Sysdig listens at the operating system level and captures system calls, system events and other activity as they happen, which makes it look very much like a tcpdump or Wireshark for the whole system. If you ever have to investigate abnormal behaviour or a failure on a system, Sysdig is a handy weapon to have.
On Linux, Sysdig can be installed with the following command:
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
This installs Sysdig on rpm- or deb-based Linux systems. Note that the command pipes a script fetched over the network straight into a root shell; on any machine you care about, download the script first, read it, and only then run it. Sysdig also loads a kernel module, so both installation and capturing need root privileges.
Capture system activity
Capture in real time and print the events to standard output:
sysdig
Save the capture to the file system.scap for later analysis:
sysdig -w system.scap
Capture only 200 events and save them to the file:
sysdig -n 200 -w system.scap
Read the events back from the capture file:
sysdig -r system.scap
A capture file holds, among other things, the first bytes of every read and write buffer (80 by default, adjustable with -s), so it can contain passwords, keys and other sensitive data; store and share it accordingly.
Interpreting the captured results
(1) (2) (3) (4) (5) (6) (7) (8)
1 10:54:50.462463956 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
2 10:54:50.462603110 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
3 10:54:50.462729565 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
4 10:54:50.462859521 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
5 10:54:50.463206317 0 sysdig (29043) > switch next=0 pgft_maj=0 pgft_min=1790 vm_size=35748 vm_rss=7164 vm_swap=0
6 10:54:50.464246835 0 <NA> (0) > switch next=7 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
7 10:54:50.464249707 2 <NA> (0) > switch next=8374 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
8 10:54:50.464255940 0 <NA> (7) > switch next=0 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
9 10:54:50.464264256 2 <NA> (8374) > switch next=0 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
10 10:54:50.464358113 2 <NA> (0) > switch next=854(mlnet) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
11 10:54:50.464370099 2 mlnet (854) < poll res=0 fds=
12 10:54:50.464378193 2 mlnet (854) > poll fds= timeout=5
13 10:54:50.464385400 2 mlnet (854) > switch next=0 pgft_maj=216 pgft_min=3386 vm_size=162608 vm_rss=12196 vm_swap=2716
14 10:54:50.464950541 0 <NA> (0) > switch next=1105(memcached) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
15 10:54:50.464954692 0 memcached (1105) < epoll_wait res=0
16 10:54:50.464976007 0 memcached (1105) > epoll_wait maxevents=32
17 10:54:50.464984030 0 memcached (1105) > switch next=0 pgft_maj=3 pgft_min=247 vm_size=327412 vm_rss=1860 vm_swap=468
18 10:54:50.465256687 2 <NA> (0) > switch next=2181(plugin-containe) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
19 10:54:50.465261465 2 plugin-containe (2181) < poll res=0 fds=
20 10:54:50.465297692 2 plugin-containe (2181) > getrlimit resource=3(RLIMIT_STACK)
Each line Sysdig prints has the columns marked above, with the following meaning:
(1) Event number
(2) Timestamp
(3) CPU ID
(4) Process name
(5) Thread ID
(6) Event direction: > marks entry into a system call, < marks its exit
(7) Event type, such as open, read, switch, etc.
(8) Event arguments
Filtering the captured results
By default, Sysdig captures far more than we are interested in, so to find the events that matter we need grep-like filtering.
Filter on a field:
sysdig -r system.scap proc.name=sysdig
This command keeps only the events of the process called sysdig; the result is:
1 10:54:50.462463956 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
2 10:54:50.462603110 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
3 10:54:50.462729565 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
4 10:54:50.462859521 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
5 10:54:50.463206317 0 sysdig (29043) > switch next=0 pgft_maj=0 pgft_min=1790 vm_size=35748 vm_rss=7164 vm_swap=0
Sysdig provides fields in categories such as fd, process, evt, user, group and syslog; the full list can be printed with sysdig -l.
Besides =, Sysdig filter expressions also support !=, <, <=, >, >= and contains, among other operators.
They can be combined with the Boolean operators and, or and not. For example:
sysdig -r system.scap proc.name=sysdig and evt.type=switch
Quote the expression if it contains characters your shell would otherwise interpret, such as < or >.
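The output format and the filter syntax described above, as an added example that is not part of the original page and not sysdig's own code: a small Python parser for sysdig's default output lines (the sample lines are constructed from the capture shown earlier) and a recursive-descent evaluator for filter expressions, covering =, !=, <, <=, >, >=, contains and icontains (the case-insensitive variant), combined with and, or, not and parentheses. Individual event arguments are exposed as evt.arg.<name>, as sysdig does; the other field names are the ones listed above. sysdig's real filter engine works on the binary event stream with typed fields and does far more; this only illustrates the grammar.

```python
# Added example: parse sysdig's default text output and evaluate a subset of
# its filter syntax over the events. Not sysdig's own code; the sample lines
# are constructed from the capture shown above.
import re

# Constructed sample in the default format: num time cpu proc.name (tid) dir type args
SAMPLE_OUTPUT = """\
1 10:54:50.462463956 0 sysdig (29043) > sysdigevent event_type=1 event_data=0
5 10:54:50.463206317 0 sysdig (29043) > switch next=0 pgft_maj=0 pgft_min=1790 vm_size=35748 vm_rss=7164 vm_swap=0
10 10:54:50.464358113 2 <NA> (0) > switch next=854(mlnet) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
11 10:54:50.464370099 2 mlnet (854) < poll res=0 fds=
12 10:54:50.464378193 2 mlnet (854) > poll fds= timeout=5
16 10:54:50.464976007 0 memcached (1105) > epoll_wait maxevents=32
20 10:54:50.465297692 2 plugin-containe (2181) > getrlimit resource=3(RLIMIT_STACK)
"""

LINE_RE = re.compile(r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>.*?) "
                     r"\((?P<tid>\d+)\) (?P<dir>[<>]) (?P<type>\S+)(?: (?P<args>.*))?$")
# name=value pairs; a value runs until the next " name=", so it may be empty or hold spaces
ARG_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_line(line):
    """Turn one output line into a dict keyed by sysdig field names."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sysdig line: {line!r}")
    ev = {"evt.num": int(m["num"]), "evt.time": m["time"], "evt.cpu": int(m["cpu"]),
          "proc.name": m["proc"], "thread.tid": int(m["tid"]), "evt.dir": m["dir"],
          "evt.type": m["type"], "evt.args": m["args"] or ""}
    for name, value in ARG_RE.findall(ev["evt.args"]):
        ev["evt.arg." + name] = value        # e.g. evt.arg.next, evt.arg.timeout
    return ev

# Filter language: field OP value, combined with and / or / not and parentheses
TOKEN_RE = re.compile(r'!=|<=|>=|[=<>()]|"[^"]*"|[^\s()=!<>"]+')
OPS = ("=", "!=", "<", "<=", ">", ">=", "contains", "icontains")

def _compare(op, actual, wanted):
    if op in ("contains", "icontains"):
        a, b = (str(actual), wanted) if op == "contains" else (str(actual).lower(), wanted.lower())
        return b in a
    try:                                     # numeric comparison when both sides are numbers
        a, b = float(actual), float(wanted)
    except ValueError:
        a, b = str(actual), wanted
    return {"=": a == b, "!=": a != b, "<": a < b,
            "<=": a <= b, ">": a > b, ">=": a >= b}[op]

class FilterParser:
    """Recursive descent over the tokens; each parse_* method returns a predicate."""
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return tok

    def parse_or(self):                      # or_expr := and_expr ('or' and_expr)*
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = (lambda lhs, rhs: lambda ev: lhs(ev) or rhs(ev))(left, self.parse_and())
        return left

    def parse_and(self):                     # and_expr := unary ('and' unary)*
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = (lambda lhs, rhs: lambda ev: lhs(ev) and rhs(ev))(left, self.parse_not())
        return left

    def parse_not(self):                     # unary := 'not' unary | '(' or_expr ')' | comparison
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda ev: not inner(ev)
        if self.peek() == "(":
            self.take()
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        field, op, value = self.take(), self.take(), self.take()
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        value = value[1:-1] if value.startswith('"') else value
        # A field the event does not carry never matches, as in sysdig
        return lambda ev: field in ev and _compare(op, ev[field], value)

def compile_filter(expr):
    """Compile a filter expression into a predicate over parsed events."""
    parser = FilterParser(expr)
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return pred

def sysdig_filter(text, expr):
    """Return the events in `text` (sysdig default output) that match `expr`."""
    pred = compile_filter(expr)
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return [ev for ev in events if pred(ev)]
```

Running sysdig_filter(SAMPLE_OUTPUT, "proc.name=sysdig and evt.type=switch") returns only event 5, the same selection the sysdig command above makes; a comparison on a field the event does not carry (for example evt.arg.next on a poll event) is simply false rather than an error, which is what makes filters such as evt.arg.next contains mlnet safe to run over a mixed event stream.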
Chisels
In Sysdig, chisels are scripts written in Lua that run over the event stream and extend what Sysdig can do beyond plain filtering, for example aggregating and formatting events.
For example, to see which processes read and write the most file data, use the topprocs_file chisel:
sysdig -c topprocs_file
Result:
Bytes      Process
------------------------------
448.36KB   mozStorage
220.38KB   perl
1.69KB     tmux
1.62KB     sh
1.59KB     Xorg
1.30KB     urxvtd
The available chisels can be listed with sysdig -cl. And if you are familiar with Lua, you can also write your own chisels.