### Docker Installation - Install and start Docker (RHEL-like)

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs and starts the Docker service on RHEL-based systems.

```bash
yum install docker
systemctl start docker
```

--------------------------------

### Docker Installation - Install and start Docker (Debian-like)

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs and starts the Docker service on Debian-based systems.

```bash
apt-get install docker
systemctl start docker
```

--------------------------------

### Running csysdig

Source: https://github.com/draios/sysdig/wiki/Getting-Started

The easiest way to get started using sysdig is with csysdig, a curses UI for sysdig.

```bash
~$ csysdig
```

--------------------------------

### Native Installation Output Example

Source: https://github.com/draios/sysdig/wiki/eBPF

Example output when running sysdig with eBPF in native installation mode.

```bash
gianluca@sid:~$ sudo sysdig -B
* Mounting debugfs
Found kernel config at /boot/config-4.15.0-1006-gcp
* Trying to compile BPF probe sysdig-probe-bpf (sysdig-probe-bpf-0.1.1dev-x86_64-4.15.0-1006-gcp-610846bd0fce75bc94cba8639ca7347b.o)
* BPF probe located, it's now possible to start sysdig
16 17:31:24.809317422 0 sysdig (18052) > switch next=0 pgft_maj=0 pgft_min=1039 vm_size=75220 vm_rss=9192 vm_swap=0
...
```

--------------------------------

### Connect Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a connect event.

```text
> connect(FD fd)
```

--------------------------------

### Listen Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a listen event.

```text
> listen(FD fd, UINT32 backlog)
```

--------------------------------

### Bind Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a bind event.

```text
> bind(FD fd)
```

--------------------------------

### HTTP GET Requests

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See all the GET HTTP requests made by the machine.

```bash
sudo sysdig -s 2000 -A -c echo_fds fd.port=80 and evt.buffer contains GET
```

--------------------------------

### Send Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a send event.

```text
> send(FD fd, UINT32 size)
```

--------------------------------

### Listen Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a listen event exit.

```text
< listen(ERRNO res)
```

--------------------------------

### Read Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a read event.

```text
> read(FD fd, UINT32 size)
```

--------------------------------

### Connect Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a connect event exit.

```text
< connect(ERRNO res, SOCKTUPLE tuple)
```

--------------------------------

### Open Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for an open event.

```text
> open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode)
```

--------------------------------

### Running sysdig in raw form

Source: https://github.com/draios/sysdig/wiki/Getting-Started

You can also run sysdig in its raw form without the UI.

```bash
~$ sysdig
```

--------------------------------

### Write Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a write event.

```text
> write(FD fd, UINT32 size)
```

--------------------------------

### Project Setup

Source: https://github.com/draios/sysdig/blob/dev/CMakeLists.txt

Basic CMake project setup, including minimum version, project name, and options.

```cmake
cmake_minimum_required(VERSION 3.12)

project(sysdig)

option(MUSL_OPTIMIZED_BUILD "Enable if you want a musl optimized build" OFF)
option(USE_BUNDLED_DEPS "Enable bundled dependencies instead of using the system ones" ON)
```

--------------------------------

### Socket Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a socket event.

```text
> socket(FLAGS32 domain, UINT32 type, UINT32 proto)
```

--------------------------------

### Example Filter: Incoming Network Connections

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

This example demonstrates how to filter for incoming network connections, excluding those related to the 'apache' process.

```bash
>$ sysdig evt.type=accept and proc.name!=apache
```

--------------------------------

### Standard Installation Commands

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-from-the-Source-Code

These commands are used to build and install sysdig after downloading the repository.

```bash
mkdir build
cd build
cmake ..
make
make install
```

--------------------------------

### Bind Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a bind event exit.

```text
< bind(ERRNO res, SOCKADDR addr)
```

--------------------------------

### Open Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for an open event exit.

```text
< open(ERRNO res, BYTEBUF data)
```

--------------------------------

### Syscall Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a syscall enter event.

```text
> syscall(SYSCALLID ID, UINT16 nativeID)
```

--------------------------------

### Read Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a read event exit.

```text
< read(ERRNO res, BYTEBUF data)
```

--------------------------------

### Write Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a write event exit.

```text
< write(ERRNO res, BYTEBUF data)
```

--------------------------------

### Close Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a close event.

```text
> close(FD fd)
```

--------------------------------

### SQL Select Queries

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See all the SQL select queries made by the machine.

```bash
sudo sysdig -s 2000 -A -c echo_fds evt.buffer contains SELECT
```

