sysdig OSS/sysdig CLI Frequently Asked Questions (FAQs)
2. What is sysdig OSS, also known as the sysdig CLI tool?
sysdig OSS (the sysdig CLI) is a command-line tool that captures system calls and other kernel events through a kernel module or eBPF probe, filters them, and lets you analyze them live or from saved trace (.scap) files. Because it sees every process, file and socket operation on the host, it is useful for troubleshooting, performance analysis, forensics and security auditing.
2. How do I install sysdig OSS?
You can install sysdig OSS on Linux from your distribution's package manager or with the installer script published by the project. The one-liner below pipes a remote script into a root shell, so on anything other than a throwaway machine download it first, read it, and then run it:
Bash
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | bash
If you use the kernel module or the legacy eBPF probe, the kernel headers for the running kernel must be installed so the probe can be built; after a kernel upgrade the probe has to be rebuilt for the new kernel. The modern eBPF probe (see question 8) does not need to be built on the host.
3. Do I need root privileges to run sysdig OSS?
Yes. Live capture loads a kernel module or eBPF probe and reads its event buffer, which requires root (or at least CAP_SYS_ADMIN together with the capabilities needed to load the driver). Reading a previously saved trace file with -r needs no driver and no special privileges, so captures taken by an administrator can be analyzed later by an unprivileged user on another machine.
4. How do I capture system events with sysdig OSS?
To start capturing all system events:
Bash
sysdig
To write them to a file:
Bash
sysdig -w capture.scap
To read from a capture file:
Bash
sysdig -r capture.scap
5. How can I filter events in sysdig OSS?
sysdig filters are boolean expressions over event fields such as proc.name, fd.name, evt.type and container.name, combined with and, or and not; comparison operators include =, !=, <, >, contains and in. The filter is passed as the last argument (quote it when it contains spaces) and is applied before events are printed or written to a file, so only matching events reach the output. For example:
Bash
sysdig proc.name=nginx
This shows only events generated by processes whose name is nginx. Run sysdig -l to list every field that can be used in filters and output formats.
6. What are chisels in sysdig OSS?
Chisels are Lua scripts bundled with sysdig OSS that consume the event stream and summarize it for a specific question (top files by I/O, open connections, user activity, and so on). They work both on live captures and on trace files read with -r. To list all chisels:
Bash
sysdig -cl
To run a chisel, pass its name with -c; for example, to list the files with the most bytes read and written:
Bash
sysdig -c topfiles_bytes
7. How do I monitor network connections with sysdig OSS?
Socket events carry fd fields such as fd.type (ipv4, ipv6, unix, ...), fd.sip, fd.sport, fd.cip, fd.cport and fd.l4proto, so you can filter on them directly. For example, to show only IPv4 socket activity:
Bash
sysdig fd.type=ipv4
Or use a chisel; netstat prints the open connections seen in the capture, in a netstat-like table:
Bash
sysdig -c netstat
8. Can sysdig OSS work without installing a kernel module?
Live capture always needs one of sysdig's drivers: the kernel module, the legacy eBPF probe (-B or --bpf), or the modern eBPF probe. The modern probe is embedded in the sysdig binary and does not have to be compiled against your kernel headers, but it requires a recent kernel with BTF support (roughly 5.8 or newer). Reading a trace file with -r needs no driver at all. To use the modern probe:
Bash
sysdig --modern-bpf
9. How do I integrate sysdig OSS with containers?
sysdig OSS is container-aware: events from processes that belong to a container carry container.id, container.name and container.image fields (container.id is "host" for processes outside any container). To restrict output to one container:
Bash
sysdig container.name=mycontainer
You can filter by container ID, image, or name in the same way, and the -pc output format prefixes each line with the container name so host and container activity are easy to tell apart.
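The questions above on capturing to a file, filtering, network and container fields, and offline replay fit together into one workflow: take a bounded, filtered capture as root, then replay it without a driver and run a chisel and a small detection pass over it. The script below is an added example written for this FAQ, not code from the sysdig project. It assumes sysdig OSS is on PATH for the live steps; the file names, the triage filter, the replay format and the "shell spawned inside a container" rule are this script's own choices, and the sample replay output it carries is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of sysdig OSS): bounded, filtered capture followed by
# offline replay, a chisel, and an awk detection pass over the replayed events.
# Assumes: sysdig on PATH for the live steps; everything else is this script's choice.
set -eu

# Events kept for triage: completed execve() calls (exit event, evt.dir=<) and any
# write to a file under /etc. Everything else is dropped before it reaches the file.
TRIAGE_FILTER='(evt.type=execve and evt.dir=<) or (evt.is_io_write=true and fd.name contains /etc/)'

# Replay format: one event per line, container name included so the same command
# serves host and container processes (container.name is "host" outside containers).
REPLAY_FORMAT='%evt.time %container.name %proc.name %evt.type %fd.name'

# Command line for a bounded live capture (needs root). -M stops after N seconds,
# -C splits the file at 50 MB and -W keeps at most 5 files, so a busy host cannot
# fill the disk; -z compresses the trace. The filter is the final positional argument.
capture_cmd() {
  out=$1; seconds=$2
  printf "sysdig -M %d -z -C 50 -W 5 -w %s '%s'" "$seconds" "$out" "$TRIAGE_FILTER"
}

# Command line for replaying a trace file with a custom output format. Reading with
# -r needs neither root nor a loaded driver, so this can run on an analyst workstation.
replay_cmd() {
  printf "sysdig -r %s -p '%s'" "$1" "$REPLAY_FORMAT"
}

# Command line for a chisel over the same trace, fully offline. Default: the
# processes doing the most file I/O.
chisel_cmd() {
  printf 'sysdig -r %s -c %s' "$1" "${2:-topprocs_file}"
}

# Detection pass over REPLAY_FORMAT lines on stdin: print "container proc" for every
# shell executed inside a container (container name other than "host").
flag_container_shells() {
  awk '$2 != "host" && $4 == "execve" && ($3 == "sh" || $3 == "bash" || $3 == "dash") { print $2, $3 }'
}

# Constructed sample of replay output (not from a real host) so the detection pass
# can be exercised without sysdig installed.
SAMPLE_EVENTS='10:01:02.100 host sshd execve <NA>
10:01:03.200 web-1 nginx write /etc/nginx/conf.d/site.conf
10:01:04.300 web-1 sh execve <NA>
10:01:05.400 host bash execve <NA>
10:01:06.500 db-1 bash execve <NA>'

# Run the constructed sample through the detector and return the number of hits.
demo_hits() {
  printf '%s\n' "$SAMPLE_EVENTS" | flag_container_shells | wc -l | tr -d ' '
}

main() {
  cap=/tmp/triage.scap
  if [ "$(id -u)" -ne 0 ] || ! command -v sysdig >/dev/null 2>&1; then
    echo "live capture needs root and sysdig on PATH; commands that would run:" >&2
    capture_cmd "$cap" 60; echo
    replay_cmd "$cap"; echo
    chisel_cmd "$cap"; echo
  else
    eval "$(capture_cmd "$cap" 60)"                      # 60-second filtered capture
    eval "$(replay_cmd "$cap")" | flag_container_shells  # shells spawned in containers
    eval "$(chisel_cmd "$cap")"                          # top file-I/O processes
  fi
  echo "detection hits on the constructed sample: $(demo_hits)"
}

# Invoke as "sh sysdig-triage.sh run" to execute the workflow.
if [ "${1:-}" = run ]; then main "$@"; fi
```

The capture step is the only one that needs root and a driver; the replay, chisel and detection steps read the .scap file and can be moved to another host. The -C/-W rotation is deliberate: an unbounded sysdig -w on a busy host can exhaust disk in minutes, and a capture that fills the root filesystem is itself an incident.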
10. Where can I find sysdig OSS documentation and examples? Is there a community?
The source code, README and wiki (including the filter field reference and chisel documentation) are on GitHub:
https://github.com/draios/sysdig
You can also check:
Bash
man sysdig
sysdig -h
for the full list of options, output formats and usage examples.
Come join the Sysdig Open Source Community @ https://community.sysdig.com
It's a place built to empower analysts, engineers, and innovators for the future of security.