How to Install Sysdig to Monitor Your Linux System

Published: 8 March 2022 - 8 min. read


Nicholas Xuan Nguyen


Your Linux system is an excellent platform for servers and desktops. But like any other complex system, having proper monitoring in place is crucial to keep your system at its peak. Luckily, Sysdig is just around the corner!

Sysdig is a comprehensive Linux monitoring tool that can watch your system for threats, errors, usage patterns, and more. In this tutorial, you’ll learn how to install Sysdig and, along the way, which of its options help you monitor your Linux system better.

Read on and never miss an ‘alert’ again!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following.

  • A Linux machine – This tutorial uses Ubuntu 20.04 LTS, but any Linux distribution should work.
  • A non-root user with sudo privileges.

Installing Sysdig on Linux

The Sysdig command-line tool is typically available in most modern Linux distributions, and you can install Sysdig like other packages you’ve installed so far on your machine.

1. Open your terminal, and run the apt update command below to ensure you have the latest updates from your distribution’s repositories. This command updates your system’s package lists and may take a few minutes to complete.

sudo apt update -y
Updating your System’s Package Lists

2. Next, run the apt install command below to install curl and the other packages Sysdig needs. This command also installs some additional packages used later in this tutorial:

  • gnupg – The GNU Privacy Guard is a tool for secure communication and data storage. This package lets you import Sysdig’s public GPG key, which APT uses to verify that the Sysdig packages are authentic.
  • software-properties-common – Provides a quick way to manage your software sources from the command line or a GUI. This package lets you use the add-apt-repository command to add the Sysdig package repositories.
  • curl – Downloads the GPG key and the repository list in the next steps.
  • linux-headers-$(uname -r) – Provides the files needed to build kernel modules for your running kernel. This package is required because Sysdig builds its sysdig-probe kernel module against the kernel you are actually running, which may be an older stock kernel.

sudo apt install gnupg software-properties-common curl -y && sudo apt install linux-headers-$(uname -r) -y
Installing the Necessary Packages for Sysdig

3. Run the curl command below to download Sysdig’s public GPG key and add it to APT’s keyring. With this key in place, APT can verify that packages downloaded from sysdig.com are signed by Sysdig and have not been modified in transit. Note that apt-key is deprecated on newer releases (Ubuntu 22.04 and later), but it still works on the Ubuntu 20.04 system used in this tutorial.

curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -

You will get an OK message after you’ve successfully added the key, as shown below.

Adding the GPG key to APT’s Keyring

4. Now, run the curl command below to silently (-s) download Sysdig’s repository definition and save it (-o) as draios.list in APT’s sources directory. APT reads every file with the .list extension in /etc/apt/sources.list.d as a list of repository sources, so the file can name several repositories rather than just one.

sudo curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list

5. Rerun the apt update command below so APT reads the new Sysdig repository and refreshes its package lists with that repository’s information.

sudo apt update -y

You will see the following output if your APT is configured correctly.

Updating your APT’s Package Lists

6. After downloading the Sysdig repositories, run the apt install command below to install sysdig on your machine. This command downloads and installs the sysdig package and its supporting packages.

sudo apt install sysdig -y
Installing Sysdig

7. Finally, run the sysdig command below to check the Sysdig version installed on your machine.

sudo sysdig --version

The version number tells you whether your Sysdig package is up to date, and it is the first thing to check when comparing behaviour or performance between releases.

As shown below, 0.28.0 is the latest version of sysdig as of this writing. Your version number might be different.

Verifying Sysdig Version Installed
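The seven installation steps above, combined into one checked script as an added example (this is not code from the original tutorial). It assumes Ubuntu 20.04 with the key and repository URLs from the steps above, and that the package installs the sysdig-probe kernel module so that it can be loaded with modprobe. Run it as a sudo-capable user with "sh install_sysdig.sh install"; without the argument it only defines its functions.

```shell
#!/bin/sh
# Added example: the tutorial's installation steps as one script with checks.
set -eu

# Name of the kernel headers package for a given "uname -r" value, so that the
# sysdig-probe kernel module can be built against the running kernel.
headers_package() {
    printf 'linux-headers-%s\n' "$1"
}

# Return 0 if the given "lsmod" output lists the sysdig probe
# (lsmod shows the module as sysdig_probe, with an underscore).
probe_loaded() {
    printf '%s\n' "$1" | awk '$1 == "sysdig_probe" { found = 1 } END { exit !found }'
}

install_sysdig() {
    sudo apt update -y
    sudo apt install -y gnupg software-properties-common curl "$(headers_package "$(uname -r)")"
    # Key and repository URLs are the ones given in the tutorial.
    curl -s https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | sudo apt-key add -
    sudo curl -s -o /etc/apt/sources.list.d/draios.list http://download.draios.com/stable/deb/draios.list
    sudo apt update -y
    sudo apt install -y sysdig
    sudo sysdig --version
    # Loading the probe is the step that needs the headers; fail loudly if it did not load.
    sudo modprobe sysdig-probe
    probe_loaded "$(lsmod)" || { echo "sysdig-probe is not loaded" >&2; return 1; }
}

if [ "${1:-}" = "install" ]; then
    install_sysdig
fi
```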

Monitoring Linux Systems with csysdig

Now that you have Sysdig installed, you can use Sysdig to look at what is going on with your system. The Sysdig command-line tool has many flags that give you different views of your system and its activity. The most basic example is the csysdig command.

Run the command csysdig without any flags to see what is happening on your system right now. The command will show you the activity of all the processes currently running.

Note that you must run Sysdig commands with sudo privileges to have full access to your system. Some system activity is hidden from non-root users by default, such as parts of the /proc file system. Sysdig also needs root privileges to auto-load the sysdig-probe kernel module, which captures the system calls behind many of its tricks.

sudo csysdig

If you encounter the following error, you’ll need to reinstall the ncurses-term package, which tends to end up in a broken state after a fresh Sysdig installation. Sysdig depends on ncurses-term for its ncurses UI.

Getting an Error while Running csysdig

If the csysdig command is successful, you’ll get the following output, organized into the columns below.

  • PID – The process ID assigned by the Linux kernel. You use PIDs to identify and manage processes.
  • PPID – The parent process ID of the process. You use PPID to trace a process back through its parent processes. Together, PID and PPID uniquely identify a process on your system.
  • CPU – The percentage of CPU used by the application since it started, on a scale from 0 to 100%, where 100% equals total CPU usage. You use CPU usage to find applications that are hogging system resources.
  • USER – The name of the user that started the process. You use USER to find out who is executing a process you are interested in.
  • TH – The number of threads the process contains.
  • VIRT – The total amount of virtual memory used by the application. You use VIRT to find applications that are hogging your system’s memory.
  • RES – The number of resident memory pages a process has mapped to physical memory. You use RES to find applications that are hogging your system’s memory.
  • FILE – The file I/O performed by the application. You use FILE to see which processes read or write files frequently, usually an indication of I/O activity.
  • NET – The network I/O performed by the application. You use NET to see which processes are using network connections and how much data they transfer in bytes per second.
  • Command – The full command line the process was started with.

At first glance, the csysdig interface looks similar to monitoring tools like htop.

Monitoring System Processes using Csysdig

Press F2 and the top tabs will change to display a new set of information organized into tabs on the left, as shown below.

Sysdig calls these “views” because each is a different view of the system, organized by the kind of information it shows and offering more context. Since these views are Lua scripts, you can customize them to extract different data from the system and change the view as you prefer.

Viewing System Information via the Csysdig Views

By default, the Lua scripts are located in the /usr/share/sysdig/chisels directory, as shown below.

ls /usr/share/sysdig/chisels
Listing files (scripts) in the /usr/share/sysdig/chisels directory

Monitoring CPU-Consuming Processes with Sysdig Chisels

Sysdig offers several ready-to-use scripts, known as “chisels,” that automatically collect specific system information. Perhaps you’re experiencing slow performance on your CPU. If so, running the sysdig command with a specified chisel lets you view which applications or processes are taking up most of your CPU.

1. Run the sysdig command below to list available chisels.

sudo sysdig -cl

The below screenshot shows only a few chisels. But you can find and learn the complete list of all available chisels in the official documentation.

Sysdig chisels are also Lua scripts. You can create your own chisels to monitor specific system information or implement your own view, but this topic is beyond the scope of this tutorial.

Showing Sysdig Chisels

2. Next, run the below command to see the detailed information (-i) about a specific chisel, like topprocs_cpu in this demo.

sudo sysdig -i topprocs_cpu

You can see all the information about the topprocs_cpu chisel below, including the chisel’s name, category, and a brief description of what the chisel does.

In this example, the topprocs_cpu chisel is categorized as CPU Usage and described as showing the top processes ranked by CPU utilization.

Once you understand the functionality of a chisel, you can start using that chisel.

Showing All Information About the topprocs_cpu Chisel

3. Run the sysdig command below, specifying the right chisel (-c topprocs_cpu) to find the applications using the highest amount of CPU in your system.

sudo sysdig -c topprocs_cpu

In this demo, Sysdig prints the top 10 CPU-consuming processes on the terminal. The most CPU-intensive process (sshd here) is displayed on top, so the heaviest consumers are quick to find.

Listing the processes ranked by CPU utilization.

Monitoring Filtered System Information

In some cases, the output is enormous, making it hard to find the information you need even with a specific chisel. Luckily, Sysdig offers a powerful filtering option that uses Lua syntax so you can filter effectively.

Suppose you’re only interested in the sshd processes that contribute to high CPU usage. You can define a filter expression by a specific PID or process name.

Run the sysdig command below to show only the events generated by processes named sshd.

sudo sysdig proc.name=sshd

As shown below, you get a filtered output with no events from any other process.

From this output, you can dig into what the sshd process is doing, for example which system calls it makes, and from there into why it uses more CPU or memory than expected.

Listing the SSHD process

Creating an Event Log File to Monitor your System

One of the great features that Sysdig offers is event log files, which let you collect everything your application or the system does for later analysis. The event log files contain the same information as the command-line output in the previous examples, but saved to a file on disk.

1. Run the command below to create a file (-w) called ata.scap in your home directory, where Sysdig will store all captured events. Sysdig keeps capturing until you stop it, so press Ctrl+C once you have recorded the activity you are interested in.

The .scap file is Sysdig’s capture format; its contents are read back and printed as text with sysdig -r (step 3).

sudo sysdig -w ata.scap

2. Next, run the ls -la command below to list all files in the working directory.

ls -la

You’ll notice a new file named ata.scap in your home directory, as shown below.

Listing All Files in Home Directory

3. Finally, run the below command for Sysdig to read (-r) the Sysdig event log file (ata.scap) and print your system’s behavior when you SSH into your server.

sudo sysdig -r ata.scap
Viewing the ata.scap File
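The filtered sshd output from the previous section and the capture read back here are both plain text lines that you can summarise with standard tools. The script below is an added example, not code from the original tutorial: it works on the text that sysdig prints (for instance saved with "sudo sysdig -r ata.scap proc.name=sshd > sshd.txt"), counting system calls per process and extracting the remote addresses that connected to sshd. The sample lines are constructed and follow sysdig’s default output layout: event number, time, CPU, process name, thread ID in parentheses, direction (> enter, < exit), event type and arguments.

```shell
#!/bin/sh
# Added example: summarise sysdig text output (constructed sample below).
set -eu

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
1 10:35:16.235045121 0 sshd (1342) > accept
2 10:35:16.235101003 0 sshd (1342) < accept fd=5(<4t>192.0.2.55:51234->192.0.2.10:22) tuple=192.0.2.55:51234->192.0.2.10:22 queuepct=0
3 10:35:16.240000000 1 sshd (1342) > clone
4 10:35:16.240500000 1 sshd (1342) < clone res=2201 exe=/usr/sbin/sshd
5 10:35:16.241000000 1 sshd (2201) > read fd=5(<4t>192.0.2.55:51234->192.0.2.10:22) size=8192
6 10:35:16.241100000 1 sshd (2201) < read res=21 data=SSH-2.0-OpenSSH_8.2
7 10:35:17.000000000 0 cron (812) > execve filename=/usr/sbin/sendmail
8 10:35:17.000900000 0 cron (812) < execve res=0 exe=/usr/sbin/sendmail
9 10:35:18.100000000 0 sshd (1342) > accept
10 10:35:18.100200000 0 sshd (1342) < accept fd=6(<4t>198.51.100.7:40222->192.0.2.10:22) tuple=198.51.100.7:40222->192.0.2.10:22 queuepct=0
EOF

# Number of system call entries (direction ">") per process name, busiest first.
events_by_process() {
    awk '$6 == ">" { n[$4]++ } END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# Count completed calls of one system call type by one process (exit events, "<").
count_calls() {
    awk -v p="$2" -v t="$3" '$4 == p && $6 == "<" && $7 == t { c++ } END { print c + 0 }' "$1"
}

# Remote peers that connected to a listening process, taken from the
# "<4t>src->dst" socket tuple that sysdig prints on each accept exit.
accepted_peers() {
    awk -v p="$2" '$4 == p && $6 == "<" && $7 == "accept" {
        if (match($0, /<4t>[0-9.]+:[0-9]+/)) {
            s = substr($0, RSTART + 4, RLENGTH - 4); sub(/:.*/, "", s); print s
        }
    }' "$1" | sort -u
}

events_by_process "$SAMPLE"
echo "sshd accepted connections: $(count_calls "$SAMPLE" sshd accept)"
accepted_peers "$SAMPLE" sshd
```

Point the functions at a text file of real sysdig output instead of $SAMPLE to get the same summary for your own capture.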

Conclusion

In this article, you learned how to install Sysdig on Ubuntu 20.04 and use csysdig to collect your system, applications, and security information. You also touched on creating an event log file that allows you to record your system’s behavior.

At this point, you’ve realized that having Sysdig installed in your system provides you with powerful tools. And these tools help you gain more insights into how your system, applications, and infrastructure work.

Now, with this newfound knowledge, why not learn to decode your HTTP traffic with Sysdig? Or how to track down application bottlenecks with Sysdig tracers?
