Sysdig is a universal system visibility tool with native support for containers.
Csysdig is a simple, intuitive, and fully customizable curses UI for sysdig.
Sysdig is a simple tool for deep system visibility, with native support for containers.
We built sysdig to give you easy access to the actual behavior of your Linux systems and containers. Honestly, the best way to understand sysdig is to try it - it's super easy!
Far too often, system-level monitoring and troubleshooting still involves logging into a machine with SSH and using a plethora of dated tools with very inconsistent interfaces. And many of these classic Linux tools break down completely in containerized environments. Sysdig unites your Linux toolkit into a single, consistent, easy-to-use interface. And sysdig's unique architecture allows deep inspection into containers, right out of the box, without having to instrument the containers themselves in any way.
Sysdig instruments your physical and virtual machines at the OS level by loading a driver into the Linux kernel (a kernel module, or on recent releases an eBPF probe) and capturing system calls and other OS events. Sysdig also makes it possible to create trace files for system activity, similarly to what you can do for networks with tools like tcpdump and Wireshark. This way, problems can be analyzed at a later time, without losing important information. Rich system state is stored in the trace files, so that the captured activity can be put into full context.
Sysdig provides additional value by focusing on a few key principles:
offering native support for all Linux container technologies, including Docker, LXC, etc
offering unified, coherent, and granular visibility into the storage, processing, network, and memory subsystems
making it possible to create trace files for system activity, similarly to what you can do for networks with tools like tcpdump and Wireshark, so that the problem can be analyzed at a later time, without losing important information
including rich system state in the trace files, so that the captured activity can be put into full context
offering a filtering language to dig into the information in a natural and interactive way
including a rich library of Lua scripts to solve common problems, which we call chisels (to carve up the data you unearthed… get it?).
offering a simple, intuitive, and fully customizable curses-based UI called csysdig
Think about sysdig as strace + tcpdump + htop + iftop + lsof + …awesome sauce.
https://github.com/draios/sysdig/wiki
https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux
https://github.com/draios/sysdig/wiki/Chisels-User-Guide
sysdig Manual pages:
user@host:~$ man sysdig
csysdig Manual pages:
user@host:~$ man csysdig
Command line help:
user@host:~$ sysdig -h
Chisel help:
user@host:~$ sysdig -cl
Help file:
user@host:~$ zless /usr/share/doc/sysdig/README.md.gz
To install sysdig on Debian:
root@host:~$ curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -
root@host:~$ curl -s -o /etc/apt/sources.list.d/draios.list https://s3.amazonaws.com/download.draios.com/stable/deb/draios.list
root@host:~$ apt-get update
root@host:~$ apt-get -y install linux-headers-$(uname -r)
root@host:~$ apt-get -y install sysdig
Note that piping the downloaded key straight into apt-key trusts whatever the download returned; inspect the key before adding it, and be aware that apt-key is deprecated on current Debian releases. The kernel headers are needed because the sysdig driver is built for the running kernel at install time.
root@host:~$ sysdig
Option | Description |
---|---|
-h | Print this page |
-l | List the fields that can be used for filtering and output formatting. |
-lv | Get additional information for each field. |
-q | Don't print events on the screen. Useful when dumping to disk. |
-v | Verbose output. |
--version | Print version number. |
-D | Capture events about sysdig itself and print additional logging on standard error. |
-L | List the events that the engine supports. |
-P | Print progress on stderr while processing trace files. |
-S | Print the event summary (i.e. the list of the top events) when the capture ends. |
Option | Description |
---|---|
-e num | Used with -w, write at most num events to the file. |
-n num | Stop capturing after num events. |
-r file | Read the events from file. |
-s len | Capture the first len bytes of each I/O buffer. Default: 80. Larger values make trace files grow quickly. |
-w file | Write the captured events to file. |
-z | Used with -w, enables compression for trace files. |
-C size | Break the capture into separate files, each at most size megabytes (millions of bytes); a sequence number is appended to the -w file name. |
-F | Enable fatfile mode: also write events that the filter would hide but that are needed to rebuild system state when the file is read back. |
-G secs | Rotate the -w file every secs seconds. |
-M secs | Stop capturing after secs seconds. |
-W num | Used with -C, keep at most num files; once the limit is reached the oldest file is overwritten. |
Option | Description |
---|---|
-A | Only print the text portion of data buffers. |
-b | Print data buffers in base64. |
-j | Emit output as json, data buffer encoding will depend from the print format selected. |
--unbuffered | Turn off output buffering. |
-t type | Change the way event time is displayed: h for a human-readable string; a for an absolute timestamp from the epoch; r for time relative to the beginning of the capture; d for the delta between event enter and exit; D for the delta from the previous event. |
-x | Print data buffers in hex. |
-N | Don't convert port numbers to names. |
-X | Print data buffers in hex and ASCII. |
Option | Description |
---|---|
-d | Make the given filter a display filter. Capture events first and apply filter later. Less efficient, but ensures no events are lost. |
--filter-proclist | Apply the filter to the process table. This hides possibly sensitive information. |
-E | Don't create the user/group tables by querying the OS when sysdig starts. |
-T | Tell the driver to capture full buffers written to /dev/null, so that tracers are completely captured. |
Option | Description |
---|---|
-c name args | Run the specified chisel. If the chisel requires arguments, they must be specified on the command line after the name. |
-cl | Lists the available chisels. |
-i name | Get a longer description and the arguments associated with a chisel found in the -cl option list. |
To capture all the events from the live system and print them to screen:
root@host:~$ sysdig
To capture all the events from the live system and save them to disk:
root@host:~$ sysdig -w dumpfile.scap
To read events from a file and print them to screen:
root@host:~$ sysdig -r dumpfile.scap
To print all the open() system calls invoked by the cat command:
root@host:~$ sysdig proc.name=cat and evt.type=open
To print the name of the files opened by the cat command:
root@host:~$ sysdig -p"%evt.arg.name" proc.name=cat and evt.type=open
On current glibc the open() library call is implemented with the openat syscall, so on a modern system these two filters may match nothing; use evt.type in (open, openat) to catch both variants.
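The capture options above (-z, -C, -W, -M, -s) and the filter examples come together in a typical forensic workflow: record everything into a bounded, compressed ring of trace files, then replay with a filter and a custom -p format and aggregate the result. The script below is an added example, not code from the sysdig project or the original page. It assumes sysdig is installed and runs as root; CAP_DIR, the output format, the three function names and the sample lines in the test are all chosen for this example. The capture stage is deliberately unfiltered (the filter is applied only at replay time) so that nothing is lost if the first question turns out to be the wrong one.

```shell
#!/bin/sh
# Added example: bounded ring capture + replay filter + aggregation.
# Assumes sysdig is installed and this runs as root. CAP_DIR, the
# field format and function names below are hypothetical choices.
set -eu

CAP_DIR=${CAP_DIR:-/var/tmp/sysdig-ring}

# 1. Capture: -q no screen output, -z compress, -s 512 keep 512 bytes of
#    each I/O buffer (default 80 truncates written data), -C 50 roll the
#    file every 50 MB, -W 10 keep only the 10 newest files (about 500 MB
#    on disk), -M 300 stop after five minutes. No filter: keep everything.
ring_capture() {
    mkdir -p "$CAP_DIR"
    sysdig -q -z -s 512 -C 50 -W 10 -M 300 -w "$CAP_DIR/cap.scap"
}

# 2. Replay: shells started inside containers. evt.dir=< keeps only the
#    execve exit (the enter event would print every exec twice), and
#    container.id is "host" for processes outside any container.
#    Fields are '|'-separated; proc.cmdline goes last because it may
#    itself contain spaces or '|'.
FMT='%evt.time|%container.name|%proc.pname|%proc.name|%proc.cmdline'
FILTER='evt.type=execve and evt.dir=< and container.id!=host and proc.name in (sh, bash, dash, ash)'

replay_container_shells() {
    # sysdig appends a sequence number to the -w name when -C is used,
    # so glob over the whole ring. Read-only: no driver needed here.
    for f in "$CAP_DIR"/cap.scap*; do
        sysdig -r "$f" -p "$FMT" "$FILTER"
    done
}

# 3. Aggregate: count shell execs per container, noisiest first.
#    Input is the replay output above (or any file in that format).
summarize_shells() {
    awk -F'|' 'NF >= 5 { n[$2]++ } END { for (c in n) print n[c], c }' "$@" \
        | sort -rn
}

# Usage: ./ring.sh capture   (run on the host, as root)
#        ./ring.sh replay    (one line per shell exec in a container)
#        ./ring.sh summary   (execs per container)
case "${1:-}" in
    capture) ring_capture ;;
    replay)  replay_container_shells ;;
    summary) replay_container_shells | summarize_shells ;;
esac
```

A kernel-side filter passed on the sysdig command line (as in the replay stage) is cheap but drops events before they are stored; that is why the capture stage here records unfiltered and the -d display-filter option exists for the cases where you want the filter applied only at print time.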
https://github.com/draios/sysdig/wiki/Sysdig-Examples