{"id":12710,"date":"2022-08-06T23:03:49","date_gmt":"2022-08-06T20:03:49","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12710"},"modified":"2024-03-09T21:00:20","modified_gmt":"2024-03-09T18:00:20","slug":"install-sysdig-system-visibility-tool-on-ubuntu","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-sysdig-system-visibility-tool-on-ubuntu\/","title":{"rendered":"Install Sysdig System Visibility Tool on Ubuntu 22.04"},"content":{"rendered":"\n<p>This tutorial will take you through how to install the Sysdig system visibility tool on Ubuntu 22.04. <a href=\"https:\/\/github.com\/draios\/sysdig\/wiki\/Sysdig-Overview\" target=\"_blank\" rel=\"noreferrer noopener\">Sysdig<\/a> is a simple tool that provides deep visibility into your system. According to the sysdig man pages;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sysdig is a tool for system troubleshooting, analysis and exploration.<\/li>\n\n\n\n<li>It can be used to capture, filter and decode system calls and other OS events.<\/li>\n\n\n\n<li>It can be used both to inspect live systems, or to generate trace files that can be analyzed at a later stage.<\/li>\n\n\n\n<li>sysdig includes a powerful filtering language, has customizable output, and can be extended through Lua scripts, called chisels.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Install Sysdig System Visibility Tool on Ubuntu 22.04<\/h2>\n\n\n\n<p>In this tutorial, we will be installing Sysdig on an Ubuntu 22.04 system.<\/p>\n\n\n\n<p>Sysdig is provided by the default Ubuntu Universe repositories. 
However, the available version is a bit dated.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt-cache policy sysdig<\/code><\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>sysdig:\n  Installed: (none)\n  Candidate: 0.27.1-0.3build1\n  Version table:\n     0.27.1-0.3build1 500\n        500 http:\/\/ke.archive.ubuntu.com\/ubuntu jammy\/universe amd64 Packages\n<\/code><\/pre>\n\n\n\n<p>The <a href=\"https:\/\/github.com\/draios\/sysdig\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">current release version<\/a> of Sysdig as of this writing is <strong>v0.29.3<\/strong>.<\/p>\n\n\n\n<p>Hence, there are two ways in which you can install current versions of Sysdig on Ubuntu 22.04;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"#automatic-install\">Automated Installation via the install script<\/a><\/li>\n\n\n\n<li><a href=\"#manual-install\">Manual Installation<\/a><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"automatic-install\">Automatically Install Sysdig on Ubuntu<\/h3>\n\n\n\n<p>To automatically install Sysdig on Ubuntu, all you have to do is to download the installation script and execute it as follows. The script will basically install Sysdig Draios APT repository on your system and install Sysdig and other required packages via that repo.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -s https:\/\/s3.amazonaws.com\/download.draios.com\/stable\/install-sysdig | sudo bash<\/code><\/pre>\n\n\n\n<p>Sample installation output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>* Detecting operating system\n* Installing Sysdig public key\nWarning: apt-key is deprecated. 
Manage keyring files in trusted.gpg.d instead (see apt-key(8)).\nOK\n* Installing Sysdig repository\nW: https:\/\/download.sysdig.com\/stable\/deb\/stable-amd64\/InRelease: Key is stored in legacy trusted.gpg keyring (\/etc\/apt\/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.\n* Installing kernel headers\n* Installing Sysdig\nExtracting templates from packages: 100%\nPreconfiguring packages ...\nSelecting previously unselected package gcc-11-base:amd64.\n(Reading database ... 73190 files and directories currently installed.)\nPreparing to unpack ...\/gcc-11-base_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking gcc-11-base:amd64 (11.2.0-19ubuntu1) ...\nPreparing to unpack ...\/libc6_2.35-0ubuntu3.1_amd64.deb ...\nUnpacking libc6:amd64 (2.35-0ubuntu3.1) over (2.35-0ubuntu3) ...\nSetting up libc6:amd64 (2.35-0ubuntu3.1) ...\nSelecting previously unselected package libisl23:amd64.\n(Reading database ... 73195 files and directories currently installed.)\nPreparing to unpack ...\/00-libisl23_0.24-2build1_amd64.deb ...\nUnpacking libisl23:amd64 (0.24-2build1) ...\nSelecting previously unselected package libmpc3:amd64.\nPreparing to unpack ...\/01-libmpc3_1.2.1-2build1_amd64.deb ...\nUnpacking libmpc3:amd64 (1.2.1-2build1) ...\nSelecting previously unselected package cpp-11.\nPreparing to unpack ...\/02-cpp-11_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking cpp-11 (11.2.0-19ubuntu1) ...\nSelecting previously unselected package cpp.\nPreparing to unpack ...\/03-cpp_4%3a11.2.0-1ubuntu1_amd64.deb ...\nUnpacking cpp (4:11.2.0-1ubuntu1) ...\nSelecting previously unselected package libcc1-0:amd64.\nPreparing to unpack ...\/04-libcc1-0_12-20220319-1ubuntu1_amd64.deb ...\nUnpacking libcc1-0:amd64 (12-20220319-1ubuntu1) ...\nSelecting previously unselected package libgomp1:amd64.\nPreparing to unpack ...\/05-libgomp1_12-20220319-1ubuntu1_amd64.deb ...\nUnpacking libgomp1:amd64 (12-20220319-1ubuntu1) ...\nSelecting previously unselected package libitm1:amd64.\nPreparing to 
unpack ...\/06-libitm1_12-20220319-1ubuntu1_amd64.deb ...\nUnpacking libitm1:amd64 (12-20220319-1ubuntu1) ...\nSelecting previously unselected package libatomic1:amd64.\nPreparing to unpack ...\/07-libatomic1_12-20220319-1ubuntu1_amd64.deb ...\nUnpacking libatomic1:amd64 (12-20220319-1ubuntu1) ...\nSelecting previously unselected package libasan6:amd64.\nPreparing to unpack ...\/08-libasan6_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking libasan6:amd64 (11.2.0-19ubuntu1) ...\nSelecting previously unselected package liblsan0:amd64.\nPreparing to unpack ...\/09-liblsan0_12-20220319-1ubuntu1_amd64.deb ...\nUnpacking liblsan0:amd64 (12-20220319-1ubuntu1) ...\nSelecting previously unselected package libtsan0:amd64.\nPreparing to unpack ...\/10-libtsan0_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking libtsan0:amd64 (11.2.0-19ubuntu1) ...\nSelecting previously unselected package libubsan1:amd64.\nPreparing to unpack ...\/11-libubsan1_12-20220319-1ubuntu1_amd64.deb ...\nUnpacking libubsan1:amd64 (12-20220319-1ubuntu1) ...\nSelecting previously unselected package libquadmath0:amd64.\nPreparing to unpack ...\/12-libquadmath0_12-20220319-1ubuntu1_amd64.deb ...\nUnpacking libquadmath0:amd64 (12-20220319-1ubuntu1) ...\nSelecting previously unselected package libgcc-11-dev:amd64.\nPreparing to unpack ...\/13-libgcc-11-dev_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking libgcc-11-dev:amd64 (11.2.0-19ubuntu1) ...\nSelecting previously unselected package gcc-11.\nPreparing to unpack ...\/14-gcc-11_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking gcc-11 (11.2.0-19ubuntu1) ...\nSelecting previously unselected package gcc.\nPreparing to unpack ...\/15-gcc_4%3a11.2.0-1ubuntu1_amd64.deb ...\nUnpacking gcc (4:11.2.0-1ubuntu1) ...\nSelecting previously unselected package libdpkg-perl.\nPreparing to unpack ...\/16-libdpkg-perl_1.21.1ubuntu2.1_all.deb ...\nUnpacking libdpkg-perl (1.21.1ubuntu2.1) ...\nSelecting previously unselected package bzip2.\nPreparing to unpack ...\/17-bzip2_1.0.8-5build1_amd64.deb 
...\nUnpacking bzip2 (1.0.8-5build1) ...\nSelecting previously unselected package make.\nPreparing to unpack ...\/18-make_4.3-4.1build1_amd64.deb ...\nUnpacking make (4.3-4.1build1) ...\nSelecting previously unselected package lto-disabled-list.\nPreparing to unpack ...\/19-lto-disabled-list_24_all.deb ...\nUnpacking lto-disabled-list (24) ...\nSelecting previously unselected package dpkg-dev.\nPreparing to unpack ...\/20-dpkg-dev_1.21.1ubuntu2.1_all.deb ...\nUnpacking dpkg-dev (1.21.1ubuntu2.1) ...\nSelecting previously unselected package libc-dev-bin.\nPreparing to unpack ...\/21-libc-dev-bin_2.35-0ubuntu3.1_amd64.deb ...\nUnpacking libc-dev-bin (2.35-0ubuntu3.1) ...\nSelecting previously unselected package linux-libc-dev:amd64.\nPreparing to unpack ...\/22-linux-libc-dev_5.15.0-43.46_amd64.deb ...\nUnpacking linux-libc-dev:amd64 (5.15.0-43.46) ...\nSelecting previously unselected package libcrypt-dev:amd64.\nPreparing to unpack ...\/23-libcrypt-dev_1%3a4.4.27-1_amd64.deb ...\nUnpacking libcrypt-dev:amd64 (1:4.4.27-1) ...\nSelecting previously unselected package rpcsvc-proto.\nPreparing to unpack ...\/24-rpcsvc-proto_1.4.2-0ubuntu6_amd64.deb ...\nUnpacking rpcsvc-proto (1.4.2-0ubuntu6) ...\nPreparing to unpack ...\/25-libtirpc-common_1.3.2-2ubuntu0.1_all.deb ...\nUnpacking libtirpc-common (1.3.2-2ubuntu0.1) over (1.3.2-2build1) ...\nSetting up libtirpc-common (1.3.2-2ubuntu0.1) ...\n(Reading database ... 75034 files and directories currently installed.)\nPreparing to unpack ...\/libtirpc3_1.3.2-2ubuntu0.1_amd64.deb ...\nUnpacking libtirpc3:amd64 (1.3.2-2ubuntu0.1) over (1.3.2-2build1) ...\nSetting up libtirpc3:amd64 (1.3.2-2ubuntu0.1) ...\nSelecting previously unselected package libtirpc-dev:amd64.\n(Reading database ... 
