How To Monitor Ubuntu 16.04/16.10 with Sysdig

Control everything that happens in your system and learn how to monitor Ubuntu 16  and see all its processes with Sysdig and Csysdig.

What is Sysdig?

Sysdig is a free open source tool whose purpose is to explore the behavior of the system, capture the state of the system in real time, analyze the instances that are being executed in Linux to create a filter and save this information to obtain a result about the behavior of it.

Sysdig is written in an LUA script and contains a command line. Among its main features we have:

  • Fast and stable
  • Simple to use
  • A wide range of the system.
  • Flexible.
  • Adaptable to the current workflow.
  • It can be installed on Windows and Mac OS systems.

By default, Sysdig analyzes the server where it is installed, but we can use the Sysdig Cloud tool to manage computers remotely.

Update Ubuntu 16

It is essential that before installing any application or utility in the system we update its packages and repositories, for this we will use the following command:

sudo apt-get update

Download Sysdig Install Script

Once the system is updated, the next step is to download the official script for the installation of Sysdig, for this we will use the curl command and enter the following. We see that the script has been downloaded to the system.

curl -o install-sysdig

Proceed to its execution using the cat command as follows:

cat ./install-sysdig | sudo bash

We can see that the script has installed the dependencies of the application, as well as the modules and kernel headers.

Monitor Ubuntu 16 in Real Time with Sysdig

It is important to clarify that to use the Sysdig command it must be with root privileges so that its operation is optimal.

To execute real-time monitoring, we will use the following command:

sudo sysdig

It is an entirely extensive list that we can stop when we want using the following key combination: Ctrl +C

The syntax of the results issued by Sysdig is as follows:

% evt.num% evt.outputtime% evt.cpu% (% thread.tid)% evt.dir% evt.type%

Now, we explain each event:

  • Evt.num: It is the event number which is incremented line by line.
  • Evt. Outputtime: Indicates the time at which the event happened.
  • Evt. Cpu: It is the CPU number where the event was registered, for example, 0.
  • Proc. Name: It refers to the process that triggered the event, for example, and.
  • Thread. Tid: Indicates the TID that generated the process, which corresponds to the PID of single-thread processes.
  • Evt. Dir: It is the address where the event happened, the symbol> represents the event entry and the symbol <the event exit.
  • Evt. Type: It refers to the name of the event, for example open, read, etc.
  • Evt. Info: List the arguments of the event.

It is possible to apply options and filters to the Sysdig command to obtain more specific results to manage, for this we must use the following syntax:

sudo sysdig [option] [filter]

To see the complete list of filters we can use the following command. We recognize that the filter and its respective description are listed.

sysdig -l

As we see there is a full list of options some of the most used classes are:

  • Process: With this class, we filter the process information as your ID or name.
  • Fd: This option allows us to filter the file descriptor (FD) information.
  • Evt: Using this class we can filter information about the event as event number or date it happened.
  • Group: Thanks to this class we can filter group information.
  • Syslog: With this parameter, we filter information from the syslog , such as severity and installation of the event.

To see how to use the filter, we will see all the events associated with the acpid process, for which we enter the following.

We can see that the indicated process has filtered it.

sudo sysdig

Capture Events & Store them in a File using Sysdig

We may want to store the events that occur in Ubuntu in a file for later analysis.

For this, we will use the following syntax. We have added the -w parameter to indicate the destination file.

sudo sysdig -w FileName.scap

To stop the recording process, we will use the key combination Ctrl + C. 

We can add the -n parameter to specify how many events to capture with Sysdig, for this we will use the following syntax:

sudo sysdig -n 300 -w FileName.scap

Now, if we want to take these captures in smaller files, we can use the -C parameter in the following way.

In this example, we will save the events in files no larger than 2 MB.

sudo sysdig -C 2 -W 5 -w File.scap

To list the stored files, we can use the following syntax:

ls -l File_Name *

If we want to record a specific event in a file, for example, acpid, we can use the following syntax. With this syntax, we will record 100 events of the acpid process.

sudo sysdig -n 100 -w File.scap

Read & analyze files recorded with Sysdig

Once we want to examine the data that we have stored, we will use the following command to read them:

sudo sysdig -r Archive.scap

In this case, we will use the next line:

sudo sysdig -r solvetic.scap

There we have all the records that have been saved in the file created with Sysdig.

Analyze System in general with Sysdig

Sysdig includes more than 50 scripts that give us the possibility of executing various administrative tasks within the system.

To see the complete list of available commands, we will use the following command:

sysdig -cl

The result obtained will be the following:

We can see that categories segment each command.

Some of the most used are:

  • Netstat: It allows us to list the active network connections.
  • Spy_users: It allows us to see the activity of each user.
  • Spy_port: It shows the information that has been transmitted to each port.
  • Spy_IP: Shows the activity of the IP address.
  • Httptop: Displays HTTP requests generated in the system.

To know more about each command we can use the -i parameter, in the following way

sudo sysdig -i (Command)

for example:

sudo sysdig -i netstat

To see in detail the operation of the command, we will use the -c parameter, as follows

sudo sysdig -c topprocs_cpu

Use Csysdig to monitor and analyze Ubuntu 16

Csysdig is a tool that is included within Sysdig which offers us the possibility of tracking the system graphically.
It fulfills the same functions of Sysdig when capturing events in real time, analysis and its data are refreshed every two seconds.

To access Csysdig we will use the following command

sudo csysdig

We can see that in the lower part of the console we have different access and visualization options.

To access any of these options just select the corresponding key, for example, to access the Views option, we will use the F2 key.

IWe can use Sysdig and Csysdig for real-time control of our Ubuntu 16 system and maintain the best levels of integrity and optimization.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *