Recording system activity with sysdig

Description:

In process of improving workflow I need tools which give me ability to record all system activities (file operations, launching applications and scripts, network connections etc). Linux contains many of debugging tools, but all of them chase different goals. Without much hope I have decided to search tools which combine all of my need and to my deepest satisfaction I found sysdig.

This great tool can record wholly system activity (kernel module) into file using filters or without them. In case of installing our products I can very quickly estimate what's happening. But that is not all! Sysdig contain Lua processing functionality (chisels), which give me powerful representation tool.

Some examples:

sysdig -w trace

sysdig -r trace -c ps | head -n 10

TID     PID     USER        VIRT       RES        FDLIMIT   CMD                 
1       1       root        120.80M    4.18M      65536     systemd
1054    1054    root        104.59M    59.30M     16384     systemd-journal
1059    1059    root        123.69M    1.32M      1024      lvmetad
1069    1069    root        42.88M     2.41M      1024      systemd-udevd
1273    1273    root        49.97M     1.57M      1024      auditd
1275    1273    root        49.97M     1.57M      1024      auditd
1276    1276    root        78.33M     824.00KB   1024      audispd
1277    1277    root        25.57M     932.00KB   1024      sedispatch
1278    1276    root        78.33M     824.00KB   1024      audispd

sysdig -r trace -c netstat | head -n 10

Proto Server Address           Client Address           State          TID/PID/Program Name
tcp   127.0.0.1:25001          0.0.0.0:*                LISTEN         3863/3847/nxclient.bin
tcp   127.0.0.1:25001          127.0.0.1:45371          ESTABLISHED    3863/3847/nxclient.bin
tcp   0.0.0.0:4000             0.0.0.0:*                LISTEN         3128/3128/nxd
tcp   192.168.103.9:443        192.168.101.2:53653      ESTABLISHED    4455/4093/QThread
tcp   127.0.0.1:13002          127.0.0.1:41300          ESTABLISHED    17675/17609/nxplayer.bin
udp   0.0.0.0:38516            0.0.0.0:*                LISTEN         17675/17609/nxplayer.bin
udp   0.0.0.0:5353             0.0.0.0:*                LISTEN         17675/17609/nxplayer.bin
udp   0.0.0.0:5353             0.0.0.0:*                LISTEN         17675/17609/nxplayer.bin
udp   0.0.0.0:5353             0.0.0.0:*                LISTEN         17675/17609/nxplayer.bin

sysdig -r trace -c topfiles_bytes | head -n 10

Bytes               Filename            
--------------------------------------------------------------------------------
462.05KB            /home/user/.cache/google-chrome/Default/Cache/f_000013
295.24KB            /etc/passwd
170.50KB            /home/user/.config/Trolltech.conf
133.32KB            /home/user/.cache/google-chrome/Default/Cache/f_000161
131.75KB            /usr/share/X11/locale/locale.alias
128.04KB            /home/user/.config/google-chrome/Default/Visited Links
112.53KB            /home/user/.cache/google-chrome/Default/Cache/f_000012
108.88KB            /home/user/.kde/share/config/kdeglobals