75034 files and directories currently installed.)\nPreparing to unpack ...\/00-libtirpc-dev_1.3.2-2ubuntu0.1_amd64.deb ...\nUnpacking libtirpc-dev:amd64 (1.3.2-2ubuntu0.1) ...\nSelecting previously unselected package libnsl-dev:amd64.\nPreparing to unpack ...\/01-libnsl-dev_1.3.0-2build2_amd64.deb ...\nUnpacking libnsl-dev:amd64 (1.3.0-2build2) ...\nSelecting previously unselected package libc6-dev:amd64.\nPreparing to unpack ...\/02-libc6-dev_2.35-0ubuntu3.1_amd64.deb ...\nUnpacking libc6-dev:amd64 (2.35-0ubuntu3.1) ...\nSelecting previously unselected package libstdc++-11-dev:amd64.\nPreparing to unpack ...\/03-libstdc++-11-dev_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking libstdc++-11-dev:amd64 (11.2.0-19ubuntu1) ...\nSelecting previously unselected package g++-11.\nPreparing to unpack ...\/04-g++-11_11.2.0-19ubuntu1_amd64.deb ...\nUnpacking g++-11 (11.2.0-19ubuntu1) ...\nSelecting previously unselected package g++.\nPreparing to unpack ...\/05-g++_4%3a11.2.0-1ubuntu1_amd64.deb ...\nUnpacking g++ (4:11.2.0-1ubuntu1) ...\nSelecting previously unselected package build-essential.\nPreparing to unpack ...\/06-build-essential_12.9ubuntu3_amd64.deb ...\nUnpacking build-essential (12.9ubuntu3) ...\nSelecting previously unselected package dctrl-tools.\nPreparing to unpack ...\/07-dctrl-tools_2.24-3build2_amd64.deb ...\nUnpacking dctrl-tools (2.24-3build2) ...\nSelecting previously unselected package dkms.\nPreparing to unpack ...\/08-dkms_2.8.7-2ubuntu2_all.deb ...\nUnpacking dkms (2.8.7-2ubuntu2) ...\nSelecting previously unselected package libfakeroot:amd64.\nPreparing to unpack ...\/09-libfakeroot_1.28-1ubuntu1_amd64.deb ...\nUnpacking libfakeroot:amd64 (1.28-1ubuntu1) ...\nSelecting previously unselected package fakeroot.\nPreparing to unpack ...\/10-fakeroot_1.28-1ubuntu1_amd64.deb ...\nUnpacking fakeroot (1.28-1ubuntu1) ...\nSelecting previously unselected package fonts-dejavu-core.\nPreparing to unpack ...\/11-fonts-dejavu-core_2.37-2build1_all.deb ...\nUnpacking 
fonts-dejavu-core (2.37-2build1) ...\nSelecting previously unselected package fontconfig-config.\nPreparing to unpack ...\/12-fontconfig-config_2.13.1-4.2ubuntu5_all.deb ...\nUnpacking fontconfig-config (2.13.1-4.2ubuntu5) ...\nSelecting previously unselected package libalgorithm-diff-perl.\nPreparing to unpack ...\/13-libalgorithm-diff-perl_1.201-1_all.deb ...\nUnpacking libalgorithm-diff-perl (1.201-1) ...\nSelecting previously unselected package libalgorithm-diff-xs-perl.\nPreparing to unpack ...\/14-libalgorithm-diff-xs-perl_0.04-6build3_amd64.deb ...\nUnpacking libalgorithm-diff-xs-perl (0.04-6build3) ...\nSelecting previously unselected package libalgorithm-merge-perl.\nPreparing to unpack ...\/15-libalgorithm-merge-perl_0.08-3_all.deb ...\nUnpacking libalgorithm-merge-perl (0.08-3) ...\nSelecting previously unselected package libfontconfig1:amd64.\nPreparing to unpack ...\/16-libfontconfig1_2.13.1-4.2ubuntu5_amd64.deb ...\nUnpacking libfontconfig1:amd64 (2.13.1-4.2ubuntu5) ...\nSelecting previously unselected package libjpeg-turbo8:amd64.\nPreparing to unpack ...\/17-libjpeg-turbo8_2.1.2-0ubuntu1_amd64.deb ...\nUnpacking libjpeg-turbo8:amd64 (2.1.2-0ubuntu1) ...\nSelecting previously unselected package libjpeg8:amd64.\nPreparing to unpack ...\/18-libjpeg8_8c-2ubuntu10_amd64.deb ...\nUnpacking libjpeg8:amd64 (8c-2ubuntu10) ...\nSelecting previously unselected package libdeflate0:amd64.\nPreparing to unpack ...\/19-libdeflate0_1.10-2_amd64.deb ...\nUnpacking libdeflate0:amd64 (1.10-2) ...\nSelecting previously unselected package libjbig0:amd64.\nPreparing to unpack ...\/20-libjbig0_2.1-3.1build3_amd64.deb ...\nUnpacking libjbig0:amd64 (2.1-3.1build3) ...\nSelecting previously unselected package libwebp7:amd64.\nPreparing to unpack ...\/21-libwebp7_1.2.2-2_amd64.deb ...\nUnpacking libwebp7:amd64 (1.2.2-2) ...\nSelecting previously unselected package libtiff5:amd64.\nPreparing to unpack ...\/22-libtiff5_4.3.0-6_amd64.deb ...\nUnpacking libtiff5:amd64 (4.3.0-6) 
...\nSelecting previously unselected package libxpm4:amd64.\nPreparing to unpack ...\/23-libxpm4_1%3a3.5.12-1build2_amd64.deb ...\nUnpacking libxpm4:amd64 (1:3.5.12-1build2) ...\nSelecting previously unselected package libgd3:amd64.\nPreparing to unpack ...\/24-libgd3_2.3.0-2ubuntu2_amd64.deb ...\nUnpacking libgd3:amd64 (2.3.0-2ubuntu2) ...\nSelecting previously unselected package libc-devtools.\nPreparing to unpack ...\/25-libc-devtools_2.35-0ubuntu3.1_amd64.deb ...\nUnpacking libc-devtools (2.35-0ubuntu3.1) ...\nSelecting previously unselected package libfile-fcntllock-perl.\nPreparing to unpack ...\/26-libfile-fcntllock-perl_0.22-3build7_amd64.deb ...\nUnpacking libfile-fcntllock-perl (0.22-3build7) ...\nSelecting previously unselected package manpages-dev.\nPreparing to unpack ...\/27-manpages-dev_5.10-1ubuntu1_all.deb ...\nUnpacking manpages-dev (5.10-1ubuntu1) ...\nSelecting previously unselected package sysdig.\nPreparing to unpack ...\/28-sysdig_0.29.3_amd64.deb ...\nUnpacking sysdig (0.29.3) ...\nSetting up gcc-11-base:amd64 (11.2.0-19ubuntu1) ...\nSetting up manpages-dev (5.10-1ubuntu1) ...\nSetting up lto-disabled-list (24) ...\nSetting up libxpm4:amd64 (1:3.5.12-1build2) ...\nSetting up libfile-fcntllock-perl (0.22-3build7) ...\nSetting up libalgorithm-diff-perl (1.201-1) ...\nSetting up libdeflate0:amd64 (1.10-2) ...\nSetting up linux-libc-dev:amd64 (5.15.0-43.46) ...\nSetting up libgomp1:amd64 (12-20220319-1ubuntu1) ...\nSetting up bzip2 (1.0.8-5build1) ...\nSetting up libjbig0:amd64 (2.1-3.1build3) ...\nSetting up libfakeroot:amd64 (1.28-1ubuntu1) ...\nSetting up libasan6:amd64 (11.2.0-19ubuntu1) ...\nSetting up fakeroot (1.28-1ubuntu1) ...\nupdate-alternatives: using \/usr\/bin\/fakeroot-sysv to provide \/usr\/bin\/fakeroot (fakeroot) in auto mode\nSetting up libtirpc-dev:amd64 (1.3.2-2ubuntu0.1) ...\nSetting up rpcsvc-proto (1.4.2-0ubuntu6) ...\nSetting up make (4.3-4.1build1) ...\nSetting up libquadmath0:amd64 (12-20220319-1ubuntu1) ...\nSetting 
up libmpc3:amd64 (1.2.1-2build1) ...\nSetting up libatomic1:amd64 (12-20220319-1ubuntu1) ...\nSetting up fonts-dejavu-core (2.37-2build1) ...\nSetting up libjpeg-turbo8:amd64 (2.1.2-0ubuntu1) ...\nSetting up libdpkg-perl (1.21.1ubuntu2.1) ...\nSetting up libwebp7:amd64 (1.2.2-2) ...\nSetting up libubsan1:amd64 (12-20220319-1ubuntu1) ...\nSetting up libnsl-dev:amd64 (1.3.0-2build2) ...\nSetting up libcrypt-dev:amd64 (1:4.4.27-1) ...\nSetting up libisl23:amd64 (0.24-2build1) ...\nSetting up libc-dev-bin (2.35-0ubuntu3.1) ...\nSetting up libalgorithm-diff-xs-perl (0.04-6build3) ...\nSetting up libcc1-0:amd64 (12-20220319-1ubuntu1) ...\nSetting up liblsan0:amd64 (12-20220319-1ubuntu1) ...\nSetting up dctrl-tools (2.24-3build2) ...\nSetting up libitm1:amd64 (12-20220319-1ubuntu1) ...\nSetting up libalgorithm-merge-perl (0.08-3) ...\nSetting up libtsan0:amd64 (11.2.0-19ubuntu1) ...\nSetting up libjpeg8:amd64 (8c-2ubuntu10) ...\nSetting up cpp-11 (11.2.0-19ubuntu1) ...\nSetting up fontconfig-config (2.13.1-4.2ubuntu5) ...\nSetting up dpkg-dev (1.21.1ubuntu2.1) ...\nSetting up libgcc-11-dev:amd64 (11.2.0-19ubuntu1) ...\nSetting up gcc-11 (11.2.0-19ubuntu1) ...\nSetting up cpp (4:11.2.0-1ubuntu1) ...\nSetting up libc6-dev:amd64 (2.35-0ubuntu3.1) ...\nSetting up libtiff5:amd64 (4.3.0-6) ...\nSetting up libfontconfig1:amd64 (2.13.1-4.2ubuntu5) ...\nSetting up gcc (4:11.2.0-1ubuntu1) ...\nSetting up dkms (2.8.7-2ubuntu2) ...\nSetting up libgd3:amd64 (2.3.0-2ubuntu2) ...\nSetting up sysdig (0.29.3) ...\nLoading new scap-e5c53d648f3c4694385bbe488e7d47eaa36c229a DKMS files...\nBuilding for 5.15.0-27-generic\nBuilding initial module for 5.15.0-27-generic\nDone.\n\nscap.ko:\nRunning module version sanity check.\n - Original module\n   - No original module exists within this kernel\n - Installation\n   - Installing to \/lib\/modules\/5.15.0-27-generic\/updates\/dkms\/\n\ndepmod.....\nSetting up libstdc++-11-dev:amd64 (11.2.0-19ubuntu1) ...\nSetting up libc-devtools (2.35-0ubuntu3.1) 
