
The official install guide targets x86 platforms; building on Arm devices differs in a few places, noted below.
Linux headers
Run
```
uname -r
```
to print the release of the running kernel (uname -a shows the same string among other fields), then search for the matching headers package:
```
apt-cache search linux-headers
```
For a 4.19.0-14-arm64 kernel the package is linux-headers-4.19.0-14-arm64. On Debian-based systems `sudo apt install linux-headers-$(uname -r)` installs the matching package directly. The sysdig kernel module is compiled against these headers, so the version must match the running kernel exactly; a module built against headers for a different kernel will not load.
Sysdig build from source
Luajit-dev
The x86 guide pulls in luajit-dev; on Arm, install the Lua 5.1 development package manually instead (LuaJIT implements the Lua 5.1 C API, so the plain Lua 5.1 headers satisfy the same dependency):
```
sudo apt install lua5.1-dev
```
Build and install
```
mkdir build && cd build
```
Development kernel module install
If running sysdig fails with error opening device /dev/sysdig0, the kernel module (the sysdig probe) is not loaded. Make sure ... Load sysdig-probe.ko manually with insmod; the build leaves it in {gitpath}/sysdig/driver. The module is built against the headers installed above and only loads on the kernel they belong to.
Use sysdig to record syscall events
A basic invocation is sysdig proc.name=cat and proc.pid=1234, which records only the syscalls made by a process named cat with PID 1234 (a filter is a boolean expression over event fields, so either clause also works on its own).
The default output format is
```
*%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args
```
where %evt.dir is > for the entry into a syscall and < for its exit. Specify a different output format with the -p option, e.g.
```
sysdig -p"user:%user.name dir:%evt.arg.path" evt.type=chdir
```
When a syscall returns a value, it appears as res in the evt.args of the exit (<) event; a failed call shows the negative errno with its name, e.g. res=-2(ENOENT).
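As an added example (not code from this page or from the sysdig project), the following Python parser takes sysdig's default output format described above, splits each line into its fields and key=value arguments, applies a proc.name/tid filter of the kind the filter expression selects, pairs entry (>) with exit (<) events, and pulls the res value out of exit events. The sample lines are constructed for the example, not captured from a real host; they follow the default format and the convention that open/openat exit events report the new descriptor as fd= rather than res=, which is an assumption about sysdig's output style and the reason the result lookup falls back to fd=.

```python
import re
from typing import Optional

# Constructed sample of sysdig's default output, i.e. the format
# *%evt.num %evt.time %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.args
# These lines are made up for the example; they were not captured from a real host.
SAMPLE_OUTPUT = """\
1001 10:25:30.123456789 0 cat (4567) > openat dirfd=-100(AT_FDCWD) name=/etc/hostname flags=1(O_RDONLY) mode=0
1002 10:25:30.123460000 0 cat (4567) < openat fd=3(<f>/etc/hostname) dirfd=-100(AT_FDCWD) name=/etc/hostname flags=1(O_RDONLY) mode=0
1003 10:25:30.123470000 0 cat (4567) > read fd=3(<f>/etc/hostname) size=131072
1004 10:25:30.123480000 0 cat (4567) < read res=9 data=armboard.
1005 10:25:30.123490000 1 sshd (812) > read fd=4(<4t>10.0.0.5:51234->10.0.0.7:22) size=16384
1006 10:25:30.123495000 1 sshd (812) < read res=-11(EAGAIN) data=
1007 10:25:30.123500000 0 cat (4567) > close fd=3(<f>/etc/hostname)
1008 10:25:30.123505000 0 cat (4567) < close res=0
"""

# Fixed fields of one default-format line, then the free-form argument list.
LINE_RE = re.compile(
    r"^(?P<num>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<proc>\S+) \((?P<tid>\d+)\) "
    r"(?P<dir>[<>]) (?P<type>\S+)(?: (?P<args>.*))?$"
)


def parse_args(args: str) -> dict:
    """Split 'key=value key=value ...' into a dict. Values are sliced between
    successive 'key=' markers instead of split on whitespace, so a value that
    contains spaces (typical for data=) stays whole."""
    markers = list(re.finditer(r"(?:^| )(\w+)=", args))
    parsed = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(args)
        parsed[m.group(1)] = args[m.end():end]
    return parsed


def parse_line(line: str) -> Optional[dict]:
    """Parse one output line; None for lines that are not events."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("num", "cpu", "tid"):
        rec[key] = int(rec[key])
    rec["args"] = parse_args(rec["args"] or "")
    return rec


def parse_output(text: str) -> list:
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def matches(rec: dict, proc_name=None, tid=None, evt_type=None) -> bool:
    """Conjunctive filter like `proc.name=cat and thread.tid=4567`. The default
    output prints thread.tid (equal to proc.pid for the main thread), so that is
    what a filter applied to this output can check."""
    return ((proc_name is None or rec["proc"] == proc_name)
            and (tid is None or rec["tid"] == tid)
            and (evt_type is None or rec["type"] == evt_type))


def syscall_result(rec: dict) -> Optional[int]:
    """Integer return value of an exit ('<') event, or None.
    Most exit events carry res=<n>; a failure is the negative errno, which
    sysdig prints with the error name appended, e.g. res=-11(EAGAIN).
    open/openat exit events report the new descriptor as fd= rather than res=
    (assumption about sysdig's output style that the sample follows), so fall
    back to fd= when res= is absent."""
    if rec["dir"] != "<":
        return None
    raw = rec["args"].get("res", rec["args"].get("fd"))
    if raw is None:
        return None
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def failed_syscalls(records: list) -> list:
    """(tid, type, res) for every exit event with a negative result."""
    return [(r["tid"], r["type"], res) for r in records
            for res in [syscall_result(r)] if res is not None and res < 0]


def pair_enter_exit(records: list) -> list:
    """Join each '>' event with the next '<' event of the same tid and syscall
    type, yielding (type, tid, enter_args, exit_args)."""
    pending, pairs = {}, []
    for rec in records:
        key = (rec["tid"], rec["type"])
        if rec["dir"] == ">":
            pending[key] = rec
        elif key in pending:
            pairs.append((rec["type"], rec["tid"], pending.pop(key)["args"], rec["args"]))
    return pairs


if __name__ == "__main__":
    for rec in parse_output(SAMPLE_OUTPUT):
        if matches(rec, proc_name="cat", tid=4567):
            print(rec["num"], rec["dir"], rec["type"], syscall_result(rec))
```

Feeding real output is a matter of `sysdig | python3 parse.py` style piping or reading a file written with `sysdig -w`; the only caveat is that values containing a literal " key=" substring (possible inside data=) would be mis-split by the argument slicer, so treat the data field as best effort.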
For more usage, see the official wiki page on GitHub.