@adrianlzt
Forked from molotovbliss/sysdig-snippets.md
Last active November 11, 2021 17:44
SYSDIG CHEAT SHEET

OFFICIAL OPENSOURCE SYSDIG CHEAT SHEET


Basic usage

Capture & write every system event to standard output

$ sysdig

Run sysdig as container (capturing host events)

$ docker run -i -t --name sysdig --privileged -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/sysdig

Capture events to a trace file for later analysis

$ sysdig -w myfile.scap

Read events from a trace file

$ sysdig -r myfile.scap

Filter events based on certain fields

$ sysdig proc.name=httpd and evt.type!=open

Run a chisel for advanced functionality

$ sysdig -c topprocs_cpu

List all available fields

$ sysdig -l

List all available chisels

$ sysdig -cl

Containers

View the list of processes with container context

$ sysdig -pc

View the CPU usage of the processes running in wordpress1 container

$ sysdig -pc -c topprocs_cpu container.name=wordpress1

View the top HTTP requests made to the Kubernetes-based MySQL service

$ sysdig -k http://127.0.0.1:8080 -c httptop k8s.svc.name=mysql

Network

Show the network data exchanged with a host

$ sysdig -s2000 -A -c echo_fds fd.cip=192.168.0.1

List all the incoming connections that are not served by apache

$ sysdig -p "%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"

File system

List the processes using the highest number of files

$ sysdig -c fdcount_by proc.name "fd.type=file"

Observe the I/O activity on all the files named 'passwd'

$ sysdig -A -c echo_fds "fd.filename=passwd"

Security

Show the directories that root visits

$ sysdig -p "%evt.arg.path" "evt.type=chdir and user.name=root"
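As an added example (not part of the gist), the POSIX sh helper below turns the root-chdir one-liner above into a repeatable check: it emits the sysdig command line for live capture or for replaying a trace file with -r, and it summarizes the resulting -p output by directory, tagging paths under a watched-prefix list so a reviewer sees the busiest and the sensitive directories first. The format string, the WATCHED prefixes and the SAMPLE lines are assumptions and constructed data, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original gist.
# Turns the "Show the directories that root visits" one-liner into a reusable check.
# Assumptions: sysdig prints events with the -p format below; WATCHED is a
# site-specific list of prefixes; SAMPLE is constructed output, not a real capture.

CHDIR_FILTER='evt.type=chdir and user.name=root'
CHDIR_FORMAT='%evt.time %proc.name %evt.arg.path'
WATCHED='/etc /root /var/lib'

# Print the sysdig command: live capture by default, or replay of a trace file
# when a .scap path is given (same -r flag as in the cheat sheet).
chdir_cmd() {
    if [ -n "$1" ]; then
        printf 'sysdig -r %s -p "%s" "%s"\n' "$1" "$CHDIR_FORMAT" "$CHDIR_FILTER"
    else
        printf 'sysdig -p "%s" "%s"\n' "$CHDIR_FORMAT" "$CHDIR_FILTER"
    fi
}

# Read formatted chdir events on stdin, count visits per directory, tag any
# directory under a watched prefix, and list the busiest first.
# (Paths containing spaces are truncated at the first space by this simple parser.)
summarize_chdir() {
    awk -v watched="$WATCHED" '
    BEGIN { n = split(watched, w, " ") }
    NF >= 3 {
        dir = $3
        count[dir]++
        for (i = 1; i <= n; i++)
            if (index(dir, w[i]) == 1) flagged[dir] = 1
    }
    END {
        for (d in count)
            printf "%d %s%s\n", count[d], d, ((d in flagged) ? " [watched]" : "")
    }' | sort -rn
}

# Constructed sample of what the -p format above produces (time, process, path).
SAMPLE='12:00:01.000000000 bash /tmp
12:00:02.000000000 bash /etc
12:00:03.000000000 sh /root
12:00:04.000000000 bash /tmp
12:00:05.000000000 bash /tmp'

# Usage: ./root_chdir.sh             -> summarize the constructed sample
#        ./root_chdir.sh live        -> run sysdig live and summarize real events
#        ./root_chdir.sh myfile.scap -> replay a trace file and summarize
case "${1:-}" in
    "")   printf '%s\n' "$SAMPLE" | summarize_chdir ;;
    live) eval "$(chdir_cmd)" | summarize_chdir ;;
    *)    eval "$(chdir_cmd "$1")" | summarize_chdir ;;
esac
```

Run it with no argument to see the summary of the constructed sample ("3 /tmp" first, then the two watched directories); pass "live" or a .scap file to feed real sysdig output through the same summarizer.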

Observe ssh activity

$ sysdig -A -c echo_fds fd.name=/dev/ptmx and proc.name=sshd

Logs

Display all syslog messages from python

$ sysdig -c spy_syslog proc.name=python

Super-tail all log files in the system

$ sysdig -c spy_logs

CSysdig

Run csysdig, the curses-based UI for sysdig, with Mesos metadata

$ csysdig -m http://127.0.0.1:8080
@adrianlzt (Author)

Exercises (by @aebm):

  1. The container is not starting; make it work:
     docker run --name ej1 aebm/ej1:v1
  2. Be able to start the container and then find the file where logs are being written (look for the "FATAL" string).
     Try not to brute-force it.
     docker run --name ej2 aebm/ej2:v1
  3. Which cat is being requested from procatinator.com?
     docker run --name ej3 aebm/ej3:v1