...\nSetting up g++-11 (11.2.0-19ubuntu1) ...\nSetting up g++ (4:11.2.0-1ubuntu1) ...\nupdate-alternatives: using \/usr\/bin\/g++ to provide \/usr\/bin\/c++ (c++) in auto mode\nSetting up build-essential (12.9ubuntu3) ...\nProcessing triggers for man-db (2.10.2-1) ...\nProcessing triggers for libc-bin (2.35-0ubuntu3) ...\nNEEDRESTART-VER: 3.5\nNEEDRESTART-KCUR: 5.15.0-27-generic\nNEEDRESTART-KEXP: 5.15.0-27-generic\nNEEDRESTART-KSTA: 1\nNEEDRESTART-SVC: cron.service\nNEEDRESTART-SVC: dbus.service\nNEEDRESTART-SVC: irqbalance.service\nNEEDRESTART-SVC: ModemManager.service\nNEEDRESTART-SVC: multipathd.service\nNEEDRESTART-SVC: networkd-dispatcher.service\nNEEDRESTART-SVC: packagekit.service\nNEEDRESTART-SVC: polkit.service\nNEEDRESTART-SVC: rsyslog.service\nNEEDRESTART-SVC: snapd.service\nNEEDRESTART-SVC: ssh.service\nNEEDRESTART-SVC: systemd-journald.service\nNEEDRESTART-SVC: systemd-logind.service\nNEEDRESTART-SVC: systemd-networkd.service\nNEEDRESTART-SVC: systemd-resolved.service\nNEEDRESTART-SVC: systemd-timesyncd.service\nNEEDRESTART-SVC: systemd-udevd.service\nNEEDRESTART-SVC: udisks2.service\nNEEDRESTART-SVC: unattended-upgrades.service\nNEEDRESTART-SVC: user@1000.service\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"manual-install\">Install Sysdig Manually on Ubuntu 22.04<\/h3>\n\n\n\n<p>To manually install Sysdig on Ubuntu 22.04;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Sysdig Draios APT Repository<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -s https:\/\/s3.amazonaws.com\/download.draios.com\/DRAIOS-GPG-KEY.public \\\n| gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/sysdig.gpg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -s https:\/\/s3.amazonaws.com\/download.draios.com\/stable\/deb\/draios.list \\\n-o \/etc\/apt\/sources.list.d\/sysdig-draios.list <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run system package cache update<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt 
update<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Kernel Headers<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install linux-headers-$(uname -r)<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Sysdig tool on Ubuntu 22.04<\/li>\n<\/ul>\n\n\n\n<pre class=\"scroll-box\"><code>Reading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nThe following additional packages will be installed:\n  build-essential bzip2 cpp cpp-11 dctrl-tools dkms dpkg-dev fakeroot fontconfig-config fonts-dejavu-core g++ g++-11 gcc gcc-11 gcc-11-base libalgorithm-diff-perl\n  libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan6 libatomic1 libc-dev-bin libc-devtools libc6 libc6-dev libcc1-0 libcrypt-dev libdeflate0 libdpkg-perl\n  libfakeroot libfile-fcntllock-perl libfontconfig1 libgcc-11-dev libgd3 libgomp1 libisl23 libitm1 libjbig0 libjpeg-turbo8 libjpeg8 liblsan0 libmpc3 libnsl-dev\n  libquadmath0 libstdc++-11-dev libtiff5 libtirpc-dev libtsan0 libubsan1 libwebp7 libxpm4 linux-libc-dev lto-disabled-list make manpages-dev rpcsvc-proto\nSuggested packages:\n  bzip2-doc cpp-doc gcc-11-locales debtags menu debian-keyring g++-multilib g++-11-multilib gcc-11-doc gcc-multilib autoconf automake libtool flex bison gdb gcc-doc\n  gcc-11-multilib glibc-doc bzr libgd-tools libstdc++-11-doc make-doc\nRecommended packages:\n  libnss-nis libnss-nisplus\nThe following NEW packages will be installed:\n  build-essential bzip2 cpp cpp-11 dctrl-tools dkms dpkg-dev fakeroot fontconfig-config fonts-dejavu-core g++ g++-11 gcc gcc-11 gcc-11-base libalgorithm-diff-perl\n  libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan6 libatomic1 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdeflate0 libdpkg-perl libfakeroot\n  libfile-fcntllock-perl libfontconfig1 libgcc-11-dev libgd3 libgomp1 libisl23 libitm1 libjbig0 libjpeg-turbo8 libjpeg8 liblsan0 libmpc3 libnsl-dev libquadmath0\n  libstdc++-11-dev 
libtiff5 libtirpc-dev libtsan0 libubsan1 libwebp7 libxpm4 linux-libc-dev lto-disabled-list make manpages-dev rpcsvc-proto sysdig\nThe following packages will be upgraded:\n  libc6\n1 upgraded, 55 newly installed, 0 to remove and 37 not upgraded.\nNeed to get 81.6 MB of archives.\nAfter this operation, 246 MB of additional disk space will be used.\nDo you want to continue? [Y\/n] y\n<\/code><\/pre>\n\n\n\n<p>Kernel headers might be upgraded in the process. You will therefore have to reboot the system.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl reboot -i<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Check Installed Sysdig Version<\/h3>\n\n\n\n<p>Confirming the installed version;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig --version<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig version 0.29.3<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Running Sysdig System Visibility Tool<\/h3>\n\n\n\n<p>Sysdig can be executed from the command line by just running;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig<\/code><\/pre>\n\n\n\n<p>When run with no command line arguments, Sysdig prints the information for each captured system event on a single line, with the following format:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>*%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info<\/code><\/pre>\n\n\n\n<p>Where;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>evt.num<\/strong> is the incremental event number<\/li>\n\n\n\n<li><strong>evt.time<\/strong> is the event timestamp<\/li>\n\n\n\n<li><strong>evt.cpu<\/strong> is the CPU number where the event was captured<\/li>\n\n\n\n<li><strong>proc.name<\/strong> is the name of the process that generated the event<\/li>\n\n\n\n<li><strong>thread.tid<\/strong> is the TID that generated the event, which corresponds to the PID for single-threaded processes<\/li>\n\n\n\n<li><strong>evt.dir<\/strong> is the event 
direction, &gt; for enter events and &lt; for exit events<\/li>\n\n\n\n<li><strong>evt.type<\/strong> is the name of the event, e.g. &#8216;open&#8217; or &#8216;read&#8217;<\/li>\n\n\n\n<li><strong>evt.args<\/strong> is the list of event arguments.<\/li>\n<\/ul>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n180 13:24:24.825700257 0 sudo (1417.1417) > write fd=8(<f>\/dev\/tty) size=2 \n181 13:24:24.825701386 0 sudo (1417.1417) < write res=2 data=.. \n182 13:24:24.825701876 0 sudo (1417.1417) > switch next=4681 pgft_maj=0 pgft_min=477 vm_size=11664 vm_rss=5868 vm_swap=0 \n183 13:24:24.825703162 1 sshd (1407.1407) > getpid \n184 13:24:24.825703262 0 <NA> (<NA>.4681) > switch next=1417(sudo) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0 \n185 13:24:24.825704070 1 sshd (1407.1407) < getpid \n186 13:24:24.825704104 0 sudo (1417.1417) > rt_sigaction \n187 13:24:24.825704316 0 sudo (1417.1417) < rt_sigaction \n188 13:24:24.825704837 0 sudo (1417.1417) > ppoll fds=11:u1 3:p1 18446744073709551615:?4 8:f1 9:f1 timeout=none sigmask= \n189 13:24:24.825706544 0 sudo (1417.1417) > switch next=4685(sysdig) pgft_maj=0 pgft_min=477 vm_size=11664 vm_rss=5868 vm_swap=0 \n191 13:24:24.825714684 1 sshd (1407.1407) > rt_sigprocmask \n193 13:24:24.825715005 1 sshd (1407.1407) < rt_sigprocmask \n194 13:24:24.825716551 1 sshd (1407.1407) > ppoll fds=4:41 4:44 10:f1 7:f0 timeout=none sigmask= \n195 13:24:24.825718500 1 sshd (1407.1407) < ppoll res=2 fds=4:44 10:f1 \n196 13:24:24.825719227 1 sshd (1407.1407) > rt_sigprocmask \n197 13:24:24.825719449 1 sshd (1407.1407) < rt_sigprocmask \n198 13:24:24.825720103 1 sshd (1407.1407) > read fd=10(<f>\/dev\/ptmx) size=32768 \n200 13:24:24.825721199 1 sshd (1407.1407) < read res=2 data=.. 
