diff --git a/dist/common/kernel_conf/post_install.sh b/dist/common/kernel_conf/post_install.sh
index 05196a69b5..6b28acd675 100644
--- a/dist/common/kernel_conf/post_install.sh
+++ b/dist/common/kernel_conf/post_install.sh
@@ -7,6 +7,28 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 #
+version_ge() {
+ [ "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+}
+
+KERNEL_VER=$(uname -r)
+
+if ! version_ge $KERNEL_VER 5.8; then
+ # On older kernel environment, we have to relax perf_event_paranoid setting
+ # since there is no CAP_PERFMON.
+ PERF_EVENT_PARANOID=1
+elif [ $(cat /proc/sys/kernel/perf_event_paranoid) -ge 3 ]; then
+ # On Debian/Ubuntu, it deny access from non-root even with CAP_PERFMON
+ # It requires to set perf_event_paranoid=2 to use CAP_PERFMON with non-root
+ PERF_EVENT_PARANOID=2
+fi
+if [ -n "$PERF_EVENT_PARANOID" ]; then
+ cat << EOS > /etc/sysctl.d/99-scylla-perfevent.conf
+kernel.perf_event_paranoid = $PERF_EVENT_PARANOID
+EOS
+ sysctl -p /etc/sysctl.d/99-scylla-perfevent.conf
+fi
+
 if [ ! -d /run/systemd/system ]; then
 exit 0
 fi
diff --git a/dist/debian/debian/scylla-kernel-conf.postrm b/dist/debian/debian/scylla-kernel-conf.postrm
index c2c2cdf206..01c476d62f 100644
--- a/dist/debian/debian/scylla-kernel-conf.postrm
+++ b/dist/debian/debian/scylla-kernel-conf.postrm
@@ -2,6 +2,14 @@
 set -e
+case "$1" in
+ purge|remove)
+ if [ "$1" = "purge" ]; then
+ rm -f /etc/sysctl.d/99-scylla-perfevent.conf
+ fi
+ ;;
+esac
+
 if [ -d /run/systemd/system ]; then
 systemctl --system daemon-reload >/dev/null || true
 fi
diff --git a/dist/redhat/scylla.spec b/dist/redhat/scylla.spec
index 8587ae1dcc..55d42e23f5 100644
--- a/dist/redhat/scylla.spec
+++ b/dist/redhat/scylla.spec
@@ -228,6 +228,7 @@ fi
 %{_sysctldir}/*.conf
 %{_unitdir}/scylla-tune-sched.service
 /opt/scylladb/kernel_conf/*
+%ghost /etc/sysctl.d/99-scylla-perfevent.conf
 %package node-exporter
diff --git a/scylla_post_install.sh b/scylla_post_install.sh
index 604e85cbdc..3bdcc14f3a 100755
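Review bot: The `! version_ge` branch writes `PERF_EVENT_PARANOID=1` without reading the current value, unlike the `elif`, so on a pre-5.8 kernel a host already at 0 or -1 is changed as well, and the `99-` drop-in then takes precedence over lower-numbered files an administrator may keep in /etc/sysctl.d. Level 1 lets any unprivileged local user profile the kernel, not only the Scylla service, so the branch should be limited to hosts that need it: `if ! version_ge "$KERNEL_VER" 5.8 && [ "$(cat /proc/sys/kernel/perf_event_paranoid)" -gt 1 ]; then`. `PERF_EVENT_PARANOID` is also never initialised, so a value inherited from the installer's environment would pass the `[ -n ... ]` test and be written to the file; a `PERF_EVENT_PARANOID=` line before the first `if` closes that.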
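Review bot: On `remove` the `purge|remove)` arm does nothing, so `/etc/sysctl.d/99-scylla-perfevent.conf` keeps being applied at every boot after the package is gone, and on `purge` the file is deleted but the running kernel keeps the value the post-install script set until the next reboot. Keeping configuration until purge is the usual Debian convention, so if that is the intent a comment should say so, for example `# drop-in is generated by postinst; kept on remove, live sysctl value is not restored`. The nested `if` can then collapse into a single `purge)` arm.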
--- a/scylla_post_install.sh
+++ b/scylla_post_install.sh
@@ -11,6 +11,10 @@ if [ ! -d /run/systemd/system ]; then
 exit 0
 fi
+version_ge() {
+ [ "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+}
+
 # Install capabilities.conf when AmbientCapabilities supported
 . /etc/os-release
@@ -26,13 +30,20 @@ fi
 AMB_SUPPORT=`grep -c ^CapAmb: /proc/self/status`
+KERNEL_VER=$(uname -r)
+
 # AmbientCapabilities supported from v229 but it backported to v219-33 on RHEL7
 if [ $SYSTEMD_VER -ge 229 ] || [[ $SYSTEMD_VER -eq 219 && $SYSTEMD_REL -ge 33 ]]; then
 if [ $AMB_SUPPORT -eq 1 ]; then
+ AMB_CAPABILITIES="CAP_SYS_NICE CAP_IPC_LOCK"
+ # CAP_PERFMON is only available on linux-5.8+
+ if version_ge $KERNEL_VER 5.8; then
+ AMB_CAPABILITIES="$AMB_CAPABILITIES CAP_PERFMON"
+ fi
 mkdir -p /etc/systemd/system/scylla-server.service.d/
 cat << EOS > /etc/systemd/system/scylla-server.service.d/capabilities.conf
 [Service]
-AmbientCapabilities=CAP_SYS_NICE CAP_IPC_LOCK
+AmbientCapabilities=$AMB_CAPABILITIES
 EOS
 fi
 fi
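Review bot: `version_ge` depends on `echo -e`, which a POSIX `sh` such as dash does not treat as an option: the `-e` is emitted as data, `sort -V` then compares a string that starts with `-e`, and the result no longer reflects the kernel version. This file uses `[[` further down, so it presumably runs under bash, but the identical copy added to dist/common/kernel_conf/post_install.sh decides the host-wide `perf_event_paranoid` value and its shebang is not visible in the diff. `printf` avoids the dependency, `[ "$2" = "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" ]`, and the call sites should quote `"$KERNEL_VER"`. A one-line comment such as `# true when $1 >= $2 in version order` would also spare readers working out the argument order.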
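Review bot: The `version_ge $KERNEL_VER 5.8` test runs once, at package install, so `capabilities.conf` records whichever kernel was running at that moment; a host installed on an older kernel and later upgraded would keep the drop-in without `CAP_PERFMON` until the package scripts run again, and an image built on one kernel carries that decision to wherever it is deployed. Whether the installed systemd recognises the `CAP_PERFMON` name is a separate question from the kernel version and is not checked here. Because an ambient capability is inherited by anything the service executes, the new `if` deserves a comment saying what needs perf events and that the choice is made at install time, for example `# CAP_PERFMON: required by <feature>; decided at install time from uname -r`.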