# sysdig: System-level exploration tool


Installing
# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Listing chisels
# sysdig -cl

Listing fields to filter
# sysdig -l

Using a chisel
# sysdig -c topprocs_cpu

Writing events to file
# sysdig -z -w tracefile.scap.gz

Reading events from a file and using a chisel
# sysdig -z -r tracefile.scap.gz -c topprocs_cpu

Filtering events for a specific process
# sysdig proc.name=sshd

Filtering events for a specific file
# sysdig fd.name=/var/log/auth.log

Filtering events by other field values (file names containing /etc, event arguments, IP address, L4 protocol)
# sysdig fd.name contains /etc
# sysdig evt.args contains /bin/ls
# sysdig fd.ip=1.2.3.4
# sysdig fd.l4proto=udp

Formatting the output
# sysdig -p '%evt.arg.path' 'evt.type=chdir and user.name=root'

Information about all chisels
# sysdig -cl | grep -P '^\w' | awk '{print $1}' | grep -v -e Category -e Use | xargs -L 1 sysdig -i
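The pipeline above scrapes chisel names out of the `sysdig -cl` listing, which also contains "Category:" headers, underline rows and a trailing usage hint. The following is an added shell example (not from the sysdig project) that does the same parsing in one awk pass and only calls `sysdig -i` when the binary is present; the sample listing is constructed to mimic the real format so the parser can be exercised without sysdig installed.

```shell
#!/bin/sh
# Constructed sample of `sysdig -cl` output (shape only; real output lists many more chisels).
SAMPLE_CHISEL_LIST='Category: Application
---------------------
httplog         Print every HTTP request made by the system

Category: CPU Usage
-------------------
topprocs_cpu    Top processes by CPU usage

Use the -i flag to get detailed information about a specific chisel'

# chisel_names: read a `sysdig -cl` listing on stdin, print one chisel name per line.
# Skips category headers, dashed underline rows, blank lines and the usage hint,
# then keeps the first whitespace-separated field of each remaining line.
chisel_names() {
    awk '
        /^Category:/ { next }   # section header
        /^-+$/       { next }   # underline row
        /^Use /      { next }   # trailing usage hint
        NF           { print $1 }
    '
}

# describe_all_chisels: run `sysdig -i` for every chisel found in the live listing.
# Returns 1 without running anything if sysdig is not installed.
describe_all_chisels() {
    command -v sysdig >/dev/null 2>&1 || return 1
    sysdig -cl | chisel_names | while IFS= read -r name; do
        sysdig -i "$name"
    done
}

# Stand-alone demo: parse the constructed sample.
printf '%s\n' "$SAMPLE_CHISEL_LIST" | chisel_names
```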

Interesting chisels
# sysdig -c topprocs_cpu
# sysdig -c echo_fds -s 2000 -A proc.name=httpd
# sysdig -c echo_fds -s 2000 -A fd.port=80 and evt.buffer contains GET
# sysdig -c spy_file 'RW /var/log/syslog'
# sysdig -c spy_logs
# sysdig -c spy_syslog
# sysdig -c spy_ip 1.2.3.4
# sysdig -c spy_port 443
# sysdig -c topconns
# sysdig -c topprocs_net
# sysdig -c spy_users 0|1
# sysdig -c lsof
# sysdig -c netstat
# sysdig -c ps
# sysdig -c topfiles_bytes proc.name contains tar
# sysdig -c list_login_shells ncat
# sysdig -c spy_users proc.loginshellid=1234
# sysdig -c stdin -c stdout proc.name=cat

Reference

https://github.com/draios/sysdig/wiki