\n201 13:24:24.825722309 1 sshd (1407.1407) > write fd=4(<4t>192.168.56.1:48792->192.168.56.143:22) size=356 \n202 13:24:24.825724281 0 sysdig (4685.4685) > switch next=4681 pgft_maj=2 pgft_min=831 vm_size=60092 vm_rss=15628 vm_swap=0 \n203 13:24:24.825727253 0 <NA> (<NA>.4681) > switch next=1417(sudo) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0 \n204 13:24:24.825729171 0 sudo (1417.1417) < ppoll res=1 fds=9:f1 \n205 13:24:24.825731162 0 sudo (1417.1417) > rt_sigaction \n206 13:24:24.825731625 0 sudo (1417.1417) < rt_sigaction \n207 13:24:24.825732245 0 sudo (1417.1417) > read fd=9(<f>\/dev\/ptmx) size=65536 \n208 13:24:24.825733171 0 sudo (1417.1417) < read res=109 data=23 13:24:24.825264580 0 .[01;32msnapd.[00m (.[01;36m1559.[00m.1579) < .[01;34mfu \n209 13:24:24.825733991 0 sudo (1417.1417) > rt_sigaction \n210 13:24:24.825734162 0 sudo (1417.1417) < rt_sigaction \n211 13:24:24.825734643 0 sudo (1417.1417) > rt_sigprocmask \n212 13:24:24.825734870 0 sudo (1417.1417) < rt_sigprocmask \n213 13:24:24.825735287 0 sudo (1417.1417) > rt_sigprocmask \n214 13:24:24.825735442 0 sudo (1417.1417) < rt_sigprocmask \n215 13:24:24.825736119 0 sudo (1417.1417) > ppoll fds=11:u1 3:p1 8:f4 8:f1 9:f1 timeout=none sigmask= \n216 13:24:24.825738008 0 sudo (1417.1417) < ppoll res=1 fds=8:f4 \n217 13:24:24.825739012 0 sudo (1417.1417) > rt_sigaction \n218 13:24:24.825739197 0 sudo (1417.1417) < rt_sigaction \n219 13:24:24.825739623 0 sudo (1417.1417) > write fd=8(<f>\/dev\/tty) size=109 \n220 13:24:24.825740912 0 sudo (1417.1417) < write res=109 data=23 13:24:24.825264580 0 .[01;32msnapd.[00m (.[01;36m1559.[00m.1579) < .[01;34mfu \n221 13:24:24.825741696 0 sudo (1417.1417) > switch next=4681 pgft_maj=0 pgft_min=477 vm_size=11664 vm_rss=5868 vm_swap=0 \n222 13:24:24.825743109 0 <NA> (<NA>.4681) > switch next=1417(sudo) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0 \n223 13:24:24.825743972 0 sudo (1417.1417) > rt_sigaction \n224 13:24:24.825744338 0 sudo (1417.1417) < 
rt_sigaction \n225 13:24:24.825744876 0 sudo (1417.1417) > ppoll fds=11:u1 3:p1 18446744073709551615:?4 8:f1 9:f1 timeout=none sigmask= \n226 13:24:24.825746787 0 sudo (1417.1417) > switch next=4685(sysdig) pgft_maj=0 pgft_min=477 vm_size=11664 vm_rss=5868 vm_swap=0 \n228 13:24:24.825749220 0 sysdig (4685.4685) > switch next=4681 pgft_maj=2 pgft_min=831 vm_size=60092 vm_rss=15628 vm_swap=0 \n229 13:24:24.825750789 0 <NA> (<NA>.4681) > switch next=1417(sudo) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0 \n230 13:24:24.825752221 0 sudo (1417.1417) < ppoll res=1 fds=9:f1 \n231 13:24:24.825753358 0 sudo (1417.1417) > rt_sigaction \n232 13:24:24.825753560 0 sudo (1417.1417) < rt_sigaction \n233 13:24:24.825754261 0 sudo (1417.1417) > read fd=9(<f>\/dev\/ptmx) size=65536 \n234 13:24:24.825754931 0 sudo (1417.1417) < read res=2 data=.. \n235 13:24:24.825755384 0 sudo (1417.1417) > rt_sigaction \n236 13:24:24.825755548 0 sudo (1417.1417) < rt_sigaction \n237 13:24:24.825756138 0 sudo (1417.1417) > rt_sigprocmask \n238 13:24:24.825756347 0 sudo (1417.1417) < rt_sigprocmask \n239 13:24:24.825756827 0 sudo (1417.1417) > rt_sigprocmask \n240 13:24:24.825756982 0 sudo (1417.1417) < rt_sigprocmask \n241 13:24:24.825757601 0 sudo (1417.1417) > ppoll fds=11:u1 3:p1 8:f4 8:f1 9:f1 timeout=none sigmask= \n242 13:24:24.825758860 0 sudo (1417.1417) < ppoll res=1 fds=8:f4 \n243 13:24:24.825759579 0 sudo (1417.1417) > rt_sigaction \n244 13:24:24.825759872 0 sudo (1417.1417) < rt_sigaction \n245 13:24:24.825760299 0 sudo (1417.1417) > write fd=8(<f>\/dev\/tty) size=2 \n246 13:24:24.825761578 0 sudo (1417.1417) < write res=2 data=.. 