--------------------------------

### Socket Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a socket event exit.

```text
< socket(FD fd)
```

--------------------------------

### Basic Sysdig Commands

Source: https://github.com/draios/sysdig/wiki/Sysdig-Quick-Reference-Guide

Examples of common sysdig command-line usage for capturing and filtering events.

```bash
sysdig
sysdig -qw dumpfile.scap
sysdig -r dumpfile.scap
sysdig proc.name=cat and evt.type=open
./sysdig -p"%evt.arg.name" proc.name=cat and evt.type=open
./sysdig -cl
sysdig -c spy_ip 192.168.1.157
```

--------------------------------

### Saving capture files

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Examples of saving captured events to disk with various options.

```bash
>$ sysdig -w myfile.scap
>$ sysdig -n 100 -w myfile.scap
sudo sysdig -C 1 -w dump.scap
sudo sysdig -C 1 -W 5 -w dump.scap
```

--------------------------------

### Syscall Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a syscall exit event.

```text
< syscall(SYSCALLID ID)
```

--------------------------------

### Install Commands

Source: https://github.com/draios/sysdig/blob/dev/scripts/CMakeLists.txt

These commands specify how to install various files and programs as part of the build process, including shell completions and a driver loader.

```cmake
install(FILES completions/bash/sysdig
        DESTINATION "${DIR_ETC}/bash_completion.d"
        COMPONENT "${SYSDIG_COMPONENT_NAME}")
install(FILES completions/zsh/_sysdig
        DESTINATION share/zsh/vendor-completions
        COMPONENT "${SYSDIG_COMPONENT_NAME}")
install(FILES completions/zsh/_sysdig
        DESTINATION share/zsh/site-functions
        COMPONENT "${SYSDIG_COMPONENT_NAME}")
install(PROGRAMS "${CMAKE_BINARY_DIR}/scripts/scap-driver-loader"
        DESTINATION bin
        COMPONENT "${SYSDIG_COMPONENT_NAME}")
```

--------------------------------

### Example Filter: Programs Run by Interactive Users

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

This example shows how to filter for 'execve' system calls where the parent process is 'bash', effectively listing programs executed by interactive users.

```bash
>$ sysdig evt.type=execve and evt.arg.ptid=bash
```

--------------------------------

### Basic Opensnoop

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

Snoop file opens as they occur.

```bash
sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open
```

--------------------------------

### Installation Prefix and Build Type

Source: https://github.com/draios/sysdig/blob/dev/CMakeLists.txt

Sets the default installation directory for configuration files and ensures a build type is set.

```cmake
if(NOT DEFINED DIR_ETC)
  set(DIR_ETC "${CMAKE_INSTALL_PREFIX}/etc")
endif()

if(NOT CMAKE_BUILD_TYPE)
  SET(CMAKE_BUILD_TYPE Release)
endif()
```

--------------------------------

### Manual Installation - Debian/Ubuntu: Trust GPG key, configure repository, update package list

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Steps to add the Draios GPG key, set up the APT repository, and refresh the package list for Debian and Ubuntu systems.

```bash
curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
sudo curl -s -o /etc/apt/sources.list.d/draios.list https://download.sysdig.com/stable/deb/draios.list
sudo apt-get update
```

--------------------------------

### Running a Chisel

Source: https://github.com/draios/sysdig/blob/dev/userspace/sysdig/man/sysdig.md

Example of running a chisel named 'topfiles_bytes'.

```bash
$ sysdig -c topfiles_bytes
```

--------------------------------

### Running a Chisel with Arguments

Source: https://github.com/draios/sysdig/blob/dev/userspace/sysdig/man/sysdig.md

Example of running a chisel that requires arguments.

```bash
$ sysdig -c spy_ip 192.168.1.157
```

--------------------------------

### Automatic Installation

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

This command automatically installs sysdig by downloading and executing a script from the Draios repository. It is the recommended method.

```bash
curl -s https://download.sysdig.com/stable/install-sysdig | sudo bash
```

--------------------------------

### I/O Activity by FD Type

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

Display I/O activity by FD type.

```bash
sysdig -c fdbytes_by fd.type
```

--------------------------------

### Tracing: Measure Website Latency

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

Creates a trace to measure website latency.

```bash
echo ">::website-latency::" > /dev/null
curl -s http://sysdig.org > /dev/null
echo "<::website-latency::" > /dev/null
```

--------------------------------

### Development Build Commands

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-from-the-Source-Code

Commands to build sysdig for development purposes without installing.

```bash
mkdir build
cd build
cmake ..
make
```

