Installing #curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bashListing chisels #sysdig -clListing fields to filter #sysdig -lUsing a chisel #sysdig -c topprocs_cpuWriting events to file #sysdig -z -w tracefile.scap.gzReading events from file and use a chisel #sysdig -z -r tracefile.scap.gz -c topprocs_cpuFiltering events for a specific process #sysdig proc.name=sshdFiltering events for a specific file #sysdig fd.name=/var/log/auth.logFiltering events for files that contain /etc #sysdig fd.name contains /etc#sysdig evt.args contains /bin/ls#sysdig fd.ip=1.2.3.4#sysdig fd.l4proto=udpFormating the output #sysdig -p '%evt.arg.path' 'evt.type=chdir and user.name=root'Information about all chisels #sysdig -cl | grep -P '^\w' | awk '{print $1}' | grep -v -e Category -e Use | xargs -L 1 sysdig -iInteresting chisels #sysdig -c topprocs_cpu#sysdig -c echo_fds -s 2000 -A proc.name=httpd#sysdig -c echo_fds -s 2000 -A fd.port=80 and evt.buffer contains GET#sysdig -c spy_file 'RW /var/log/syslog'#sysdig -c spy_logs#sysdig -c spy_syslog#sysdig -c spy_ip 1.2.3.4#sysdig -c spy_port 443#sysdig -c topconns#sysdig -c topprocs_net#sysdig -c spy_users 0|1#sysdig -c lsof#sysdig -c netstat#sysdig -c ps#sysdig -c topfiles_bytes proc.name contains tar#sysdig -c list_login_shells ncat#sysdig -c spy_users proc.loginshellid=1234#sysdig -c stdin -c stdout proc.name=cat
Reference
https://github.com/draios/sysdig/wiki
No comments:
Post a Comment