\n247 13:24:24.825762138 0 sudo (1417.1417) > switch next=4681 pgft_maj=0 pgft_min=477 vm_size=11664 vm_rss=5868 vm_swap=0 \n248 13:24:24.825763510 0 <NA> (<NA>.4681) > switch next=1417(sudo) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0 \n249 13:24:24.825764361 0 sudo (1417.1417) > rt_sigaction \n250 13:24:24.825764540 0 sudo (1417.1417) < rt_sigaction \n251 13:24:24.825765051 0 sudo (1417.1417) > ppoll fds=11:u1 3:p1 18446744073709551615:?4 8:f1 9:f1 timeout=none sigmask= \n252 13:24:24.825766787 0 sudo (1417.1417) > switch next=4685(sysdig) pgft_maj=0 pgft_min=477 vm_size=11664 vm_rss=5868 vm_swap=0 \n255 13:24:24.825776112 1 sshd (1407.1407) < write res=356 data=^.......3.p9...cI...\/.eu.....f..I.0\\D..50.$..kGL...K..S`...A..$...........J..[.. \n256 13:24:24.825778159 1 sshd (1407.1407) > getpid \n257 13:24:24.825778500 1 sshd (1407.1407) < getpid \n259 13:24:24.825781130 1 sshd (1407.1407) > rt_sigprocmask \n260 13:24:24.825781448 1 sshd (1407.1407) < rt_sigprocmask \n261 13:24:24.825782499 1 sshd (1407.1407) > ppoll fds=4:41 4:44 10:f1 7:f0 timeout=none sigmask= \n262 13:24:24.825784482 0 sysdig (4685.4685) > switch next=4681 pgft_maj=2 pgft_min=831 vm_size=60092 vm_rss=15628 vm_swap=0 \n263 13:24:24.825784780 1 sshd (1407.1407) < ppoll res=2 fds=4:44 10:f1 \n264 13:24:24.825785407 1 sshd (1407.1407) > rt_sigprocmask \n265 13:24:24.825785602 1 sshd (1407.1407) < rt_sigprocmask \n266 13:24:24.825786280 1 sshd (1407.1407) > read fd=10(<f>\/dev\/ptmx) size=32768 \n267 13:24:24.825786972 0 <NA> (<NA>.4681) > switch next=1417(sudo) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0 \n268 13:24:24.825787376 1 sshd (1407.1407) < read res=111 data=23 13:24:24.825264580 0 .[01;32msnapd.[00m (.[01;36m1559.[00m.1579) < .[01;34mfu \n269 13:24:24.825788199 1 sshd (1407.1407) > write fd=4(<4t>192.168.56.1:48792->192.168.56.143:22) size=36 \n270 13:24:24.825788929 0 sudo (1417.1417) < ppoll res=1 fds=9:f1 \n271 13:24:24.825789978 1 sshd (1407.1407) < write res=36 
data=#.Z.,.}..@.E~+...>.z.e^8.>.1.+.....\\ \n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Filtering Sysdig command Output<\/h3>\n\n\n\n<p>The output of sysdig can be filtered using various event fields.<\/p>\n\n\n\n<p>You can check available sysdig event fields using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig -l<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n-------------------------------\nField Class:                  evt (All event types)\nDescription:                  These fields can be used for all event types \n\nevt.num                       event number. \nevt.time                      event timestamp as a time string that includes the nanosecond part. \nevt.time.s                    event timestamp as a time string with no nanoseconds. \nevt.time.iso8601              event timestamp in ISO 8601 format, including nanoseconds and time zone offset (in UTC). \nevt.datetime                  event timestamp as a time string that includes the date. \nevt.datetime.s                event timestamp as a datetime string with no nanoseconds. \nevt.rawtime                   absolute event timestamp, i.e. nanoseconds from epoch. \nevt.rawtime.s                 integer part of the event timestamp (e.g. seconds since epoch). \nevt.rawtime.ns                fractional part of the absolute event timestamp. \nevt.reltime                   number of nanoseconds from the beginning of the capture. \nevt.reltime.s                 number of seconds from the beginning of the capture. \nevt.reltime.ns                fractional part (in ns) of the time from the beginning of the capture. \nevt.pluginname                if the event comes from a plugin, the name of the plugin that generated it. The plugin \n                              must be currently loaded. \nevt.plugininfo                if the event comes from a plugin, a summary of the event as formatted by the plugin. 
The \n                              plugin must be currently loaded. \n\n-------------------------------\nField Class:                  evt (Syscall events only)\nDescription:                  Event fields applicable to syscall events. Note that for most events you can access the \n                              individual arguments\/parameters of each syscall via evt.arg, e.g. evt.arg.filename. \n\nevt.latency                   delta between an exit event and the correspondent enter event, in nanoseconds. \nevt.latency.s                 integer part of the event latency delta. \nevt.latency.ns                fractional part of the event latency delta. \nevt.latency.human             delta between an exit event and the correspondent enter event, as a human readable string \n                              (e.g. 10.3ms). \nevt.deltatime                 delta between this event and the previous event, in nanoseconds. \nevt.deltatime.s               integer part of the delta between this event and the previous event. \nevt.deltatime.ns              fractional part of the delta between this event and the previous event. \nevt.dir                       event direction can be either '>' for enter events or '<' for exit events. \nevt.type                      The name of the event (e.g. 'open'). \nevt.type.is                   allows one to specify an event type, and returns 1 for events that are of that type. For \n                              example, evt.type.is.open returns 1 for open events, 0 for any other event. \nsyscall.type                  For system call events, the name of the system call (e.g. 'open'). Unset for other events \n                              (e.g. switch or internal events). Use this field instead of evt.type if you need to make \n                              sure that the filtered\/printed value is actually a system call. \nevt.category                  The event category. 
Example values are 'file' (for file operations like open and close), \n                              'net' (for network operations like socket and bind), memory (for things like brk or \n                              mmap), and so on. \nevt.cpu                       number of the CPU where this event happened. \nevt.args                      all the event arguments, aggregated into a single string. \nevt.arg                       one of the event arguments specified by name or by number. Some events (e.g. return codes \n                              or FDs) will be converted into a text representation when possible. E.g. 'evt.arg.fd' or \n                              'evt.arg[0]'. \nevt.rawarg                    one of the event arguments specified by name. E.g. 'evt.rawarg.fd'. \nevt.info                      for most events, this field returns the same value as evt.args. However, for some events \n                              (like writes to \/dev\/log) it provides higher level information coming from decoding the \n                              arguments. \nevt.buffer                    the binary data buffer for events that have one, like read(), recvfrom(), etc. Use this \n                              field in filters with 'contains' to search into I\/O data buffers. \nevt.buflen                    the length of the binary data buffer for events that have one, like read(), recvfrom(), \n                              etc. \nevt.res                       event return value, as a string. If the event failed, the result is an error code string \n                              (e.g. 'ENOENT'), otherwise the result is the string 'SUCCESS'. \nevt.rawres                    event return value, as a number (e.g. -2). Useful for range comparisons. \nevt.failed                    'true' for events that returned an error status. \nevt.is_io                     'true' for events that read or write to FDs, like read(), send, recvfrom(), etc. 
\nevt.is_io_read                'true' for events that read from FDs, like read(), recv(), recvfrom(), etc. \nevt.is_io_write               'true' for events that write to FDs, like write(), send(), etc. \nevt.io_dir                    'r' for events that read from FDs, like read(); 'w' for events that write to FDs, like \n                              write(). \nevt.is_wait                   'true' for events that make the thread wait, e.g. sleep(), select(), poll(). \nevt.wait_latency              for events that make the thread wait (e.g. sleep(), select(), poll()), this is the time \n                              spent waiting for the event to return, in nanoseconds. \nevt.is_syslog                 'true' for events that are writes to \/dev\/log. \nevt.count                     This filter field always returns 1 and can be used to count events from inside chisels. \nevt.count.error               This filter field returns 1 for events that returned with an error, and can be used to \n                              count event failures from inside chisels. \nevt.count.error.file          This filter field returns 1 for events that returned with an error and are related to \n                              file I\/O, and can be used to count event failures from inside chisels. \nevt.count.error.net           This filter field returns 1 for events that returned with an error and are related to \n                              network I\/O, and can be used to count event failures from inside chisels. \nevt.count.error.memory        This filter field returns 1 for events that returned with an error and are related to \n                              memory allocation, and can be used to count event failures from inside chisels. 
\nevt.count.error.other         This filter field returns 1 for events that returned with an error and are related to \n                              none of the previous categories, and can be used to count event failures from inside \n                              chisels. \nevt.count.exit                This filter field returns 1 for exit events, and can be used to count single events from \n                              inside chisels. \nevt.around                    (FILTER ONLY) Accepts the event if it's around the specified time interval. The syntax is \n                              evt.around[T]=D, where T is the value returned by %evt.rawtime for the event and D is a \n                              delta in milliseconds. For example, evt.around[1404996934793590564]=1000 will return the \n                              events with timestamp with one second before the timestamp and one second after it, for a \n                              total of two seconds of capture. \nevt.abspath                   Absolute path calculated from dirfd and name during syscalls like renameat and symlinkat. \n                              Use 'evt.abspath.src' or 'evt.abspath.dst' for syscalls that support multiple paths. \nevt.is_open_read              'true' for open\/openat\/openat2 events where the path was opened for reading \nevt.is_open_write             'true' for open\/openat\/openat2 events where the path was opened for writing \nevt.is_open_exec              'true' for open\/openat\/openat2 or creat events where a file is created with execute \n                              permissions \n\n-------------------------------\nField Class:                  process\nDescription:                  Additional information about the process and thread executing the syscall event. \n\nproc.pid                      the id of the process generating the event. \nproc.exe                      the first command line argument (usually the executable name or a custom one). 
\nproc.name                     the name (excluding the path) of the executable generating the event. \nproc.args                     the arguments passed on the command line when starting the process generating the event. \nproc.env                      the environment variables of the process generating the event. \nproc.cmdline                  full process command line, i.e. proc.name + proc.args. \nproc.exeline                  full process command line, with exe as first argument, i.e. proc.exe + proc.args. \nproc.cwd                      the current working directory of the event. \nproc.nthreads                 the number of threads that the process generating the event currently has, including the \n                              main process thread. \nproc.nchilds                  the number of child threads that the process generating the event currently has. This \n                              excludes the main process thread. \nproc.ppid                     the pid of the parent of the process generating the event. \nproc.pname                    the name (excluding the path) of the parent of the process generating the event. \nproc.pcmdline                 the full command line (proc.name + proc.args) of the parent of the process generating the \n                              event. \nproc.apid                     the pid of one of the process ancestors. E.g. proc.apid[1] returns the parent pid, \n                              proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the \n                              current process. proc.apid without arguments can be used in filters only and matches any \n                              of the process ancestors, e.g. proc.apid=1234. \nproc.aname                    the name (excluding the path) of one of the process ancestors. E.g. proc.aname[1] returns \n                              the parent name, proc.aname[2] returns the grandparent name, and so on. 