--------------------------------

### Symlink asm headers for Ubuntu 10.04

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Creates a symbolic link for asm headers required on Ubuntu 10.04 with customized kernels, followed by an apt-get install command.

```bash
ln -nsf /usr/src/linux-headers-`uname -r`/include/asm-x86 /usr/src/linux-headers-`uname -r`/include/asm
apt-get -y install
```

--------------------------------

### Creating a Trace File

Source: https://github.com/draios/sysdig/blob/dev/userspace/sysdig/man/sysdig.md

Example of how to create a trace file using the -w switch.

```bash
$ sysdig -w trace.scap
```

--------------------------------

### Vagrantfile for Build Environment

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-from-the-Source-Code

A basic Vagrantfile to set up an Ubuntu 13.10 build environment with the necessary requirements.

```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure(2) do |config|
  config.vm.box = "utopic64"
  # The following url might be different as the current version of ubuntu changes
  config.vm.box_url = "https://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"
  config.vm.provision "shell", inline: <<-SHELL
    sudo apt-get update
    sudo apt-get -y install linux-headers-$(uname -r) cmake g++ git
  SHELL
end
```

--------------------------------

### List Containers and Resource Usage

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

View the list of containers running on the machine and their resource usage.

```bash
sudo csysdig -vcontainers
```

--------------------------------

### List Processes with Container Context

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

View the list of processes with container context.

```bash
sudo csysdig -pc
```

--------------------------------

### Bring up the VM

Source: https://github.com/draios/sysdig/wiki/Compiling-and-running-sysdig-through-a-vagrant-virtual-machine

Command to start the Vagrant virtual machine.

```bash
$ vagrant up
```

--------------------------------

### Top Processes by Network Bandwidth

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See the top processes in terms of network bandwidth usage.

```bash
sysdig -c topprocs_net
```

--------------------------------

### Top Processes by CPU Usage

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See the top processes in terms of CPU usage.

```bash
sysdig -c topprocs_cpu
```

--------------------------------

### Close Event Format Example

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example format for a close event exit.

```text
< close(ERRNO res)
```

--------------------------------

### Showing user, command, and arguments for execve events

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Displays the user, command name, and arguments for every program launched by a real user (e.g., from bash).

```bash
sysdig -p"%user.name %proc.name %proc.args" evt.type=execve and evt.arg.ptid=bash
```

--------------------------------

### Get detailed chisel description

Source: https://github.com/draios/sysdig/wiki/Chisels-User-Guide

Command to get a detailed description and the arguments for a specific chisel.

```bash
>$ sysdig -i spy_ip
```

--------------------------------

### Example Filter: Specific I/O Error Code

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

This example demonstrates filtering for a specific I/O error code, 'ENOENT'.

```bash
>$ sysdig evt.arg.res=ENOENT
```

--------------------------------

### 64-bit Constants Example

Source: https://github.com/draios/sysdig/blob/dev/coding_conventions.md

Shows the correct way to define 64-bit constants by appending 'LL'.

```c++
x=0X00FF00000000000LL
```

--------------------------------

### Top Client IPs (Established Connections)

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See the top client IPs in terms of established connections.

```bash
sysdig -c fdcount_by fd.cip "evt.type=accept"
```

--------------------------------

### Example Filter: System Calls Producing Errors

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

This example filters for system calls that produced errors by checking for negative values in 'evt.rawarg.res' or 'evt.rawarg.fd'.

```bash
>$ sysdig "evt.rawarg.res<0 or evt.rawarg.fd<0"
```

--------------------------------

### Top Client IPs (Total Bytes)

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See the top client IPs in terms of total bytes.

```bash
sysdig -c fdbytes_by fd.cip
```

--------------------------------

### Filtering with boolean operators

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Examples of combining filters using boolean operators.

```bash
>$ sysdig proc.name=cat or proc.name=vi
>$ sysdig proc.name!=cat and evt.type=open
```

--------------------------------

### Basic Chisel Structure

Source: https://github.com/draios/sysdig/wiki/Writing-a-Sysdig-Chisel,-a-Tutorial

The simplest possible running chisel, defining the essential global variables and an event handler.

```lua
-- Chisel description
description = "counts how many times the specified system call has been called"
short_description = "syscall count"
category = "misc"

-- Chisel argument list
args = {}

-- Event parsing callback
function on_event()
  print("event!")
  return true
end
```

