How to Monitor Your Ubuntu 18.04 System with Sysdig

By Hitesh Jethva, Alibaba Cloud Community Blog author.

Introduction

Sysdig is a free and open source activity monitoring tool that can be used to capture and analyze application logs. It is a powerful and flexible system monitoring and troubleshooting tool for Linux based operating systems. Sysdig allows you to capture, save, filter and examine the real time events of Linux systems.

In this tutorial, we will learn how to install and configure Sysdig on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 18.04 server.

Prerequisites

A fresh Alibaba Cloud instance with Ubuntu 18.04 installed.
A root password is set up to your instance.

Create a new ECS instance and connect to your instance as the root user.

Once you are logged into your Ubuntu 18.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install Sysdig

By default, Sysdig is available in the Ubuntu 18.04 default repository. You can install it by just running the following command:

apt-get install sysdig -y

Once the installation has been completed, you can see more information about the Sysdig with the following command:

sysdig --help

Monitor Your System in Realtime

The simple and easiest method to use sysdig is by running it without any argument. This will show your Linux system stream of events updated in real-time:

sysdig

To see the more useful output run the following command:

csysdig

You should see the following image:

You can also filter on a single process. For example, monitor events from command free. Run the following command:

sysdig proc.name=free

Next, open another terminal and run the following command:

free -m

Now, navigate to first terminal, you should see the following output:

936681 11:44:43.343571078 0 free (4285) < openat fd=-2(ENOENT) 
936682 11:44:43.343571938 0 free (4285) > openat dirfd=4294967196 name=/usr/share/locale-langpack/en_US.UTF-8/LC_MESSAGES/procps-ng.mo flags=1(O_RDONLY) mode=0 
936683 11:44:43.343574213 0 free (4285) < openat fd=-2(ENOENT) 
936684 11:44:43.343575039 0 free (4285) > openat dirfd=4294967196 name=/usr/share/locale-langpack/en_US.utf8/LC_MESSAGES/procps-ng.mo flags=1(O_RDONLY) mode=0 
936685 11:44:43.343577111 0 free (4285) < openat fd=-2(ENOENT) 
936686 11:44:43.343577952 0 free (4285) > openat dirfd=4294967196 name=/usr/share/locale-langpack/en_US/LC_MESSAGES/procps-ng.mo flags=1(O_RDONLY) mode=0 
936687 11:44:43.343579971 0 free (4285) < openat fd=-2(ENOENT) 
936688 11:44:43.343580810 0 free (4285) > openat dirfd=4294967196 name=/usr/share/locale-langpack/en.UTF-8/LC_MESSAGES/procps-ng.mo flags=1(O_RDONLY) mode=0 
936689 11:44:43.343582830 0 free (4285) < openat fd=-2(ENOENT) 
936690 11:44:43.343583659 0 free (4285) > openat dirfd=4294967196 name=/usr/share/locale-langpack/en.utf8/LC_MESSAGES/procps-ng.mo flags=1(O_RDONLY) mode=0 
936691 11:44:43.343585706 0 free (4285) < openat fd=-2(ENOENT) 
936692 11:44:43.343586548 0 free (4285) > openat dirfd=4294967196 name=/usr/share/locale-langpack/en/LC_MESSAGES/procps-ng.mo flags=1(O_RDONLY) mode=0 
936693 11:44:43.343588558 0 free (4285) < openat fd=-2(ENOENT)

Save and Read Data with Sysdig

Sysdig can also capture the system events and save it to a target file. You can also use -n option with sysdig to specify how many events you want Sysdig to capture. For example, to capture 10 events and save it to file with the following command:

sysdig -n 10 -w sysdig-file.scap

Next, read the captured data from a file with the following command:

sysdig -r sysdig-file.scap

You can also save events continuously to files that are no more than 1 MB in size and keep only last four files with the following command:

sysdig -C 1 -W 4 -w sysdig-trace.scap

Monitor System Using Sysdig Chisels

Sysdig comes with Lua scripts chisels that can be used to analyze the Sysdig event stream to perform useful actions.

You can list all the available chisels with the following command:

sysdig -cl

You can use sysdig with spy_users to display interactive user activity. For example, run the following command on the first terminal:

sysdig -c spy_users

Next, from the remote system connect your server with ssh and run the following command:

ssh your-server-ip
free -m
df -h

Next, navigate to first terminal. You should see the interactive activity of system users in the following output:

1621 12:13:13 root) free -m
1621 12:13:17 root) df -h

You can also use sysdig with netstat to view system network connections:

sysdig -c netstat

Output:

Proto Server Address           Client Address           State          TID/PID/Program Name
tcp   127.0.0.1:27017          0.0.0.0:*                LISTEN         1231/862/signalP.gThread
udp   0.0.0.0:111              0.0.0.0:*                LISTEN         517/517/rpcbind
udp   0.0.0.0:693              0.0.0.0:*                LISTEN         517/517/rpcbind
tcp   0.0.0.0:111              0.0.0.0:*                LISTEN         517/517/rpcbind
tcp   192.168.0.11:22          192.168.0.249:60476      ESTABLISHED    4486/4486/sshd
tcp   127.0.0.1:27017          0.0.0.0:*                LISTEN         1301/862/TTLMonitor
tcp   127.0.0.1:27017          0.0.0.0:*                LISTEN         1299/862/Network.cutor-0
tcp   127.0.0.1:27017          0.0.0.0:*                LISTEN         1290/862/mongod
tcp   0.0.0.0:22               0.0.0.0:*                LISTEN         1112/1112/sshd

Community

How to Monitor Your Ubuntu 18.04 System with Sysdig

Introduction

Prerequisites

Install Sysdig

Monitor Your System in Realtime

Save and Read Data with Sysdig

Monitor System Using Sysdig Chisels

Read previous post:

Read next post:

Hiteshjethva

You may also like

Comments

Hiteshjethva

Related Products

Content Moderation

Resource Management

Managed Service for Prometheus

Application Real-Time Monitoring Service