sysdig command explained


sysdig command installation:


-bash/zsh: sysdig command not found

# Windows (WSL2)
sudo apt-get update && sudo apt-get install sysdig

# Debian
apt-get install sysdig

# Ubuntu
apt-get install sysdig

# Arch Linux
pacman -S sysdig

# OS X
brew install sysdig

# Raspbian
apt-get install sysdig

# Dockerfile
dockerfile.run/sysdig

Additional notes on the sysdig command:


sysdig is a tool for system troubleshooting, analysis and exploration. It can be used to capture, filter and decode system calls and other OS events. sysdig can be used either to inspect live systems or to generate trace files that can be analyzed at a later stage.

sysdig includes a powerful filtering language, has customizable output, and can be extended through Lua scripts called chisels.

sysdig output format:


By default, sysdig prints the information for each captured event on a single line, in the following format:

%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info

evt.num is the incremental event number
evt.time is the event timestamp
evt.cpu is the number of the CPU on which the event was captured
proc.name is the name of the process that generated the event
thread.tid is the TID that generated the event, which corresponds to the PID for single-threaded processes
evt.dir is the event direction: > for enter events, < for exit events
evt.type is the name of the event, e.g. 'open' or 'read'
evt.info is the list of event arguments (the evt.args field)

---------------------------------

5352209 11:54:08.853479695 0 ssh-agent (13314) < getrusage
5352210 11:54:08.853481094 0 ssh-agent (13314) > clock_gettime
5352211 11:54:08.853482049 0 ssh-agent (13314) < clock_gettime
5352226 11:54:08.853510313 0 ssh-agent (13314) > getrusage
5352228 11:54:08.853511089 0 ssh-agent (13314) < getrusage
5352229 11:54:08.853511646 0 ssh-agent (13314) > clock_gettime
5352231 11:54:08.853512020 0 ssh-agent (13314) < clock_gettime
5352240 11:54:08.853530285 0 ssh-agent (13314) > stat
5352241 11:54:08.853532329 0 ssh-agent (13314) < stat res=0 path=/home/cizixs/.ssh
5352242 11:54:08.853533065 0 ssh-agent (13314) > stat
5352243 11:54:08.853533990 0 ssh-agent (13314) < stat res=0 path=/home/cizixs/.ssh/id_rsa.pub
5353954 11:54:08.857382204 0 ssh-agent (13314) > write fd=16 size=280
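As an added example (not from the original page or the sysdig project), a small Python parser for the default output format above, run over a constructed subset of the ssh-agent sample lines: it pairs enter/exit events per thread to get per-call latency and collects the path= arguments, which is the kind of post-processing a defender does on a saved capture rather than reading raw lines.

```python
import re

# Constructed sample: a subset of the ssh-agent lines shown above, in sysdig's default format
SAMPLE = """\
5352209 11:54:08.853479695 0 ssh-agent (13314) < getrusage
5352240 11:54:08.853530285 0 ssh-agent (13314) > stat
5352241 11:54:08.853532329 0 ssh-agent (13314) < stat res=0 path=/home/cizixs/.ssh
5352242 11:54:08.853533065 0 ssh-agent (13314) > stat
5352243 11:54:08.853533990 0 ssh-agent (13314) < stat res=0 path=/home/cizixs/.ssh/id_rsa.pub
5353954 11:54:08.857382204 0 ssh-agent (13314) > write fd=16 size=280
"""

# %evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\d\d:\d\d:\d\d\.\d{1,9}) (?P<cpu>\d+) (?P<proc>\S+) "
    r"\((?P<tid>\d+)\) (?P<dir>[<>]) (?P<type>\S+)(?: (?P<info>.*))?$")
# evt.info is "key=value key=value ..."; the lookahead ends a value at the next " key="
ARG_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_time_ns(text):
    # "11:54:08.853479695" -> nanoseconds since midnight (the default timetype carries no date)
    hms, frac = text.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000_000 + int(frac.ljust(9, "0"))

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not events (banners, blanks) are skipped
            events.append({"num": int(m["num"]), "time_ns": parse_time_ns(m["time"]), "cpu": int(m["cpu"]),
                           "proc": m["proc"], "tid": int(m["tid"]), "dir": m["dir"], "type": m["type"],
                           "args": dict(ARG_RE.findall(m["info"] or ""))})
    return events

def pair_events(events):
    # Pair each exit (<) with the pending enter (>) of the same tid and syscall -> (enter, exit, latency_ns)
    pending, pairs = {}, []
    for e in events:
        key = (e["tid"], e["type"])
        if e["dir"] == ">":
            pending[key] = e
        else:
            enter = pending.pop(key, None)  # None: the enter happened before the capture began
            pairs.append((enter, e, None if enter is None else e["time_ns"] - enter["time_ns"]))
    return pairs

def paths_touched(events):
    # Files named in the path= argument of exit events, e.g. what ssh-agent looked at
    return sorted({e["args"]["path"] for e in events if e["dir"] == "<" and "path" in e["args"]})
```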

sysdig command syntax:


sysdig [option]... [filter]

sysdig command options:


-A, --print-ascii Only print the text portion of data buffers,
and echo end-of-lines.  This is useful to only display human-
readable data.

-b, --print-base64 Print data buffers in base64.  This is useful
for encoding binary data that needs to be used over media
designed to handle textual data (i.e., terminal or json).

-c chiselname chiselargs, --chisel=chiselname chiselargs Run the
specified chisel.  If the chisel requires arguments, they must be
specified on the command line after the name.

-C filesize Break a capture into separate files, and limit the
size of each file based on the specified number of megabytes.
The units of filesize are millions of bytes (10^6, not 2^20).
Use in conjunction with -W to enable automatic file rotation.
Otherwise, new files will continue to be created until the
capture is manually stopped.

Files will have the name specified by -w with a counter added
starting at 0.

-cl, --list-chisels lists the available chisels.  Sysdig looks
for chisels in the following directories: ./chisels, ~/.chisels
and /usr/share/sysdig/chisels.

-d, --displayflt Make the given filter a display one.  Setting
this option causes the events to be filtered after being parsed
by the state system.  Events are normally filtered before being
analyzed, which is more efficient, but can cause state (e.g.  FD
names) to be lost.

-D, --debug Capture events about sysdig itself, display internal
events in addition to system events, and print additional logging
on standard error.

-E, --exclude-users Don't create the user/group tables by
querying the OS when sysdig starts.  This also means that no user
or group info will be written to the tracefile by the -w flag.
The user/group tables are necessary to use filter fields like
user.name or group.name.  However, creating them can increase
sysdig's startup time.  Moreover, they contain information that
could be privacy sensitive.

-e numevents Break a capture into separate files, and limit the
size of each file based on the specified number of events.  Use
in conjunction with -W to enable automatic file rotation.
Otherwise, new files will continue to be created until the
capture is manually stopped.

Files will have the name specified by -w with a counter added
starting at 0.

-F, --fatfile Enable fatfile mode.  When writing in fatfile mode,
the output file will contain events that will be invisible when
reading the file, but that are necessary to fully reconstruct the
state.  Fatfile mode is useful when saving events to disk with an
aggressive filter.  The filter could drop events that would cause
the state to be updated (e.g.  clone() or open()).  With fatfile
mode, those events are still saved to file, but 'hidden' so that
they won't appear when reading the file.  Be aware that using
this flag might generate substantially bigger traces files.

--filter-proclist apply the filter to the process table.  A full
dump of /proc is typically included in any trace file to make
sure all the state required to decode events is in the file.
This could cause the file to contain unwanted or sensitive
information.  Using this flag causes the command line filter to
be applied to the /proc dump as well.

-G numseconds Break a capture into separate files, and limit the
size of each file based on the specified number of seconds.  Use
in conjunction with -W to enable automatic file rotation.
Otherwise, new files will continue to be created until the
capture is manually stopped.

Files will have the name specified by -w which should include a
time format as defined by strftime(3).  If no time format is
specified, a counter will be used.

-h, --help Print this page

-H pluginname[:initconfig], --plugin pluginname[:initconfig]
Registers a plugin, using the passed init config if present.  A
path can also be used as pluginname.  The format of initconf is
controlled by the plugin, refer to each plugin's documentation to
learn about it.

-I pluginname[:openparams], --input pluginname[:openparams]
Capture events using the plugin with name pluginname, passing to
the plugin the openparams string as parameters.  The format of
inputargs is controlled by the plugin, refer to each plugin's
documentation to learn about it.  The event sources available for
capture vary depending on which plugins have been installed.  You
can list the plugins that have been loaded by using the -Il flag.

-Il, --list-inputs List the loaded plugins.  Sysdig looks for
plugins in the following directories: ./plugins, ~/.plugins,
/usr/share/sysdig/plugins.

--plugin-config-file Load the plugin configuration from a Falco-
compatible yaml config file.  Mixing this option with '-H' or
'-I' is unsupported.  See the plugin section in
<https://falco.org/docs/configuration/> for additional
information.

-i chiselname, --chisel-info=chiselname Get a longer
description and the arguments associated with a chisel found in
the -cl option list.

-j, --json Emit output as json; the data buffer encoding depends
on the print format selected.

-k, --k8s-api Enable Kubernetes support by connecting to the API
server specified as argument.  E.g.
"<http://admin:password@127.0.0.1:8080>".  The API server can
also be specified via the environment variable SYSDIG_K8S_API.

-K btfile | certfile:keyfile[#password][:cacertfile], --k8s-api-
cert=btfile | certfile:keyfile[#password][:cacertfile] Use the
provided files names to authenticate user and (optionally) verify
the K8S API server identity.  Each entry must specify full
(absolute, or relative to the current directory) path to the
respective file.  Private key password is optional (needed only
if key is password protected).  CA certificate is optional.  For
all files, only PEM file format is supported.  Specifying CA
certificate only is obsoleted - when single entry is provided for
this option, it will be interpreted as the name of a file
containing bearer token.  Note that the format of this command-
line option prohibits use of files whose names contain ':' or '#'
characters in the file name.  Option can also be provided via the
environment variable SYSDIG_K8S_API_CERT.

-L, --list-events List the events that the engine supports

-l, --list List the fields that can be used for filtering and
output formatting.  Use -lv to get additional information for
each field.

--list-markdown Like -l, but produces markdown output

-m url[,marathon-url], --mesos-api=url[,marathon-url] Enable
Mesos support by connecting to the API server specified as
argument (e.g.  <http://admin:password@127.0.0.1:5050>).  Mesos
url is required.  Marathon url is optional, defaulting to auto-
follow - if Marathon API server is not provided, sysdig will
attempt to retrieve (and subsequently follow, if it migrates) the
location of Marathon API server from the Mesos master.  Note
that, with auto-follow, sysdig will likely receive a cluster
internal IP address for Marathon API server, so running sysdig
with Marathon auto-follow from a node that is not part of Mesos
cluster may not work.  Additionally, running sysdig with Mesos
support on a node that has no containers managed by Mesos is of
limited use because, although cluster metadata will be collected,
there will be no Mesos/Marathon filtering capability.  The API
servers can also be specified via the environment variable
SYSDIG_MESOS_API.

-M num_seconds Stop collecting after num_seconds seconds have elapsed.

-n num, --numevents=num
Stop capturing after num events

--page-faults Capture user/kernel major/minor page faults

-P, --progress
Print progress on stderr while processing trace files.

-p outputformat, --print=outputformat
Specify the format to be used when printing the events.  With -pc
or -pcontainer will use a container-friendly format.  With -pk or
-pkubernetes will use a kubernetes-friendly format.  With -pm or
-pmesos will use a mesos-friendly format.  Specifying -pp on the
command line will cause sysdig to print the default command line
format and exit.

-q, --quiet
Don't print events on the screen.  Useful when dumping to disk.

-r readfile, --read=readfile
Read the events from readfile.

-R, --resolve-ports Resolve port numbers to names.

-S, --summary
print the event summary (i.e.  the list of the top events) when
the capture ends.

-s len, --snaplen=len
Capture the first len bytes of each I/O buffer.  By default, the
first 80 bytes are captured.  Use this option with caution, it
can generate huge trace files.

-t timetype, --timetype=timetype
Change the way event time is displayed.  Accepted values are h
for human-readable string, a for absolute timestamp from epoch, r
for relative time from the first displayed event, d for delta
between event enter and exit, and D for delta from the previous
event.

-T, --force-tracers-capture
Tell the driver to make sure full buffers are captured from
/dev/null, to make sure that tracers are completely captured.
Note that sysdig will enable extended /dev/null capture by itself
after detecting that tracers are written there, but that could
result in the truncation of some tracers at the beginning of the
capture.  This option allows preventing that.

--unbuffered
Turn off output buffering.  This causes every single line emitted
by sysdig to be flushed, which generates higher CPU usage but is
useful when piping sysdig's output into another process or into a
script.

-v, --verbose
Verbose output.  This flag will cause the full content of text
and binary buffers to be printed on screen, instead of being
truncated to 40 characters.  Note that data buffers length is
still limited by the snaplen (refer to the -s flag documentation)
-v will also make sysdig print some summary information at the
end of the capture.

--version
Print version number.

-w writefile, --write=writefile
Write the captured events to writefile.

-W num
Turn on file rotation for continuous capture, and limit the
number of files created to the specified number.  Once the cap is
reached, older files will be overwritten (ring buffer).  Use in
conjunction with the -C / -G / -e options to limit the size of
each file based on number of megabytes, seconds, and/or events
(respectively).

-x, --print-hex
Print data buffers in hex.

-X, --print-hex-ascii
Print data buffers in hex and ASCII.

-z, --compress
Used with -w, enables compression for tracefiles.

sysdig command examples:


Capture all events from the live system with sysdig and print them to the screen:

sysdig

Capture all events from the live system and save them to disk:

sysdig -w dumpfile.scap

Capture all events from the last 24 hours and save them to disk, organized into files each containing one hour of system activity:

sysdig -G 3600 -W 24 -w dumpfile.scap

Read events from a file and print them to the screen:

sysdig -r dumpfile.scap

List the available chisels:

sysdig -cl
