====== Introduction ======
Sysdig is a universal system visibility tool with native support for containers. Csysdig is a simple, intuitive, and fully customizable curses UI for sysdig.

Sysdig gives you deep system visibility, with native support for containers. We built sysdig to give you easy access to the actual behavior of your Linux systems and containers. Honestly, the best way to understand sysdig is to try it - it's super easy!

Far too often, system-level monitoring and troubleshooting still involves logging into a machine with SSH and using a plethora of dated tools with very inconsistent interfaces. And many of these classic Linux tools break down completely in containerized environments. Sysdig unites your Linux toolkit into a single, consistent, easy-to-use interface. And sysdig's unique architecture allows deep inspection into containers, right out of the box, without having to instrument the containers themselves in any way.

Sysdig instruments your physical and virtual machines at the OS level by installing into the Linux kernel and capturing system calls and other OS events. Sysdig also makes it possible to create trace files for system activity, similarly to what you can do for networks with tools like tcpdump and Wireshark. This way, problems can be analyzed at a later time, without losing important information. Rich system state is stored in the trace files, so that the captured activity can be put into full context.
Sysdig provides additional value by focusing on a few key principles:
  * offering native support for all Linux container technologies, including Docker, LXC, etc.
  * offering unified, coherent, and granular visibility into the storage, processing, network, and memory subsystems
  * making it possible to create trace files for system activity, similarly to what you can do for networks with tools like tcpdump and Wireshark, so that the problem can be analyzed at a later time, without losing important information
  * including rich system state in the trace files, so that the captured activity can be put into full context
  * offering a filtering language to dig into the information in a natural and interactive way
  * including a rich library of Lua scripts to solve common problems, which we call chisels (to carve up the data you unearthed... get it?)
  * offering a simple, intuitive, and fully customizable curses-based UI called csysdig

Think about sysdig as strace + tcpdump + htop + iftop + lsof + ...awesome sauce.
====== Links ======
===== General =====
[[https://sysdig.com/opensource/]]\\
[[https://github.com/draios/sysdig]]\\
====== Docs ======
[[https://github.com/draios/sysdig/wiki]]\\
[[https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux]]\\
[[https://github.com/draios/sysdig/wiki/Chisels-User-Guide]]\\
====== Files and Directories ======
===== General Files and Directories =====
None
===== Configuration Files =====
None
====== Getting Help ======
//sysdig// manual page:
<code>
user@host:~$ man sysdig
</code>
//csysdig// manual page:
<code>
user@host:~$ man csysdig
</code>
Command line help:
<code>
user@host:~$ sysdig -h
</code>
Chisel help:
<code>
user@host:~$ sysdig -cl
</code>
Help file:
<code>
user@host:~$ zless /usr/share/doc/sysdig/README.md.gz
</code>
====== Install ======
To install //sysdig// on Debian (the kernel headers are needed so the sysdig kernel module can be built for the running kernel):
<code>
root@host:~$ curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
root@host:~$ curl -s -o /etc/apt/sources.list.d/draios.list https://s3.amazonaws.com/download.draios.com/stable/deb/draios.list
root@host:~$ apt-get update
root@host:~$ apt-get -y install linux-headers-$(uname -r)
root@host:~$ apt-get -y install sysdig
</code>
====== Configuration ======
None
====== Usage ======
===== General Usage =====
<code>
root@host:~$ sysdig
</code>
===== Command Line Parameters =====
==== General Command Line Parameters ====
^ Option ^ Description ^
| ''-h'' | Print this page. |
| ''-l'' | List the fields that can be used for filtering and output formatting. |
| ''-lv'' | Get additional information for each field. |
| ''-q'' | Don't print events on the screen. Useful when dumping to disk. |
| ''-v'' | Verbose output. |
| ''--version'' | Print version number. |
| ''-D'' | Capture events about sysdig itself and print additional logging on standard error. |
| ''-L'' | List the events that the engine supports. |
| ''-P'' | Print progress on stderr while processing trace files. |
| ''-S'' | Print the event summary (i.e. the list of the top events) when the capture ends. |
==== Capture Parameters ====
^ Option ^ Description ^
| ''-e events'' | Write the captured events to a file with at most ''events'' events. |
| ''-n events'' | Stop capturing after ''events'' events. |
| ''-r file'' | Read the events from file ''file''. |
| ''-s length'' | Capture the first ''length'' bytes of each I/O buffer. Default: 80. |
| ''-w file'' | Write the captured events to file ''file''. |
| ''-z'' | Used with ''-w'', enables compression for trace files. |
| ''-C size'' | Write the captured events to a file of the maximum size ''size'' in million bytes. |
| ''-F'' | Enable fatfile mode. Capture but don't display dependent but filtered events. |
| ''-G seconds'' | Rotate the output file for captured events after ''seconds''. |
| ''-M seconds'' | Stop collecting after ''seconds''. |
| ''-W num'' | Limit the number of files written to ''num'' when the ''-C'' option is used. |
==== Output Formatting ====
^ Option ^ Description ^
| ''-A'' | Only print the text portion of data buffers. |
| ''-b'' | Print data buffers in base64. |
| ''-j'' | Emit output as JSON; the data buffer encoding depends on the print format selected. |
| ''--unbuffered'' | Turn off output buffering. |
| ''-t type'' | Change the way event time is displayed. \\ ''h'' for human-readable string \\ ''a'' for absolute timestamp from epoch \\ ''r'' for relative time from the beginning of the capture \\ ''d'' for delta between event enter and exit \\ ''D'' for delta from the previous event |
| ''-x'' | Print data buffers in hex. |
| ''-N'' | Don't convert port numbers to names. |
| ''-X'' | Print data buffers in hex and ASCII. |
==== Filter Options ====
^ Option ^ Description ^
| ''-d'' | Make the given filter a display filter. Capture events first and apply the filter later. Less efficient, but ensures no events are lost. |
| ''--filter-proclist'' | Apply the filter to the process table. This hides possibly sensitive information. |
| ''-E'' | Don't create the user/group tables by querying the OS when sysdig starts. |
| ''-T'' | Tell the driver to make sure full buffers are captured from /dev/null, to make sure that tracers are completely captured. |
==== Chisel Options ====
^ Option ^ Description ^
| ''-c name args'' | Run the specified chisel. If the chisel requires arguments, they must be specified on the command line after the name. |
| ''-cl'' | List the available chisels. |
| ''-i name'' | Get a longer description and the arguments associated with a chisel found in the ''-cl'' option list. |
===== Example Usage =====
To capture all the events from the live system and print them to screen:
<code>
root@host:~$ sysdig
</code>
To capture all the events from the live system and save them to disk:
<code>
root@host:~$ sysdig -w dumpfile.scap
</code>
To read events from a file and print them to screen:
<code>
root@host:~$ sysdig -r dumpfile.scap
</code>
To print all the ''open()'' system calls invoked by the ''cat'' command:
<code>
root@host:~$ sysdig proc.name=cat and evt.type=open
</code>
To print the name of the files opened by the ''cat'' command:
<code>
root@host:~$ sysdig -p"%evt.arg.name" proc.name=cat and evt.type=open
</code>
===== Status Check =====
None
====== Recipes ======
[[https://github.com/draios/sysdig/wiki/Sysdig-Examples]]\\
====== Known Issues ======
None
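====== Example: Summarizing Captured open() Events ======
Building on the ''-p'' and filter examples in the Usage section, this is an added example (not from the sysdig project or this page's author): a POSIX shell script that post-processes sysdig output printed with ''-p"%proc.name %evt.arg.name"'' and the filter ''evt.type=open and evt.dir=<'' (the exit event carries the resolved path), counting opens per process and calling out opens of a watchlist of sensitive paths. The sysdig invocation, the sample lines and the watchlist are assumptions; sysdig itself is not run by the script.

```shell
#!/bin/sh
# Added example, not from the sysdig project or this page's author.
# Summarizes open() events that sysdig printed with the format string
#   -p"%proc.name %evt.arg.name"
# Assumed capture/replay pipeline (sysdig itself is not run here):
#   sysdig -r dumpfile.scap -p"%proc.name %evt.arg.name" \
#       "evt.type=open and evt.dir=<" | opens_by_process
# evt.dir=< keeps only the exit event, which carries the resolved path.

# Constructed sample of that output (not real capture data); the first
# field is the process name, the rest of the line is the opened path.
SAMPLE_OPENS='cat /etc/hostname
cat /etc/hosts
cat /etc/shadow
sshd /etc/ssh/sshd_config
bash /home/user/.bash_history
cat /etc/passwd
cat /tmp/file with spaces.txt'

# Assumed watchlist of paths a defender wants called out when opened.
WATCHED_PATHS='/etc/shadow
/home/user/.bash_history'

# Reads "<process> <path>" lines on stdin; prints "<count> <process>",
# busiest process first, ties broken by name. Lines without a path
# (e.g. enter events captured without evt.dir=<) are skipped.
opens_by_process() {
    awk 'NF >= 2 { n[$1]++ }
         END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Reads the same lines; prints "<process> <path>" for each open of a
# watched path, in capture order. The path is everything after the
# first space, so paths containing spaces are kept intact.
watched_opens() {
    awk -v list="$WATCHED_PATHS" '
        BEGIN { m = split(list, w, "\n"); for (i = 1; i <= m; i++) watch[w[i]] = 1 }
        NF >= 2 { path = substr($0, length($1) + 2); if (path in watch) print $1, path }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_OPENS" | opens_by_process
printf '%s\n' "$SAMPLE_OPENS" | watched_opens
```

Replace the demo lines at the bottom with the sysdig pipeline from the header comment to run it against a real trace file.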