
sysdig: a tool for system analysis and troubleshooting

【Introduction】

https://github.com/draios/sysdig

【Installation】

Installation steps:

CentOS, RHEL, Fedora, Amazon Linux

Trust the Draios GPG key and configure the yum repository:

rpm --import https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
curl -s -o /etc/yum.repos.d/draios.repo https://s3.amazonaws.com/download.draios.com/stable/rpm/draios.repo

Install the EPEL repository (Note: the following command is required only if DKMS is not available in the distribution; you can verify whether DKMS is available with yum list dkms):

rpm -i https://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm

Install the kernel headers (Warning: the following command might not work with every kernel; make sure to customize the package name properly):

yum -y install kernel-devel-$(uname -r)

Install sysdig:

yum -y install sysdig

【Usage】

sysdig -cl lists the available chisels, grouped by category:

[loki@loki-c7t1 ~]$ sysdig -cl |more

Category: Application  # application
---------------------
httplog         HTTP requests log
httptop         Top HTTP requests
memcachelog     memcached requests log

Category: CPU Usage  # CPU usage
-------------------
spectrogram        Visualize OS latency in real time.
subsecoffset       Visualize subsecond offset execution time.
topcontainers_cpu  Top containers by CPU usage
topprocs_cpu       Top processes by CPU usage

Category: Errors  # error information
----------------
topcontainers_error  Top containers by number of errors
topfiles_errors      Top files by number of errors
topprocs_errors      top processes by number of errors

Category: I/O  # disk I/O
-------------
echo_fds            Print the data read and written by processes.
fdbytes_by          I/O bytes, aggregated by an arbitrary filter field
fdcount_by          FD count, aggregated by an arbitrary filter field
fdtime_by           FD time group by
iobytes             Sum of I/O bytes on any type of FD
iobytes_file        Sum of file I/O bytes
spy_file            Echo any read/write made by any process to all files. Optionally, you can provide the name of one file to only intercept reads/writes to that file.
stderr              Print stderr of processes
stdin               Print stdin of processes
stdout              Print stdout of processes
topcontainers_file  Top containers by R+W disk bytes
topfiles_bytes      Top files by R+W bytes
topfiles_time       Top files by time
topprocs_file       Top processes by R+W disk bytes
udp_extract         extract data from UDP streams to files.

Category: Logs  # system logs
--------------
spy_logs    Echo any write made by any process to a log file. Optionally, export the events around each log message to file.
spy_syslog  Print every message written to syslog. Optionally, export the events around each syslog message to file.

Category: Misc
--------------
around      Export to file the events around the time range where the given filter matches.

Category: Net  # network
-------------
iobytes_net        Show total network I/O bytes
spy_ip             Show the data exchanged with the given IP address
spy_port           Show the data exchanged using the given IP port number
topconns           Top network connections by total bytes
topcontainers_net  Top containers by network I/O
topports_server    Top TCP/UDP server ports by R+W bytes
topprocs_net       Top processes by network I/O

Category: Performance  # performance
---------------------
bottlenecks      Slowest system calls
fileslower       Trace slow file I/O
netlower         Trace slow network I/0
proc_exec_time   Show process execution time
scallslower      Trace slow syscalls
topscalls        Top system calls by number of calls
topscalls_time   Top system calls by time

Category: Security  # security
------------------
list_login_shells  List the login shell IDs
shellshock_detect  print shellshock attacks
spy_users          Display interactive user activity

Category: System State  # system state
----------------------
lscontainers  List the running containers
lsof          List (and optionally filter) the open file descriptors.
netstat       List (and optionally filter) network connections.
ps            List (and optionally filter) the machine processes.

Category: Tracers
-----------------
tracers_2_statsd  Export spans duration as statds metrics.

Use the -i flag to get detailed information about a specific chisel

# Use -i to view the detailed description of a specific chisel

sysdig -i topcontainers_cpu

# Monitor interactive user activity

First create a directory yourself to hold the capture files: mkdir -p /log/sysdig/

-z  compress the capture file

-w  write the captured events to a file

-r  read captured events back from a file

# Start recording the commands the current users are running

sudo sysdig -z -w /log/sysdig/loki.gz -c spy_users

# Read back the recorded user activity

sysdig -r /log/sysdig/loki.gz -c spy_users

# View the files with the most R+W bytes

sysdig -c topfiles_bytes

# View the processes using the most network bandwidth

sysdig -c topprocs_net

# Show the network data exchanged with host 192.168.x.x

as binary:
sysdig -s2000 -X -c echo_fds fd.cip=192.168.x.x
as ASCII:
sysdig -s2000 -A -c echo_fds fd.cip=192.168.x.x

# View the server ports with the most connection traffic

sysdig -c fdbytes_by fd.sport

# View the client IPs with the most connection traffic

sysdig -c fdbytes_by fd.cip

# View the processes with the highest CPU usage

sysdig -c topprocs_cpu

# List all accesses (process name and fd name) that do not come from the apache service

sysdig -p"%proc.name %fd.name" "proc.name!=httpd"
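As an added example (not from the original post or the sysdig project), the following script post-processes the text produced by the command above once it is saved to a file: it maps each non-httpd process to the files and sockets it touched and flags any process that opened a sensitive path. The sample lines are constructed, and it is assumed that sysdig prints "<NA>" for the fd name of events that carry no fd.

```python
# Added example (not from the original post): post-process the text saved from
#   sysdig -p"%proc.name %fd.name" "proc.name!=httpd" > access.log
# to see which non-httpd processes touched which files and sockets, and to
# flag access to sensitive paths. The sample lines are constructed; "<NA>"
# is assumed to be what sysdig prints when an event carries no fd.
from collections import defaultdict

SAMPLE_OUTPUT = """\
bash /dev/pts/0
cat /etc/passwd
cat /etc/shadow
sshd 192.168.1.20:52314->192.168.1.10:22
bash <NA>
python3 /var/www/app/config.py
python3 127.0.0.1:43120->127.0.0.1:3306
"""

SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/sudoers", "/root/.ssh")

def parse_access_lines(text):
    """Map each process name to the sorted fd names it used.

    Each line is '<proc.name> <fd.name>'; fd.name may contain spaces, so the
    line is split only once. Events without an fd ('<NA>') are skipped.
    """
    summary = defaultdict(set)
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[1] == "<NA>":
            continue
        summary[parts[0]].add(parts[1])
    return {proc: sorted(fds) for proc, fds in summary.items()}

def split_file_and_net(fds):
    """Separate socket fds (rendered 'src->dst' by sysdig) from file paths."""
    net = [fd for fd in fds if "->" in fd]
    files = [fd for fd in fds if "->" not in fd]
    return files, net

def flag_sensitive(summary, prefixes=SENSITIVE_PREFIXES):
    """Return {proc: [paths]} for processes that opened a sensitive path."""
    hits = {}
    for proc, fds in summary.items():
        files, _ = split_file_and_net(fds)
        matched = [f for f in files if f.startswith(prefixes)]
        if matched:
            hits[proc] = matched
    return hits
```

To run it on a real capture, pass the saved file's contents to parse_access_lines() and hand the result to flag_sensitive().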

# View all HTTP requests on the machine

sudo sysdig -s 2000 -A -c echo_fds fd.port=80 and evt.buffer contains GET

References:

https://www.oschina.net/p/sysdig

https://github.com/draios/sysdig/wiki/sysdig-examples