{"id":917,"date":"2017-05-01T06:36:20","date_gmt":"2017-05-01T03:36:20","guid":{"rendered":"https:\/\/community.virtono.com\/?p=917"},"modified":"2017-05-01T06:36:20","modified_gmt":"2017-05-01T03:36:20","slug":"how-to-monitor-your-ubuntu-16-04-system-with-sysdig","status":"publish","type":"post","link":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-monitor-your-ubuntu-16-04-system-with-sysdig\/","title":{"rendered":"How To Monitor Your Ubuntu 16.04 System with Sysdig"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">INTRODUCTION<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"http:\/\/www.sysdig.org\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Sysdig<\/span><\/a><span style=\"font-weight: 400;\"> is an open-source system monitoring, capture and analysis application. It provides a powerful filtering language with customizable output, and core functionality that can be extended with <\/span><a href=\"https:\/\/www.lua.org\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Lua<\/span><\/a><span style=\"font-weight: 400;\"> scripts called <\/span><i><span style=\"font-weight: 400;\">chisels<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">This application works by tapping into the kernel, which allows it to see every system call and all of the information passing through the kernel. 
This also makes it an excellent tool for monitoring and analyzing system activity and events generated by application containers running on a system.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The core sysdig application also monitors the server it is installed on.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The company behind the project also offers a hosted version called Sysdig Cloud, which can monitor any number of servers remotely.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The standalone application is available on most Linux distributions, and it&#8217;s also available, with more limited functionality, on Windows and macOS. Aside from the <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> command line tool, Sysdig also comes with an interactive UI called <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> with similar options.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">In this tutorial, we will install and use Sysdig to monitor an Ubuntu 16.04 server. We will also stream live events, save events to files, filter results, and explore the <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> interactive UI.<\/span><\/p>\n<p><b>Prerequisites<\/b><\/p>\n<p><span style=\"font-weight: 400;\">To complete this tutorial we will need:<\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">One Ubuntu 16.04 server set up by following <\/span><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/initial-server-setup-with-ubuntu-16-04\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">the Ubuntu 16.04 initial server setup guide<\/span><\/a><span style=\"font-weight: 400;\">, including a sudo non-root user and a firewall.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">These 
are the steps for installing and using <\/span><a href=\"http:\/\/www.sysdig.org\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Sysdig<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Step_1_%E2%80%93_Installing_Sysdig_Using_the_Official_Script\"><\/span><b>Step 1 \u2013 Installing Sysdig Using the Official Script<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">There&#8217;s a Sysdig package in the Ubuntu repository, but it&#8217;s usually a revision or two behind the current version. At the time of publication, for example, installing Sysdig using Ubuntu&#8217;s package manager will get you Sysdig 0.8.0. However, you can install it using an official script from the project&#8217;s development page, which is the recommended method of installation. 
This is the method we&#8217;ll use.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But first, update the package database to ensure you have the latest list of available packages:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo apt-get update<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Now download Sysdig&#8217;s installation script with <\/span><span style=\"font-weight: 400;\">curl<\/span><span style=\"font-weight: 400;\"> using the following command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">curl https:\/\/s3.amazonaws.com\/download.draios.com\/stable\/install-sysdig -o install-sysdig<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This downloads the installation script to the file <\/span><span style=\"font-weight: 400;\">install-sysdig<\/span><span style=\"font-weight: 400;\"> in the current folder. You&#8217;ll need to execute this script with elevated privileges, and it&#8217;s dangerous to run scripts you download from the Internet. 
Before you execute the script, audit its content by opening it in a text editor or by using the <\/span><span style=\"font-weight: 400;\">less<\/span><span style=\"font-weight: 400;\"> command to display the contents on the screen:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">less .\/install-sysdig<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Once you&#8217;re comfortable with the commands the script will run, execute the script with the following command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">cat .\/install-sysdig | sudo bash<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The command will install all dependencies, including kernel headers and modules. The output of the installation will be similar to the following:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">* Detecting operating system<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">* Installing Sysdig public key<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">OK<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">* Installing sysdig repository<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">* Installing kernel headers<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">* Installing sysdig<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">&#8230;<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">sysdig-probe:<\/span><span style=\"font-weight: 400;\"><br 
\/>\n<\/span><span style=\"font-weight: 400;\">Running module version sanity check.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"> &#8211; Original module<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"> \u00a0\u00a0&#8211; No original module exists within this kernel<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"> &#8211; Installation<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"> \u00a0\u00a0&#8211; Installing to \/lib\/modules\/4.4.0-59-generic\/updates\/dkms\/<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">depmod&#8230;.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">DKMS: install completed.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Processing triggers for libc-bin (2.23-0ubuntu5) &#8230;<\/span><span style=\"font-weight: 400;\"><\/p>\n<p><\/span><\/p>\n<p><span style=\"font-weight: 400;\">Now that you&#8217;ve got Sysdig installed, let&#8217;s look at some ways to use it.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Step_2_%E2%80%93_Monitoring_Your_System_in_Real-Time\"><\/span><b>Step 2 \u2013 Monitoring Your System in Real-Time<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In this section, you&#8217;ll use the <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> command to look at some events on your Ubuntu 16.04 server. The <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> command requires root privileges to run, and it takes any number of options and filters. 
The simplest way to run the command is without any arguments. This will give you a real-time view of system data refreshed every two seconds:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">But, as you&#8217;ll see as soon as you run the command, it can be difficult to analyze the data being written to the screen because it streams continuously, and there are lots of events happening on your server. Stop <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> by pressing <\/span><span style=\"font-weight: 400;\">CTRL+C<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Before we run the command again with some options, let&#8217;s get familiar with the output by looking at a sample output from the command:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">253566 11:16:42.808339958 0 sshd (12392) &gt; rt_sigprocmask<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">253567 11:16:42.808340777 0 sshd (12392) &lt; rt_sigprocmask<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">253568 11:16:42.808341072 0 sshd (12392) &gt; rt_sigprocmask<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">253569 11:16:42.808341377 0 sshd (12392) &lt; rt_sigprocmask<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">253570 11:16:42.808342432 0 sshd (12392) &gt; clock_gettime<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">253571 11:16:42.808343127 0 sshd (12392) &lt; clock_gettime<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">253572 
11:16:42.808344269 0 sshd (12392) &gt; read fd=10(&lt;f&gt;\/dev\/ptmx) size=16384<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">253573 11:16:42.808346955 0 sshd (12392) &lt; read res=2 data=..<\/span><span style=\"font-weight: 400;\"><\/p>\n<p><\/span><\/p>\n<p><span style=\"font-weight: 400;\">The output&#8217;s columns are:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info<\/span><span style=\"font-weight: 400;\"><\/p>\n<p><\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here&#8217;s what each column means:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">evt.num is the incremental event number.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">evt.outputtime is the event timestamp, which you can customize.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">evt.cpu is the CPU number where the event was captured. In the above output, the evt.cpu is 0, which is the server&#8217;s first CPU.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">proc.name is the name of the process that generated the event.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">thread.tid is the TID that generated the event, which corresponds to the PID for single thread processes.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">evt.dir is the event direction. You&#8217;ll see &gt; for enter events and &lt; for exit events.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">evt.type is the name of the event, e.g. 
&#8216;open&#8217;, &#8216;read&#8217;, &#8216;write&#8217;, etc.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">evt.info is the list of event arguments. In case of system calls, these tend to correspond to the system call arguments, but that\u2019s not always the case: some system call arguments are excluded for simplicity or performance reasons.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">There&#8217;s hardly any value in running <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> like you did in the previous command because there&#8217;s so much information streaming in. But you can apply options and filters to the command using this syntax:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig [option] [filter]<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">You can view the complete list of available filters using:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sysdig -l<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">There&#8217;s an extensive list of filters spanning several classes, or categories. 
Here are some of the classes:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">fd: Filter on file descriptor (FD) information, like FD numbers and FD names.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">process: Filter on process information, like the id and name of the process that generated an event.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">evt: Filter on event information, like event number and time.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">user: Filter on user information, like user id, username, user&#8217;s home directory or login shell.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">group: Filter on group information, like group id and name.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">syslog: Filter on syslog information, like facility and severity.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">fdlist: Filter on file descriptors for poll events.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Since it&#8217;s not practical to cover every filter in this tutorial, let&#8217;s just try a couple, starting with the syslog.severity.str filter in the syslog class, which lets you view messages sent to syslog at a specific severity level. This command shows messages sent to syslog at the &#8220;information&#8221; level:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig syslog.severity.str=info<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Note: Depending on the level of activity on your server, you might not see any output after typing this command, or it might take a long time before you see any output. 
To force the issue, open another terminal and perform an action that will generate a message to syslog. For example, perform a package update, upgrade the system, or install any package.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Kill the command by pressing <\/span><span style=\"font-weight: 400;\">CTRL+C<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The output, which should be fairly easy to interpret, should look something like this:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10716 03:15:37.111266382 0 sudo (26322) &lt; sendto syslog sev=info msg=Jan 24 03:15:37 sudo: pam_unix(sudo:session): session opened for user root b<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">618099 03:15:57.643458223 0 sudo (26322) &lt; sendto syslog sev=info msg=Jan 24 03:15:57 sudo: pam_unix(sudo:session): session closed for user root<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">627648 03:16:23.212054906 0 sudo (27039) &lt; sendto syslog sev=info msg=Jan 24 03:16:23 sudo: pam_unix(sudo:session): session opened for user root b<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">629992 03:16:23.248012987 0 sudo (27039) &lt; sendto syslog sev=info msg=Jan 24 03:16:23 sudo: pam_unix(sudo:session): session closed for user root<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">639224 03:17:01.614343568 0 cron (27042) &lt; sendto syslog sev=info msg=Jan 24 03:17:01 CRON[27042]: pam_unix(cron:session): session opened for user<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">639530 03:17:01.615731821 0 cron (27043) &lt; sendto syslog sev=info msg=Jan 24 03:17:01 CRON[27043]: (root) CMD ( \u00a0\u00a0cd \/ &amp;&amp; run-parts --report 
\/etc\/<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">640031 03:17:01.619412864 0 cron (27042) &lt; sendto syslog sev=info msg=Jan 24 03:17:01 CRON[27042]: pam_unix(cron:session): session closed for user<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can also filter on a single process. For example, to look for events from <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\">, execute this command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig proc.name=nano<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Since this command filters on <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\">, you will have to use the <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\"> text editor to open a file to see any output. Open another terminal, connect to your server, and use <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\"> to open a text file. Write a few characters and save the file. 
Then return to your original terminal.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You&#8217;ll then see some output similar to this:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">21840 11:26:33.390634648 0 nano (27291) &lt; mmap res=7F517150A000 vm_size=8884 vm_rss=436 vm_swap=0<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21841 11:26:33.390654669 0 nano (27291) &gt; close fd=3(&lt;f&gt;\/lib\/x86_64-linux-gnu\/libc.so.6)<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21842 11:26:33.390657136 0 nano (27291) &lt; close res=0<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21843 11:26:33.390682336 0 nano (27291) &gt; access mode=0(F_OK)<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21844 11:26:33.390690897 0 nano (27291) &lt; access res=-2(ENOENT) name=\/etc\/ld.so.nohwcap<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21845 11:26:33.390695494 0 nano (27291) &gt; open<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21846 11:26:33.390708360 0 nano (27291) &lt; open fd=3(&lt;f&gt;\/lib\/x86_64-linux-gnu\/libdl.so.2) name=\/lib\/x86_64-linux-gnu\/libdl.so.2 flags=4097(O_RDONLY|O_CLOEXEC) mode=0<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21847 11:26:33.390710510 0 nano (27291) &gt; read fd=3(&lt;f&gt;\/lib\/x86_64-linux-gnu\/libdl.so.2) size=832<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Again, kill the command by typing <\/span><span style=\"font-weight: 400;\">CTRL+C<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Getting a real-time view of system events using <\/span><span 
style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> is not always the best method of using it. Luckily, there&#8217;s another way &#8211; capturing events to a file for analysis at a later time. Let&#8217;s look at how.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Step_3_%E2%80%93_Capturing_System_Activity_to_a_File_Using_Sysdig\"><\/span><b>Step 3 \u2013 Capturing System Activity to a File Using Sysdig<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Capturing system events to a file using <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> lets you analyze those events at a later time. To save system events to a file, pass <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> the -w option and specify a target file name, like this:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -w <\/span><span style=\"font-weight: 400;\">sysdig-trace-file<\/span><span style=\"font-weight: 400;\">.scap<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Sysdig will keep saving generated events to the target file until you press <\/span><span style=\"font-weight: 400;\">CTRL+C<\/span><span style=\"font-weight: 400;\">. With time, that file can grow quite large. With the -n option, however, you can specify how many events you want Sysdig to capture. After the target number of events have been captured, it will exit. 
For example, to save 300 events to a file, type:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -n 300 -w <\/span><span style=\"font-weight: 400;\">sysdig-file<\/span><span style=\"font-weight: 400;\">.scap<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Though you can use Sysdig to capture a specified number of events to a file, a better approach would be to use the -C option to break up a capture into smaller files of a specific size. To avoid overwhelming local storage, you can also instruct Sysdig to keep only a few of the saved files. In other words, Sysdig supports capturing events to logs with file rotation, in one command.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example, to save events continuously to files that are no more than 1 MB in size, and only keep the last five files (that&#8217;s what the -W option does), execute this command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -C 1 -W 5 -w <\/span><span style=\"font-weight: 400;\">sysdig-trace<\/span><span style=\"font-weight: 400;\">.scap<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">List the files using <\/span><span style=\"font-weight: 400;\">ls -l sysdig-trace*<\/span><span style=\"font-weight: 400;\"> and you&#8217;ll see output similar to this, with five log files:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">-rw-r--r-- 1 root root 985K Nov 23 04:13 sysdig-trace.scap0<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">-rw-r--r-- 1 root root 952K Nov 23 04:14 sysdig-trace.scap1<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">-rw-r--r-- 1 root root 985K Nov 23 04:13 
sysdig-trace.scap2<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">-rw-r--r-- 1 root root 985K Nov 23 04:13 sysdig-trace.scap3<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">-rw-r--r-- 1 root root 985K Nov 23 04:13 sysdig-trace.scap4<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As with real-time capture, you can apply filters to saved events. For example, to save 200 events generated by the process <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\">, type this command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -n 200 -w <\/span><span style=\"font-weight: 400;\">sysdig-trace-nano<\/span><span style=\"font-weight: 400;\">.scap proc.name=nano<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Then, in another terminal connected to your server, open a file with <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\"> and generate some events by typing text or saving the file. The events will be captured to <\/span><span style=\"font-weight: 400;\">sysdig-trace-nano.scap<\/span><span style=\"font-weight: 400;\"> until <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> records 200 events.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">How would you go about capturing all write events generated on your server? 
You would apply the filter like this:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -w <\/span><span style=\"font-weight: 400;\">sysdig-write-events<\/span><span style=\"font-weight: 400;\">.scap evt.type=write<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Press <\/span><span style=\"font-weight: 400;\">CTRL+C<\/span><span style=\"font-weight: 400;\"> after a few moments to exit.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can do a whole lot more when saving system activity to a file using <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\">, but these examples should have given you a pretty good idea of how to go about it. Let&#8217;s look at how to analyze these files.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Step_4_%E2%80%93_Reading_and_Analyzing_Event_Data_with_Sysdig\"><\/span><b>Step 4 \u2013 Reading and Analyzing Event Data with Sysdig<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Reading captured data from a file with Sysdig is as simple as passing the -r switch to the <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> command, like this:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -r <\/span><span style=\"font-weight: 400;\">sysdig-trace-file<\/span><span style=\"font-weight: 400;\">.scap<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">That will dump the entire content of the file to the screen, which is not really the best approach, especially if the file is large. 
Luckily, you can apply the same filters when reading the file that you applied to it while it was being written.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example, to read the <\/span><span style=\"font-weight: 400;\">sysdig-trace-nano.scap<\/span><span style=\"font-weight: 400;\"> trace file you created, but only look at a specific type of event, like write events, type this command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sysdig -r <\/span><span style=\"font-weight: 400;\">sysdig-trace-nano<\/span><span style=\"font-weight: 400;\">.scap evt.type=write<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The output should be similar to:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">21340 13:32:14.577121096 0 nano (27590) &lt; write res=1 data=.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21736 13:32:17.378737309 0 nano (27590) &gt; write fd=1 size=23<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21737 13:32:17.378748803 0 nano (27590) &lt; write res=23 data=#This is a test file..#<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21752 13:32:17.611797048 0 nano (27590) &gt; write fd=1 size=24<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21753 13:32:17.611808865 0 nano (27590) &lt; write res=24 data= This is a test file..# \u00a0<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21768 13:32:17.992495582 0 nano (27590) &gt; write fd=1 size=25<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21769 13:32:17.992504622 0 nano (27590) &lt; write res=25 data=TThis is a test file..# T<\/span><span style=\"font-weight: 400;\"><br 
\/>\n<\/span><span style=\"font-weight: 400;\">21848 13:32:18.338497906 0 nano (27590) &gt; write fd=1 size=25<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21849 13:32:18.338506469 0 nano (27590) &lt; write res=25 data=hThis is a test file..[5G<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21864 13:32:18.500692107 0 nano (27590) &gt; write fd=1 size=25<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21865 13:32:18.500714395 0 nano (27590) &lt; write res=25 data=iThis is a test file..[6G<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21880 13:32:18.529249448 0 nano (27590) &gt; write fd=1 size=25<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21881 13:32:18.529258664 0 nano (27590) &lt; write res=25 data=sThis is a test file..[7G<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">21896 13:32:18.620305802 0 nano (27590) &gt; write fd=1 size=25<\/span><\/p>\n<p><\/span><\/p>\n<p><span style=\"font-weight: 400;\">Notice that the data= field of each write to fd=1 (the terminal) contains the text being typed into the editor: this is what the trace file records for every process, not only for nano. Now let&#8217;s look at the contents of the file you saved in the previous section: the <\/span><span style=\"font-weight: 400;\">sysdig-write-events.scap<\/span><span style=\"font-weight: 400;\"> file. All events saved to it are write events, so the evt.type=write filter below is redundant, but it does no harm:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -r <\/span><span style=\"font-weight: 400;\">sysdig-write-events.scap<\/span><span style=\"font-weight: 400;\"> evt.type=write<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This is a partial output. 
You will see something like this if there was any SSH activity on the server when you captured the events:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">42585 19:58:03.040970004 0 gmain (14818) &lt; write res=8 data=&#8230;&#8230;..<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">42650 19:58:04.279052747 0 sshd (22863) &gt; write fd=3(&lt;4t&gt;11.11.11.11:43566-&gt;22.22.22.22:ssh) size=28<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">42651 19:58:04.279128102 0 sshd (22863) &lt; write res=28 data=.8c..jp&#8230;P&#8230;&#8230;..s.E&lt;&#8230;s.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">42780 19:58:06.046898181 0 sshd (12392) &gt; write fd=3(&lt;4t&gt;11.11.11.11:51282-&gt;22.22.22.22:ssh) size=28<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">42781 19:58:06.046969936 0 sshd (12392) &lt; write res=28 data=M~&#8230;&#8230;V&#8230;..Z&#8230;\\..o&#8230;N..<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">42974 19:58:09.338168745 0 sshd (22863) &gt; write fd=3(&lt;4t&gt;11.11.11.11:43566-&gt;22.22.22.22:ssh) size=28<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">42975 19:58:09.338221272 0 sshd (22863) &lt; write res=28 data=66..J.._s&amp;U.UL8..A&#8230;.U.qV.*<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43104 19:58:11.101315981 0 sshd (12392) &gt; write fd=3(&lt;4t&gt;11.11.11.11:51282-&gt;22.22.22.22:ssh) size=28<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43105 19:58:11.101366417 0 sshd (12392) &lt; write res=28 data=d).(&#8230;e&#8230;.l..D.*_e&#8230;}..!e<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 
43298">
400;\">43298 19:58:14.395655322 0 sshd (22863) &gt; write fd=3(&lt;4t&gt;11.11.11.11:43566-&gt;22.22.22.22:ssh) size=28<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43299 19:58:14.395701578 0 sshd (22863) &lt; write res=28 data=.|.o&#8230;.\\&#8230;V&#8230;2.$_&#8230;{3.3|<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43428 19:58:16.160703443 0 sshd (12392) &gt; write fd=3(&lt;4t&gt;11.11.11.11:51282-&gt;22.22.22.22:ssh) size=28<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43429 19:58:16.160788675 0 sshd (12392) &lt; write res=28 data=..Hf.%.Y.,.s&#8230;q&#8230;=..(.1De.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43622 19:58:19.451623249 0 sshd (22863) &gt; write fd=3(&lt;4t&gt;11.11.11.11:43566-&gt;22.22.22.22:ssh) size=28<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43623 19:58:19.451689929 0 sshd (22863) &lt; write res=28 data=.ZT^U.pN&#8230;.Q.z.!.i-Kp.o.y..<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">43752 19:58:21.216882561 0 sshd (12392) &gt; write fd=3(&lt;4t&gt;11.11.11.11:51282-&gt;22.22.22.22:ssh) size=28<\/span><\/p>\n<p><\/span><\/p>\n<p><span style=\"font-weight: 400;\">Notice that every sshd line in the preceding output contains either 11.11.11.11:43566-&gt;22.22.22.22:ssh or 11.11.11.11:51282-&gt;22.22.22.22:ssh. Those are two SSH sessions from the external IP address of the client, <\/span><span style=\"font-weight: 400;\">11.11.11.11<\/span><span style=\"font-weight: 400;\">, to the IP address of the server, <\/span><span style=\"font-weight: 400;\">22.22.22.22<\/span><span style=\"font-weight: 400;\">, each handled by its own sshd process (PIDs 22863 and 12392). These events occurred over your own SSH connections to the server, so they are expected. But are there other SSH write events that are not from this known client IP address? 
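43298">
To answer that question for a whole trace at once, here is an added example that is not part of the original tutorial: a short POSIX shell script that reads sysdig's default text output for sshd, pulls the remote address out of the TCP file-descriptor annotation (the <4t>client:port->server:ssh part visible in the lines above) and reports any peer that is not on an allowlist. The sample event lines are constructed to match that output format, and the allowlist containing only 11.11.11.11 is an assumption to replace with your own addresses; against a real trace you would pipe in `sudo sysdig -r sysdig-write-events.scap proc.name=sshd` instead of the sample.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: flag sshd peers that are
# not on an allowlist, working from sysdig's default text output.
# Assumptions: IPv4 TCP sockets only (sysdig marks them "<4t>"), and an
# allowlist of known admin addresses (11.11.11.11 here is a placeholder).

ALLOWED_CLIENTS="11.11.11.11"

# Constructed sample in the format printed by
#   sudo sysdig -r sysdig-write-events.scap proc.name=sshd
# (the gmain line stands in for non-sshd noise that must be ignored).
SAMPLE_EVENTS='42585 19:58:03.040970004 0 gmain (14818) < write res=8 data=........
42650 19:58:04.279052747 0 sshd (22863) > write fd=3(<4t>11.11.11.11:43566->22.22.22.22:ssh) size=28
42780 19:58:06.046898181 0 sshd (12392) > write fd=3(<4t>11.11.11.11:51282->22.22.22.22:ssh) size=28
294479 21:47:47.812314954 0 sshd (28766) > read fd=3(<4t>33.33.33.33:49802->22.22.22.22:ssh) size=1
294554 21:47:47.813383844 0 sshd (28767) > write fd=3(<4t>33.33.33.33:49802->22.22.22.22:ssh) size=976'

# Read sysdig output on stdin; print each distinct remote IP that sshd
# exchanged data with, one per line, sorted.
ssh_peers() {
    grep -F ' sshd (' |
        sed -n 's/.*<4t>\([0-9.]*\):[0-9]*->.*/\1/p' |
        sort -u
}

# Read sysdig output on stdin; print only the peers missing from
# ALLOWED_CLIENTS (space separated). Empty output means nothing unexpected.
unexpected_ssh_peers() {
    ssh_peers | awk -v allowed="$ALLOWED_CLIENTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok)'
}

# Stand-alone run over the constructed sample: prints 33.33.33.33.
printf '%s\n' "$SAMPLE_EVENTS" | unexpected_ssh_peers
```

Sysdig's own filter language can make the same selection in one expression (fd.rip!=11.11.11.11 and proc.name=sshd), and its -p option prints just the fields you want, for example -p "%proc.name %fd.rip". The script is for the case where the text output has already been collected, or where you want to run one check across traces from several hosts.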
It&#8217;s easy to find out.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are many comparison operators you can use with Sysdig. The first one you saw is =. Others are !=, &gt;, &gt;=, &lt;, and &lt;=, and individual comparisons can be combined with and, or and not. In the following command, fd.rip matches on the remote IP address of a socket. We&#8217;ll use the != comparison operator to look for events on connections from IP addresses other than <\/span><span style=\"font-weight: 400;\">11.11.11.11<\/span><span style=\"font-weight: 400;\">:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sysdig -r <\/span><span style=\"font-weight: 400;\">sysdig-write-events.scap<\/span><span style=\"font-weight: 400;\"> fd.rip!=<\/span><span style=\"font-weight: 400;\">11.11.11.11<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">A partial output is shown below. It reveals sshd handling a connection from an IP address that is not the known client. Because the filter is only on the remote address, every event type on that socket that the trace contains is printed, which is why reads and fcntl calls appear alongside writes here:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">294479 21:47:47.812314954 0 sshd (28766) &gt; read fd=3(&lt;4t&gt;33.33.33.33:49802-&gt;22.22.22.22:ssh) size=1<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294480 21:47:47.812315804 0 sshd (28766) &lt; read res=1 data=T<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294481 21:47:47.812316247 0 sshd (28766) &gt; read fd=3(&lt;4t&gt;33.33.33.33:49802-&gt;22.22.22.22:ssh) size=1<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294482 21:47:47.812317094 0 sshd (28766) &lt; read res=1 data=Y<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294483 21:47:47.812317547 0 sshd (28766) &gt; read fd=3(&lt;4t&gt;33.33.33.33:49802-&gt;22.22.22.22:ssh) size=1<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span 
style=\"font-weight: 400;\">294484 21:47:47.812318401 0 sshd (28766) &lt; read res=1 data=.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294485 21:47:47.812318901 0 sshd (28766) &gt; read fd=3(&lt;4t&gt;33.33.33.33:49802-&gt;22.22.22.22:ssh) size=1<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294486 21:47:47.812320884 0 sshd (28766) &lt; read res=1 data=.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294487 21:47:47.812349108 0 sshd (28766) &gt; fcntl fd=3(&lt;4t&gt;33.33.33.33:49802-&gt;22.22.22.22:ssh) cmd=4(F_GETFL)<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294488 21:47:47.812350355 0 sshd (28766) &lt; fcntl res=2(&lt;f&gt;\/dev\/null)<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294489 21:47:47.812351048 0 sshd (28766) &gt; fcntl fd=3(&lt;4t&gt;33.33.33.33:49802-&gt;22.22.22.22:ssh) cmd=5(F_SETFL)<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294490 21:47:47.812351918 0 sshd (28766) &lt; fcntl res=0(&lt;f&gt;\/dev\/null)<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294554 21:47:47.813383844 0 sshd (28767) &gt; write fd=3(&lt;4t&gt;33.33.33.33:49802-&gt;22.22.22.22:ssh) size=976<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294555 21:47:47.813395154 0 sshd (28767) &lt; write res=976 data=&#8230;&#8230;..zt&#8230;..L&#8230;..}&#8230;.curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-s<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">294691 21:47:48.039025654 0 sshd (28767) &gt; read fd=3(&lt;4t&gt;221.229.172.117:49802-&gt;45.55.71.190:ssh) size=8192<\/span><span style=\"font-weight: 400;\"><\/p>\n<p><\/span><\/p>\n<p><span style=\"font-weight: 
Further">
400;\">Further investigation showed that the rogue IP address <\/span><span style=\"font-weight: 400;\">33.33.33.33<\/span><span style=\"font-weight: 400;\"> belonged to a machine in China with no business connecting to this server. The trace also shows how far it got: the one-byte reads are sshd consuming the client&#8217;s identification string, and the 976-byte write that follows carries the server&#8217;s own key-exchange proposal (the visible curve25519-sha256@libssh.org,ecdh-sha2-nistp256 list), so the unknown client reached the start of SSH key exchange. Whether it got any further is not visible in this excerpt; check the authentication log for those timestamps, and consider restricting port 22 at the firewall to known client addresses. That&#8217;s just one example of how you can use Sysdig to keep a watchful eye on traffic hitting your server.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Let&#8217;s look at using some additional scripts to analyze the event stream.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Step_5_%E2%80%93_Using_Sysdig_Chisels_for_System_Monitoring_and_Analysis\"><\/span><b>Step 5 \u2013 Using Sysdig Chisels for System Monitoring and Analysis<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In Sysdig parlance, <\/span><i><span style=\"font-weight: 400;\">chisels<\/span><\/i><span style=\"font-weight: 400;\"> are Lua scripts that analyze the Sysdig event stream to perform useful actions. Close to 50 of them ship with every Sysdig installation, and you can view the list of chisels available on your system using this command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sysdig -cl<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Some of the more interesting chisels include:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">netstat: List (and optionally filter) network connections.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">shellshock_detect: Print <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/Shellshock_(software_bug)\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">shellshock<\/span><\/a><span style=\"font-weight: 400;\"> attacks.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spy_users: Display interactive user activity.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">list_login_shells: List the login shell IDs.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spy_ip: Show the data exchanged with the given IP address.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spy_port: Show the data exchanged using the given IP port number.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">spy_file: Echo any read or write made by any process to all files. Optionally, you can provide the name of a file to only intercept reads or writes to that file.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">httptop: Show the top HTTP requests.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">For a more detailed description of a chisel, including any associated arguments, use the <\/span><span style=\"font-weight: 400;\">-i<\/span><span style=\"font-weight: 400;\"> flag, followed by the name of the chisel. 
So, for example, to view more information about the <\/span><span style=\"font-weight: 400;\">netstat<\/span><span style=\"font-weight: 400;\"> chisel, type:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sysdig -i netstat<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Now that you know all you need to know about using that <\/span><span style=\"font-weight: 400;\">netstat<\/span><span style=\"font-weight: 400;\"> chisel, tap into its power to monitor your system by running:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -c netstat<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The output should be similar to the following:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Output<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Proto Server Address \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Client Address \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0State \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0TID\/PID\/Program Name<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">tcp \u00a0\u00a022.22.22.22:22 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a011.11.11.11:60422 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ESTABLISHED \u00a0\u00a0\u00a015567\/15567\/sshd<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">tcp \u00a0\u00a00.0.0.0:22 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00.0.0.0:* \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0LISTEN \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a01613\/1613\/sshd<\/span><span style=\"font-weight: 400;\"><\/p>\n<p><\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you see ESTABLISHED SSH connections 
from an IP address other than yours in the Client Address column, that should be a red flag, and you should investigate, for instance with the spy_ip chisel, which shows the data exchanged with a given address.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A far more interesting chisel is <\/span><span style=\"font-weight: 400;\">spy_users<\/span><span style=\"font-weight: 400;\">, which lets you view interactive user activity on the system.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Run this command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo sysdig -c spy_users<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Then, open a second terminal and connect to your server. Execute some commands in that second terminal, then return to your terminal running <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\">. The commands you typed in the second terminal will be echoed on the terminal that you executed the <\/span><span style=\"font-weight: 400;\">sysdig -c spy_users<\/span><span style=\"font-weight: 400;\"> command on. Note that this captures the command lines of every interactive user on the host, including any secrets passed as arguments, so reserve it for troubleshooting and investigations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Next, let&#8217;s explore Csysdig, an interactive terminal UI.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Step_6_%E2%80%93_Using_Csysdig_for_System_Monitoring_and_Analysis\"><\/span><b>Step 6 \u2013 Using Csysdig for System Monitoring and Analysis<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Csysdig is the other utility that comes with Sysdig. It has an interactive user interface that offers the same features available on the command line with <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\">. 
It&#8217;s like <\/span><span style=\"font-weight: 400;\">top<\/span><span style=\"font-weight: 400;\">, <\/span><span style=\"font-weight: 400;\">htop<\/span><span style=\"font-weight: 400;\"> and <\/span><span style=\"font-weight: 400;\">strace<\/span><span style=\"font-weight: 400;\">, but more feature-rich.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Like the <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> command, the <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> command can perform live monitoring and can capture events to a file for later analysis. But <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> gives you a more useful real time view of system data refreshed every two seconds. To see an example of that, type the following command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">That will open an interface like the one in the following figure, which shows event data generated by all users and applications on the monitored host.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At the bottom of the interface are several buttons you can use to access the different aspects of the program. Most notable is the Views button, which is akin to categories of metrics collected by <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\">. There are 29 views available out of the box, including Processes, System Calls, Threads, Containers, Processes CPU, Page Faults, Files, and Directories.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When you start <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> without arguments, you&#8217;ll see live events from the Processes view. 
By clicking on the Views button, or pressing the <\/span><span style=\"font-weight: 400;\">F2<\/span><span style=\"font-weight: 400;\"> key, you&#8217;ll see the list of available views, including a description of the columns. You may also view a description of the columns by pressing the <\/span><span style=\"font-weight: 400;\">F7<\/span><span style=\"font-weight: 400;\"> key or by clicking the Legend button. And a summary man page of the application itself (<\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\">) is accessible by pressing the <\/span><span style=\"font-weight: 400;\">F1<\/span><span style=\"font-weight: 400;\"> key or clicking on the Help button.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The following image shows a listing of the application&#8217;s Views interface.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Notes: For every button, there&#8217;s a corresponding keyboard shortcut, or hotkey, to the left side of the button. Pressing a shortcut key twice will get you back to the previous window. Pressing the <\/span><span style=\"font-weight: 400;\">ESC<\/span><span style=\"font-weight: 400;\"> key will achieve the same result.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Though you can run <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> without any options and arguments, the command&#8217;s syntax, as with <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\">&#8216;s, usually takes this form:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig [option]&#8230; \u00a0[filter]<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The most common option is -d, which is used to modify the delay between updates in milliseconds. 
For example, to view <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> output updated every 10 seconds, instead of the default of 2 seconds, type:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig -d 10000<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">You can exclude the user and group information from views with the -E option:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig -E<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This can make <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> start up faster, but the speed gain is negligible in most situations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To instruct <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> to stop capturing after a certain number of events, use the -n option. The application will exit after that number has been reached. 
Use a large count; with a small one the limit is reached before the interface has been drawn, so you won&#8217;t even see the <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> UI:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig -n 100000<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">To analyze a trace file, pass <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> the -r option, like so:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig -r <\/span><span style=\"font-weight: 400;\">sysdig-trace-file<\/span><span style=\"font-weight: 400;\">.scap<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">You can use the same filters you used with <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> to restrict <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\">&#8216;s output. So, for example, rather than viewing event data generated by all users on the system, you can filter the output by user by launching <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> with the following command, which will show only event data generated by the root user:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig user.name=root<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The output should be similar to the one shown in the following image, although the output will reflect what&#8217;s running on your server:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To view the output for an executable generating an event, pass the filter the name of the binary without the path. 
The following example will show only the events generated by the <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\"> command; in the Files view, for instance, that means the files <\/span><span style=\"font-weight: 400;\">nano<\/span><span style=\"font-weight: 400;\"> has open:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig proc.name=nano<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">There are several dozen filter fields available, which you can list with the following command:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">sudo csysdig -l<\/span><span style=\"font-weight: 400;\">\n<p><\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">You&#8217;ll notice that that is the same option you used to view the filter fields available with the <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> command. So <\/span><span style=\"font-weight: 400;\">sysdig<\/span><span style=\"font-weight: 400;\"> and <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> are just about the same. The main difference is that <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> comes with a mouse-friendly interactive UI. 
To exit <\/span><span style=\"font-weight: 400;\">csysdig<\/span><span style=\"font-weight: 400;\"> at any time, press the <\/span><span style=\"font-weight: 400;\">Q<\/span><span style=\"font-weight: 400;\"> key on your keyboard.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><b>Conclusion<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Sysdig helps you monitor and troubleshoot your server. It gives deep insight into all the system activity on a monitored host, including activity generated by application containers. Although this tutorial didn&#8217;t cover containers specifically, the ability to monitor system activity generated by containers is what sets Sysdig apart from similar applications. Because a trace records every process&#8217;s system calls together with the leading bytes of their data, Sysdig is also a capable forensic tool: capture to a file during an incident and analyze it offline with the same filters and chisels you used here. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sysdig&#8217;s chisels are a powerful extension of the core Sysdig functionality. They&#8217;re written in Lua, so you can always customize them or write one from scratch. <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>INTRODUCTION &nbsp; Sysdig is a open-source system which actives monitoring, capture and analysis application.It provides a powerful filtering language with customizable output, and core functionality that can be extended with Lua scripts called chisels. 
&nbsp; This application works by tapping into the kernel, which allows it to see every system<\/p>\n","protected":false},"author":3,"featured_media":918,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3],"tags":[],"class_list":["post-917","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorial-how-to"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/www.virtono.com\/community\/wp-content\/uploads\/2017\/05\/swq.svg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-eN","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":235,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/lamp-technology\/","url_meta":{"origin":917,"position":0},"title":"LAMP TECHNOLOGY","author":"Daniel Draga","date":"July 30, 2016","format":false,"excerpt":"LAMP STANDS FOR: L:Linux A:Apache M:MySQL P:PHP What is LAMP? LAMP is a shorthand term for a web application platform consisting of Linux, Apache, MySQL and one of Perl or PHP. 
Lamp is an\u00a0 OPENSOURCE Together, these open source tools provide a world-class platform for deploying web applications TECHNOLOGIES USED\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-1.png?fit=1200%2C750&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-1.png?fit=1200%2C750&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-1.png?fit=1200%2C750&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-1.png?fit=1200%2C750&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic-1.png?fit=1200%2C750&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":97,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/what-is-the-difference-between-kvm-and-openvz-virtualization\/","url_meta":{"origin":917,"position":1},"title":"What is the difference between KVM and OpenVZ virtualization?","author":"Virtono","date":"July 18, 2016","format":false,"excerpt":"\u00a0 VS \u00a0What is the difference between KVM and OpenVZ? Usually this question arises when a person is looking for a Virtual Private Server, it\u2019s a dilemma, isn\u2019t it? 
Weighing the pros and cons but one thing that should be kept in mind is that out of these two, there\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/1-2.jpg?fit=1024%2C768&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/1-2.jpg?fit=1024%2C768&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/1-2.jpg?fit=1024%2C768&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/1-2.jpg?fit=1024%2C768&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1370,"url":"https:\/\/www.virtono.com\/community\/internet-and-technology-news\/how-dtrace-could-come-to-linux\/","url_meta":{"origin":917,"position":2},"title":"How Dtrace could come to Linux","author":"Shreyash Sharma","date":"February 25, 2018","format":false,"excerpt":"Without much notice, Oracle has changed the license of Dtrace.\u00a0The tool adopted by Sun could theoretically be incorporated into the main branch of\u00a0Linux\u00a0.\u00a0This is probably not the case. 
Already half a year ago Oracle put the license of the kernel module for the analysis tool Dtrace under the GPLv2.\u00a0This is\u00a0what\u00a0Red\u2026","rel":"","context":"In &quot;IT News&quot;","block_context":{"text":"IT News","link":"https:\/\/www.virtono.com\/community\/category\/internet-and-technology-news\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2018\/02\/bcc_tracing_tools_2016.png?fit=1200%2C840&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2018\/02\/bcc_tracing_tools_2016.png?fit=1200%2C840&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2018\/02\/bcc_tracing_tools_2016.png?fit=1200%2C840&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2018\/02\/bcc_tracing_tools_2016.png?fit=1200%2C840&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2018\/02\/bcc_tracing_tools_2016.png?fit=1200%2C840&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":1341,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/compiling-linux-kernels-under-ubuntu-or-debian-2\/","url_meta":{"origin":917,"position":3},"title":"Compiling Linux kernels under Ubuntu or Debian","author":"Shreyash Sharma","date":"February 21, 2018","format":false,"excerpt":"Compiling a Linux kernel is not an everyday occurrence for most administrators.\u00a0It is all the more important\u00a0to know\u00a0the right\u00a0tools\u00a0when the time comes.\u00a0The following article shows examples of how Mainline \/ Vanilla Kernel and the distribution-specific\u00a0kernel are compiled\u00a0. 
\u00a0 Install required software The following packages are needed to compile: $ sudo\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2018\/02\/kernel1.png?fit=400%2C225&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":1243,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/compiling-linux-kernels-under-ubuntu-or-debian\/","url_meta":{"origin":917,"position":4},"title":"Compiling Linux kernels under Ubuntu or Debian","author":"Daniel Draga","date":"November 6, 2017","format":false,"excerpt":"Compiling a Linux kernel is not an everyday occurrence for most administrators.\u00a0It is all the more important\u00a0to know\u00a0the right\u00a0tools\u00a0when the time comes.\u00a0The following article shows examples of how Mainline \/ Vanilla Kernel and the distribution-specific\u00a0kernel are compiled. 
Install required software The following packages are needed to compile: $ sudo apt-get\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/517444-636210253990788094_270x480_thumb.jpg?fit=480%2C270&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":1256,"url":"https:\/\/www.virtono.com\/community\/internet-and-technology-news\/google-disassembles-usb-stack-of-the-linux-kernel\/","url_meta":{"origin":917,"position":5},"title":"Google disassembles USB stack of the Linux kernel","author":"Daniel Draga","date":"November 9, 2017","format":false,"excerpt":"With a special fuzzer for kernel system calls from\u00a0Google\u00a0, extremely many bugs have been found in the USB stack of the\u00a0Linux kernel\u00a0.\u00a0Many of them are classified as critical vulnerabilities, which is true for all kernel bugs. 
The Syzkaller tool, created and developed with Google support, is intended to fuzzy operating\u2026","rel":"","context":"In &quot;IT News&quot;","block_context":{"text":"IT News","link":"https:\/\/www.virtono.com\/community\/category\/internet-and-technology-news\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/google-linux.png?fit=1200%2C569&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/google-linux.png?fit=1200%2C569&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/google-linux.png?fit=1200%2C569&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/google-linux.png?fit=1200%2C569&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/11\/google-linux.png?fit=1200%2C569&ssl=1&resize=1050%2C600 
3x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/917","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/comments?post=917"}],"version-history":[{"count":1,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/917\/revisions"}],"predecessor-version":[{"id":919,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/917\/revisions\/919"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media\/918"}],"wp:attachment":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media?parent=917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/categories?post=917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/tags?post=917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}