proc.aname[0] is \n                              the name of the current process. proc.aname without arguments can be used in filters only \n                              and matches any of the process ancestors, e.g. proc.aname=bash. \nproc.loginshellid             the pid of the oldest shell among the ancestors of the current process, if there is one. \n                              This field can be used to separate different user sessions, and is useful in conjunction \n                              with chisels like spy_user. \nproc.duration                 number of nanoseconds since the process started. \nproc.fdopencount              number of open FDs for the process \nproc.fdlimit                  maximum number of FDs the process can open. \nproc.fdusage                  the ratio between open FDs and maximum available FDs for the process. \nproc.vmsize                   total virtual memory for the process (as kb). \nproc.vmrss                    resident non-swapped memory for the process (as kb). \nproc.vmswap                   swapped memory for the process (as kb). \nthread.pfmajor                number of major page faults since thread start. \nthread.pfminor                number of minor page faults since thread start. \nthread.tid                    the id of the thread generating the event. \nthread.ismain                 'true' if the thread generating the event is the main one in the process. \nthread.exectime               CPU time spent by the last scheduled thread, in nanoseconds. Exported by switch events \n                              only. \nthread.totexectime            Total CPU time, in nanoseconds since the beginning of the capture, for the current \n                              thread. Exported by switch events only. \nthread.cgroups                all the cgroups the thread belongs to, aggregated into a single string. \nthread.cgroup                 the cgroup the thread belongs to, for a specific subsystem. E.g. 
thread.cgroup.cpuacct. \nthread.vtid                   the id of the thread generating the event as seen from its current PID namespace. \nproc.vpid                     the id of the process generating the event as seen from its current PID namespace. \nthread.cpu                    the CPU consumed by the thread in the last second. \nthread.cpu.user               the user CPU consumed by the thread in the last second. \nthread.cpu.system             the system CPU consumed by the thread in the last second. \nthread.vmsize                 For the process main thread, this is the total virtual memory for the process (as kb). \n                              For the other threads, this field is zero. \nthread.vmrss                  For the process main thread, this is the resident non-swapped memory for the process (as \n                              kb). For the other threads, this field is zero. \nproc.sid                      the session id of the process generating the event. \nproc.sname                    the name of the current process's session leader. This is either the process with \n                              pid=proc.sid or the eldest ancestor that has the same sid as the current process. \nproc.tty                      The controlling terminal of the process. 0 for processes without a terminal. \nproc.exepath                  The full executable path of the process. \nproc.vpgid                    the process group id of the process generating the event, as seen from its current PID \n                              namespace. \nproc.is_container_healthcheck true if this process is running as a part of the container's health check. \nproc.is_container_liveness_probe\n                              true if this process is running as a part of the container's liveness probe. \nproc.is_container_readiness_probe\n                              true if this process is running as a part of the container's readiness probe. 
\nproc.is_exe_writable          true if this process' executable file is writable by the same user that spawned the \n                              process. \n\n-------------------------------\nField Class:                  user\nDescription:                  Information about the user executing the specific event. \n\nuser.uid                      user ID. \nuser.name                     user name. \nuser.homedir                  home directory of the user. \nuser.shell                    user's shell. \nuser.loginuid                 audit user id (auid). \nuser.loginname                audit user name (auid). \n\n-------------------------------\nField Class:                  group\nDescription:                  Information about the user group. \n\ngroup.gid                     group ID. \ngroup.name                    group name. \n\n-------------------------------\nField Class:                  container\nDescription:                  Container information. If the event is not happening inside a container, both id and name \n                              will be set to 'host'. \n\ncontainer.id                  the container id. \ncontainer.name                the container name. \ncontainer.image               the container image name (e.g. falcosecurity\/falco:latest for docker). \ncontainer.image.id            the container image id (e.g. 6f7e2741b66b). \ncontainer.type                the container type, eg: docker or rkt \ncontainer.privileged          true for containers running as privileged, false otherwise \ncontainer.mounts              A space-separated list of mount information. Each item in the list has the format \n                              <source>:<dest>:<mode>:<rdrw>:<propagation> \ncontainer.mount               Information about a single mount, specified by number (e.g. container.mount[0]) or mount \n                              source (container.mount[\/usr\/local]). 
The pathname can be a glob \n                              (container.mount[\/usr\/local\/*]), in which case the first matching mount will be returned. \n                              The information has the format <source>:<dest>:<mode>:<rdrw>:<propagation>. If there is \n                              no mount with the specified index or matching the provided source, returns the string \n                              \"none\" instead of a NULL value. \ncontainer.mount.source        the mount source, specified by number (e.g. container.mount.source[0]) or mount \n                              destination (container.mount.source[\/host\/lib\/modules]). The pathname can be a glob. \ncontainer.mount.dest          the mount destination, specified by number (e.g. container.mount.dest[0]) or mount source \n                              (container.mount.dest[\/lib\/modules]). The pathname can be a glob. \ncontainer.mount.mode          the mount mode, specified by number (e.g. container.mount.mode[0]) or mount source \n                              (container.mount.mode[\/usr\/local]). The pathname can be a glob. \ncontainer.mount.rdwr          the mount rdwr value, specified by number (e.g. container.mount.rdwr[0]) or mount source \n                              (container.mount.rdwr[\/usr\/local]). The pathname can be a glob. \ncontainer.mount.propagation   the mount propagation value, specified by number (e.g. container.mount.propagation[0]) or \n                              mount source (container.mount.propagation[\/usr\/local]). The pathname can be a glob. \ncontainer.image.repository    the container image repository (e.g. falcosecurity\/falco). \ncontainer.image.tag           the container image tag (e.g. stable, latest). \ncontainer.image.digest        the container image registry digest (e.g. \n                              sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27). \ncontainer.healthcheck         The container's health check. 
Will be the null value (\"N\/A\") if no healthcheck \n                              configured, \"NONE\" if configured but explicitly not created, and the healthcheck command \n                              line otherwise \ncontainer.liveness_probe      The container's liveness probe. Will be the null value (\"N\/A\") if no liveness probe \n                              configured, the liveness probe command line otherwise \ncontainer.readiness_probe     The container's readiness probe. Will be the null value (\"N\/A\") if no readiness probe \n                              configured, the readiness probe command line otherwise \n\n-------------------------------\nField Class:                  fd\nDescription:                  Every syscall that has a file descriptor in its arguments has these fields set with \n                              information related to the file. \n\nfd.num                        the unique number identifying the file descriptor. \nfd.type                       type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', \n                              'signalfd', 'eventpoll', 'inotify' or 'signalfd'. \nfd.typechar                   type of FD as a single character. Can be 'f' for file, 4 for IPv4 socket, 6 for IPv6 \n                              socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for \n                              eventpoll, 'i' for inotify, 'o' for unknown. \nfd.name                       FD full name. If the fd is a file, this field contains the full path. If the FD is a \n                              socket, this field contain the connection tuple. \nfd.directory                  If the fd is a file, the directory that contains it. \nfd.filename                   If the fd is a file, the filename without the path. \nfd.ip                         (FILTER ONLY) matches the ip address (client or server) of the fd. \nfd.cip                        client IP address. 
\nfd.sip                        server IP address. \nfd.lip                        local IP address. \nfd.rip                        remote IP address. \nfd.port                       (FILTER ONLY) matches the port (either client or server) of the fd. \nfd.cport                      for TCP\/UDP FDs, the client port. \nfd.sport                      for TCP\/UDP FDs, server port. \nfd.lport                      for TCP\/UDP FDs, the local port. \nfd.rport                      for TCP\/UDP FDs, the remote port. \nfd.l4proto                    the IP protocol of a socket. Can be 'tcp', 'udp', 'icmp' or 'raw'. \nfd.sockfamily                 the socket family for socket events. Can be 'ip' or 'unix'. \nfd.is_server                  'true' if the process owning this FD is the server endpoint in the connection. \nfd.uid                        a unique identifier for the FD, created by chaining the FD number and the thread ID. \nfd.containername              chaining of the container ID and the FD name. Useful when trying to identify which \n                              container an FD belongs to. \nfd.containerdirectory         chaining of the container ID and the directory name. Useful when trying to identify which \n                              container a directory belongs to. \nfd.proto                      (FILTER ONLY) matches the protocol (either client or server) of the fd. \nfd.cproto                     for TCP\/UDP FDs, the client protocol. \nfd.sproto                     for TCP\/UDP FDs, server protocol. \nfd.lproto                     for TCP\/UDP FDs, the local protocol. \nfd.rproto                     for TCP\/UDP FDs, the remote protocol. \nfd.net                        (FILTER ONLY) matches the IP network (client or server) of the fd. \nfd.cnet                       (FILTER ONLY) matches the client IP network of the fd. \nfd.snet                       (FILTER ONLY) matches the server IP network of the fd. 
\nfd.lnet                       (FILTER ONLY) matches the local IP network of the fd. \nfd.rnet                       (FILTER ONLY) matches the remote IP network of the fd. \nfd.connected                  for TCP\/UDP FDs, 'true' if the socket is connected. \nfd.name_changed               True when an event changes the name of an fd used by this event. This can occur in some \n                              cases such as udp connections where the connection tuple changes. \nfd.cip.name                   Domain name associated with the client IP address. \nfd.sip.name                   Domain name associated with the server IP address. \nfd.lip.name                   Domain name associated with the local IP address. \nfd.rip.name                   Domain name associated with the remote IP address. \nfd.dev                        device number (major\/minor) containing the referenced file \nfd.dev.major                  major device number containing the referenced file \nfd.dev.minor                  minor device number containing the referenced file \n\n-------------------------------\nField Class:                  syslog\nDescription:                  Content of Syslog messages. \n\nsyslog.facility.str           facility as a string. \nsyslog.facility               facility as a number (0-23). \nsyslog.severity.str           severity as a string. Can have one of these values: emerg, alert, crit, err, warn, \n                              notice, info, debug \nsyslog.severity               severity as a number (0-7). \nsyslog.message                message sent to syslog. \n\n-------------------------------\nField Class:                  fdlist\nDescription:                  Poll event related fields. \n\nfdlist.nums                   for poll events, this is a comma-separated list of the FD numbers in the 'fds' argument, \n                              returned as a string. 