--------------------------------

### Filtering by process name

Source: https://github.com/draios/sysdig/wiki/Sysdig-User-Guide

Example of filtering a live capture to show the activity of a specific command.

```bash
> $ ./sysdig proc.name=cat
21368 13:10:15.384878134 1 cat (8298) < execve res=0 exe=cat args=index.html. tid=8298(cat) pid=8298(cat) ptid=1978(bash) cwd=/root fdlimit=1024
21371 13:10:15.384948635 1 cat (8298) > brk size=0
21372 13:10:15.384949909 1 cat (8298) < brk res=10665984
21373 13:10:15.384976208 1 cat (8298) > mmap
21374 13:10:15.384979452 1 cat (8298) < mmap
21375 13:10:15.384990980 1 cat (8298) > access
21376 13:10:15.384999211 1 cat (8298) < access
21377 13:10:15.385008602 1 cat (8298) > open
21378 13:10:15.385014374 1 cat (8298) < open fd=3(/etc/ld.so.cache) name=/etc/ld.so.cache flags=0(O_NONE) mode=0
21379 13:10:15.385015508 1 cat (8298) > fstat fd=3(/etc/ld.so.cache)
21380 13:10:15.385016588 1 cat (8298) < fstat res=0
21381 13:10:15.385017033 1 cat (8298) > mmap
21382 13:10:15.385019763 1 cat (8298) < mmap
21383 13:10:15.385020047 1 cat (8298) > close fd=3(/etc/ld.so.cache)
21384 13:10:15.385020556 1 cat (8298) < close res=0
```

--------------------------------

### Top Processes by Disk Bandwidth Usage

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See the top processes in terms of disk bandwidth usage.

```bash
sysdig -c topprocs_file
```

--------------------------------

### Run multiple chisels simultaneously

Source: https://github.com/draios/sysdig/wiki/Chisels-User-Guide

Example command to run multiple chisels ('stdin' and 'stdout') at the same time for a specific process.

```bash
>$ sysdig -c stdin -c stdout proc.name=cat
```

--------------------------------

### Top Directories by Disk Activity

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See the top directories in terms of R+W disk activity.

```bash
sysdig -c fdbytes_by fd.directory "fd.type=file"
```

--------------------------------

### Run topfiles_bytes chisel with exclusion filter

Source: https://github.com/draios/sysdig/wiki/Chisels-User-Guide

Example of using the 'topfiles_bytes' chisel with a filter that excludes files whose name contains '/dev'.

```bash
$ sysdig -c topfiles_bytes "not fd.name contains /dev"
Bytes     Filename
------------------------------
23.32KB   /proc/net/unix
9.11KB    /usr/share/icons/hicolor/16x16/actions/terminator_receive_off.png
5.64KB    /etc/localtime
4.92KB    /proc/interrupts
4.37KB    /etc/wgetrc
2.88KB    /proc/stat
2.39KB    /usr/share/locale/locale.alias
1.85KB    /proc/18263/status
```

--------------------------------

### Run topfiles_bytes chisel without filters

Source: https://github.com/draios/sysdig/wiki/Chisels-User-Guide

Example output of the 'topfiles_bytes' chisel showing accessed files without any filters.

```bash
$ sysdig -c topfiles_bytes
Bytes     Filename
------------------------------
23.32KB   /proc/net/unix
9.11KB    /usr/share/icons/hicolor/16x16/actions/terminator_receive_off.png
5.64KB    /etc/localtime
4.92KB    /proc/interrupts
4.38KB    /dev/input/event2
4.37KB    /etc/wgetrc
2.88KB    /proc/stat
2.39KB    /usr/share/locale/locale.alias
1.85KB    /proc/18263/status
```

--------------------------------

### Run topfiles_bytes chisel with user name filter

Source: https://github.com/draios/sysdig/wiki/Chisels-User-Guide

Example of using the 'topfiles_bytes' chisel to show files accessed by a specific user ('loris').

```bash
$ sysdig -c topfiles_bytes "user.name=loris"
Bytes     Filename
------------------------------
3.31KB    /etc/nsswitch.conf
2.18KB    /etc/passwd
1.62KB    /lib64/libselinux.so.1
1.62KB    /lib64/libc.so.6
1.62KB    /lib64/libpcre.so.1
1.62KB    /lib64/libdl.so.2
1.62KB    /lib64/libnss_files.so.2
898B      /etc/group
54B       /proc/self/task/30414/attr/current
```

--------------------------------

### Run topfiles_bytes chisel with process name filter

Source: https://github.com/draios/sysdig/wiki/Chisels-User-Guide

Example of using the 'topfiles_bytes' chisel to show files accessed by a specific process name ('vi').

```bash
$ sysdig -c topfiles_bytes "proc.name=vi"
Bytes     Filename
------------------------------
4.00KB    /root/agent/build/debug/test/.lo.txt.swp
3.36KB    /usr/share/terminfo/x/xterm-256color
2.18KB    /etc/passwd
1.98KB    /root/agent/build/debug/test/lo.txt
1.92KB    /etc/virc
1.66KB    /etc/nsswitch.conf
832B      /lib64/libpcre.so.1
832B      /lib64/libc.so.6
832B      /lib64/libnss_files.so.2
```

