How to Install and Use Sysdig from Linux Command Line

September 22, 2014 | By
| Reply More

Sysdig is a tool that gives admins and developers unprecedented visibility into the behavior of their systems. The team that develops it wants to improve the way system-level monitoring and troubleshooting is done by offering a unified, coherent, and granular visibility into the storage, processing, network, and memory subsystems making it possible to create trace files for system activity so you can easily analyze it at any time. They have also build a a filtering language to dig into the information in a natural and interactive way and also a rich library of Lua scripts to solve common problems, that they call chisels. Think about this application as strace + tcpdump + lsof on steroids. In short, it is a powerful performance monitoring tool to analyse system state and its activities.

How to Install Sysdig

Sysdig was tested on and supports the following Linux distributions Debian, Ubuntu, CentOS, RHEL, Fedora, Amazon Linux, Oracle Linux and Linux Mint.

It can be installed in one step using the automatic installation script, you can do it by running the following command:

# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

The output should look like this:

sysdig install

Note: In case curl is not installed you will be prompted to install it using the command "sudo apt-get install curl"

This is all you have to do to install the application on your system.

Basic usage

In the most simple form you can just run the program without any argument, this will output to standard output every system call. The format is event number, event time, event cpu number, name of the process (PID), event direction for out, event type, event arguments. The output looks like this:

sysdig basic

Note: Not all of the system calls are currently decoded by sysdig. Non-decoded system calls are still shown in the output, but with no arguments.

Filtering

All this output is huge and mostly not very useful by itself, so you can filter the results using the powerful and versatile filtering system. For example to filter the process vim you can use proc.name argument like this:

# sysdig proc.name=vim

sysdig proc name

You can use a combination of arguments using operators such as "or" and "and". For example to list all the incoming connections that are not served by apache you can use:

# sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"

Or to show the directories that the user "root" visits you can use:

# sysdig evt.type=chdir and user.name=root

The output will look like this:

sysdig root chdir

For quick reference keep in mind that you can use the -l argument to list all the fields you can use and -L for a list of all events:

# sysdig -l
# sysdig -L

A few more examples

These are some popular examples taken from the website wiki:

1) List the top processes in order of network bandwidth usage

# sysdig -c topprocs_net

2) List the top local server ports in terms of established connections:

# sysdig -c fdcount_by fd.sport "evt.type=accept"

3) List all the incoming connections that are not served by apache.

# sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"

sysdig net1

sysdig net2

4) List the top processes in terms of disk bandwidth usage:

# sysdig -c topprocs_file

5) List the processes that are using a high number of files

# sysdig -c fdcount_by proc.name "fd.type=file"

6) Basic opensnoop: snoop file opens as they occur

# sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open

sysdig io

7) See the top processes in terms of CPU usage

# sysdig -c topprocs_cpu

8) See the top processes for CPU 0

# sysdig -c topprocs_cpu evt.cpu=0

sysdig cpu

9) Show the directories that the user "root" visits

# sysdig -p"%evt.arg.path" "evt.type=chdir and user.name=root"

10) Show every file open that happens in /etc

# sysdig evt.type=open and fd.name contains /etc

sysdig security

The possibilities of using sysdig are endless and depend on what you want to find out, but it's a very useful and versatile tool to have around.

For more information you can visit the sysdig website.

Filed Under : LINUX HOWTO, OPEN SOURCE TOOLS

Free Linux Ebook to Download

Leave a Reply

Commenting Policy:
Promotion of your products ? Comment gets deleted.
All comments are subject to moderation.