sysdig: notes on using sysdig

"strace + tcpdump + lsof + an awesome sauce with Lua cherries on top" :)

It can analyse the live state of a Linux system, and it can also save that state to a dump file for offline inspection. You can customise sysdig's behaviour, or even extend it with small scripts called chisels, which ship built in (you can also write your own). Each chisel analyses the event stream sysdig captured in whatever style the script specifies.

Installation and configuration

0. Official site

http://www.sysdig.org/

==================================================

1. Download

git clone https://github.com/draios/sysdig.git

CentOS 7:

yum install cmake make gcc gcc-c++

2. Build

yum install kernel-devel

rm -f CMakeCache.txt

mkdir build

cd build

cmake ..

make

==================================================

3. Install

make install

==================================================

4. Load the kernel module (make left it in build/driver/, so run this from the build directory; it must have been built against the headers of the running kernel)

cd driver/

insmod sysdig-probe.ko

==================================================

cmake > 2.8.2 is required

If the distribution's cmake is older, download the CMake source package

Extract it, change into the extracted directory, and run:

./bootstrap && make && make install

==================================================

How to Install Sysdig from the Source Code

Note: this content is mirrored from the sysdig github repository. Please go there to edit or contribute to the sysdig wiki.

NOTE: sysdig can be compiled under Linux, OSX and Windows, but only the Linux version is capable of capturing events and doing live analysis. On the other platforms, you will be limited to working with the trace files generated by a Linux installation of sysdig.

Linux and OSX

Requirements

GCC/G++ > 4.4 (Linux) or Clang (for OSX)

Linux kernel headers

CMake > 2.8.2

For Linux, the following kernel options must be enabled (usually they are, unless a custom built kernel is used):

CONFIG_TRACEPOINTS

CONFIG_HAVE_SYSCALL_TRACEPOINTS

Installation Instructions

1. Download the sysdig github repository to your local machine

2. From the command line, navigate to the sysdig repository on your local machine

3. Run the following commands:

mkdir build

cd build

cmake ..

make

make install

This will just install sysdig and chisels, the compiled kernel module (needed for live capture and built on Linux only) will stay in build/driver/sysdig-probe.ko (which can be manually loaded with insmod). If you want to install the driver in the current kernel modules directory, then use (as root):

make install_driver

Build options

To manually specify the installation target directory, use:

cmake -DCMAKE_INSTALL_PREFIX=/my/prefix ..

By default the make target will compile the kernel module as well. If you prefer to not do that (e.g. you're not interested in the live capture feature or you are making a package), then you can do:

cmake -DBUILD_DRIVER=OFF

By default the bundled version of LuaJIT will be built and linked statically. If you prefer to use the system one, then you can do:

cmake -DUSE_BUNDLED_LUAJIT=OFF ..

Or, if LuaJIT is installed in a non-standard path:

cmake -DUSE_BUNDLED_LUAJIT=OFF -DLUAJIT_PREFIX=/opt/superluajit ..

By default the bundled version of JsonCpp will be built and linked statically. If you prefer to use the system one, then you can do:

cmake -DUSE_BUNDLED_JSONCPP=OFF ..

Or, if JsonCpp is installed in a non-standard path:

cmake -DUSE_BUNDLED_JSONCPP=OFF -DJSONCPP_PREFIX=/opt/superjson ..

By default the bundled version of zlib will be built and linked statically. If you prefer to use the system one, then you can do:

cmake -DUSE_BUNDLED_ZLIB=OFF ..

Or, if zlib is installed in a non-standard path:

cmake -DUSE_BUNDLED_ZLIB=OFF -DZLIB_PREFIX=/opt/superzlib ..

If you plan on making changes to the sysdig code, it can be handy to compile everything in debug mode, so that assertions are enabled and can save you some time troubleshooting issues:

cmake -DCMAKE_BUILD_TYPE=Debug ..
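The following is an added example, not code from the original post or from the sysdig project. It turns the prerequisites named in the wiki text (GCC 4.4+, CMake 2.8.2+, kernel headers, CONFIG_TRACEPOINTS and CONFIG_HAVE_SYSCALL_TRACEPOINTS) into a pre-flight check, then runs the build and install steps given both in the numbered notes at the top of the page and in the "Linux and OSX" instructions above. The function names, the /boot/config-$(uname -r) and /proc/config.gz locations, the /lib/modules/$(uname -r)/build headers path and the depmod/modprobe step after `make install_driver` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the sysdig project: check the
# build prerequisites named in the text, then run the build/install steps.
# Assumptions: kernel config lives in /boot/config-$(uname -r) or /proc/config.gz,
# kernel headers in /lib/modules/$(uname -r)/build, and `make install_driver`
# leaves the module where depmod/modprobe can find it.

# version_ge A B: true when dotted version A is B or newer (2.8.12 >= 2.8.2).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                 # leading component of each
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}     # tolerate "5-rc1"-style suffixes
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# kconfig_enabled OPTION FILE: true when OPTION=y in a kernel .config file.
kconfig_enabled() {
    grep -q "^$1=y\$" "$2"
}

# kernel_config: print the running kernel's .config (assumed locations).
kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        return 1
    fi
}

# preflight: report every unmet requirement; returns non-zero if any is unmet.
preflight() {
    rc=0
    cmake_v=$(cmake --version 2>/dev/null | sed -n '1s/.*version \([0-9.]*\).*/\1/p')
    gcc_v=$(gcc -dumpversion 2>/dev/null)
    version_ge "${cmake_v:-0}" 2.8.2 || { echo "need CMake 2.8.2+, found ${cmake_v:-none}"; rc=1; }
    version_ge "${gcc_v:-0}" 4.4     || { echo "need GCC 4.4+, found ${gcc_v:-none}"; rc=1; }
    # the module must be built against the headers of the kernel that will load it
    [ -d "/lib/modules/$(uname -r)/build" ] \
        || { echo "no headers for $(uname -r) (yum install kernel-devel)"; rc=1; }
    cfg=$(mktemp)
    if kernel_config > "$cfg"; then
        for opt in CONFIG_TRACEPOINTS CONFIG_HAVE_SYSCALL_TRACEPOINTS; do
            kconfig_enabled "$opt" "$cfg" || { echo "$opt is not enabled"; rc=1; }
        done
    else
        echo "warning: kernel config not found, tracepoint options unverified"
    fi
    rm -f "$cfg"
    return $rc
}

# build_and_install [PREFIX]: the steps from the post and the wiki, run as root
# in a subshell so the cd's do not leak into the caller.
build_and_install() (
    set -e
    prefix=${1:-/usr/local}
    git clone https://github.com/draios/sysdig.git
    cd sysdig
    rm -rf build && mkdir build && cd build
    cmake -DCMAKE_INSTALL_PREFIX="$prefix" ..
    make
    make install
    make install_driver          # instead of a manual insmod of driver/sysdig-probe.ko
    depmod -a && modprobe sysdig-probe
    lsmod | grep -q '^sysdig_probe' || { echo "sysdig-probe did not load"; exit 1; }
    sysdig -cl > /dev/null && echo "sysdig $(sysdig --version) ready"
)

# usage (not run here): preflight && build_and_install /usr/local
```

Run `preflight` before touching the source tree: the most common reason the module refuses to load is that the kernel-devel package does not match the running kernel, which this check catches before the build. The tracepoint options are read from the running kernel's config because the wiki's note ("usually they are enabled") does not hold for custom kernels.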

Windows

Requirements

Windows 7 SP1 (x86 and x64) or higher

Visual Studio Express 2013 for Windows Desktop (download page)

cmake for Windows (download page)

Installation Instructions

1. Download the sysdig github repository to your local machine

2. Open a Developer Command Prompt and navigate to the sysdig repository on your local machine

3. Run the following commands:

md build

cd build

cmake -G "Visual Studio 12 Win64" ..

msbuild sysdig.sln /p:Configuration=Release

The previous steps compile sysdig as a 64bit executable. If you want to build a 32bit executable, replace the cmake command with

cmake -G"Visual Studio 12" ..

If you plan on making changes to the sysdig code, it can be handy to compile everything in debug mode, so that assertions are enabled and can save you some time troubleshooting issues:

msbuild sysdig.sln /p:Configuration=Debug

Also, if you want to use Visual Studio IDE, it is suggested to change the following settings:

Default project: Make the project sysdig the StartUp Project

Command: Change the Debugging / Command parameter to $(SolutionDir)$(Configuration)\$(TargetFileName)

Working Directory: Change the Debugging / Working Directory parameter to $(SolutionDir)$(Configuration)\

==================================================

sysdig -cl

Category: CPU Usage

-------------------

topprocs_cpu Top processes by CPU usage

Category: Errors

----------------

topfiles_errors top files by number of errors

topprocs_errors top processes by number of errors

Category: I/O

-------------

echo_fds Print the data read and written by processes.

fdbytes_by I/O bytes, aggregated by an arbitrary filter field

fdcount_by FD count, aggregated by an arbitrary filter field

iobytes Sum of I/O bytes on any type of FD

iobytes_file Sum of file I/O bytes

spy_file Echo any read/write made by any process to all files. Optionally, you can provide the name of one file to only intercept reads/writes to that file.

stderr Print stderr of processes

stdin Print stdin of processes

stdout Print stdout of processes

topfiles_bytes Top files by R+W bytes

topfiles_time Top files by time

topprocs_file Top processes by R+W disk bytes

Category: Logs

--------------

spy_logs Echo any write made by any process to a log file. Optionally, export the events around each log message to file.

spy_syslog Print every message written to syslog. Optionally, export the events around each syslog message to file.

Category: Misc

--------------

around Export to file the events around the where the given filter matches.

Category: Net

-------------

iobytes_net Show total network I/O bytes

spy_ip Show the data exchanged with the given IP address

spy_port Show the data exchanged using the given IP port number

topconns top network connections by total bytes

topports_server Top TCP/UDP server ports by R+W bytes

topprocs_net Top processes by network I/O

Category: Performance

---------------------

bottlenecks Slowest system calls

fileslower Trace slow file I/O

netlower Trace slow network I/O

proc_exec_time Show process execution time

scallslower Trace slow syscalls

topscalls Top system calls by number of calls

topscalls_time Top system calls by time

Category: Security

------------------

list_login_shells List the login shell IDs

shellshock_detect print shellshock attacks

spy_users Display interactive user activity

Category: System State

----------------------

lsof List (and optionally filter) the open file descriptors.

netstat List (and optionally filter) network connections.

ps List (and optionally filter) the machine processes.

Use the -i flag to get detailed information about a specific chisel
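As an added example (not from the original post or from the sysdig project), the script below parses the `sysdig -cl` listing above, rejoining the descriptions that sysdig wraps mid-word at a fixed width, and replays every chisel of one category against a saved capture instead of running them live. The sample listing is constructed (an abridged copy of the output above); `parse_chisels`, `chisels_in_category` and `replay_category` are this example's own names, while `sysdig -cl`, `-r` and `-c` are real sysdig options.

```shell
#!/bin/sh
# Added example, not from the original post or the sysdig project: script over
# the `sysdig -cl` inventory so that a whole category of chisels can be run
# against a capture file taken with `sysdig -w` on another host.

# Constructed sample of `sysdig -cl` output (abridged from the listing above);
# sysdig wraps long descriptions at a fixed width, even in the middle of a word.
SAMPLE_CL='Category: Logs
--------------
spy_logs        Echo any write made by any process to a log file. Optionall
                y, export the events around each log message to file.

Category: Security
------------------
list_login_shells List the login shell IDs
shellshock_detect print shellshock attacks
spy_users         Display interactive user activity

Use the -i flag to get detailed information about a specific chisel'

# parse_chisels: read `sysdig -cl` text on stdin and print one
# "category<TAB>name<TAB>description" line per chisel.
parse_chisels() {
    awk '
        /^Category: / { emit(); cat = substr($0, 11); next }
        /^-+$/        { next }
        /^Use the -i/ { next }
        /^[A-Za-z0-9_]+[ \t]/ {              # a chisel line starts with its name
            emit()
            name = $1
            desc = substr($0, index($0, $1) + length($1))
            sub(/^[ \t]+/, "", desc)
            next
        }
        /^[ \t]+[^ \t]/ && name != "" {      # indented continuation of a wrapped description
            line = $0; sub(/^[ \t]+/, "", line)
            desc = desc line                 # no separator: the break is usually mid-word
            next
        }
        { emit() }                           # blank line closes the current entry
        function emit() {
            if (name != "") printf "%s\t%s\t%s\n", cat, name, desc
            name = ""; desc = ""
        }
        END { emit() }
    '
}

# chisels_in_category CATEGORY: names of the chisels in one category (stdin = `sysdig -cl`).
chisels_in_category() {
    parse_chisels | awk -F '\t' -v want="$1" '$1 == want { print $2 }'
}

# replay_category CAPTURE CATEGORY: run every chisel of CATEGORY against a saved
# capture (sysdig -r), so the analysis does not run on the host under investigation.
replay_category() {
    capture=$1; category=$2
    for c in $(sysdig -cl | chisels_in_category "$category"); do
        printf '=== %s ===\n' "$c"
        sysdig -r "$capture" -c "$c"
    done
}

# usage (not run here):
#   on the host:      sysdig -w /tmp/host.scap
#   on the analyst:   replay_category /tmp/host.scap Security
```

Joining continuation lines without a separator reproduces sysdig's chunking exactly when the break falls inside a word; when it happens to fall on a word boundary the joined text loses one space, which is harmless for matching on the chisel name. Replaying from a capture is the workflow the introduction hints at: the dump file can be copied off a suspect machine and the Security chisels (spy_users, shellshock_detect, list_login_shells) run where a compromised kernel or tampered binaries cannot influence the result.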

==============================

http://os.51cto.com/art/201412/458595_1.htm
