
Master Linux System Monitoring with Sysdig: Installation, Chisels, and Real‑World Use Cases

This tutorial introduces Sysdig, an open‑source Linux monitoring tool that combines strace, tcpdump, and lsof, shows how to install it, explore its built‑in chisels, and apply practical examples for performance troubleshooting, user activity, file I/O, and network traffic analysis.

Efficient Ops

Sysdig is a powerful open‑source tool for system‑level inspection and troubleshooting, described by its creator as "strace + tcpdump + lsof + a dash of Lua‑cherry sauce". It can capture live system state, save dumps for offline analysis, and be extended with built‑in or custom scripts called chisels.

Installation

For simplicity, use the official automated installer, which detects the OS and installs the required dependencies (the script can be downloaded and read first, then run, if piping it straight into bash is not acceptable on the host).

# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | bash

After installation, run Sysdig to see a live stream of all system events:

# sysdig

Because the raw output is overwhelming, list available chisels with:

# sysdig -cl | less

The chisels are grouped into the following categories: CPU Usage, Errors, I/O, Logs, Misc, Net, Performance, Security, and System State.

Display detailed usage (description and arguments) for a specific chisel with -i; -cl only lists the chisels:

# sysdig -i [chisel_name]

Sysdig Example: Server Performance Troubleshooting

If a server shows latency or hangs, use the bottlenecks chisel to list the ten slowest system calls.

# sysdig -c bottlenecks

Or capture a trace for offline analysis:

# sysdig -w trace.scap

Then run the bottlenecks chisel on the saved file:

# sysdig -r trace.scap -c bottlenecks

Focus on columns #2 (execution time), #3 (process name), and #4 (PID).

Sysdig Example: Monitoring Interactive User Activity

Collect a compressed trace that records up to 4096 bytes per event:

# sysdig -s 4096 -z -w /mnt/sysdig/$(hostname).scap.gz

"-s 4096" captures up to 4096 bytes of data per event (the default is much smaller). "-z" enables compression when used with "-w". "-w" writes the trace to the specified file.

After gathering data, view each user's activity with the spy_users chisel:

# sysdig -r /mnt/sysdig/debian.scap.gz -c spy_users

Filter the output for a specific user:

# sysdig -r /mnt/sysdig/debian.scap.gz -c spy_users "user.name=xmodulo"

Sysdig Example: Monitoring File I/O

Combine a custom output format (-p) with a filter so that only write events on files under home directories are recorded. The format string selects which fields are printed when the trace is displayed; the filter decides which events are kept:

# sysdig -p "%user.name %proc.name %fd.name" "evt.type=write and fd.name contains /home/" -z -w writetrace.scap.gz
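Once the trace has been read back with the same format string (sysdig -r writetrace.scap.gz -p "%user.name %proc.name %fd.name"), every output line has the shape "user process path". The following script is an added example, not part of the original article, showing how a defender can turn that stream into a per-user, per-process write summary and mark writes to shell start-up files and SSH material inside a home directory for review. The list of sensitive paths and the sample lines are constructed for this example; they are assumptions, not something the article or Sysdig defines.

```shell
#!/bin/sh
# Added example: summarise "user process path" lines produced by
#   sysdig -r writetrace.scap.gz -p "%user.name %proc.name %fd.name"
# Counts writes per user/process/path and flags paths a reviewer usually
# wants to see first. The flagged-path pattern is an assumption made here.

summarize_home_writes() {
    awk '
        NF < 3 { next }                  # skip blank or truncated lines
        {
            user = $1; proc = $2; path = $3
            key = user " " proc " " path
            count[key]++
            # Shell start-up files and SSH files under a home directory
            # (assumed list for this example).
            if (path ~ /\/\.(bashrc|bash_profile|profile|ssh\/authorized_keys|ssh\/config)$/)
                flagged[key] = 1
        }
        END {
            for (k in count) {
                tag = (k in flagged) ? "REVIEW" : "ok"
                printf "%-6s %4d %s\n", tag, count[k], k
            }
        }
    ' | LC_ALL=C sort -k1,1 -k2,2nr -k3
    # flagged rows first, then by write count (descending), then by key
}

# Constructed sample output, standing in for a real trace read back with -p.
SAMPLE_OUTPUT='alice vim /home/alice/notes.txt
alice vim /home/alice/notes.txt
bob bash /home/bob/.bashrc
www-data php-fpm /home/bob/.ssh/authorized_keys
alice sshd /home/alice/.ssh/authorized_keys
bob bash /home/bob/.bashrc'

# Usage: pipe sysdig's formatted output (or the sample) into the function.
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_home_writes
```

The sample deliberately mixes routine writes (an editor saving a file) with writes to .bashrc and authorized_keys; in real use the process name and user on a REVIEW row are what tell a routine change apart from something that needs a closer look.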

Sysdig Example: Monitoring Network I/O

Sniff network traffic in a human‑readable form using the echo_fds chisel, reading from the saved trace and filtering by client IP and process name. Filter terms must be joined with "and"; echo_fds takes no arguments of its own, so everything after the chisel name is treated as the filter:

# sysdig -r /mnt/sysdig/debian.scap.gz -s 4096 -A -c echo_fds "fd.cip=192.168.0.100 and proc.name=apache2"

To see the data buffers as a hex dump instead of ASCII, replace -A with -X:

# sysdig -r /mnt/sysdig/debian.scap.gz -s 4096 -X -c echo_fds "fd.cip=192.168.0.100 and proc.name=apache2"

Explore the project website for more chisels, examples, and advanced use cases; start installing Sysdig today to unlock deeper system insights.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
