This is mostly just my own quick reference for common usages.
Sysdig is best summed up on its own site, http://www.sysdig.org/ :
Sysdig is open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze.
Sysdig is scriptable in Lua and includes a command line interface and a powerful interactive UI, csysdig, that runs in your terminal. Think of sysdig as strace + tcpdump + htop + iftop + lsof + awesome sauce. With state of the art container visibility on top.
It's a tool I have been chasing for a while, to be able to dig into a problem rapidly. Although I have not started using the commercial side of it (Sysdig Cloud, https://sysdig.com/), I can see it being implemented in the very near future, as it looks to be a powerhouse of information as well.
Install
Simple: check out http://www.sysdig.org/install/
There are very few requirements (mainly a reasonably recent OS and kernel, since sysdig loads a kernel module to capture system calls).
The Cheatsheet
This is an active list and will grow over time; I would welcome anyone's own little hints.
A list of some sources these commands come from:
- https://sysdig.com/wp-content/uploads/2014/12/Sysdig-Official-Cheatsheet.pdf
- https://github.com/draios/sysdig/wiki/Sysdig%20Examples
The Basics
sysdig -l                        # List all available filter fields
sysdig -L                        # List all supported event types
sysdig -cl                       # List all available chisels
sysdig -w myfile.scap            # Write a full system capture to a file (as with most dumps it can grow very quickly; stop it early or filter what you capture)
sysdig -r myfile.scap            # Read back a capture file (any filter or chisel below also works on a saved capture)
csysdig                          # Run in top-style interactive mode
csysdig user.name=$SOMEUSERNAME  # Top-style mode filtered to a selected user
sysdig -c spy_users              # See every command that every user is running
sysdig fd.name contains /home    # All file descriptor activity on paths under /home
Some I/O based stuff
sysdig -c fileslower 1                                     # File I/O calls with latency greater than 1 ms; useful when tracking down certain kinds of performance issues
sysdig proc.name=nano                                      # See what is happening when someone opens nano (or any other process)
sysdig proc.name=httpd and fd.name contains /home/user     # Only httpd activity touching files under /home/user
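The two filters above that combine user or process with a path under /home are the start of a simple check: who is opening files in home directories that are not their own. The script below is an added example, not from the original post or from the sysdig project. It uses sysdig's own -p output format and the evt.type, evt.dir, user.name, proc.name and fd.name fields; the pipe-delimited layout, the function names and the sample records are my own and the sample is constructed, so the parsing half runs without sysdig or root.

```shell
#!/bin/sh
# Added example (not part of the original post or of sysdig itself).
# Step 1: capture file opens under /home with a fixed, pipe-delimited layout.
# Step 2: flag records where the path's home directory does not belong to
#         the user who opened it.

# Needs root and the sysdig kernel module; not called during the self-test.
# evt.dir=< selects the return side of the syscall, where fd.name is filled in.
capture_home_opens() {
    sysdig -p "%evt.time|%user.name|%proc.name|%fd.name" \
        "(evt.type=open or evt.type=openat) and evt.dir=< and fd.name contains /home"
}

# Reads pipe-delimited records on stdin, prints "time user proc path" for
# every open of /home/<owner>/... where <owner> is not the acting user.
flag_cross_home() {
    awk -F'|' '{
        n = split($4, p, "/")          # p[2]="home", p[3]=owner of the home dir
        if (n >= 3 && p[2] == "home" && p[3] != "" && p[3] != $2)
            print $1, $2, $3, $4
    }'
}

# Constructed sample of what capture_home_opens would print (not real data).
SAMPLE='10:01:02.123456789|alice|vim|/home/alice/.bashrc
10:01:03.000000001|bob|cat|/home/alice/.ssh/id_rsa
10:01:04.000000002|root|sshd|/home/bob/.ssh/authorized_keys
10:01:05.000000003|bob|nano|/home/bob/notes.txt
10:01:06.000000004|alice|less|/etc/hostname'

# Helper for the self-test: number of flagged records in SAMPLE.
cross_home_count() {
    printf '%s\n' "$SAMPLE" | flag_cross_home | wc -l | tr -d ' '
}

# Run live with --live, otherwise demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    capture_home_opens | flag_cross_home
else
    printf '%s\n' "$SAMPLE" | flag_cross_home
fi
```

On the sample this flags bob reading alice's private key and root's sshd reading bob's authorized_keys. The second is normal for sshd, so in practice you would either drop root (add `$2 != "root"` to the awk condition) or, better, keep root and whitelist proc.name=sshd, since root reading another user's id_rsa is exactly what you want to see. Save the capture with -w first and run the same filter with -r if you want to iterate on it offline.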