sysdig
Capture and analyze system calls in real-time
TLDR
Capture all the events from the live system and print them to screen
Capture all the events from the live system and save them to disk
Read events from a file and print them to screen
Filter and print all the `open` system calls invoked by `cat`
Register any plugin found and use `dummy` as the input source, passing `open params` to it
List the available chisels
Use the `spy_ip` chisel to look at the data exchanged with an IP address
SYNOPSIS
sysdig [options] [filter]
PARAMETERS
-h, --help
Display help message and exit.
-i capturefile, --input capturefile
Read events from the specified capture file instead of live capturing. Useful for analyzing previously captured data.
-w capturefile, --write capturefile
Write the captured events to the specified capture file.
-n number, --number number
Capture only the specified number of events. The default is to capture until interrupted.
-p format, --print format
Use the specified format string to print event information. Allows customization of the output.
-c chiselfile, --chiselfile chiselfile
Load and run the specified chisel (Lua script). Chisels provide pre-defined analysis and reporting capabilities.
-l, --list
List available chisels.
-A bytes, --after bytes
Specify the number of bytes to print after the event for file I/O events.
-B bytes, --before bytes
Specify the number of bytes to print before the event for file I/O events.
-d, --debug
Enable debug output.
-v, --verbose
Enable verbose output.
--unbuffered
Disable output buffering.
filter
Apply a filter to the captured events. Sysdig supports a rich filtering syntax based on system call arguments, process information, container metadata, etc.
DESCRIPTION
Sysdig is a powerful open-source system-level exploration and troubleshooting tool for Linux. It captures system calls and other OS events, allowing users to analyze application behavior and system performance. Unlike traditional tools like `tcpdump` or `strace`, Sysdig operates at the kernel level, providing a comprehensive view of system activity without requiring code instrumentation. It can filter events based on various criteria (e.g., process name, file path, network connection) and provides a rich set of chisels (Lua scripts) to analyze the captured data. Sysdig is invaluable for tasks such as identifying performance bottlenecks, diagnosing application errors, debugging security issues, and understanding system resource usage. It is especially useful in containerized environments like Docker and Kubernetes, where it can provide insight into the behavior of individual containers. Furthermore, Sysdig integrates with Falco, a cloud-native runtime security tool, for detecting anomalous behavior based on system calls and other events. Sysdig's capabilities enable a deep dive into system activity, making it an essential tool for system administrators, developers, and security professionals.
CAVEATS
Sysdig requires root privileges or specific kernel capabilities to access system call information.
The performance impact of running Sysdig can be significant, especially when capturing a large number of events or using complex filters.
When capturing a large number of events, use a ring buffer to avoid disk exhaustion.
FILTERING
Sysdig uses a powerful filtering language based on system call arguments, process attributes, container metadata, etc.
Examples include `proc.name=httpd`, `fd.name contains /var/log`, and `container.id=...`. Filtering can significantly reduce the amount of data captured and improve analysis efficiency.
CHISELS
Chisels are Lua scripts that provide pre-defined analysis and reporting capabilities.
Sysdig comes with a variety of built-in chisels for tasks such as monitoring network activity, analyzing file I/O, and identifying performance bottlenecks.
Users can also create their own custom chisels to tailor the analysis to their specific needs.
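As an added example of such a custom chisel (not one bundled with sysdig), the script below reports every successful write-mode open of a file under a watched directory, defaulting to /etc, together with the process, user and container responsible; it is run with `sysdig -c etc_writes.lua [dir]`, and the file name `etc_writes.lua` and the `dir` argument are this example's own choices.

```lua
-- etc_writes.lua: report successful write-opens of files under a watched
-- directory (default /etc), with the process, user and container that did it.
-- Added example chisel, not one shipped with sysdig.
description = "Report processes that open files under a directory for writing"
short_description = "Write-opens under a directory"
category = "Security"

-- Optional argument: directory prefix to watch; defaults to /etc.
args = {
    {
        name = "dir",
        description = "directory prefix to watch (default /etc)",
        argtype = "string",
        optional = true,
    },
}

local watch_dir = "/etc"

function on_set_arg(name, val)
    if name == "dir" then
        watch_dir = val
        return true
    end
    return false
end

function on_init()
    -- Request the fields we read in on_event().
    f_proc  = chisel.request_field("proc.name")
    f_pid   = chisel.request_field("proc.pid")
    f_user  = chisel.request_field("user.name")
    f_file  = chisel.request_field("fd.name")
    f_flags = chisel.request_field("evt.arg.flags")
    f_cont  = chisel.request_field("container.name")
    -- Only exit events (evt.dir=<) of successful open-family syscalls whose
    -- resolved path is under the watched directory; fd.name is populated on
    -- the exit event, and the write-mode check is done on the flags string.
    chisel.set_filter("evt.type in (open, openat) and evt.dir=< and evt.failed=false and fd.name startswith " .. watch_dir)
    return true
end

function on_event()
    local flags = evt.field(f_flags) or ""
    if not (flags:find("O_WRONLY", 1, true) or flags:find("O_RDWR", 1, true)) then
        return true -- read-only open, not of interest here
    end
    print(string.format("%-16s pid=%-7s user=%-10s container=%-12s %s flags=%s",
        evt.field(f_proc) or "?", tostring(evt.field(f_pid) or "?"),
        evt.field(f_user) or "?", evt.field(f_cont) or "host",
        evt.field(f_file) or "?", flags))
    return true
end
```

The same chisel works on a saved capture (`sysdig -r capture.scap -c etc_writes.lua /etc/ssh`), which makes it usable for after-the-fact review as well as live monitoring.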
HISTORY
Sysdig was originally developed by Loris Degioanni and Gianluca Borello, and was initially released as open source software.
It has since evolved into a widely adopted tool for system exploration and troubleshooting, particularly in cloud-native environments. The project was acquired by Sysdig, Inc., which continues to develop and maintain the tool, and integrated it into a larger security and monitoring platform.
The integration with Falco has significantly enhanced its security capabilities.