Installing #curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
Listing chisels #sysdig -cl
Listing fields to filter #sysdig -l
Using a chisel #sysdig -c topprocs_cpu
Writing events to file #sysdig -z -w tracefile.scap.gz
Reading events from file and use a chisel #sysdig -z -r tracefile.scap.gz -c topprocs_cpu
Filtering events for a specific process #sysdig proc.name=sshd
Filtering events for a specific file #sysdig fd.name=/var/log/auth.log
Filtering events for files that contain /etc #sysdig fd.name contains /etc
#sysdig evt.args contains /bin/ls
#sysdig fd.ip=1.2.3.4
#sysdig fd.l4proto=udp
Formating the output #sysdig -p '%evt.arg.path' 'evt.type=chdir and user.name=root'
Information about all chisels #sysdig -cl | grep -P '^\w' | awk '{print $1}' | grep -v -e Category -e Use | xargs -L 1 sysdig -i
Interesting chisels #sysdig -c topprocs_cpu
#sysdig -c echo_fds -s 2000 -A proc.name=httpd
#sysdig -c echo_fds -s 2000 -A fd.port=80 and evt.buffer contains GET
#sysdig -c spy_file 'RW /var/log/syslog'
#sysdig -c spy_logs
#sysdig -c spy_syslog
#sysdig -c spy_ip 1.2.3.4
#sysdig -c spy_port 443
#sysdig -c topconns
#sysdig -c topprocs_net
#sysdig -c spy_users 0|1
#sysdig -c lsof
#sysdig -c netstat
#sysdig -c ps
#sysdig -c topfiles_bytes proc.name contains tar
#sysdig -c list_login_shells ncat
#sysdig -c spy_users proc.loginshellid=1234
#sysdig -c stdin -c stdout proc.name=cat
Reference
https://github.com/draios/sysdig/wiki
No comments:
Post a Comment