How To Monitor Ubuntu 16.04/16.10 with Sysdig
Control everything that happens in your system and learn how to monitor Ubuntu 16 and see all its processes with Sysdig and Csysdig.
What is Sysdig?
Sysdig is a free, open source tool for exploring system behaviour: it captures the state of the system in real time, analyses the processes running on Linux, lets us filter that event stream and saves it so that we can later draw conclusions about how the system behaves.
Sysdig uses Lua scripts (chisels) and is operated from the command line. Among its main features we have:
- Fast and stable
- Simple to use
- Broad coverage of system activity
- Flexible
- Adaptable to the current workflow
- It can also be installed on Windows and Mac OS systems
By default, Sysdig analyzes the server where it is installed, but we can use the Sysdig Cloud tool to manage computers remotely.
Update Ubuntu 16
It is essential that before installing any application or utility in the system we update its packages and repositories, for this we will use the following command:
sudo apt-get update
Download Sysdig Install Script
Once the system is updated, the next step is to download the official script for the installation of Sysdig, for this we will use the curl command and enter the following. We see that the script has been downloaded to the system.
curl https://s3.amazonaws.com/download.draios.com/stable/install-sysdig -o install-sysdig
Since the script will run with root privileges, it is worth reviewing its contents (for example with less ./install-sysdig) before executing it. We then run it by piping it into bash as follows:
cat ./install-sysdig | sudo bash
We can see that the script has installed the dependencies of the application, as well as the kernel module and kernel headers.
Monitor Ubuntu 16 in Real Time with Sysdig
It is important to clarify that Sysdig must be run with root privileges, since it loads a kernel module to capture events.
To execute real-time monitoring, we will use the following command:
sudo sysdig
The output is a continuous stream of events that we can stop at any time with the key combination Ctrl + C.
The syntax of the results issued by Sysdig is as follows:
%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
Now, we explain each field:
- evt.num: The event number, which is incremented line by line.
- evt.outputtime: The time at which the event happened.
- evt.cpu: The number of the CPU on which the event was recorded, for example 0.
- proc.name: The name of the process that triggered the event.
- thread.tid: The ID of the thread that generated the event; for single-threaded processes this is the same as the PID.
- evt.dir: The direction of the event: the symbol > marks the entry into the event (the call) and the symbol < marks its exit (the return).
- evt.type: The name of the event, for example open, read, etc.
- evt.info: The list of arguments of the event.
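As an added example (not part of the original tutorial or of Sysdig itself), the following Python code parses lines in the default output format described above, applies a proc.name style filter and pairs each > entry with its < exit. The sample lines are constructed to match the format, not taken from a real capture.

```python
import re

# Regex for sysdig's default output line:
#   %evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info
LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>\S+) "
    r"\((?P<tid>\d+)\) (?P<dir>[<>]) (?P<type>\S+)(?: (?P<info>.*))?$"
)

# Constructed sample lines in the default sysdig format (not a real capture).
SAMPLE = """\
100 15:42:17.000100000 0 acpid (512) > read fd=3(<f>/dev/input/event0) size=24
101 15:42:17.000100000 0 acpid (512) < read res=24 data=...
102 15:42:17.000200000 1 sshd (900) > open name=/etc/hosts flags=1(O_RDONLY) mode=0
103 15:42:17.000200000 1 sshd (900) < open fd=4(<f>/etc/hosts) name=/etc/hosts flags=1(O_RDONLY) mode=0
104 15:42:17.000300000 0 acpid (512) > close fd=3(<f>/dev/input/event0)
105 15:42:17.000300000 0 acpid (512) < close res=0
"""

def parse_line(line):
    """Return a dict with the seven fields of one output line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["num"], ev["cpu"], ev["tid"] = int(ev["num"]), int(ev["cpu"]), int(ev["tid"])
    ev["info"] = ev["info"] or ""
    return ev

def parse_capture(text):
    """Parse every well-formed line, silently skipping anything that is not an event."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def filter_events(events, **fields):
    """Mimic a simple sysdig filter such as proc.name=acpid or evt.type=open."""
    return [ev for ev in events if all(str(ev[k]) == str(v) for k, v in fields.items())]

def pair_calls(events):
    """Match each '>' (entry) with the next '<' (exit) of the same thread and event type.
    Returns (type, tid, entry_num, exit_num, exit_info) tuples in exit order."""
    pending, pairs = {}, []
    for ev in events:
        key = (ev["tid"], ev["type"])
        if ev["dir"] == ">":
            pending[key] = ev
        elif key in pending:
            enter = pending.pop(key)
            pairs.append((ev["type"], ev["tid"], enter["num"], ev["num"], ev["info"]))
    return pairs
```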
It is possible to apply options and filters to the Sysdig command to obtain more specific results to manage, for this we must use the following syntax:
sudo sysdig [option] [filter]
To see the complete list of filter fields we can use the following command. Each field is listed together with its description.
sysdig -l
As we see, there is a full list of fields; some of the most used classes are:
- proc: With this class we filter on process information, such as its ID or name.
- fd: This class allows us to filter on file descriptor (FD) information.
- evt: With this class we can filter on information about the event, such as its number or the time it happened.
- group: With this class we can filter on group information.
- syslog: With this class we filter on information from syslog, such as the severity and facility of the message.
To see how a filter is used, we will list all the events associated with the acpid process by entering the following:
sudo sysdig proc.name=acpid
We can see that the output now only contains events from the indicated process.
Capture Events & Store them in a File using Sysdig
We may want to store the events that occur in Ubuntu in a file for later analysis.
For this, we will use the following syntax. We have added the -w parameter to indicate the destination file.
sudo sysdig -w FileName.scap
To stop the recording process, we will use the key combination Ctrl + C.
We can add the -n parameter to specify how many events to capture with Sysdig, for this we will use the following syntax:
sudo sysdig -n 300 -w FileName.scap
Now, if we want to split the capture into smaller files, we can use the -C parameter, which starts a new file once the current one reaches the given size in MB, together with -W, which limits how many files are kept before the oldest is overwritten.
In this example, we will save the events in files no larger than 2 MB, keeping at most 5 files:
sudo sysdig -C 2 -W 5 -w File.scap
To list the stored files, we can use the following syntax:
ls -l File.scap*
If we want to record a specific event in a file, for example, acpid, we can use the following syntax. With this syntax, we will record 100 events of the acpid process.
sudo sysdig -n 100 -w File.scap proc.name=acpid
Read & analyze files recorded with Sysdig
Once we want to examine the data that we have stored, we will use the following command to read them:
sudo sysdig -r Archive.scap
In our case, the file is called solvetic.scap, so we use the following line:
sudo sysdig -r solvetic.scap
There we have all the records that have been saved in the file created with Sysdig.
Analyze System in general with Sysdig
Sysdig includes more than 50 scripts, called chisels, that let us carry out various administrative and analysis tasks within the system.
To see the complete list of available chisels, we will use the following command:
sysdig -cl
The chisels are listed grouped by category.
Some of the most used are:
- netstat: Lists the active network connections.
- spy_users: Shows the activity of each user.
- spy_port: Shows the information that has been transmitted on a given port.
- spy_ip: Shows the activity of a given IP address.
- httptop: Displays the HTTP requests generated in the system.
To know more about a chisel, we can use the -i parameter in the following way:
sudo sysdig -i (Chisel)
for example:
sudo sysdig -i netstat
To run a chisel, we will use the -c parameter, as follows; in this example topprocs_cpu lists the processes consuming the most CPU:
sudo sysdig -c topprocs_cpu
Use Csysdig to monitor and analyze Ubuntu 16
Csysdig is a tool included with Sysdig that offers us an interactive, text-based interface for tracking the system.
It fulfils the same functions as Sysdig for capturing and analysing events in real time, and its data is refreshed every two seconds.
To access Csysdig we will use the following command
sudo csysdig
We can see that in the lower part of the console we have different access and visualization options.
To access any of these options just select the corresponding key, for example, to access the Views option, we will use the F2 key.
We can use Sysdig and Csysdig for real-time control of our Ubuntu 16 system and to maintain the best levels of integrity and performance.