--------------------------------

### Run topfiles_bytes chisel with inclusion filter for specific folder

Source: https://github.com/draios/sysdig/wiki/Chisels-User-Guide

Example of using the 'topfiles_bytes' chisel with a filter that shows only files accessed within '/root'.

```bash
$ sysdig -c topfiles_bytes "fd.name contains /root"
Bytes     Filename
------------------------------
1.29KB    /root/agent/build/debug/test/index.html.93
1.10KB    /root/.dropbox/PENDING_aWX7WU
1.10KB    /root/.dropbox/UPDATED_UsxrsX
16B       /root/.dropbox/filecache.dbx
```

--------------------------------

### Top Files by I/O Bytes within a Container

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

View the top files in terms of I/O bytes inside the wordpress1 container.

```bash
sudo sysdig -pc -c topfiles_bytes container.name=wordpress1
```

--------------------------------

### Manual Installation - CentOS/RHEL/Fedora/Amazon Linux: Install sysdig

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs the sysdig package on RHEL-based systems after all prerequisites are met.

```bash
yum -y install sysdig
```

--------------------------------

### Manual Installation - Debian/Ubuntu: Install sysdig

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs the sysdig package on Debian and Ubuntu systems after the prerequisites are met.

```bash
sudo apt-get -y install sysdig
```

--------------------------------

### Example Usage of evtin.* Filter Fields

Source: https://github.com/draios/sysdig/wiki/Tracers

This command line demonstrates how to list file opens generated within spans tagged with 'query'.

```bash
> sudo sysdig evt.type=open and evtin.tag=query
```

--------------------------------

### Use System JsonCpp

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-from-the-Source-Code

CMake option to use the system's JsonCpp instead of the bundled version.

```bash
cmake -DUSE_BUNDLED_JSONCPP=OFF ..
# Or if JsonCpp is in a non-standard path:
cmake -DUSE_BUNDLED_JSONCPP=OFF -DJSONCPP_PREFIX=/opt/superjson ..
```

--------------------------------

### Manual Installation - CentOS/RHEL/Fedora/Amazon Linux: Install kernel headers

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs the kernel development package for the current kernel version on RHEL-based systems.

```bash
yum -y install kernel-devel-$(uname -r)
```

--------------------------------

### Docker Installation - Install kernel headers (Debian-like)

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs kernel headers on Debian-based systems, a prerequisite for running sysdig within a Docker container.

```bash
apt-get -y install linux-headers-$(uname -r)
```

--------------------------------

### Performance and Errors: Failed File Opens by httpd

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

Shows all the failed file opens by httpd.

```bash
sysdig "proc.name=httpd and evt.type=open and evt.failed=true"
```

--------------------------------

### Manual Installation - Debian/Ubuntu: Install kernel headers

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs the necessary kernel headers for the currently running kernel on Debian and Ubuntu systems. This is a prerequisite for sysdig.

```bash
sudo apt-get -y install linux-headers-$(uname -r)
```

--------------------------------

### Top Files by Read+Write Bytes

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

See the top files in terms of read+write bytes.

```bash
sysdig -c topfiles_bytes
```

--------------------------------

### Performance and Errors: Failed Disk I/O Calls

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

Shows all the failed disk I/O calls.

```bash
sysdig fd.type=file and evt.failed=true
```

--------------------------------

### Manual Installation - CentOS/RHEL/Fedora/Amazon Linux: Install EPEL repository

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-for-Linux

Installs the Extra Packages for Enterprise Linux (EPEL) repository, which is often a dependency for DKMS on older RHEL-based systems.

```bash
rpm -i https://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
```

--------------------------------

### Incoming Connections Not Served by Apache

Source: https://github.com/draios/sysdig/wiki/Sysdig-Examples

List all the incoming connections that are not served by apache.

```bash
sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"
```

--------------------------------

### Specify Installation Target Directory

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-from-the-Source-Code

CMake option to manually specify the installation target directory.

```bash
cmake -DCMAKE_INSTALL_PREFIX=/my/prefix ..
```

--------------------------------

### Install Driver

Source: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-from-the-Source-Code

Command to install the compiled kernel module into the current kernel's modules directory.

```bash
make install_driver
```