sysdig
Capture and analyze system calls in real-time
TLDR
- Capture all the events from the live system and print them to screen
- Capture all the events from the live system and save them to disk
- Read events from a file and print them to screen
- Filter and print all the open system calls invoked by cat
- Register any found plugin and use dummy as the input source, passing open params to it
- List the available chisels
- Use the spy_ip chisel to look at the data exchanged with an IP address
SYNOPSIS
sysdig [options] [filter]
sysdig -c <chisel_name> [chisel_args] [filter]
PARAMETERS
-A
Dump the given count of events and then exit.
-c
Run a specific chisel (Lua script) to analyze captured data.
-D
Detach from the terminal and run sysdig in the background.
-l
List all available chisels.
-p
Pretty print the output, often in JSON format for easier parsing.
-r
Read events from a previously saved sysdig capture file.
-S
Print system statistics every second (e.g., CPU, memory, I/O).
-s
Sleep for the given number of seconds after starting; useful for giving the system time to stabilize before capturing.
-w
Write captured events to a file for later offline analysis.
-v
Increase verbosity of output, providing more detailed information.
-h
Display help information and exit.
DESCRIPTION
sysdig is an open-source tool for deep system visibility and troubleshooting on Linux. It captures system state and activity from a running Linux instance by leveraging a kernel module or eBPF probes to intercept system calls and kernel events. Think of it as a powerful combination of strace, tcpdump, lsof, top, and netstat, but with advanced filtering, aggregation, and analysis capabilities.
Users can observe process activity, network connections, file I/O, and other system-wide events in real-time. sysdig allows for rich filtering of events using a powerful syntax, enabling users to focus on specific processes, network activity, or file operations. It also supports "chisels," which are Lua scripts providing higher-level, pre-built views and analysis of the captured data. Beyond real-time monitoring, sysdig can save captured events to a file for later offline analysis, making it invaluable for post-mortem forensics, performance troubleshooting, and security incident response in both traditional and containerized environments.
CAVEATS
Requires root privileges or appropriate capabilities (e.g., CAP_SYS_ADMIN) to run due to its deep kernel interaction.
Installation typically involves a kernel module or eBPF, which may require compilation against specific kernel headers, potentially leading to compatibility issues across different kernel versions.
While generally low, there can be a performance overhead, especially under heavy system load or with very broad filters, as it intercepts every system call.
The powerful filtering language and chisels have a learning curve, requiring users to understand system call semantics and sysdig's event model.
CHISELS
Chisels are powerful Lua scripts that provide pre-built, high-level views and analysis of the raw system event stream. They transform low-level syscall data into actionable insights, such as "top processes by network I/O," "connections per process," or "files opened by a specific user." Users can also create custom chisels to tailor analysis to their specific needs, extending sysdig's functionality.
FILTERING LANGUAGE
sysdig's powerful filtering language allows users to precisely specify which events to capture and display. Filters can be applied based on process properties (proc.name, proc.pid), file descriptors (fd.name, fd.type), event types (evt.type), and many more attributes. This enables highly granular observation, such as "sysdig proc.name=nginx and evt.type=open" to see all file open events specifically by the Nginx process. Filters support logical operators (AND, OR) and comparisons.
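The following Python is an added example, not code from sysdig or a real chisel, that models the two ideas of the CHISELS and FILTERING LANGUAGE sections side by side: it parses a handful of constructed text lines shaped like sysdig's default output (event number, time, CPU, process, thread id, direction, event type, info), evaluates flat filter expressions such as "proc.name=cat and evt.type=open" against the parsed fields, and then does what a small chisel does, turning the raw open() events into "files opened per process" and "write-mode opens of sensitive files" summaries. The field names are the ones the page lists (proc.name, evt.type, fd.name, fd.type); the sample lines, the supported operator subset, the sensitive-path list and the function names are assumptions of this example.

```python
"""Added example: a toy model of sysdig's filter language and of a
'files opened per process' chisel, run over constructed sample output.
Not sysdig's own code; the field names follow sysdig, everything else
is an assumption of this example."""
import re
from collections import Counter

# Constructed sample lines (not real capture data), shaped like sysdig's
# default text output: num time cpu proc (tid) dir type info
SAMPLE_OUTPUT = """\
101 10:00:01.000000001 0 nginx (1201) > open
102 10:00:01.000000002 0 nginx (1201) < open fd=12(<f>/etc/nginx/nginx.conf) name=/etc/nginx/nginx.conf flags=1(O_RDONLY) mode=0
103 10:00:01.000000003 1 cat (4411) < open fd=3(<f>/etc/passwd) name=/etc/passwd flags=1(O_RDONLY) mode=0
104 10:00:01.000000004 1 cat (4411) < read fd=3(<f>/etc/passwd) size=4096
105 10:00:01.000000005 0 nginx (1201) < open fd=13(<f>/var/log/nginx/access.log) name=/var/log/nginx/access.log flags=1025(O_WRONLY|O_APPEND) mode=0
106 10:00:01.000000006 2 bash (900) < open fd=4(<f>/etc/shadow) name=/etc/shadow flags=2(O_RDWR) mode=0
"""

LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>\S+) \((?P<tid>\d+)\) "
    r"(?P<dir>[<>]) (?P<type>\S+)(?: (?P<info>.*))?$"
)
# fd=3(<f>/etc/passwd): in sysdig's fd notation <f> marks a regular file;
# other type codes are kept verbatim here (assumption of this example).
FD_RE = re.compile(r"fd=(\d+)\(<(\w+)>([^)]*)\)")
COND_RE = re.compile(
    r'^\s*(?P<field>[\w.]+)\s*(?P<op>!=|=|contains|startswith)\s*(?P<val>"[^"]*"|\S+)\s*$'
)


def parse_line(line):
    """Turn one sysdig-style text line into a dict keyed by sysdig field names."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {
        "evt.num": int(m["num"]),
        "evt.cpu": int(m["cpu"]),
        "proc.name": m["proc"],
        "thread.tid": int(m["tid"]),
        "evt.dir": m["dir"],          # '>' = syscall entry, '<' = syscall exit
        "evt.type": m["type"],
        "evt.info": m["info"] or "",
    }
    fd = FD_RE.search(ev["evt.info"])
    if fd:
        ev["fd.num"] = int(fd.group(1))
        ev["fd.type"] = "file" if fd.group(2) == "f" else fd.group(2)
        ev["fd.name"] = fd.group(3)
    return ev


def _match_cond(cond, ev):
    """Evaluate a single 'field op value' comparison; an absent field never matches."""
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unsupported filter condition: {cond!r}")
    actual = ev.get(m["field"])
    if actual is None:
        return False
    actual, want, op = str(actual), m["val"].strip('"'), m["op"]
    if op == "=":
        return actual == want
    if op == "!=":
        return actual != want
    if op == "contains":
        return want in actual
    return actual.startswith(want)    # op == "startswith"


def matches(filter_expr, ev):
    """Flat 'a=b and c=d or e=f' expression; 'and' binds tighter than 'or'."""
    return any(
        all(_match_cond(c, ev) for c in clause.split(" and "))
        for clause in filter_expr.split(" or ")
    )


def apply_filter(filter_expr, text):
    """Parse every line of sysdig-style output and keep the events the filter selects."""
    events = (parse_line(line) for line in text.splitlines())
    return [ev for ev in events if ev and matches(filter_expr, ev)]


def top_opened_files(text, proc_name=None):
    """Chisel-like view: successful open() exits counted per (process, file)."""
    counts = Counter()
    for ev in apply_filter("evt.type=open and evt.dir=<", text):
        if proc_name and ev["proc.name"] != proc_name:
            continue
        counts[(ev["proc.name"], ev.get("fd.name", "?"))] += 1
    return counts.most_common()


def sensitive_writes(text, prefixes=("/etc/shadow", "/etc/sudoers")):
    """Defender's view: open() exits on sensitive paths with a write-mode flag."""
    hits = []
    for ev in apply_filter("evt.type=open and evt.dir=<", text):
        path = ev.get("fd.name", "")
        writable = "O_WRONLY" in ev["evt.info"] or "O_RDWR" in ev["evt.info"]
        if path.startswith(prefixes) and writable:
            hits.append((ev["proc.name"], path))
    return hits


if __name__ == "__main__":
    for ev in apply_filter("proc.name=cat and evt.type=open", SAMPLE_OUTPUT):
        print(ev["evt.num"], ev["proc.name"], ev["fd.name"])
    print(top_opened_files(SAMPLE_OUTPUT))
    print(sensitive_writes(SAMPLE_OUTPUT))
```

Two details of the model match sysdig's behaviour and are worth keeping in mind when writing real filters: each syscall appears twice, as an entry (">") and an exit ("<") event, and the file name is only resolved on the exit event, so counting opens must restrict to evt.dir=<; and a condition on a field the event does not carry (fd.name on an entry event) simply fails to match rather than erroring.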
ARCHITECTURE
At its core, sysdig operates by inserting a kernel module or leveraging eBPF probes into the Linux kernel. This allows it to capture system calls, context switches, and other kernel events at a very low level without modifying applications. The collected data is then streamed to user space where sysdig applies filters, processes it with chisels, and presents it to the user. This approach provides unparalleled depth and detail in system monitoring by observing the system from the kernel's perspective.
HISTORY
sysdig was created by Loris Degioanni, who is also known for co-creating Wireshark and nmap. It was initially developed by Sysdig Inc. and open-sourced in 2014, quickly gaining traction in the DevOps and security communities. Its design aimed to provide unified observability for Linux systems, addressing the complexities of monitoring modern, distributed, and containerized applications. Over time, it evolved to support eBPF, reducing its reliance on a kernel module and improving compatibility and performance. It has become a foundational tool in the cloud-native security and observability stack.