\nfdlist.names                  for poll events, this is a comma-separated list of the FD names in the 'fds' argument, \n                              returned as a string. \nfdlist.cips                   for poll events, this is a comma-separated list of the client IP addresses in the 'fds' \n                              argument, returned as a string. \nfdlist.sips                   for poll events, this is a comma-separated list of the server IP addresses in the 'fds' \n                              argument, returned as a string. \nfdlist.cports                 for TCP\/UDP FDs, for poll events, this is a comma-separated list of the client TCP\/UDP \n                              ports in the 'fds' argument, returned as a string. \nfdlist.sports                 for poll events, this is a comma-separated list of the server TCP\/UDP ports in the 'fds' \n                              argument, returned as a string. \n\n-------------------------------\nField Class:                  k8s\nDescription:                  Kubernetes related context. Available when configured to fetch k8s meta-data from API \n                              Server. \n\nk8s.pod.name                  Kubernetes pod name. \nk8s.pod.id                    Kubernetes pod id. \nk8s.pod.label                 Kubernetes pod label. E.g. 'k8s.pod.label.foo'. \nk8s.pod.labels                Kubernetes pod comma-separated key\/value labels. E.g. 'foo1:bar1,foo2:bar2'. \nk8s.rc.name                   Kubernetes replication controller name. \nk8s.rc.id                     Kubernetes replication controller id. \nk8s.rc.label                  Kubernetes replication controller label. E.g. 'k8s.rc.label.foo'. \nk8s.rc.labels                 Kubernetes replication controller comma-separated key\/value labels. E.g. \n                              'foo1:bar1,foo2:bar2'. \nk8s.svc.name                  Kubernetes service name (can return more than one value, concatenated). 
\nk8s.svc.id                    Kubernetes service id (can return more than one value, concatenated). \nk8s.svc.label                 Kubernetes service label. E.g. 'k8s.svc.label.foo' (can return more than one value, \n                              concatenated). \nk8s.svc.labels                Kubernetes service comma-separated key\/value labels. E.g. 'foo1:bar1,foo2:bar2'. \nk8s.ns.name                   Kubernetes namespace name. \nk8s.ns.id                     Kubernetes namespace id. \nk8s.ns.label                  Kubernetes namespace label. E.g. 'k8s.ns.label.foo'. \nk8s.ns.labels                 Kubernetes namespace comma-separated key\/value labels. E.g. 'foo1:bar1,foo2:bar2'. \nk8s.rs.name                   Kubernetes replica set name. \nk8s.rs.id                     Kubernetes replica set id. \nk8s.rs.label                  Kubernetes replica set label. E.g. 'k8s.rs.label.foo'. \nk8s.rs.labels                 Kubernetes replica set comma-separated key\/value labels. E.g. 'foo1:bar1,foo2:bar2'. \nk8s.deployment.name           Kubernetes deployment name. \nk8s.deployment.id             Kubernetes deployment id. \nk8s.deployment.label          Kubernetes deployment label. E.g. 'k8s.rs.label.foo'. \nk8s.deployment.labels         Kubernetes deployment comma-separated key\/value labels. E.g. 'foo1:bar1,foo2:bar2'. \n\n-------------------------------\nField Class:                  mesos\nDescription:                  Mesos related context. \n\nmesos.task.name               Mesos task name. \nmesos.task.id                 Mesos task id. \nmesos.task.label              Mesos task label. E.g. 'mesos.task.label.foo'. \nmesos.task.labels             Mesos task comma-separated key\/value labels. E.g. 'foo1:bar1,foo2:bar2'. \nmesos.framework.name          Mesos framework name. \nmesos.framework.id            Mesos framework id. \nmarathon.app.name             Marathon app name. \nmarathon.app.id               Marathon app id. 
\nmarathon.app.label            Marathon app label. E.g. 'marathon.app.label.foo'. \nmarathon.app.labels           Marathon app comma-separated key\/value labels. E.g. 'foo1:bar1,foo2:bar2'. \nmarathon.group.name           Marathon group name. \nmarathon.group.id             Marathon group id. \n\n-------------------------------\nField Class:                  span\nDescription:                  Fields used if information about distributed tracing is available. \n\nspan.id                       ID of the span. This is a unique identifier that is used to match the enter and exit \n                              tracer events for this span. It can also be used to match different spans belonging to a \n                              trace. \nspan.time                     time of the span's enter tracer as a human readable string that includes the nanosecond \n                              part. \nspan.ntags                    number of tags that this span has. \nspan.nargs                    number of arguments that this span has. \nspan.tags                     dot-separated list of all of the span's tags. \nspan.tag                      one of the span's tags, specified by 0-based offset, e.g. 'span.tag[1]'. You can use a \n                              negative offset to pick elements from the end of the tag list. For example, \n                              'span.tag[-1]' returns the last tag. \nspan.args                     comma-separated list of the span's arguments. \nspan.arg                      one of the span arguments, specified by name or by 0-based offset. E.g. 'span.arg.xxx' or \n                              'span.arg[1]'. You can use a negative offset to pick elements from the end of the tag \n                              list. For example, 'span.arg[-1]' returns the last argument. \nspan.enterargs                comma-separated list of the span's enter tracer event arguments. 
For enter tracers, this \n                              is the same as evt.args. For exit tracers, this is the evt.args of the corresponding \n                              enter tracer. \nspan.enterarg                 one of the span's enter arguments, specified by name or by 0-based offset. For enter \n                              tracer events, this is the same as evt.arg. For exit tracer events, this is the evt.arg \n                              of the corresponding enter event. \nspan.duration                 delta between this span's exit tracer event and the enter tracer event. \nspan.duration.human           delta between this span's exit tracer event and the enter event, as a human readable \n                              string (e.g. 10.3ms). \n\n-------------------------------\nField Class:                  evtin\nDescription:                  Fields used if information about distributed tracing is available. \n\nevtin.span.id                 accepts all the events that are between the enter and exit tracers of the spans with the \n                              given ID and are generated by the same thread that generated the tracers. \nevtin.span.ntags              accepts all the events that are between the enter and exit tracers of the spans with the \n                              given number of tags and are generated by the same thread that generated the tracers. \nevtin.span.nargs              accepts all the events that are between the enter and exit tracers of the spans with the \n                              given number of arguments and are generated by the same thread that generated the \n                              tracers. \nevtin.span.tags               accepts all the events that are between the enter and exit tracers of the spans with the \n                              given tags and are generated by the same thread that generated the tracers. 
\nevtin.span.tag                accepts all the events that are between the enter and exit tracers of the spans with the \n                              given tag and are generated by the same thread that generated the tracers. See the \n                              description of span.tag for information about the syntax accepted by this field. \nevtin.span.args               accepts all the events that are between the enter and exit tracers of the spans with the \n                              given arguments and are generated by the same thread that generated the tracers. \nevtin.span.arg                accepts all the events that are between the enter and exit tracers of the spans with the \n                              given argument and are generated by the same thread that generated the tracers. See the \n                              description of span.arg for information about the syntax accepted by this field. \nevtin.span.p.id               same as evtin.span.id, but also accepts events generated by other threads in the same \n                              process that produced the span. \nevtin.span.p.ntags            same as evtin.span.ntags, but also accepts events generated by other threads in the same \n                              process that produced the span. \nevtin.span.p.nargs            same as evtin.span.nargs, but also accepts events generated by other threads in the same \n                              process that produced the span. \nevtin.span.p.tags             same as evtin.span.tags, but also accepts events generated by other threads in the same \n                              process that produced the span. \nevtin.span.p.tag              same as evtin.span.tag, but also accepts events generated by other threads in the same \n                              process that produced the span. 
