Installing and Using Sysdig on Debian 12 or 11 Linux

Sysdig is an open-source tool that can be installed easily on Debian 12 (bookworm), 11 (bullseye) and other Linux systems to capture, filter, and analyze the state of a system, including its activities. The key purpose of this tool is to provide information about the performance and behavior of applications, and security monitoring, across physical, virtual, and containerized environments.

It is an alternative to top, iotop, iftop, strace, tcpdump, htop, lsof and transaction tracing. It provides a complete overview of the usage of CPU, memory, IO, users, and more, directly in the terminal in a well-structured interface. Sysdig can be installed on almost all operating systems, even on Windows and OS X.

Installing Sysdig on Debian 12 or 11

1. Add the Draios Repository for Sysdig

Well, we don't need to add any additional repository on Debian 12 or 11 to install Sysdig. However, the version of this monitoring platform available from Debian's own repositories will not be the latest one.

Therefore, those who would rather not add an external repository can use the APT command given below, which installs Sysdig from the system repository:

sudo apt install sysdig

However, for the latest version, use the following commands.

On the GitHub page of Sysdig, the developers point to a repository called Draios that carries the latest version of this system monitoring software.

Using the terminal, first add the required GPG key (curl's -f flag makes the download fail loudly instead of piping an HTTP error page into gpg):

curl -fsSL https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | gpg --dearmor | sudo tee /usr/share/keyrings/DRAIOS-GPG-KEY.gpg

After that, add the official Draios repository for Sysdig. The repository path ends with the Debian architecture name (amd64 or arm64), which dpkg --print-architecture resolves for the current machine:

echo "deb [signed-by=/usr/share/keyrings/DRAIOS-GPG-KEY.gpg] https://download.sysdig.com/stable/deb stable-$(dpkg --print-architecture)/" | sudo tee /etc/apt/sources.list.d/draios.list

2. Execute the Debian Update command

After adding the repository in the previous step, run the system update command so that our Debian system recognizes the packages available through the added repo:

sudo apt update && sudo apt upgrade -y

3. Installing Sysdig on Debian 12 or 11

Well, the command to install Sysdig is the same one we discussed in Step 1; however, after adding its official repository, the version available will be the latest one. In the given command we also install the kernel headers for the running kernel, which Sysdig needs in order to build its kernel module.

sudo apt install linux-headers-$(uname -r) sysdig

Note (optional): To install a specific version of Sysdig, you can mention it in the above command. For example, to install the older version 29 of Sysdig, the command looks like this; just replace the "version-number" text with the exact version you want to install:

sudo apt install linux-headers-$(uname -r) sysdig=version-number

Note: if you don't use linux-headers-$(uname -r) in the above command when installing Sysdig, you may later get the following error when running it:

“Unable to load the driver error opening device /dev/scap0. Make sure you have root credentials and that the scap module is loaded: No such file or directory”

To check the available versions, use the following:

sudo apt-cache policy sysdig

4. To Check Version

By following the commands above you will have Sysdig installed on your Debian system; to confirm this, check its version:

sysdig --version
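Steps 1 to 4 as one script, added here as an example and not taken from the post or the Sysdig project. It resolves the architecture with dpkg, refuses to register the repository if the key did not download, and after the install checks that the kernel driver is actually loaded (the cause of the /dev/scap0 error quoted above). The function and file names are my own; the driver module names scap (current releases) and sysdig_probe (older releases) are assumed.

```shell
#!/usr/bin/env bash
# Added example: install Sysdig from the Draios repository with sanity checks.
set -eu

KEYRING=/usr/share/keyrings/DRAIOS-GPG-KEY.gpg
KEY_URL=https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public
LIST=/etc/apt/sources.list.d/draios.list

# Build the sources.list entry for a Debian architecture name (amd64, arm64).
draios_sources_line() {
    printf 'deb [signed-by=%s] https://download.sysdig.com/stable/deb stable-%s/\n' "$KEYRING" "$1"
}

# Given the text of `lsmod`, succeed if a Sysdig kernel driver is loaded.
# Module names assumed: scap (current releases) or sysdig_probe (older ones).
driver_loaded_in() {
    printf '%s\n' "$1" | awk '$1 == "scap" || $1 == "sysdig_probe" { found = 1 } END { exit !found }'
}

install_sysdig() {
    local arch
    arch=$(dpkg --print-architecture)            # amd64 or arm64, never a literal $(ARCH)
    curl -fsSL "$KEY_URL" | gpg --dearmor | sudo tee "$KEYRING" >/dev/null
    # Do not register the repository if the key file is empty or not a keyring.
    [ -s "$KEYRING" ] || { echo "key download failed" >&2; return 1; }
    gpg --show-keys "$KEYRING" >/dev/null
    draios_sources_line "$arch" | sudo tee "$LIST" >/dev/null
    sudo apt update
    # Headers for the running kernel let the Sysdig driver be built at install time.
    sudo apt install -y "linux-headers-$(uname -r)" sysdig
    sysdig --version
    if driver_loaded_in "$(lsmod)"; then
        echo "sysdig driver loaded"
    else
        echo "driver not loaded; try: sudo modprobe scap" >&2
        return 1
    fi
}

# Only perform the installation when invoked as: ./install-sysdig.sh run
if [ "${1:-}" = run ]; then
    install_sysdig
fi
```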

5. A few examples of using Sysdig Commands

Sysdig can perform a wide range of system monitoring tasks. Here are some common use cases:

Capturing System Events

To capture all system events and save them to a file for later analysis, use:

sudo sysdig -w file.scap

You can stop the capture by pressing Ctrl+C.

Capture all the events from the live system and print them to screen

sudo sysdig

Capture all the events from the live system and save them to disk

sudo sysdig -w dumpfile.scap

Read events from a file and print them to screen

sudo sysdig -r dumpfile.scap

Print all the open system calls invoked by cat

sudo sysdig proc.name=cat and evt.type=open

Print the name of the files opened by cat

sudo sysdig -p"%evt.arg.name" proc.name=cat and evt.type=open

Register any found plugin and use dummy as the input source, passing it open params:

sudo sysdig -I dummy:10

Load and register the dummy source plugin, passing it an init config and open params:

sudo sysdig -H dummy:'{"jitter":50}' -I dummy:10

Capturing Data from a Particular Process

You can filter the data based on various criteria. For example, to show all system calls made by the mysql process:

sudo sysdig proc.name=mysql

Monitoring File I/O

To monitor all file I/O activities:

sudo sysdig -c echo_fds

Viewing Network Connections

To see all network connections, you can use:

sudo sysdig -c netstat

List all processes by CPU

To see the top processes by CPU usage using Sysdig:

sudo sysdig -c topprocs_cpu
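The same filtering, pointed at a security question: an added example (not part of the original post) that replays a capture taken with sysdig -w and prints the events an incident responder looks at first. The sysdig field names and the spy_users chisel are real; the filter choices, function names and watched directories are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage a Sysdig capture file from a defender's point of view.
set -eu

# Filter for files opened for writing under any of the given directories.
writes_under_filter() {
    local f="" d
    for d in "$@"; do
        f="${f:+$f or }fd.name startswith $d"
    done
    echo "evt.type in (open, openat, openat2) and evt.is_open_write=true and ($f)"
}

# Filter for shells whose parent is not an interactive login or terminal tool.
service_shell_filter() {
    echo "evt.type=execve and evt.dir=< and proc.name in (sh, bash, dash) and not proc.pname in (sshd, login, bash, sh, sudo, su, systemd)"
}

# Replay a capture through a filter with a compact output format.
replay() {   # replay <capture> <filter> <format>
    sudo sysdig -r "$1" -p "$3" "$2"
}

triage() {   # triage <capture.scap>
    local cap="$1"
    echo "== commands run, grouped by user (spy_users chisel)"
    sudo sysdig -r "$cap" -c spy_users
    echo "== shells started by non-interactive parents"
    replay "$cap" "$(service_shell_filter)" "%evt.time %user.name %proc.pname -> %proc.name %proc.args"
    echo "== writes to system configuration and SSH keys"
    replay "$cap" "$(writes_under_filter /etc /usr/local/bin /root/.ssh)" "%evt.time %user.name %proc.name %fd.name"
    echo "== outbound IPv4 connections by process"
    replay "$cap" "evt.type=connect and evt.dir=< and fd.type=ipv4" "%evt.time %proc.name %user.name %fd.name"
    echo "== failed file opens (permission probing)"
    replay "$cap" "evt.type in (open, openat) and evt.failed=true" "%evt.time %proc.name %fd.name %evt.res"
}

# Usage: ./sysdig-triage.sh incident.scap   (capture first with: sudo sysdig -w incident.scap)
if [ $# -eq 1 ]; then
    triage "$1"
fi
```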

6. Explore more Chisels

To list the available chisels and what each one does:

sudo sysdig -cl

7. How to update Sysdig on Debian

Now, since we used the Sysdig repository to install it, whenever we want the updated version we just need to run the system update and upgrade command, i.e.:

sudo apt update && sudo apt upgrade -y

8. Uninstallation

Perhaps after some time you will not require Sysdig anymore, or you want to move to some other tool for monitoring your systems. In that case, to remove Sysdig as well as its repository from Debian, use the following commands:

sudo apt remove sysdig --purge

To remove the repository and its signing key:

sudo rm /usr/share/keyrings/DRAIOS-GPG-KEY.gpg
sudo rm /etc/apt/sources.list.d/draios.list

Key Features and Capabilities

  • Rich System Visibility: Sysdig can inspect everything happening on a Linux system, including system calls made by processes, file I/O, network I/O, and much more. This visibility is crucial for deep system analysis, troubleshooting, and monitoring.
  • Container and Kubernetes Support: It offers support for container technologies such as Docker and container orchestration tools like Kubernetes. Not only this, Sysdig can understand and inspect containerized environments which makes it an important tool for modern cloud-native applications.
  • Filtering and Analysis: Admins can use it to filter the captured data based on various criteria (e.g., process names, file paths, network ports) and perform in-depth analysis.
  • Chisels: Sysdig comes with a set of scripts, known as chisels, which let admins analyze captured data in real time or from trace files.
  • Security Monitoring and Forensics: Apart from monitoring system performance, Sysdig can be used for security monitoring and forensic analysis. By capturing detailed system events, users can detect unauthorized access, track user activities, and investigate security incidents.

How Sysdig Works

Sysdig hooks into the Linux kernel and captures system calls and other events that occur in the system. This data can then be saved into trace files for later analysis or monitored in real-time. The tool leverages a kernel module, sysdig-probe, which it installs to perform its monitoring activities without requiring changes to the applications or containers running on the system.

Sysdig vs. Traditional Tools

While traditional tools like top, ps, netstat, and lsof provide snapshots of system activity, Sysdig offers more comprehensive, in-depth, and granular visibility into system behavior. It can trace system calls, which are the fundamental interfaces between programs and the Linux kernel, offering insights that are not possible with most other tools. Furthermore, its support for modern infrastructure components like containers and Kubernetes distinguishes it from many traditional Linux monitoring tools.

Conclusion

Sysdig is quite a powerful tool for system administrators, security professionals, and developers for system-level exploration, monitoring, and troubleshooting, especially in complex or dynamic environments. Although we have given only a glimpse of the commands used to operate Sysdig, you can find more, and how to use them, by visiting its GitHub Manual Page. However, if you are facing any problem installing Sysdig on Linux or any other system, the comment section is all yours.
