Master Linux System Monitoring with Sysdig: Installation, Chisels, and Real‑World Use Cases
This tutorial introduces Sysdig, an open‑source Linux monitoring tool that combines strace, tcpdump, and lsof, shows how to install it, explore its built‑in chisels, and apply practical examples for performance troubleshooting, user activity, file I/O, and network traffic analysis.
Sysdig is a powerful open‑source tool for system‑level inspection and troubleshooting, described by its creator as "strace + tcpdump + lsof + a dash of Lua‑cherry sauce". It can capture live system state, save dumps for offline analysis, and be extended with built‑in or custom Lua scripts called chisels.
Installation
For simplicity, use the official automated installer which detects the OS and installs required dependencies.
# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | bash

(Download and read the script first if you would rather not pipe an unreviewed script into a root shell.)

After installation, run Sysdig to see a live stream of all system events:

# sysdig

Because the raw output is overwhelming, list the available chisels instead:
# sysdig -cl | less

The chisels are grouped into these categories: CPU Usage, Errors, I/O, Logs, Misc, Net, Performance, Security, and System State.
Display detailed usage for a specific chisel:
# sysdig -i [chisel_name]

Sysdig Example: Server Performance Troubleshooting
If a server shows latency or hangs, use the bottlenecks chisel to list the ten slowest system calls:

# sysdig -c bottlenecks

Or capture a trace for offline analysis:

# sysdig -w trace.scap

Then run the bottlenecks chisel on the saved file:

# sysdig -r trace.scap -c bottlenecks

Focus on columns #2 (execution time), #3 (process name), and #4 (PID).
Sysdig Example: Monitoring Interactive User Activity
Collect a compressed trace that records up to 4096 bytes per event:
# sysdig -s 4096 -z -w /mnt/sysdig/$(hostname).scap.gz

"-s 4096" captures up to 4096 bytes per event. "-z" enables compression when used with "-w". "-w" writes the trace to the specified file.
After gathering data, view each user's activity with the spy_users chisel:
# sysdig -r /mnt/sysdig/debian.scap.gz -c spy_users

Filter the output for a specific user:
# sysdig -r /mnt/sysdig/debian.scap.gz -c spy_users "user.name=xmodulo"

Sysdig Example: Monitoring File I/O
Customize the output format to capture only write events in home directories:
# sysdig -p "%user.name %proc.name %fd.name" "evt.type=write and fd.name contains /home/" -z -w writetrace.scap.gz
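The -p command above prints one line per write(). The same filter fields can be turned into a custom chisel, the extension mechanism mentioned at the start of this article, so that the per-event stream is reduced to a ranked summary. The chisel below is an added example written for this page, not one of Sysdig's bundled chisels: the name home_writes, the optional prefix argument, and the output layout are this example's own choices; user.name, proc.name, fd.name and the write filter are the ones used in the command above.

```lua
-- home_writes.lua: an added example chisel, not one of Sysdig's bundled chisels.
-- Save it as ~/.chisels/home_writes.lua and run, for example:
--     sysdig -r writetrace.scap.gz -c home_writes
--     sysdig -c home_writes /srv/www/      (live capture, different prefix)
-- It applies the same filter as the sysdig -p command above, but instead of
-- printing one line per write() it tallies calls and bytes per user, process
-- and file, and prints a ranked summary when the capture ends.

description = "Counts write() calls and bytes per user, process and file under a path prefix (default /home/)"
short_description = "Summarize writes into home directories"
category = "I/O"

-- One optional argument: the path prefix to watch.
args = {
    {
        name = "prefix",
        description = "Only count writes whose fd.name contains this string",
        argtype = "string",
        optional = true,
    },
}

local prefix = "/home/"             -- default when no argument is given
local fuser, fproc, ffile, fres     -- field handles, filled in by on_init()
local tally = {}                    -- "user\tproc\tfile" -> {calls=, bytes=}

-- Called once per command-line argument, before on_init()
function on_set_arg(name, val)
    if name == "prefix" then
        prefix = val
        return true
    end
    return false
end

function on_init()
    fuser = chisel.request_field("user.name")
    fproc = chisel.request_field("proc.name")
    ffile = chisel.request_field("fd.name")
    fres  = chisel.request_field("evt.rawres")   -- bytes written, or -errno on failure

    -- Only the exit ("<") side of a write() carries the return value, so
    -- restrict the filter to exit events on file names containing the prefix.
    chisel.set_filter('evt.type=write and evt.dir=< and fd.name contains "' .. prefix .. '"')
    return true
end

function on_event()
    local res = evt.field(fres)
    if res == nil then
        return true
    end
    local key = table.concat({
        tostring(evt.field(fuser)),
        tostring(evt.field(fproc)),
        tostring(evt.field(ffile)),
    }, "\t")
    local e = tally[key]
    if e == nil then
        e = {calls = 0, bytes = 0}
        tally[key] = e
    end
    e.calls = e.calls + 1
    -- A failed write returns a negative errno: count the call, not the bytes.
    if res > 0 then
        e.bytes = e.bytes + res
    end
    return true
end

function on_capture_end()
    -- Rank by bytes written so the heaviest writers appear first.
    local rows = {}
    for key, e in pairs(tally) do
        rows[#rows + 1] = {key = key, calls = e.calls, bytes = e.bytes}
    end
    table.sort(rows, function(a, b) return a.bytes > b.bytes end)

    print(string.format("%-12s %-16s %-48s %8s %12s", "USER", "PROC", "FILE", "CALLS", "BYTES"))
    for _, r in ipairs(rows) do
        local user, proc, file = r.key:match("^(.-)\t(.-)\t(.*)$")
        print(string.format("%-12s %-16s %-48s %8d %12d", user, proc, file, r.calls, r.bytes))
    end
    return true
end
```

Sysdig loads chisels from ~/.chisels as well as from its system chisel directory, so the script needs no installation step beyond copying it there. Because the filter is set inside on_init(), the chisel works both on a saved trace (-r) and on a live system, and a second user-supplied filter on the command line is combined with it the usual way.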
Sniff network traffic in a human‑readable form using the echo_fds chisel, filtering by IP and process name:
# sysdig -s 4096 -A -c echo_fds -r /mnt/sysdig/debian.scap.gz "fd.cip=192.168.0.100 and proc.name=apache2"

Here fd.cip is the client IP address of the connection and the two conditions are combined into one filter expression with "and". For raw binary data, replace -A with -X:

# sysdig -s 4096 -X -c echo_fds -r /mnt/sysdig/debian.scap.gz "fd.cip=192.168.0.100 and proc.name=apache2"

Explore the project website for more chisels, examples, and advanced use cases; start installing Sysdig today to unlock deeper system insights.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.