What is Sysdig?
In some situations you may need to trace the system calls made and received by a process; what is the first thing that comes to mind for that? Your answer is probably strace, and rightly so. If you are not familiar with strace, you can read my post on it.
Which tool would you use to watch raw network traffic from the command line? If you know it, tcpdump is again the right choice. (In Unix everything is a file.)
When we have to keep an eye on open files, the first tool we reach for is lsof. You can have a look at the post I shared earlier about lsof.
Sysdig is an open-source, advanced tool that runs on Linux (RHEL, Debian, containers), OS X and Windows; it brings under one roof the classic but genuinely great tools sysadmins use all the time, such as strace, tcpdump and lsof (strace+tcpdump+lsof+iftop+htop), and adds many other capabilities and features.
It also has a very nice filtering system. With it we can display only the system calls (syscalls) and events that match the criteria we specify, or, if we prefer, write them to a file (a trace file). These trace files can then be analysed on other platforms such as Mac OS X or Windows.
Another nice feature of Sysdig is the analysis scripts it calls “chisels”. These are scripts written in Lua that make sense of the collected data; they are a mechanism you can use to get detailed information about your system, and you can develop your own scripts for your analysis needs. You will understand this part better from the examples at the end of the post.
In this post we will look at installing sysdig and at its basic usage for Linux system monitoring and troubleshooting.
Installing Sysdig
For this post, for the sake of brevity and simplicity, I chose to use the automatic installation described on the official website.
To install sysdig it is enough to run the command below with sudo; everything is installed automatically. See that page for all the installation options.
```
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash
```
Using Sysdig
Once the installation is complete, the most primitive use of sysdig is to run the sysdig command directly from the command line.
```
# sysdig
```
```
51566 21:25:58.543390176 0 systemd-journal (717) < read res=0 data=
51567 21:25:58.543391247 0 systemd-journal (717) > close fd=12(<f>/proc/3475/sessionid)
51568 21:25:58.543391677 0 systemd-journal (717) < close res=0
51569 21:25:58.543392498 0 systemd-journal (717) > munmap addr=7F3FFF1C8000 length=4096
51570 21:25:58.543396570 0 systemd-journal (717) < munmap res=0 vm_size=34884 vm_rss=2176 vm_swap=128
51571 21:25:58.543401235 0 systemd-journal (717) > open
51572 21:25:58.543418728 0 systemd-journal (717) < open fd=12(<f>/proc/3475/loginuid) name=/proc/3475/loginuid flags=4097(O_RDONLY|O_CLOEXEC) mode=0
51573 21:25:58.543419999 0 systemd-journal (717) > fstat fd=12(<f>/proc/3475/loginuid)
51574 21:25:58.543420558 0 systemd-journal (717) < fstat res=0
51575 21:25:58.543420948 0 systemd-journal (717) > mmap addr=0 length=4096 prot=3(PROT_READ|PROT_WRITE) flags=10(MAP_PRIVATE|MAP_ANONYMOUS) fd=4294967295 offset=0
51576 21:25:58.543422767 0 systemd-journal (717) < mmap res=7F3FFF1C8000 vm_size=34888 vm_rss=2176 vm_swap=128
51577 21:25:58.543423255 0 systemd-journal (717) > read fd=12(<f>/proc/3475/loginuid) size=1024
51578 21:25:58.543427096 0 systemd-journal (717) < read res=10 data=4294967295
51579 21:25:58.543427952 0 systemd-journal (717) > read fd=12(<f>/proc/3475/loginuid) size=1024
51580 21:25:58.543428397 0 systemd-journal (717) < read res=0 data=
51581 21:25:58.543429281 0 systemd-journal (717) > close fd=12(<f>/proc/3475/loginuid)
51582 21:25:58.543429588 0 systemd-journal (717) < close res=0
51583 21:25:58.543430815 0 systemd-journal (717) > munmap addr=7F3FFF1C8000 length=4096
51584 21:25:58.543434951 0 systemd-journal (717) < munmap res=0 vm_size=34884 vm_rss=2176 vm_swap=128
51585 21:25:58.543439530 0 systemd-journal (717) > open
51586 21:25:58.543444291 0 systemd-journal (717) < open fd=12(<f>/proc/3475/cgroup) name=/proc/3475/cgroup flags=4097(O_RDONLY|O_CLOEXEC) mode=0
51587 21:25:58.543445172 0 systemd-journal (717) > fstat fd=12(<f>/proc/3475/cgroup)
51588 21:25:58.543445616 0 systemd-journal (717) < fstat res=0
51589 21:25:58.543446094 0 systemd-journal (717) > mmap addr=0 length=4096 prot=3(PROT_READ|PROT_WRITE) flags=10(MAP_PRIVATE|MAP_ANONYMOUS) fd=4294967295 offset=0
51590 21:25:58.543447318 0 systemd-journal (717) < mmap res=7F3FFF1C8000 vm_size=34888 vm_rss=2176 vm_swap=128
51591 21:25:58.543448096 0 systemd-journal (717) > read fd=12(<f>/proc/3475/cgroup) size=1024
51592 21:25:58.543458323 0 systemd-journal (717) < read res=234 data=10:hugetlb:/.9:net_cls:/.8:perf_event:/.7:devices:/.6:cpuacct,cpu:/system.slice/
51593 21:25:58.543462848 0 systemd-journal (717) > close fd=12(<f>/proc/3475/cgroup)
51594 21:25:58.543463274 0 systemd-journal (717) < close res=0
51595 21:25:58.543464719 0 systemd-journal (717) > munmap addr=7F3FFF1C8000 length=4096
51596 21:25:58.543468600 0 systemd-journal (717) < munmap res=0 vm_size=34884 vm_rss=2176 vm_swap=128
51597 21:25:58.543524958 0 systemd-journal (717) > ftruncate
51598 21:25:58.543539047 0 systemd-journal (717) < ftruncate
51599 21:25:58.543543029 0 systemd-journal (717) > epoll_wait maxevents=24
51600 21:25:58.543548575 0 systemd-journal (717) > switch next=879(in:imjournal) pgft_maj=7 pgft_min=394716 vm_size=34884 vm_rss=2176 vm_swap=128
51601 21:25:58.543553999 0 in:imjournal (879) < poll res=1 fds=4:i1
51602 21:25:58.543561591 0 in:imjournal (879) > read fd=4(<i>) size=272
51603 21:25:58.543565250 0 in:imjournal (879) < read res=32 data=................system.journal..
51604 21:25:58.543573539 0 in:imjournal (879) > read fd=4(<i>) size=272
51605 21:25:58.543574133 0 in:imjournal (879) < read res=-11(EAGAIN) data=
51606 21:25:58.543646921 0 in:imjournal (879) > futex addr=7F47E5774E94 op=133(FUTEX_PRIVATE_FLAG|FUTEX_WAKE_OP) val=1
51607 21:25:58.543652773 0 in:imjournal (879) < futex res=1
51608 21:25:58.543655430 0 in:imjournal (879) > poll fds=4:i1 timeout=4294967295
51609 21:25:58.543658533 0 in:imjournal (879) > switch next=880(rs:main) pgft_maj=0 pgft_min=11014 vm_size=327176 vm_rss=3604 vm_swap=0
51610 21:25:58.543660635 0 rs:main (880) < futex res=0
51611 21:25:58.543661955 0 rs:main (880) > futex addr=7F47E5775060 op=129(FUTEX_PRIVATE_FLAG|FUTEX_WAKE) val=1
51612 21:25:58.543662915 0 rs:main (880) < futex res=0
51613 21:25:58.543675134 0 rs:main (880) > write fd=3(<f>/var/log/messages) size=210
51614 21:25:58.543695768 0 rs:main (880) < write res=210 data=Nov 16 21:25:58 localhost kube-apiserver: E1116 21:25:58.541290 3475 generica
51615 21:25:58.543707751 0 rs:main (880) > futex addr=7F47E5774E94 op=128(FUTEX_PRIVATE_FLAG) val=31759
51616 21:25:58.543710637 0 rs:main (880) > switch next=3476(kube-apiserver) pgft_maj=0 pgft_min=17 vm_size=327176 vm_rss=3604 vm_swap=0
51617 21:25:58.543713363 0 kube-apiserver (3476) < select res=0
51618 21:25:58.543715643 0 kube-apiserver (3476) > futex addr=283F810 op=0(FUTEX_WAIT) val=0
51619 21:25:58.543719814 0 kube-apiserver (3476) > switch next=3474(etcd) pgft_maj=0 pgft_min=2 vm_size=75860 vm_rss=36636 vm_swap=64
51620 21:25:58.543722132 0 etcd (3474) < futex res=-110(ETIMEDOUT)
51621 21:25:58.543729617 0 etcd (3474) > futex addr=1493CB0 op=1(FUTEX_WAKE) val=1
51622 21:25:58.543733599 0 etcd (3474) < futex res=1
51623 21:25:58.543742397 0 etcd (3474) > futex addr=C82019F108 op=1(FUTEX_WAKE) val=1
51624 21:25:58.543746085 0 etcd (3474) < futex res=1
51625 21:25:58.543747284 0 etcd (3474) > futex addr=1493938 op=0(FUTEX_WAIT) val=0
51626 21:25:58.543749916 0 etcd (3474) > switch next=3465(etcd) pgft_maj=0 pgft_min=1262 vm_size=28776 vm_rss=13840 vm_swap=0
51627 21:25:58.543751862 0 etcd (3465) < futex res=0
51628 21:25:58.543754276 0 etcd (3465) > select
51629 21:25:58.543759765 0 etcd (3465) > switch next=3473(etcd) pgft_maj=0 pgft_min=3 vm_size=28776 vm_rss=13840 vm_swap=0
51661 21:25:58.543948682 0 systemd (1) < close res=0
51662 21:25:58.543950238 0 systemd (1) > munmap addr=7F91A3AA5000 length=4096
51663 21:25:58.543955069 0 systemd (1) < munmap res=0 vm_size=43696 vm_rss=6108 vm_swap=0
```
The system calls and events happening at that moment then flow across the screen. In this output every event is shown as one line, and each line prints the following pieces of information, in this order:
```
%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args
```
The meaning of each field is as follows:
- evt.num : event number
- evt.time : event timestamp
- evt.cpu : the number of the CPU core on which the event ran
- proc.name : process name
- thread.tid : thread ID (the PID for single-threaded processes)
- evt.dir : event direction, > for enter events and < for exit events
- evt.type : event type, e.g. ‘open’, ‘read’, ‘write’
- evt.args : the arguments the event took
Sysdig Filter (class.field) Parameters
Using sysdig as shown above, displaying every system event, makes thousands of events scroll past at once and leaves you lost in the stream; to get rid of this inefficiency we know from strace, sysdig has a very advanced filtering system.
With it we can filter thousands of system calls down to the finest detail and run very specific searches.
For example, to view the activity of the vim command you can use sysdig as follows:
```
[root@kubernetes ~]# sysdig proc.name=vim
```
If you run the command above and then run a vim command like the one below,
```
[root@kubernetes ~]# vim /etc/kubernetes/config
```
you will see output similar to this:
```
39746 22:17:18.308356450 0 vim (35136) < execve res=0 exe=vim args=/etc/kubernetes/config. tid=35136(vim) pid=35136(vim) ptid=34254(bash) cwd= fdlimit=1024 pgft_maj=1 pgft_min=60 vm_size=2548 vm_rss=4 vm_swap=0 comm=vim cgroups=cpuset=/.cpu_cgroup=/user.slice/user-0.slice/session-12.scope.cpuacct=/user.s... env=XDG_SESSION_ID=12.HOSTNAME=kubernetes.omeroner.com.SELINUX_ROLE_REQUESTED=.TE...
39747 22:17:18.308391765 0 vim (35136) > brk addr=0
39748 22:17:18.308393582 0 vim (35136) < brk res=2023000 vm_size=2548 vm_rss=4 vm_swap=0
39749 22:17:18.308416718 0 vim (35136) > switch next=0 pgft_maj=1 pgft_min=76 vm_size=2548 vm_rss=4 vm_swap=0
39751 22:17:18.308689101 0 vim (35136) > mmap addr=0 length=4096 prot=3(PROT_READ|PROT_WRITE) flags=10(MAP_PRIVATE|MAP_ANONYMOUS) fd=4294967295 offset=0
39752 22:17:18.308694339 0 vim (35136) < mmap res=7F70CF47F000 vm_size=2552 vm_rss=4 vm_swap=0
39753 22:17:18.309157327 0 vim (35136) > switch next=0 pgft_maj=1 pgft_min=84 vm_size=2552 vm_rss=4 vm_swap=0
39755 22:17:18.311538712 0 vim (35136) > access mode=4(R_OK)
39756 22:17:18.311554312 0 vim (35136) < access res=-2(ENOENT) name=/etc/ld.so.preload
39757 22:17:18.311564004 0 vim (35136) > open
39758 22:17:18.311831505 0 vim (35136) > switch next=138 pgft_maj=2 pgft_min=93 vm_size=2552 vm_rss=4 vm_swap=0
39763 22:17:18.312259882 0 vim (35136) < open fd=-2(ENOENT) name=/usr/lib64/perl5/CORE/tls/x86_64/libm.so.6 flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39764 22:17:18.312261784 0 vim (35136) > stat
39765 22:17:18.312264472 0 vim (35136) < stat res=-2(ENOENT) path=/usr/lib64/perl5/CORE/tls/x86_64
39766 22:17:18.312265868 0 vim (35136) > open
39767 22:17:18.312267284 0 vim (35136) < open fd=-2(ENOENT) name=/usr/lib64/perl5/CORE/tls/libm.so.6 flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39768 22:17:18.312267766 0 vim (35136) > stat
39769 22:17:18.312268472 0 vim (35136) < stat res=-2(ENOENT) path=/usr/lib64/perl5/CORE/tls
39770 22:17:18.312268963 0 vim (35136) > open
39771 22:17:18.312274446 0 vim (35136) < open fd=-2(ENOENT) name=/usr/lib64/perl5/CORE/x86_64/libm.so.6 flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39772 22:17:18.312275033 0 vim (35136) > stat
39773 22:17:18.312275856 0 vim (35136) < stat res=-2(ENOENT) path=/usr/lib64/perl5/CORE/x86_64
39774 22:17:18.312276309 0 vim (35136) > open
39775 22:17:18.312279823 0 vim (35136) < open fd=-2(ENOENT) name=/usr/lib64/perl5/CORE/libm.so.6 flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39776 22:17:18.312280251 0 vim (35136) > stat
39777 22:17:18.312281714 0 vim (35136) < stat res=0 path=/usr/lib64/perl5/CORE
39778 22:17:18.312282496 0 vim (35136) > open
39779 22:17:18.312287408 0 vim (35136) < open fd=3(<f>/etc/ld.so.cache) name=/etc/ld.so.cache flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39780 22:17:18.312287815 0 vim (35136) > fstat fd=3(<f>/etc/ld.so.cache)
39781 22:17:18.312289127 0 vim (35136) < fstat res=0
39782 22:17:18.312289498 0 vim (35136) > mmap addr=0 length=20558 prot=1(PROT_READ) flags=2(MAP_PRIVATE) fd=3(<f>/etc/ld.so.cache) offset=0
39783 22:17:18.312295641 0 vim (35136) < mmap res=7F70CF479000 vm_size=2576 vm_rss=4 vm_swap=0
39784 22:17:18.312296095 0 vim (35136) > close fd=3(<f>/etc/ld.so.cache)
39785 22:17:18.312296743 0 vim (35136) < close res=0
39786 22:17:18.312306440 0 vim (35136) > open
39787 22:17:18.312312205 0 vim (35136) < open fd=3(<f>/lib64/libm.so.6) name=/lib64/libm.so.6 flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39788 22:17:18.312312655 0 vim (35136) > read fd=3(<f>/lib64/libm.so.6) size=832
39789 22:17:18.312315890 0 vim (35136) < read res=832 data=.ELF..............>......T......@.......8b..........@.8...@.$.#[email protected]
39790 22:17:18.312317512 0 vim (35136) > fstat fd=3(<f>/lib64/libm.so.6)
39791 22:17:18.312317913 0 vim (35136) < fstat res=0
39792 22:17:18.312320024 0 vim (35136) > mmap addr=0 length=3150168 prot=5(PROT_READ|PROT_EXEC) flags=1026(MAP_PRIVATE|MAP_DENYWRITE) fd=3(<f>/lib64/libm.so.6) offset=0
39793 22:17:18.312322606 0 vim (35136) < mmap res=7F70CEF5D000 vm_size=5656 vm_rss=4 vm_swap=0
39794 22:17:18.312323031 0 vim (35136) > mprotect
39795 22:17:18.312328401 0 vim (35136) < mprotect
39796 22:17:18.312328779 0 vim (35136) > mmap addr=7F70CF25D000 length=8192 prot=3(PROT_READ|PROT_WRITE) flags=1030(MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE) fd=3(<f>/lib64/libm.so.6) offset=1048576
39797 22:17:18.312333683 0 vim (35136) < mmap res=7F70CF25D000 vm_size=5656 vm_rss=172 vm_swap=0
39798 22:17:18.312343629 0 vim (35136) > close fd=3(<f>/lib64/libm.so.6)
39799 22:17:18.312344827 0 vim (35136) < close res=0
39800 22:17:18.312349969 0 vim (35136) > open
39801 22:17:18.312356860 0 vim (35136) < open fd=-2(ENOENT) name=/usr/lib64/perl5/CORE/libselinux.so.1 flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39802 22:17:18.312359181 0 vim (35136) > open
39803 22:17:18.312361824 0 vim (35136) < open fd=3(<f>/lib64/libselinux.so.1) name=/lib64/libselinux.so.1 flags=4097(O_RDONLY|O_CLOEXEC) mode=0
39804 22:17:18.312362233 0 vim (35136) > read fd=3(<f>/lib64/libselinux.so.1) size=832
39805 22:17:18.312363365 0 vim (35136) < read res=832 data=.ELF..............>......d......@.......07..........@.8...@.....................
39806 22:17:18.312364038 0 vim (35136) > fstat fd=3(<f>/lib64/libselinux.so.1)
39807 22:17:18.312364497 0 vim (35136) < fstat res=0
39808 22:17:18.312364911 0 vim (35136) > mmap addr=0 length=4096 prot=3(PROT_READ|PROT_WRITE) flags=10(MAP_PRIVATE|MAP_ANONYMOUS) fd=4294967295 offset=0
```
Because sysdig's filter syntax supports the standard comparison operators (=, !=, <, <=, >, >=) and the boolean operators (“and”, “or” and “not”), extending a filter is very easy.
For example, to view the activity of both the cat and vim commands, the command can be used like this:
```
[root@kubernetes ~]# sysdig proc.name=vim or proc.name=cat
```
or, to view the files closed by every process other than ping, the example is:
```
[root@kubernetes ~]# sysdig proc.name!=ping and evt.type=close
```
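To make the default output format and the filter semantics from the two sections above concrete, here is an added Python example (written for this post; it is not sysdig's code). It parses lines in the default `%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args` layout into the class.field names listed earlier and evaluates sysdig-style filters (the six comparison operators combined with and, or, not and parentheses) over a constructed trace, so you can see exactly which events `proc.name=vim or proc.name=cat` and `proc.name!=ping and evt.type=close` accept without running a kernel module. The sample trace, the function names and the operator precedence (not binds tightest, then and, then or) are assumptions of this example; sysdig's real engine has many more fields (see `sysdig -l`) and operators that this model does not implement.

```python
"""Added example (not sysdig's own code): parse sysdig's default output lines
and apply sysdig-style filters to them offline. Everything here is a model."""
import re

# Constructed sample trace (not a real capture), in sysdig's default format:
# %evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args
SAMPLE_TRACE = """\
100 22:17:18.308356450 0 vim (35136) < open fd=3(<f>/etc/kubernetes/config) name=/etc/kubernetes/config flags=1(O_RDONLY) mode=0
101 22:17:18.308391765 0 vim (35136) > read fd=3(<f>/etc/kubernetes/config) size=4096
102 22:17:18.308393582 0 cat (35140) > open
103 22:17:18.308416718 0 ping (35150) > close fd=4(<f>/etc/hosts)
104 22:17:18.308689101 0 ping (35150) < close res=0
105 22:17:18.308694339 1 vim (35136) > close fd=3(<f>/etc/kubernetes/config)
106 22:17:18.309157327 1 vim (35136) < close res=0
"""

LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+) (?P<cpu>\d+) (?P<proc>\S+) "
    r"\((?P<tid>\d+)\) (?P<dir>[<>]) (?P<type>\S+)(?: (?P<args>.*))?$"
)


def parse_line(line):
    """Map one output line onto the class.field names used in filters."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a sysdig default-format line: %r" % line)
    return {
        "evt.num": int(m["num"]),
        "evt.time": m["time"],
        "evt.cpu": int(m["cpu"]),
        "proc.name": m["proc"],
        "thread.tid": int(m["tid"]),
        "evt.dir": m["dir"],          # '>' = enter event, '<' = exit event
        "evt.type": m["type"],
        "evt.args": m["args"] or "",  # enter events may carry no arguments
    }


def parse_trace(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


# Tokens: parentheses, a comparison "field op value", or a boolean keyword.
TOKEN_RES = [
    ("LPAR", re.compile(r"\(")),
    ("RPAR", re.compile(r"\)")),
    ("CMP", re.compile(r"([A-Za-z0-9_.]+)\s*(!=|<=|>=|=|<|>)\s*([^\s()]+)")),
    ("KW", re.compile(r"(?:and|or|not)\b")),
]


def tokenize(expr):
    pos, tokens = 0, []
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        for kind, rx in TOKEN_RES:
            m = rx.match(expr, pos)
            if m:
                tokens.append((kind, m.groups() if kind == "CMP" else m.group(0)))
                pos = m.end()
                break
        else:
            raise ValueError("bad filter syntax near %r" % expr[pos:])
    return tokens


class _Parser:
    """expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := 'not' factor | '(' expr ')' | comparison  (assumed precedence)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self._peek() == ("KW", "or"):
            self._take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self._peek() == ("KW", "and"):
            self._take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind, val = self._take()
        if kind == "KW" and val == "not":
            return ("not", self.factor())
        if kind == "LPAR":
            node = self.expr()
            if self._take()[0] != "RPAR":
                raise ValueError("missing ')'")
            return node
        if kind == "CMP":
            return ("cmp",) + val      # ("cmp", field, op, value)
        raise ValueError("unexpected token %r" % (val,))


OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def _coerce(lhs, rhs):
    """Compare as numbers when both sides are numeric, otherwise as strings."""
    try:
        return float(lhs), float(rhs)
    except ValueError:
        return str(lhs), str(rhs)


def evaluate(node, event):
    kind = node[0]
    if kind == "cmp":
        _, field, op, value = node
        if field not in event:
            raise KeyError("field %s is not parsed by this example" % field)
        a, b = _coerce(event[field], value)
        return OPS[op](a, b)
    if kind == "not":
        return not evaluate(node[1], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    return evaluate(node[1], event) or evaluate(node[2], event)


def sysdig_filter(events, expr):
    """Return the events accepted by a sysdig-style filter expression."""
    parser = _Parser(tokenize(expr))
    tree = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("trailing tokens in filter: %r" % expr)
    return [e for e in events if evaluate(tree, e)]


def evt_nums(events):
    return [e["evt.num"] for e in events]


if __name__ == "__main__":
    events = parse_trace(SAMPLE_TRACE)
    for flt in ("proc.name=vim", "proc.name=vim or proc.name=cat",
                "proc.name!=ping and evt.type=close"):
        print("%-40s -> %s" % (flt, evt_nums(sysdig_filter(events, flt))))
```

Running the block prints, for each of the three filters, the event numbers it keeps from the constructed trace; the second filter keeps the vim and cat events and the third keeps only vim's close enter/exit pair, since ping's close events are excluded by `proc.name!=ping`. Numeric fields such as evt.num and evt.cpu compare as numbers, so `evt.num>=104` works as a range test the way the post describes for the comparison operators.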
We can list all the filter (class.field) options with the following command:
```
# sysdig -l
```
```
----------------------
Field Class: fd

fd.num                 the unique number identifying the file descriptor.
fd.type                type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' or 'signal fd'.
fd.typechar            type of FD as a single character. Can be 'f' for file, 4 for IP v4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for inotify, 'o' for uknown.
fd.name                FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple.
fd.directory           If the fd is a file, the directory that contains it.
fd.filename            If the fd is a file, the filename without the path.
fd.ip                  matches the ip address (client or server) of the fd.
fd.cip                 client IP address.
fd.sip                 server IP address.
fd.lip                 local IP address.
fd.rip                 remote IP address.
fd.port                (FILTER ONLY) matches the port (either client or server) of the fd.
fd.cport               for TCP/UDP FDs, the client port.
fd.sport               for TCP/UDP FDs, server port.
fd.lport               for TCP/UDP FDs, the local port.
fd.rport               for TCP/UDP FDs, the remote port.
fd.l4proto             the IP protocol of a socket. Can be 'tcp', 'udp', 'icmp' or 'raw'.
fd.sockfamily          the socket family for socket events. Can be 'ip' or 'unix'.
fd.is_server           'true' if the process owning this FD is the server endpoint in the connection.
fd.uid                 a unique identifier for the FD, created by chaining the FD number and the thread ID.
fd.containername       chaining of the container ID and the FD name. Useful when trying to identify which container an FD belongs to.
fd.containerdirectory  chaining of the container ID and the directory name. Useful when trying to identify which container a directory belongs to.
fd.proto               (FILTER ONLY) matches the protocol (either client or server) of the fd.
fd.cproto              for TCP/UDP FDs, the client protocol.
fd.sproto              for TCP/UDP FDs, server protocol.
fd.lproto              for TCP/UDP FDs, the local protocol.
fd.rproto              for TCP/UDP FDs, the remote protocol.
fd.net                 matches the IP network (client or server) of the fd.
fd.cnet                client IP network.
fd.snet                server IP network.
fd.lnet                local IP network.
fd.rnet                remote IP network.

----------------------
Field Class: process

proc.pid               the id of the process generating the event.
proc.exe               the first command line argument (usually the executable name or a custom one).
proc.name              the name (excluding the path) of the executable generating the event.
proc.args              the arguments passed on the command line when starting the process generating the event.
proc.env               the environment variables of the process generating the event.
proc.cmdline           full process command line, i.e. proc.name + proc.args.
proc.exeline           full process command line, with exe as first argument, i.e. proc.exe + proc.args.
proc.cwd               the current working directory of the event.
proc.nthreads          the number of threads that the process generating the event currently has, including the main process thread.
proc.nchilds           the number of child threads that the process generating the event currently has. This excludes the main process thread.
proc.ppid              the pid of the parent of the process generating the event.
proc.pname             the name (excluding the path) of the parent of the process generating the event.
proc.apid              the pid of one of the process ancestors. E.g. proc.apid[1] returns the parent pid, proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the current process. proc.apid without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.apid=1234.
proc.aname             the name (excluding the path) of one of the process ancestors. E.g. proc.aname[1] returns the parent name, proc.aname[2] returns the grandparent name, and so on. proc.aname[0] is the name of the current process. proc.aname without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aname=bash.
proc.loginshellid      the pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate different user sessions, and is useful in conjunction with chisels like spy_user.
proc.duration          number of nanoseconds since the process started.
proc.fdopencount       number of open FDs for the process
proc.fdlimit           maximum number of FDs the process can open.
proc.fdusage           the ratio between open FDs and maximum available FDs for the process.
proc.vmsize            total virtual memory for the process (as kb).
proc.vmrss             resident non-swapped memory for the process (as kb).
proc.vmswap            swapped memory for the process (as kb).
thread.pfmajor         number of major page faults since thread start.
thread.pfminor         number of minor page faults since thread start.
thread.tid             the id of the thread generating the event.
thread.ismain          'true' if the thread generating the event is the main one in the process.
thread.exectime        CPU time spent by the last scheduled thread, in nanoseconds. Exported by switch events only.
thread.totexectime     Total CPU time, in nanoseconds since the beginning of the capture, for the current thread. Exported by switch events only.
thread.cgroups         all the cgroups the thread belongs to, aggregated into a single string.
thread.cgroup          the cgroup the thread belongs to, for a specific subsystem. E.g. thread.cgroup.cpuacct.
thread.vtid            the id of the thread generating the event as seen from its current PID namespace.
proc.vpid              the id of the process generating the event as seen from its current PID namespace.
thread.cpu             the CPU consumed by the thread in the last second.
thread.cpu.user        the user CPU consumed by the thread in the last second.
thread.cpu.system      the system CPU consumed by the thread in the last second.
thread.vmsize          For the process main thread, this is the total virtual memory for the process (as kb). For the other threads, this field is zero.
thread.vmrss           For the process main thread, this is the resident non-swapped memory for the process (as kb). For the other threads, this field is zero.
proc.sid               the session id of the process generating the event.
proc.sname             the name of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.

----------------------
Field Class: evt

evt.num                event number.
evt.time               event timestamp as a time string that includes the nanosecond part.
evt.time.s             event timestamp as a time string with no nanoseconds.
evt.datetime           event timestamp as a time string that includes the date.
evt.rawtime            absolute event timestamp, i.e. nanoseconds from epoch.
evt.rawtime.s          integer part of the event timestamp (e.g. seconds since epoch).
evt.rawtime.ns         fractional part of the absolute event timestamp.
evt.reltime            number of nanoseconds from the beginning of the capture.
evt.reltime.s          number of seconds from the beginning of the capture.
evt.reltime.ns         fractional part (in ns) of the time from the beginning of the capture.
evt.latency            delta between an exit event and the correspondent enter event, in nanoseconds.
evt.latency.s          integer part of the event latency delta.
evt.latency.ns         fractional part of the event latency delta.
evt.latency.human      delta between an exit event and the correspondent enter event, as a human readable string (e.g. 10.3ms).
evt.deltatime          delta between this event and the previous event, in nanoseconds.
evt.deltatime.s        integer part of the delta between this event and the previous event.
evt.deltatime.ns       fractional part of the delta between this event and the previous event.
evt.outputtime         this depends on -t param, default is %evt.time ('h').
evt.dir                event direction can be either '>' for enter events or '<' for exit events.
evt.type               The name of the event (e.g. 'open').
evt.type.is            allows one to specify an event type, and returns 1 for events that are of that type. For example, evt.type.is.open returns 1 for open events, 0 for any other event.
syscall.type           For system call events, the name of the system call (e.g. 'open'). Unset for other events (e.g. switch or sysdig internal events). Use this field instead of evt.type if you need to make sure that the filtered/printed value is actually a system call.
evt.category           The event category. Example values are 'file' (for file operations like open and close), 'net' (for network operations like socket and bind), memory (for things like brk or mmap), and so on.
evt.cpu                number of the CPU where this event happened.
evt.args               all the event arguments, aggregated into a single string.
evt.arg                (FILTER ONLY) one of the event arguments specified by name or by number. Some events (e.g. return codes or FDs) will be converted into a text representation when possible. E.g. 'evt.arg.fd' or 'evt.arg[0]'.
evt.rawarg             (FILTER ONLY) one of the event arguments specified by name. E.g. 'evt.rawarg.fd'.
evt.info               for most events, this field returns the same value as evt.args. However, for some events (like writes to /dev/log) it provides higher level information coming from decoding the arguments.
evt.buffer             the binary data buffer for events that have one, like read(), recvfrom(), etc. Use this field in filters with 'contains' to search into I/O data buffers.
evt.buflen             the length of the binary data buffer for events that have one, like read(), recvfrom(), etc.
evt.res                event return value, as a string. If the event failed, the result is an error code string (e.g. 'ENOENT'), otherwise the result is the string 'SUCCESS'.
evt.rawres             event return value, as a number (e.g. -2). Useful for range comparisons.
evt.failed             'true' for events that returned an error status.
evt.is_io              'true' for events that read or write to FDs, like read(), send, recvfrom(), etc.
evt.is_io_read         'true' for events that read from FDs, like read(), recv(), recvfrom(), etc.
evt.is_io_write        'true' for events that write to FDs, like write(), send(), etc.
evt.io_dir             'r' for events that read from FDs, like read(); 'w' for events that write to FDs, like write().
evt.is_wait            'true' for events that make the thread wait, e.g. sleep(), select(), poll().
evt.wait_latency       for events that make the thread wait (e.g. sleep(), select(), poll()), this is the time spent waiting for the event to return, in nanoseconds.
evt.is_syslog          'true' for events that are writes to /dev/log.
evt.count              This filter field always returns 1 and can be used to count events from inside chisels.
evt.count.error        This filter field returns 1 for events that returned with an error, and can be used to count event failures from inside chisels.
evt.count.error.file   This filter field returns 1 for events that returned with an error and are related to file I/O, and can be used to count event failures from inside chisels.
evt.count.error.net    This filter field returns 1 for events that returned with an error and are related to network I/O, and can be used to count event failures from inside chisels.
evt.count.error.memory This filter field returns 1 for events that returned with an error and are related to memory allocation, and can be used to count event failures from inside chisels.
evt.count.error.other  This filter field returns 1 for events that returned with an error and are related to none of the previous categories, and can be used to count event failures from inside chisels.
evt.count.exit         This filter field returns 1 for exit events, and can be used to count single events from inside chisels.
evt.around             (FILTER ONLY) Accepts the event if it's around the specified time interval. The syntax is evt.around[T]=D, where T is the value returned by %evt.rawtime for the event and D is a delta in milliseconds. For example, evt.around[1404996934793590564]=1000 will return the events with timestamp with one second before the timestamp and one second after it, for a total of two seconds of capture.
evt.abspath            (FILTER ONLY) Absolute path calculated from dirfd and name during syscalls like renameat and symlinkat. Use 'evt.abspath.src' or 'evt.abspath.dst' for syscalls that support multiple paths.
evt.is_open_read       'true' for open/openat events where the path was opened for reading
evt.is_open_write      'true' for open/openat events where the path was opened for writing

----------------------
Field Class: user

user.uid               user ID.
user.name              user name.
user.homedir           home directory of the user.
user.shell             user's shell.

----------------------
Field Class: group

group.gid              group ID.
group.name             group name.

----------------------
Field Class: syslog

syslog.facility.str    facility as a string.
syslog.facility        facility as a number (0-23).
syslog.severity.str    severity as a string. Can have one of these values: emerg, alert, crit, err, warn, notice, info, debug
syslog.severity        severity as a number (0-7).
syslog.message         message sent to syslog.

----------------------
Field Class: container

container.id           the container id.
container.name         the container name.
container.image        the container image name (e.g. sysdig/sysdig:latest for docker, ).
container.image.id     the container image id (e.g. 6f7e2741b66b).
container.type         the container type, eg: docker or rkt
container.privileged   true for containers running as privileged, false otherwise
container.mounts       A space-separated list of mount information. Each item in the list has the format <source>:<dest>:<mode>:<rdrw>:<propagation>
container.mount        Information about a single mount, specified by number (e.g. container.mount[0]) or mount source (container.mount[/usr/local]). The pathname can be a glob (container.mount[/usr/local/*]), in which case the first matching mount will be returned. The information has the format <source>:<dest>:<mode>:<rdrw>:<propagation>. If there is no mount with the specified index or matching the provided source, returns the string "none" instead of a NULL value.
container.mount.source the mount source, specified by number (e.g. container.mount.dest[0]) or mount destination (container.mount.source[/usr/local]). The pathname can be a glob.
container.mount.dest   the mount destination, specified by number (e.g. container.mount.dest[0]) or mount source (container.mount.dest[/usr/local]). The pathname can be a glob.
container.mount.mode   the mount mode, specified by number (e.g. container.mount.mode[0]) or mount source (container.mount.mode[/usr/local]). The pathname can be a glob.
container.mount.rdwr   the mount rdwr value, specified by number (e.g. container.mount.rdwr[0]) or mount source (container.mount.rdwr[/usr/local]). The pathname can be a glob.
container.mount.propagation the mount propagation value, specified by number (e.g. container.mount.propagation[0]) or mount source (container.mount.propagation[/usr/local]). The pathname can be a glob.

----------------------
Field Class: fdlist

fdlist.nums            for poll events, this is a comma-separated list of the FD numbers in the 'fds' argument, returned as a string.
fdlist.names           for poll events, this is a comma-separated list of the FD names in the 'fds' argument, returned as a string.
fdlist.cips            for poll events, this is a comma-separated list of the client IP addresses in the 'fds' argument, returned as a string.
fdlist.sips            for poll events, this is a comma-separated list of the server IP addresses in the 'fds' argument, returned as a string.
fdlist.cports          for TCP/UDP FDs, for poll events, this is a comma-separated list of the client TCP/UDP ports in the 'fds' argument, returned as a string.
fdlist.sports          for poll events, this is a comma-separated list of the server TCP/UDP ports in the 'fds' argument, returned as a string.

----------------------
Field Class: k8s

k8s.pod.name           Kubernetes pod name.
k8s.pod.id             Kubernetes pod id.
k8s.pod.label          Kubernetes pod label. E.g. 'k8s.pod.label.foo'.
k8s.pod.labels         Kubernetes pod comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.rc.name            Kubernetes replication controller name.
k8s.rc.id              Kubernetes replication controller id.
k8s.rc.label           Kubernetes replication controller label. E.g. 'k8s.rc.label.foo'.
k8s.rc.labels          Kubernetes replication controller comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.svc.name           Kubernetes service name (can return more than one value, concatenated).
k8s.svc.id             Kubernetes service id (can return more than one value, concatenated).
k8s.svc.label          Kubernetes service label. E.g. 'k8s.svc.label.foo' (can return more than one value, concatenated).
k8s.svc.labels         Kubernetes service comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.ns.name            Kubernetes namespace name.
k8s.ns.id              Kubernetes namespace id.
k8s.ns.label           Kubernetes namespace label. E.g. 'k8s.ns.label.foo'.
k8s.ns.labels          Kubernetes namespace comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.rs.name            Kubernetes replica set name.
k8s.rs.id              Kubernetes replica set id.
k8s.rs.label           Kubernetes replica set label. E.g. 'k8s.rs.label.foo'.
k8s.rs.labels          Kubernetes replica set comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
k8s.deployment.name    Kubernetes deployment name.
k8s.deployment.id      Kubernetes deployment id.
k8s.deployment.label   Kubernetes deployment label. E.g. 'k8s.rs.label.foo'.
k8s.deployment.labels  Kubernetes deployment comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.

----------------------
Field Class: mesos

mesos.task.name        Mesos task name.
mesos.task.id          Mesos task id.
mesos.task.label       Mesos task label. E.g. 'mesos.task.label.foo'.
mesos.task.labels      Mesos task comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'.
mesos.framework.name   Mesos framework name.
```
mesos.framework.id Mesos framework id. marathon.app.name Marathon app name. marathon.app.id Marathon app id. marathon.app.label Marathon app label. E.g. 'marathon.app.label.foo'. marathon.app.labels Marathon app comma-separated key/value labels. E.g. 'foo1:bar1, foo2:bar2'. marathon.group.name Marathon group name. marathon.group.id Marathon group id. ---------------------- Field Class: span span.id ID of the span. This is a unique identifier that is used to mat ch the enter and exit tracer events for this span. It can also be used to match different spans belonging to a trace. span.time time of the span's enter tracer as a human readable string that includes the nanosecond part. span.ntags number of tags that this span has. span.nargs number of arguments that this span has. span.tags dot-separated list of all of the span's tags. span.tag one of the span's tags, specified by 0-based offset, e.g. 'span .tag[1]'. You can use a negative offset to pick elements from t he end of the tag list. For example, 'span.tag[-1]' returns the last tag. span.args comma-separated list of the span's arguments. span.arg one of the span arguments, specified by name or by 0-based offs et. E.g. 'span.arg.xxx' or 'span.arg[1]'. You can use a negativ e offset to pick elements from the end of the tag list. For exa mple, 'span.arg[-1]' returns the last argument. span.enterargs comma-separated list of the span's enter tracer event arguments . For enter tracers, this is the same as evt.args. For exit tra cers, this is the evt.args of the corresponding enter tracer. span.enterarg one of the span's enter arguments, specified by name or by 0-ba sed offset. For enter tracer events, this is the same as evt.ar g. For exit tracer events, this is the evt.arg of the correspon ding enter event. span.duration delta between this span's exit tracer event and the enter trace r event. span.duration.human delta between this span's exit tracer event and the enter event , as a human readable string (e.g. 
10.3ms). ---------------------- Field Class: evtin evtin.span.id (FILTER ONLY) accepts all the events that are between the enter and exit tracers of the spans with the given ID and are genera ted by the same thread that generated the tracers. evtin.span.ntags (FILTER ONLY) accepts all the events that are between the enter and exit tracers of the spans with the given number of tags an d are generated by the same thread that generated the tracers. evtin.span.nargs (FILTER ONLY) accepts all the events that are between the enter and exit tracers of the spans with the given number of argumen ts and are generated by the same thread that generated the trac ers. evtin.span.tags (FILTER ONLY) accepts all the events that are between the enter and exit tracers of the spans with the given tags and are gene rated by the same thread that generated the tracers. evtin.span.tag (FILTER ONLY) accepts all the events that are between the enter and exit tracers of the spans with the given tag and are gener ated by the same thread that generated the tracers. See the des cription of span.tag for information about the syntax accepted by this field. evtin.span.args (FILTER ONLY) accepts all the events that are between the enter and exit tracers of the spans with the given arguments and are generated by the same thread that generated the tracers. evtin.span.arg (FILTER ONLY) accepts all the events that are between the enter and exit tracers of the spans with the given argument and are generated by the same thread that generated the tracers. See th e description of span.arg for information about the syntax acce pted by this field. evtin.span.p.id (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by other threads in the same process that produced the span. evtin.span.p.ntags (FILTER ONLY) same as evtin.span.ntags, but also accepts events generated by other threads in the same process that produced t he span. 
evtin.span.p.nargs (FILTER ONLY) same as evtin.span.nargs, but also accepts events generated by other threads in the same process that produced t he span. evtin.span.p.tags (FILTER ONLY) same as evtin.span.tags, but also accepts events generated by other threads in the same process that produced th e span. evtin.span.p.tag (FILTER ONLY) same as evtin.span.tag, but also accepts events g enerated by other threads in the same process that produced the span. evtin.span.p.args (FILTER ONLY) same as evtin.span.args, but also accepts events generated by other threads in the same process that produced th e span. evtin.span.p.arg (FILTER ONLY) same as evtin.span.arg, but also accepts events g enerated by other threads in the same process that produced the span. evtin.span.s.id (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by the script that produced the span, i.e. by the proce sses whose parent PID is the same as the one of the process gen erating the span. evtin.span.s.ntags (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by the script that produced the span, i.e. by the proce sses whose parent PID is the same as the one of the process gen erating the span. evtin.span.s.nargs (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by the script that produced the span, i.e. by the proce sses whose parent PID is the same as the one of the process gen erating the span. evtin.span.s.tags (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by the script that produced the span, i.e. by the proce sses whose parent PID is the same as the one of the process gen erating the span. evtin.span.s.tag (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by the script that produced the span, i.e. by the proce sses whose parent PID is the same as the one of the process gen erating the span. 
evtin.span.s.args (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by the script that produced the span, i.e. by the proce sses whose parent PID is the same as the one of the process gen erating the span. evtin.span.s.arg (FILTER ONLY) same as evtin.span.id, but also accepts events ge nerated by the script that produced the span, i.e. by the proce sses whose parent PID is the same as the one of the process gen erating the span. evtin.span.m.id (FILTER ONLY) same as evtin.span.id, but accepts all the events generated on the machine during the span, including other thre ads and other processes. evtin.span.m.ntags (FILTER ONLY) same as evtin.span.id, but accepts all the events generated on the machine during the span, including other thre ads and other processes. evtin.span.m.nargs (FILTER ONLY) same as evtin.span.id, but accepts all the events generated on the machine during the span, including other thre ads and other processes. evtin.span.m.tags (FILTER ONLY) same as evtin.span.id, but accepts all the events generated on the machine during the span, including other thre ads and other processes. evtin.span.m.tag (FILTER ONLY) same as evtin.span.id, but accepts all the events generated on the machine during the span, including other thre ads and other processes. evtin.span.m.args (FILTER ONLY) same as evtin.span.id, but accepts all the events generated on the machine during the span, including other thre ads and other processes. evtin.span.m.arg (FILTER ONLY) same as evtin.span.id, but accepts all the events generated on the machine during the span, including other thre ads and other processes. |
Useful Sysdig Examples
To display the processes operating under a specific directory:
# sysdig fd.directory=<dizin adı>
Processes other than a given process that perform activity on files, and the operations they carry out:
# sysdig proc.name!=<process adı> and fd.type=file
Activity belonging to the Java and MySQL processes (a single process cannot match both names at once, so the two conditions are joined with or):
# sysdig proc.name=java or proc.name=mysqld
To filter on the parameters a command received, the proc.args filter, i.e. the class.field, is used.
For example, to watch the activity of an application that takes www.omeroner.com as a parameter (e.g. dig www.omeroner.com):
# sysdig proc.args=www.omeroner.com
To examine the activity generated by connections from a specific IP address that is not related to the sshd process:
# sysdig fd.ip=<ip adresi> and proc.name!=sshd
To examine incoming network connections accepted by processes other than MySQL:
# sysdig evt.type=accept and proc.name!=mysqld
Monitoring all activity belonging to a given user:
# sysdig user.name=<kullanıcı adı>
Monitoring all activity belonging to a given group:
# sysdig group.name=<grup adı>
To display calls by event type (for a Linux system call quick reference, see this file):
# sysdig evt.type=<olay tipi>
To see the full list of events:
[root@kubernetes ~]# sysdig -L
> syscall(SYSCALLID ID, UINT16 nativeID)
< syscall(SYSCALLID ID)
> open()
< open(FD fd, FSPATH name, FLAGS32 flags, UINT32 mode)
> close(FD fd)
< close(ERRNO res)
> read(FD fd, UINT32 size)
< read(ERRNO res, BYTEBUF data)
> write(FD fd, UINT32 size)
< write(ERRNO res, BYTEBUF data)
> socket(FLAGS32 domain, UINT32 type, UINT32 proto)
< socket(FD fd)
> bind(FD fd)
< bind(ERRNO res, SOCKADDR addr)
> connect(FD fd)
< connect(ERRNO res, SOCKTUPLE tuple)
> listen(FD fd, UINT32 backlog)
< listen(ERRNO res)
> send(FD fd, UINT32 size)
< send(ERRNO res, BYTEBUF data)
> sendto(FD fd, UINT32 size, SOCKTUPLE tuple)
< sendto(ERRNO res, BYTEBUF data)
> recv(FD fd, UINT32 size)
< recv(ERRNO res, BYTEBUF data)
> recvfrom(FD fd, UINT32 size)
< recvfrom(ERRNO res, BYTEBUF data, SOCKTUPLE tuple)
> shutdown(FD fd, FLAGS8 how)
< shutdown(ERRNO res)
> getsockname()
< getsockname()
> getpeername()
< getpeername()
> socketpair(FLAGS32 domain, UINT32 type, UINT32 proto)
< socketpair(ERRNO res, FD fd1, FD fd2, UINT64 source, UINT64 peer)
> setsockopt()
< setsockopt()
> getsockopt()
< getsockopt()
> sendmsg(FD fd, UINT32 size, SOCKTUPLE tuple)
< sendmsg(ERRNO res, BYTEBUF data)
> sendmmsg()
< sendmmsg()
> recvmsg(FD fd)
< recvmsg(ERRNO res, UINT32 size, BYTEBUF data, SOCKTUPLE tuple)
> recvmmsg()
< recvmmsg()
> creat()
< creat(FD fd, FSPATH name, UINT32 mode)
> pipe()
< pipe(ERRNO res, FD fd1, FD fd2, UINT64 ino)
> eventfd(UINT64 initval, FLAGS32 flags)
< eventfd(FD res)
> futex(UINT64 addr, FLAGS16 op, UINT64 val)
< futex(ERRNO res)
> stat()
< stat(ERRNO res, FSPATH path)
> lstat()
< lstat(ERRNO res, FSPATH path)
> fstat(FD fd)
< fstat(ERRNO res)
> stat64()
< stat64(ERRNO res, FSPATH path)
> lstat64()
< lstat64(ERRNO res, FSPATH path)
> fstat64(FD fd)
< fstat64(ERRNO res)
> epoll_wait(ERRNO maxevents)
< epoll_wait(ERRNO res)
> poll(FDLIST fds, INT64 timeout)
< poll(ERRNO res, FDLIST fds)
> select()
< select(ERRNO res)
> select()
< select(ERRNO res)
> lseek(FD fd, UINT64 offset, FLAGS8 whence)
< lseek(ERRNO res)
> llseek(FD fd, UINT64 offset, FLAGS8 whence)
< llseek(ERRNO res)
> getcwd()
< getcwd(ERRNO res, CHARBUF path)
> chdir()
< chdir(ERRNO res, CHARBUF path)
> fchdir(FD fd)
< fchdir(ERRNO res)
> mkdir(FSPATH path, UINT32 mode)
< mkdir(ERRNO res)
> rmdir(FSPATH path)
< rmdir(ERRNO res)
> openat(FD dirfd, CHARBUF name, FLAGS32 flags, UINT32 mode)
< openat(FD fd)
> link(FSPATH oldpath, FSPATH newpath)
< link(ERRNO res)
> linkat(FD olddir, CHARBUF oldpath, FD newdir, CHARBUF newpath)
< linkat(ERRNO res)
> unlink(FSPATH path)
< unlink(ERRNO res)
> unlinkat(FD dirfd, CHARBUF name)
< unlinkat(ERRNO res)
> pread(FD fd, UINT32 size, UINT64 pos)
< pread(ERRNO res, BYTEBUF data)
> pwrite(FD fd, UINT32 size, UINT64 pos)
< pwrite(ERRNO res, BYTEBUF data)
> readv(FD fd)
< readv(ERRNO res, UINT32 size, BYTEBUF data)
> writev(FD fd, UINT32 size)
< writev(ERRNO res, BYTEBUF data)
> preadv(FD fd, UINT64 pos)
< preadv(ERRNO res, UINT32 size, BYTEBUF data)
> pwritev(FD fd, UINT32 size, UINT64 pos)
< pwritev(ERRNO res, BYTEBUF data)
> dup(FD fd)
< dup(FD res)
> signalfd(FD fd, UINT32 mask, FLAGS8 flags)
< signalfd(FD res)
> kill(PID pid, SIGTYPE sig)
< kill(ERRNO res)
> tkill(PID tid, SIGTYPE sig)
< tkill(ERRNO res)
> tgkill(PID pid, PID tid, SIGTYPE sig)
< tgkill(ERRNO res)
> nanosleep(RELTIME interval)
< nanosleep(ERRNO res)
> timerfd_create(UINT8 clockid, FLAGS8 flags)
< timerfd_create(FD res)
> inotify_init(FLAGS8 flags)
< inotify_init(FD res)
> getrlimit(FLAGS8 resource)
< getrlimit(ERRNO res, INT64 cur, INT64 max)
> setrlimit(FLAGS8 resource)
< setrlimit(ERRNO res, INT64 cur, INT64 max)
> prlimit(PID pid, FLAGS8 resource)
< prlimit(ERRNO res, INT64 newcur, INT64 newmax, INT64 oldcur, INT64 oldmax)
> fcntl(FD fd, FLAGS8 cmd)
< fcntl(FD res)
> switch(PID next, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
> brk(UINT64 addr)
< brk(UINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
> mmap(UINT64 addr, UINT64 length, FLAGS32 prot, FLAGS32 flags, FD fd, UINT64 offset)
< mmap(UINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
> mmap2(UINT64 addr, UINT64 length, FLAGS32 prot, FLAGS32 flags, FD fd, UINT64 pgoffset)
< mmap2(UINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
> munmap(UINT64 addr, UINT64 length)
< munmap(ERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap)
> splice(FD fd_in, FD fd_out, UINT64 size, FLAGS32 flags)
< splice(ERRNO res)
> ptrace(FLAGS16 request, PID pid)
< ptrace(ERRNO res, DYNAMIC addr, DYNAMIC data)
> ioctl(FD fd, UINT64 request, UINT64 argument)
< ioctl(ERRNO res)
> rename()
< rename(ERRNO res, FSPATH oldpath, FSPATH newpath)
> renameat()
< renameat(ERRNO res, FD olddirfd, CHARBUF oldpath, FD newdirfd, CHARBUF newpath)
> symlink()
< symlink(ERRNO res, CHARBUF target, FSPATH linkpath)
> symlinkat()
< symlinkat(ERRNO res, CHARBUF target, FD linkdirfd, CHARBUF linkpath)
> procexit(ERRNO status)
> sendfile(FD out_fd, FD in_fd, UINT64 offset, UINT64 size)
< sendfile(ERRNO res, UINT64 offset)
> quotactl(FLAGS16 cmd, FLAGS8 type, UINT32 id, FLAGS8 quota_fmt)
< quotactl(ERRNO res, CHARBUF special, CHARBUF quotafilepath, UINT64 dqb_bhardlimit, UINT64 dqb_bsoftlimit, UINT64 dqb_curspace, UINT64 dqb_ihardlimit, UINT64 dqb_isoftlimit, RELTIME dqb_btime, RELTIME dqb_itime, RELTIME dqi_bgrace, RELTIME dqi_igrace, FLAGS8 dqi_flags, FLAGS8 quota_fmt_out)
> setresuid(UID ruid, UID euid, UID suid)
< setresuid(ERRNO res)
> setresgid(GID rgid, GID egid, GID sgid)
< setresgid(ERRNO res)
> setuid(UID uid)
< setuid(ERRNO res)
> setgid(GID gid)
< setgid(ERRNO res)
> getuid()
< getuid(UID uid)
> geteuid()
< geteuid(UID euid)
> getgid()
< getgid(GID gid)
> getegid()
< getegid(GID egid)
> getresuid()
< getresuid(ERRNO res, UID ruid, UID euid, UID suid)
> getresgid()
< getresgid(ERRNO res, GID rgid, GID egid, GID sgid)
> clone()
< clone(PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags, UINT32 uid, UINT32 gid, PID vtid, PID vpid)
> fork()
< fork(PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags, UINT32 uid, UINT32 gid, PID vtid, PID vpid)
> vfork()
< vfork(PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags, UINT32 uid, UINT32 gid, PID vtid, PID vpid)
> execve()
< execve(ERRNO res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, UINT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, BYTEBUF env)
> signaldeliver(PID spid, PID dpid, SIGTYPE sig)
> getdents(FD fd)
< getdents(ERRNO res)
> getdents64(FD fd)
< getdents64(ERRNO res)
> setns(FD fd, FLAGS32 nstype)
< setns(ERRNO res)
> flock(FD fd, FLAGS32 operation)
< flock(ERRNO res)
> cpu_hotplug(UINT32 cpu, UINT32 action)
> accept()
< accept(FD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax)
> accept(INT32 flags)
< accept(FD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax)
> semop(INT32 semid)
< semop(ERRNO res, UINT32 nsops, UINT16 sem_num_0, INT16 sem_op_0, FLAGS16 sem_flg_0, UINT16 sem_num_1, INT16 sem_op_1, FLAGS16 sem_flg_1)
> semctl(INT32 semid, INT32 semnum, FLAGS16 cmd, INT32 val)
< semctl(ERRNO res)
> ppoll(FDLIST fds, RELTIME timeout, SIGSET sigmask)
< ppoll(ERRNO res, FDLIST fds)
> mount(FLAGS32 flags)
< mount(ERRNO res, CHARBUF dev, FSPATH dir, CHARBUF type)
> umount(FLAGS32 flags)
< umount(ERRNO res, FSPATH name)
> semget(INT32 key, INT32 nsems, FLAGS32 semflg)
< semget(ERRNO res)
> access(FLAGS32 mode)
< access(ERRNO res, FSPATH name)
> chroot()
< chroot(ERRNO res, FSPATH path)
> tracer(INT64 id, <NA> tags, <NA> args)
< tracer(INT64 id, <NA> tags, <NA> args)
> setsid()
< setsid(PID res)
Customising Sysdig Output Formats
With sysdig we can customise the output of filtering results. For example, to print system calls whose event type is chdir (change directory) in a formatted way, showing the user who ran the command (cd) and the directory involved, the following command can be used:
# sysdig -p"user:%user.name dir:%evt.arg.path" evt.type=chdir
To print every command executed from a shell, including the user, the command and the command arguments:
[root@kubernetes ~]# sysdig -p"%user.name==> %proc.name %proc.args" evt.type=execve and evt.arg.ptid=bash
root==> service /usr/sbin/service ntpd restart
root==> systemctl restart ntpd.service
root==> service /usr/sbin/service nfs restart
root==> systemctl restart nfs.service
root==> systemctl restart etcd kube-apiserver kube-controller-manager kube-scheduler
etcd==> nproc
Trace Files with Sysdig
As I mentioned at the beginning of the article, we can write the results obtained with sysdig to a file (trace file) to examine them later.
For example, the command to write the entire sysdig output to the file trace.scap:
# sysdig -w trace.scap
To write only 50 events to that file, trace.scap:
# sysdig -n 50 -w trace.scap
The command to read sysdig output that we have written to a trace file:
# sysdig -r trace.scap
Using Chisels in Sysdig
Chisels is the name given to the scripts used to make sense of the data obtained through sysdig, and many chisels ship by default.
First, we can see a list of these chisels using the -cl parameter:
[root@kubernetes ~]# sysdig -cl
Category: Application
---------------------
httplog HTTP requests log
httptop Top HTTP requests
memcachelog memcached requests log

Category: CPU Usage
-------------------
spectrogram Visualize OS latency in real time.
subsecoffset Visualize subsecond offset execution time.
topcontainers_cpu Top containers by CPU usage
topprocs_cpu Top processes by CPU usage

Category: Errors
----------------
topcontainers_error Top containers by number of errors
topfiles_errors Top files by number of errors
topprocs_errors top processes by number of errors

Category: I/O
-------------
echo_fds Print the data read and written by processes.
fdbytes_by I/O bytes, aggregated by an arbitrary filter field
fdcount_by FD count, aggregated by an arbitrary filter field
fdtime_by FD time group by
iobytes Sum of I/O bytes on any type of FD
iobytes_file Sum of file I/O bytes
spy_file Echo any read/write made by any process to all files. Optionally, you can provide the name of one file to only intercept reads/writes to that file.
stderr Print stderr of processes
stdin Print stdin of processes
stdout Print stdout of processes
topcontainers_file Top containers by R+W disk bytes
topfiles_bytes Top files by R+W bytes
topfiles_time Top files by time
topprocs_file Top processes by R+W disk bytes

Category: Logs
--------------
spy_logs Echo any write made by any process to a log file. Optionally, export the events around each log message to file.
spy_syslog Print every message written to syslog. Optionally, export the events around each syslog message to file.

Category: Misc
--------------
around Export to file the events around the time range where the given filter matches.

Category: Net
-------------
iobytes_net Show total network I/O bytes
spy_ip Show the data exchanged with the given IP address
spy_port Show the data exchanged using the given IP port number
topconns Top network connections by total bytes
topcontainers_net Top containers by network I/O
topports_server Top TCP/UDP server ports by R+W bytes
topprocs_net Top processes by network I/O

Category: Performance
---------------------
bottlenecks Slowest system calls
fileslower Trace slow file I/O
netlower Trace slow network I/0
proc_exec_time Show process execution time
scallslower Trace slow syscalls
topscalls Top system calls by number of calls
topscalls_time Top system calls by time

Category: Security
------------------
list_login_shells List the login shell IDs
shellshock_detect print shellshock attacks
spy_users Display interactive user activity

Category: System State
----------------------
lscontainers List the running containers
lsof List (and optionally filter) the open file descriptors.
netstat List (and optionally filter) network connections.
ps List (and optionally filter) the machine processes.

Category: Tracers
-----------------
tracers_2_statsd Export spans duration as statds metrics.

Use the -i flag to get detailed information about a specific chisel
[root@kubernetes ~]#
The -i parameter can be used to get more detailed information about a chisel. For example, to see what the chisel named bottlenecks does, the following command can be used:
[root@kubernetes ~]# sysdig -i bottlenecks
Category: Performance
---------------------
bottlenecks Slowest system calls

Lists the 10 system calls that took the longest to return during the capture interval.
Args:
(None)
[root@kubernetes ~]#
Useful Sysdig Chisel Examples
To see the processes using the most CPU:
# sysdig -c topprocs_cpu
CPU% Process PID
---------------------------
1.00% sysdig 35503
0.00% sshd 34250
0.00% master 1382
0.00% auditd 851
0.00% rs:main 874
0.00% lvmetad 732
0.00% bash 2209
0.00% wpa_supplicant 906
0.00% in:imjournal 874
0.00% crond 24764
File I/O activity taking longer than 1 ms:
# sysdig -c fileslower 1
Network activity taking longer than 1 ms:
# sysdig -c netlower 1
evt.datetime proc.name evt.type LATENCY(ms) fd.name
----------------------- ------------ -------- ------------ -----------------------------------------
2016-11-16 23:37:11.038 ping recvmsg 9 192.168.177.168->178.210.175.25
2016-11-16 23:37:12.040 ping recvmsg 10 192.168.177.168->178.210.175.25
2016-11-16 23:37:13.041 ping recvmsg 9 192.168.177.168->178.210.175.25
2016-11-16 23:37:14.044 ping recvmsg 9 192.168.177.168->178.210.175.25
2016-11-16 23:37:15.046 ping recvmsg 9 192.168.177.168->178.210.175.25
2016-11-16 23:37:16.047 ping recvmsg 8 192.168.177.168->178.210.175.25
Processes producing the most syscall errors:
# sysdig -c topprocs_errors
#Errors Process PID
--------------------------------------------------------------------------------
13 etcd 35461
12 kube-controller 35454
2 kube-apiserver 35472
To print the standard output of processes (a class.field filter can be appended):
# sysdig -c stdout
Files with the most disk I/O, in terms of writes + reads:
# sysdig -c topfiles_bytes
Bytes Filename
--------------------------------------------------------------------------------
262B /dev/ptmx
228B /var/lib/etcd/default.etcd/member/wal/0000000000000000-0000000000000000.wal
Processes generating the most disk I/O (read + write):
# sysdig -c topprocs_file
Bytes Process PID
--------------------------------------------------------------------------------
1.92KB systemd-journal 717
708B systemd 1
230B etcd 35461
211B sshd 35114
210B rs:main 874
Total file I/O in bytes:
# sysdig -c iobytes_file
23:43:23 in:0 out:115 tot:115
23:43:25 in:31 out:230 tot:261
23:43:26 in:32 out:230 tot:262
23:43:27 in:2709 out:440 tot:3149
23:43:28 in:35 out:230 tot:265
23:43:29 in:32 out:229 tot:261
Printing which processes write what to which log files:
# sysdig -c spy_logs
rs:main /var/log/messages Nov 16 23:46:56 localhost kube-apiserver: E1116 23:46:56.622637 35472 genericapiserver.go:716] Unable to listen for secure (open /var/run/kubernetes/apiserver.crt: no such file or directory); will try again.
auditd /var/log/audit/audit.log type=ADD_GROUP msg=audit(1479332831.041:462): pid=35616 uid=0 auid=0 ses=12 subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 msg='op=add-group id=72 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=success'
rs:main /var/log/secure Nov 16 23:47:11 localhost groupadd[35616]: group added to /etc/group: name=tcpdump, GID=72
auditd /var/log/audit/audit.log type=GRP_MGMT msg=audit(1479332831.044:463): pid=35616 uid=0 auid=0 ses=12 subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 msg='op=add-shadow-group id=72 exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=success'
rs:main /var/log/secure Nov 16 23:47:11 localhost groupadd[35616]: group added to /etc/gshadow: name=tcpdump
rs:main /var/log/secure Nov 16 23:47:11 localhost groupadd[35616]: new group: name=tcpdump, GID=72
rs:main /var/log/secure Nov 16 23:47:11 localhost useradd[35620]: new user: name=tcpdump, UID=72, GID=72, home=/, shell=/sbin/nologin
Displaying every message written to syslog:
# sysdig -c spy_syslog
Displaying the traffic generated by a specific IP (note that chisels can be combined with filter expressions):
# sysdig -c spy_ip 192.168.177.1 proc.name!=sshd
Displaying the traffic taking place on a specific port:
# sysdig -c spy_port 8080
------ Read 5B
0....
------ Read 5B
0....
------ Read 204B
GET /api/v1/watch/services?resourceVersion=17&timeoutSeconds=531 HTTP/1.1..Host: kubernetes.omeroner.com:8080..User-Agent: kube-scheduler/v1.2.0 (linux/amd64) kubernetes/ec7364b..Accept-Encoding: gzip....
------ Read 1B
G
------ Read 1B
ET /api/v1/watch/services?resourceVersion=17&timeoutSeconds=531 HTTP/1.1..Host: kubernetes.omeroner.com:8080..User-Agent: kube-scheduler/v1.2.0 (linux/amd64) kubernetes/ec7364b..Accept-Encoding: gzip....
------ Read 112B
HTTP/1.1 200 OK..Transfer-Encoding: chunked..Date: Wed, 16 Nov 2016 21:53:51 GMT..Transfer-Encoding: chunked....
------ Read 112B
HTTP/1.1 200 OK..Transfer-Encoding: chunked..Date: Wed, 16 Nov 2016 21:53:51 GMT..Transfer-Encoding: chunked....
------ Read 5B
0....
------ Read 5B
Listing the connections generating the most traffic, in bytes:
# sysdig -c topconns
Bytes Proto Conn
--------------------------------------------------------------------------------
444B tcp 192.168.177.1:54326->192.168.177.168:ssh
Listing the server ports generating the most traffic:
# sysdig -c topports_server
Bytes Srv Port
--------------------------------------------------------------------------------
6.04KB 2379
868B webcache
196B ssh
Displaying the processes generating the most traffic:
Bytes Process PID
--------------------------------------------------------------------------------
335B kube-scheduler 35453
335B kube-apiserver 35472
252B sshd 36059
Interactively monitoring the activity of users on the system:
# sysdig -c spy_users
36118 23:56:39 root) id -un
36118 23:56:39 root) /usr/bin/hostname
36118 23:56:39 root) /bin/sh /usr/libexec/grepconf.sh -c
36118 23:56:39 root) grep -qsi ^COLOR.*none /etc/GREP_COLORS
36118 23:56:39 root) /usr/bin/tty -s
36118 23:56:39 root) /usr/bin/tput colors
36118 23:56:39 root) /usr/bin/dircolors --sh /etc/DIR_COLORS
36118 23:56:39 root) /usr/bin/grep -qi ^COLOR.*none /etc/DIR_COLORS
36118 23:56:39 root) /sbin/consoletype stdout
36118 23:56:39 root) /usr/bin/id -u
36118 23:56:42 root) ls --color=auto -l --color=auto
36118 23:56:46 root) cd /tmp
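The built-in chisels above all follow the same pattern: a filter expression selects events, a Lua script aggregates them. As an added example (written for this article, not taken from the original post or from the sysdig project), here is a small custom chisel that ties the filter syntax of the earlier examples to that mechanism: it logs every successful write() to a file under /etc and totals the bytes per process when the capture ends, which is a useful way to see who is modifying system configuration. It assumes the chisel API callbacks on_init/on_event/on_capture_end together with chisel.request_field, chisel.set_filter and evt.field, and the filter fields evt.failed and evt.rawres in addition to fd.type, fd.name and evt.is_io_write shown in the field list above; the file name etc_writes.lua is arbitrary.

```lua
-- etc_writes.lua: added example chisel, not part of the original post or of
-- the sysdig project. Logs every successful write() to a file under a watched
-- directory (default /etc/) and totals the bytes per process at capture end.
-- Usage: sysdig -c ./etc_writes.lua [dir]

description = "Log successful writes to files under a directory (default /etc/) and total the bytes per process at capture end."
short_description = "Writes to files under /etc, by process"
category = "Security"

-- one optional argument: the directory prefix to watch
args = {
    {
        name = "dir",
        description = "directory prefix to watch (default: /etc/)",
        argtype = "string",
        optional = true
    }
}

local watch_dir = "/etc/"
local totals = {}   -- "proc.name[pid]" -> bytes written

function on_set_arg(name, val)
    if name == "dir" then
        watch_dir = val
        -- normalise to a trailing slash so "/etc" does not also match "/etcetera"
        if string.sub(watch_dir, -1) ~= "/" then
            watch_dir = watch_dir .. "/"
        end
        return true
    end
    return false
end

function on_init()
    -- request the fields read per event; evt.field() takes these handles
    fuser  = chisel.request_field("user.name")
    fpid   = chisel.request_field("proc.pid")
    fpname = chisel.request_field("proc.name")
    fname  = chisel.request_field("fd.name")
    fres   = chisel.request_field("evt.rawres")   -- bytes written, on the exit event

    -- fd.type, evt.is_io_write and fd.name are filter fields from the listing
    -- above; evt.dir=< selects the exit side, whose result carries the byte
    -- count, and evt.failed=false drops writes that returned an error.
    -- "contains" is a cheap pre-filter; the exact prefix check happens in on_event.
    chisel.set_filter("fd.type=file and evt.is_io_write=true and evt.dir=< and evt.failed=false and fd.name contains " .. watch_dir)
    return true
end

function on_event()
    local name = evt.field(fname)
    if name == nil or string.sub(name, 1, #watch_dir) ~= watch_dir then
        return true   -- matched "contains" but not the prefix: ignore
    end
    local bytes = evt.field(fres) or 0
    local key = tostring(evt.field(fpname)) .. "[" .. tostring(evt.field(fpid)) .. "]"
    totals[key] = (totals[key] or 0) + bytes
    print(string.format("%-12s %-28s %6d B  %s", tostring(evt.field(fuser)), key, bytes, name))
    return true
end

function on_capture_end()
    -- sort processes by bytes written, largest first
    local rows = {}
    for key, bytes in pairs(totals) do
        rows[#rows + 1] = { key = key, bytes = bytes }
    end
    table.sort(rows, function(a, b) return a.bytes > b.bytes end)
    print("\nBytes written under " .. watch_dir .. " per process:")
    for _, r in ipairs(rows) do
        print(string.format("%8d B  %s", r.bytes, r.key))
    end
    return true
end
```

The same script works against a saved capture (sysdig -r trace.scap -c ./etc_writes.lua), so the per-process summary can be produced after the fact from a trace file written with -w.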
Extending the examples is up to you; for more, you can visit this page.