On a modern Linux system, numerous processes often run simultaneously. Several applications might be running at once, and each application opens files, writes data, reads data, closes files, and so on. All this activity stresses the CPU, which can lead to bottlenecks that can slow down the entire system.

System administrators use tools such as top, ps, vmstat, strace, and lsof to find and fix these bottlenecks. The output of the tools often serves as input for other tools, which often leads to complex and confusing situations.

Sysdig [1] cleans up some of that confusion. The sysdig developers grouped the commands they used most frequently and equipped the tool with a programmable interface. Sysdig understands a large number of options that control specific properties. (You can try the sysdig --help command for a list of options.)

Sysdig's line-by-line output consists of several parts, or fields. The first two fields, evt.num and evt.time clearly identify the described event with a number and the date on which the software registered it. Additionally, evt.cpu describes the involved CPU for systems with multiple CPUs.

The proc.name field stands for the process, thread.tid for the thread. The software uses evt.dir to tell the user how the event works: < stands for incoming data and > for outgoing. The evt.type field classifies the results themselves as, for example, read or open. Last, but not least, the evt.args field summarizes the event arguments.

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
sudo apt-get update

apt-get -y install

Hands-On

If you start sysdig as root without options, you will instantly see output in the form shown in Listing 1. To exit this mode, type Ctrl+C.

The first recorded event is labeled number 3 and comes from the systemd-journal process It follows one of many processes signified as plugin-containe (the output truncates the "r"), the embedded Flash player in Firefox, and then Firefox itself, which generates an array of events. Of interest, among other things, is that Firefox uses a different CPU than the container. In the last row of the listing (with the data= string), you can see a number of dots. Sysdig writes them to represent non-printable characters in the output. If necessary, you can change this behavior using options like -A, which tells the program to output only ASCII characters.

Because sysdig can register almost 20,000 events a second, it is evident that meaningful use of the software requires a powerful filter to restrict output to the desired events. You append the details for filtering to the command as options. Listing 2 shows how to reduce the output to the read event.

Chisels

The system does not directly reveal very many complex details (e.g., processes with the most inputs or outputs), so you will need to determine this information by aggregating data and using statistical methods. This, and much more, is done through what are known as chisels, which are 2KB Lua scripts that sysdig activates via the -c <chisel name> option.

This is how the example in Listing 3 analyzes the slowest system calls. To begin, sysdig collects data and doesn't stop until you stop the program, when the collected data and its output are analyzed. Again, Flash player stands out: Besides the Java program, it consumes the most resources and slows down the system the most.

Many chisels require additional arguments – perhaps a monitored IP address or a port – specified directly after the chisel, say

sysdig -c spy_ip <IP address>

During the installation, sysdig copies the chisels into the /usr/share/sysdig/chisels/ directory. Thanks to the relatively simple structure, they are suitable as templates for your own development.The sysdig-cl selection shows existing chisels organized in six categories, allowing you to:

• examine CPU and network workload,
• determine throughput,
• analyze performance of the entire system,
• make security checks, and
• drive error analysis.

Most categories include several different variants of chisels, which allow special predictions.

Filters

As mentioned, sysdig lets you restrict output to the most relevant information. To do this, specify the events relevant for you at the command line:

evt.type=open

Out of the many events, Table 1 summarizes a few of the most common. Typing

sysdig -l

shows all supported events.

If you combine multiple fields with the logical expression and, they act as variables for the outputs, or you can limit them using contains <pattern>. In this case, the specified pattern must occur in the data of the field for sysdig to output them. The focus is often only a certain range of values, especially with numeric data. You can limit these more accurately, if necessary (see Table 2).

Another possibility is grouping the operators using parentheses, and negating them using not. There is also a logical OR; however, this presupposes that you double quote the expressions in the shell. An example from the documentation shows this:

sysdig "not (fd.name contains /proc or fd.name contains /dev)"

It is not always necessary or sensible to analyze the data collected by sysdig directly. Sometimes, it makes sense to cache the data obtained initially and analyze it subsequently in different ways.

You can save the unfiltered output in a file using the -w <file> option. Developers recommend the .scap suffix for these files. Selecting sysdig -r <file> reads all collected data; you can append the desired filter options to the command line.