sysdig是一個能夠讓系統管理者和開發人員以前所未有方式洞察其系統行為的監控工具。我們可以用sysdig指令做很多很酷的事情。你如果有更有趣的用法,想添加到下面的指令例子中,請告訴我們!
1.網絡
檢視占用網絡帶寬最多的程序:
sysdig -c topprocs_net
顯示主機192.168.0.1的網絡傳輸資料:
as binary:
sysdig -s2000 -x -c echo_fds fd.cip=192.168.0.1
as ascii:
sysdig -s2000 -a -c echo_fds fd.cip=192.168.0.1
檢視連接配接最多的伺服器端口:
in terms of established connections:
sysdig -c fdcount_by fd.sport "evt.type=accept"
in terms of total bytes:
sysdig -c fdbytes_by fd.sport
檢視用戶端連接配接最多的ip:
in terms of established connections
sysdig -c fdcount_by fd.cip "evt.type=accept"
in terms of total bytes
sysdig -c fdbytes_by fd.cip
列出所有不是通路apache服務的通路連接配接:
sysdig -p"%proc.name %fd.name" "evt.type=accept and proc.name!=httpd"
2.容器
檢視機器上運作的容器清單及其資源使用情況:
sudo csysdig -vcontainers
檢視容器上下文的程序清單:
sudo csysdig -pc
檢視運作在wordpress1容器裡cpu的使用率:
sudo sysdig -pc -c topprocs_cpu container.name=wordpress1
檢視運作在wordpress1容器裡網絡帶寬的使用率:
sudo sysdig -pc -c topprocs_net container.name=wordpress1
檢視在wordpress1容器裡使用網絡帶寬最多的程序:
檢視在wordpress1 容器裡占用 i/o 位元組最多的檔案:
sudo sysdig -pc -c topfiles_bytes container.name=wordpress1
檢視在wordpress1 容器裡網絡連接配接的排名情況:
sudo sysdig -pc -c topconns container.name=wordpress1
顯示wordpress1容器裡所有指令執行的情況:
sudo sysdig -pc -c spy_users container.name=wordpress1
3.應用
檢視機器所有的http請求:
sudo sysdig -s 2000 -a -c echo_fds fd.port=80 and evt.buffer contains get
檢視機器所有的sql select查詢:
sudo sysdig -s 2000 -a -c echo_fds evt.buffer contains select
see queries made via apache to an external mysql server happening in real time
sysdig -s 2000 -a -c echo_fds fd.sip=192.168.30.5 and proc.name=apache2 and evt.buffer contains select
4.硬碟 i/o
檢視使用硬碟帶寬最多的程序:
sysdig -c topprocs_file
列出使用大量檔案描述符的程序:
sysdig -c fdcount_by proc.name "fd.type=file"
see the top files in terms of read+write bytes
sysdig -c topfiles_bytes
print the top files that apache has been reading from or writing to
sysdig -c topfiles_bytes proc.name=httpd
basic opensnoop: snoop file opens as they occur
sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open
see the top directories in terms of r+w disk activity
sysdig -c fdbytes_by fd.directory "fd.type=file"
see the top files in terms of r+w disk activity in the /tmp directory
sysdig -c fdbytes_by fd.filename "fd.directory=/tmp/"
observe the i/o activity on all the files named 'passwd'
sysdig -a -c echo_fds "fd.filename=passwd"
display i/o activity by fd type
sysdig -c fdbytes_by fd.type
程序和cpu使用率:
see the top processes in terms of cpu usage
sysdig -c topprocs_cpu
see the top processes for cpu 0
sysdig -c topprocs_cpu evt.cpu=0
observe the standard output of a process
sysdig -s4096 -a -c stdout proc.name=cat
性能和錯誤:
see the files where most time has been spent
sysdig -c topfiles_time
see the files where apache spent most time
sysdig -c topfiles_time proc.name=httpd
see the top processes in terms of i/o errors
sysdig -c topprocs_errors
see the top files in terms of i/o errors
sysdig -c topfiles_errors
see all the failed disk i/o calls
sysdig fd.type=file and evt.failed=true
see all the failed file opens by httpd
sysdig "proc.name=httpd and evt.type=open and evt.failed=true"
see the system calls where most time has been spent
sysdig -c topscalls_time
see the top system calls returning errors
sysdig -c topscalls "evt.failed=true"
snoop failed file opens as they occur
sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open and evt.failed=true
print the file i/o calls that have a latency greater than 1ms:
sysdig -c fileslower 1
5.安全
show the directories that the user "root" visits
sysdig -p"%evt.arg.path" "evt.type=chdir and user.name=root"
observe ssh activity
sysdig -a -c echo_fds fd.name=/dev/ptmx and proc.name=sshd
show every file open that happens in /etc
sysdig evt.type=open and fd.name contains /etc
show the id of all the login shells that have launched the "tar" command
sysdig -r file.scap -c list_login_shells tar
show all the commands executed by the login shell with the given id
sysdig -r trace.scap.gz -c spy_users proc.loginshellid=5459
本文作者:佚名
來源:51cto