\nevtin.span.p.args             same as evtin.span.args, but also accepts events generated by other threads in the same \n                              process that produced the span. \nevtin.span.p.arg              same as evtin.span.arg, but also accepts events generated by other threads in the same \n                              process that produced the span. \nevtin.span.s.id               same as evtin.span.id, but also accepts events generated by the script that produced the \n                              span, i.e. by the processes whose parent PID is the same as the one of the process \n                              generating the span. \nevtin.span.s.ntags            same as evtin.span.id, but also accepts events generated by the script that produced the \n                              span, i.e. by the processes whose parent PID is the same as the one of the process \n                              generating the span. \nevtin.span.s.nargs            same as evtin.span.id, but also accepts events generated by the script that produced the \n                              span, i.e. by the processes whose parent PID is the same as the one of the process \n                              generating the span. \nevtin.span.s.tags             same as evtin.span.id, but also accepts events generated by the script that produced the \n                              span, i.e. by the processes whose parent PID is the same as the one of the process \n                              generating the span. \nevtin.span.s.tag              same as evtin.span.id, but also accepts events generated by the script that produced the \n                              span, i.e. by the processes whose parent PID is the same as the one of the process \n                              generating the span. \nevtin.span.s.args             same as evtin.span.id, but also accepts events generated by the script that produced the \n                              span, i.e. 
by the processes whose parent PID is the same as the one of the process \n                              generating the span. \nevtin.span.s.arg              same as evtin.span.id, but also accepts events generated by the script that produced the \n                              span, i.e. by the processes whose parent PID is the same as the one of the process \n                              generating the span. \nevtin.span.m.id               same as evtin.span.id, but accepts all the events generated on the machine during the \n                              span, including other threads and other processes. \nevtin.span.m.ntags            same as evtin.span.id, but accepts all the events generated on the machine during the \n                              span, including other threads and other processes. \nevtin.span.m.nargs            same as evtin.span.id, but accepts all the events generated on the machine during the \n                              span, including other threads and other processes. \nevtin.span.m.tags             same as evtin.span.id, but accepts all the events generated on the machine during the \n                              span, including other threads and other processes. \nevtin.span.m.tag              same as evtin.span.id, but accepts all the events generated on the machine during the \n                              span, including other threads and other processes. \nevtin.span.m.args             same as evtin.span.id, but accepts all the events generated on the machine during the \n                              span, including other threads and other processes. \nevtin.span.m.arg              same as evtin.span.id, but accepts all the events generated on the machine during the \n                              span, including other threads and other processes. 
\n<\/code><\/pre>\n\n\n\n<p>For example, to print only SSH-related events;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig proc.name=sshd<\/code><\/pre>\n\n\n\n<p>And press ENTER.<\/p>\n\n\n\n<p>It is also possible to use comparison operators: <strong>=, !=, &lt;, &lt;=, &gt;, &gt;=, contains, icontains, in, exists<\/strong>. For example, to show only events on file descriptors whose name contains etc;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig fd.name contains etc<\/code><\/pre>\n\n\n\n<p>Only events whose process name exists;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig proc.name exists<\/code><\/pre>\n\n\n\n<p>You can also combine several filters using the boolean operators: <strong>and, or, not<\/strong>;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig \"not (fd.name contains \/proc or fd.name contains \/dev)\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Sysdig Chisels<\/h3>\n\n\n\n<p>Sysdig also comes bundled with Lua scripts called chisels. These scripts analyze the sysdig event stream to perform useful actions, for example monitoring user activity or the traffic exchanged with a specific IP address.<\/p>\n\n\n\n<p>To list Sysdig chisels;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig -cl<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nCategory: Application\n---------------------\nhttplog         HTTP requests log\nhttptop         Top HTTP requests\nmemcachelog     memcached requests log\n\nCategory: CPU Usage\n-------------------\nspectrogram     Visualize OS latency in real time.\nsubsecoffset    Visualize subsecond offset execution time.\ntopcontainers_cpu\n                Top containers by CPU usage\ntopprocs_cpu    Top processes by CPU usage\n\nCategory: Errors\n----------------\ntopcontainers_error\n                Top containers by number of errors\ntopfiles_errors Top files by number of errors\ntopprocs_errors top processes by number of errors\n\nCategory: I\/O\n-------------\necho_fds        Print the data read and written by processes.\nfdbytes_by      I\/O bytes, aggregated by an 
arbitrary filter field\nfdcount_by      FD count, aggregated by an arbitrary filter field\nfdtime_by       FD time group by\niobytes         Sum of I\/O bytes on any type of FD\niobytes_file    Sum of file I\/O bytes\nspy_file        Echo any read\/write made by any process to all files. Optionall\n                y, you can provide the name of one file to only intercept reads\n                \/writes to that file.\nstderr          Print stderr of processes\nstdin           Print stdin of processes\nstdout          Print stdout of processes\ntopcontainers_file\n                Top containers by R+W disk bytes\ntopfiles_bytes  Top files by R+W bytes\ntopfiles_time   Top files by time\ntopprocs_file   Top processes by R+W disk bytes\nudp_extract     extract data from UDP streams to files.\n\nCategory: Logs\n--------------\nspy_logs        Echo any write made by any process to a log file. Optionally, e\n                xport the events around each log message to file.\nspy_syslog      Print every message written to syslog. 
Optionally, export the e\n                vents around each syslog message to file.\n\nCategory: Misc\n--------------\naround          Export to file the events around the time range where the given\n                 filter matches.\n\nCategory: Net\n-------------\niobytes_net     Show total network I\/O bytes\nspy_ip          Show the data exchanged with the given IP address\nspy_port        Show the data exchanged using the given IP port number\ntopconns        Top network connections by total bytes\ntopcontainers_net\n                Top containers by network I\/O\ntopports_server Top TCP\/UDP server ports by R+W bytes\ntopprocs_net    Top processes by network I\/O\n\nCategory: Performance\n---------------------\nbottlenecks     Slowest system calls\nfileslower      Trace slow file I\/O\nnetlower        Trace slow network I\/0\nproc_exec_time  Show process execution time\nscallslower     Trace slow syscalls\ntopscalls       Top system calls by number of calls\ntopscalls_time  Top system calls by time\n\nCategory: Security\n------------------\nlist_login_shells\n                List the login shell IDs\nshellshock_detect\n                print shellshock attacks\nspy_users       Display interactive user activity\n\nCategory: System State\n----------------------\nlscontainers    List the running containers\nlsof            List (and optionally filter) the open file descriptors.\nnetstat         List (and optionally filter) network connections.\nps              List (and optionally filter) the machine processes.\n\nCategory: Tracers\n-----------------\ntracers_2_statsd\n                Export spans duration as statds metrics.\n\nUse the -i flag to get detailed information about a specific chisel\n\n<\/code><\/pre>\n\n\n\n<p>For example, to list running processes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig -c ps<\/code><\/pre>\n\n\n\n<p>To get top processes by CPU usage;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig -c 
topprocs_cpu<\/code><\/pre>\n\n\n\n<p>Show the data exchanged with the given IP address;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig -c spy_ip 192.168.100.1<\/code><\/pre>\n\n\n\n<p>Display interactive user activity;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sysdig -c spy_users<\/code><\/pre>\n\n\n\n<p>And many more.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Csysdig: Intuitive sysdig UI tool<\/h3>\n\n\n\n<p>Sysdig ships with an intuitive UI tool called Csysdig. It works in a similar way to the top\/htop commands.<\/p>\n\n\n\n<p>You can simply launch Csysdig from the command line.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>csysdig<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1876\" height=\"1025\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-sysdig-UI.png\" alt=\"install Sysdig system visibility tool on Ubuntu\" class=\"wp-image-13667\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-sysdig-UI.png?v=1659815096 1876w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-sysdig-UI-768x420.png?v=1659815096 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-sysdig-UI-1536x839.png?v=1659815096 1536w\" sizes=\"(max-width: 1876px) 100vw, 1876px\" \/><\/figure>\n\n\n\n<p>Csysdig has different views. 
Press <strong>Fn+F12<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1726\" height=\"1033\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-views.png\" alt=\"install Sysdig system visibility tool on Ubuntu\" class=\"wp-image-13668\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-views.png?v=1659815119 1726w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-views-768x460.png?v=1659815119 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-views-1536x919.png?v=1659815119 1536w\" sizes=\"(max-width: 1726px) 100vw, 1726px\" \/><\/figure>\n\n\n\n<p>You can scroll up\/down through the views using the arrow keys to select a specific view. Press Enter to display the selected view.<\/p>\n\n\n\n<p>Sample spy_users view.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1896\" height=\"291\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-spy-users.png\" alt=\"\" class=\"wp-image-13669\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-spy-users.png?v=1659815144 1896w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-spy-users-768x118.png?v=1659815144 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2022\/08\/csysdig-spy-users-1536x236.png?v=1659815144 1536w\" sizes=\"(max-width: 1896px) 100vw, 1896px\" \/><\/figure>\n\n\n\n<p>Awesome, isn&#8217;t it?<\/p>\n\n\n\n<p>That brings us to the close of our tutorial on how to install Sysdig on Ubuntu 22.04.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p><a href=\"https:\/\/github.com\/draios\/sysdig\/wiki\/Sysdig-User-Guide\" target=\"_blank\" rel=\"noreferrer noopener\">Sysdig User Guide<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-ntopng-on-rocky-linux-8\/\" 
target=\"_blank\" rel=\"noreferrer noopener\">Install ntopng on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-copy-paste-lines-in-vim\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to copy paste lines in vim<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/example-usage-of-ps-command-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Example Usage of ps Command in Linux<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial will take you through how to install Sysdig system visibility tool on Ubuntu 22.04. Sysdig is a simple visibility tool that provides deep<\/p>\n","protected":false},"author":1,"featured_media":13671,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,49,72],"tags":[5641,5644,5642,5643,5640],"class_list":["post-12710","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-command-cheatsheets","category-monitoring","tag-csysdig","tag-install-sysdig","tag-install-sysdig-system-visibility-tool-on-ubuntu","tag-monitor-linux-using-sysdig","tag-sysdig","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12710"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12710"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12710\/revisions"}],"predecessor-version":[{"id":20604,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12710\/revisions\/20604"}],"wp:featuredmedia
":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/13671"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}