai/pcap-sensor:0.4.8 | PCAP sensor Docker image |
--dry-run | false | Preview commands without executing |
The script will:
- Fetch your existing task definition (or auto-detect it from the service name)
- Inject the
levo-pcap-sensorsidecar container (idempotent — re-running updates the config) - Register a new task definition revision
- Optionally force-redeploy your ECS service (if
--service-nameis provided)
Using --service-name is the recommended approach as it:
- Automatically detects the task family from your running service
- Registers the new task definition revision
- Immediately redeploys the service with the sensor
- Waits for the deployment to stabilize
- Requires no manual steps in the AWS Console
Additional Flags
Specify additional flags in the sensor entrypoint (applicable to all installation methods):
--trace-export-interval # default 10s
--rate-limit # number of traces per minute
--filter # e.g., port 8080 and (not port 8081)
--host-allow # regex for allowed hosts
--path-allow # regex for allowed paths
--host-exclusions # regex for excluded hosts
--path-exclusions # regex for excluded paths
Configure Sensor Memory and CPU Resource Limits
- For normal/average use cases, use the default configuration (5% CPU and memory)
- For strict resource constraints, use the Low Resource JSON File
Filter Out Traffic
If you need to ignore traffic from other sidecars in the AWS task, use the --filter flag to ignore traffic on non-essential container ports.
Example: --filter "not port 8888"
AWS Permissions needed
Add the AmazonECS_FullAccess policy to get access to all the necessary permissions.
| Action | Resource | Purpose |
|---|---|---|
| ec2:DescribeRegions | * | Find the list of AWS regions you have enabled. (If not present, defaults to a precompiled list.) |
| ecs:ListClusters | * | Find the available ECS clusters. |
| ecs:DescribeClusters | *, or restricted to account like arn:aws:ecs:::cluster/* | Look up the names of the available ECS clusters. |
| ecs:ListTaskDefinitionFamilies | * | Find the available task definitions. |
| ecs:DescribeTaskDefinition | * | Read the existing task definition in order to copy it. |
| ecs:RegisterTaskDefinition | * | Write a new version of the task definition. |
| ecs:ListServices | * | Find the available services. |
| ecs:DescribeServices | *, or restricted to your account, or restricted to the cluster you selected | Identify which services are using the task definition you selected. |
| ecs:UpdateService | *, or restricted to your account, or restricted to the cluster you selected | Update and restart the service using the new task definition. |
| ecs:TagResource | *, or restricted to your account, or restricted to the cluster you selected | Mark the service as having been updated by Levo.ai. |
Viewing PCAP Sensor Logs
The PCAP Sensor writes logs to CloudWatch. By default, it automatically inherits the log configuration from your application container, ensuring logs are centralized in the same location.
How Log Configuration Works
The sensor uses the following logic to determine its log configuration:
- If
--log-groupis specified: Uses the custom log group you provide - If your application has a log configuration: Inherits the application's log group and settings, only changing the stream prefix to
ecs-pcapfor easy identification - If no log configuration exists: Falls back to
/ecs/<task-family>with auto-creation enabled
This means:
- ✅ Sensor logs appear in the same CloudWatch log group as your application
- ✅ Sensor logs use the same region and retention settings as your application
- ✅ Sensor logs are easily identifiable with the
ecs-pcapstream prefix
You don't need to configure logging for the sensor separately. It automatically inherits your application's CloudWatch log configuration, making it easy to view all logs in one place.
Log Location
- Log Group: Same as your application (e.g.,
/ecs/my-app-task,/ecs/httpbin) - Log Stream Prefix:
ecs-pcap/levo-pcap-sensor/ - Log Format: Timestamped INFO-level messages showing sensor health, trace capture, and export status
Using the Log Viewer Script (Recommended)
Download the log viewer script from the Satellite documentation:
curl -O https://docs.levo.ai/artifacts/satellite/levo-logs.sh
chmod +x levo-logs.sh
View PCAP sensor logs (replace <YOUR_CLUSTER>, <YOUR_LOG_GROUP>, and <YOUR_REGION> with your values):
# View sensor logs from your application's log group
./levo-logs.sh pcap-sensor \
--cluster <YOUR_CLUSTER> \
--log-group <YOUR_LOG_GROUP> \
--region <YOUR_REGION>
# Example: View httpbin sensor logs
./levo-logs.sh pcap-sensor \
--cluster my-ecs-cluster \
--log-group /ecs/httpbin \
--region us-east-1
# View logs from the last 10 minutes without following
./levo-logs.sh pcap-sensor \
--cluster my-ecs-cluster \
--log-group /ecs/httpbin \
--region us-east-1 \
--since 10m \
--no-follow
Using AWS CLI Directly
# View sensor logs only (replace <YOUR_LOG_GROUP> and <YOUR_REGION>)
aws logs tail <YOUR_LOG_GROUP> \
--log-stream-name-prefix ecs-pcap/levo-pcap-sensor/ \
--follow --format short --region <YOUR_REGION>
# Example
aws logs tail /ecs/httpbin \
--log-stream-name-prefix ecs-pcap/levo-pcap-sensor/ \
--follow --format short --region us-east-1
Using AWS Console
- Navigate to CloudWatch → Log groups
- Select your application's log group (e.g.,
/ecs/httpbin) - Use the filter dropdown to select streams starting with
ecs-pcap/levo-pcap-sensor/ - Or use the search bar to filter by text (e.g., "traces captured", "exported spans")
What to Look For
Healthy sensor logs:
[INFO] sensor-health: request successful, status 200
[INFO] 15 traces captured on interface eth1
[INFO] Successfully exported spans to satellite