Installing Sysdig on Ubuntu 22.04

How to Install and Use Sysdig on Ubuntu 22.04: A Complete Guide

In the world of Linux system administration and DevOps, having deep visibility into your system’s activity is not a luxury—it’s a necessity. Whether you are troubleshooting performance bottlenecks, investigating security incidents, or simply trying to understand how applications interact with the kernel, you need the right tool for the job. Sysdig is a powerful open-source tool for system-level exploration, offering granular insight into system calls and events.

Unlike traditional tools that provide pre-canned metrics, Sysdig allows you to capture, filter, and analyze everything happening on your machine in real-time. It acts like a universal system tap, giving you a detailed stream of data that can be dissected for performance analysis, security forensics, and debugging.

This guide will walk you through the complete process of installing and getting started with Sysdig on Ubuntu 22.04 LTS (Jammy Jellyfish).

Prerequisites

Before we begin, ensure you have the following:

  • An operational Ubuntu 22.04 system.
  • A user account with sudo or root privileges.
  • An active internet connection to download packages.

Step-by-Step Installation Guide

Follow these instructions carefully to add the official Sysdig repository and install the software correctly.

Step 1: Update Your System’s Package List

First, it’s always a best practice to ensure your system’s package index is up to date. Open a terminal and run the following command:

sudo apt update && sudo apt upgrade -y

This command refreshes your local package cache and applies any pending updates to your system.

Step 2: Add the Sysdig GPG Key and Repository

To ensure the packages you download are authentic and have not been tampered with, you must first trust the Sysdig GPG key. Afterward, you’ll add the official repository to your system’s sources list.

Execute the following commands in your terminal:

curl -fsSL https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public | gpg --dearmor | sudo tee /usr/share/keyrings/sysdig.gpg > /dev/null
echo 'deb [signed-by=/usr/share/keyrings/sysdig.gpg] https://s3.amazonaws.com/download.draios.com/stable/deb/any/ any' | sudo tee /etc/apt/sources.list.d/sysdig.list

These two commands first download the GPG key and store it in a trusted location, then add the Sysdig repository configuration, pointing apt to the correct location for the software. curl itself does not need sudo (only tee writes to the keyring directory), and the -f flag makes curl fail on an HTTP error instead of piping an error page into gpg --dearmor; -L follows redirects.

Step 3: Refresh the Package List Again

Now that you’ve added a new repository, you need to update your package manager’s list one more time to make it aware of the new Sysdig packages.

sudo apt update

Step 4: Install Required Kernel Headers

This is a critical step that is often missed. Sysdig interacts directly with the Linux kernel at a very low level by compiling a small kernel module. To do this successfully, it requires the specific kernel headers that match your currently running kernel version.

You can install the correct headers automatically with this command:

sudo apt install -y linux-headers-$(uname -r)

The $(uname -r) part dynamically inserts your current kernel version, ensuring you install the correct package.

Step 5: Install Sysdig

With all the dependencies and configurations in place, you can now install the main Sysdig package.

sudo apt install -y sysdig

The package manager will now download and install Sysdig and its dependencies. The installation process may automatically build the kernel module (scap.ko), which is essential for its operation.

Verifying the Sysdig Installation

Once the installation is complete, you should verify that it was successful and that Sysdig is ready to use.

First, check the installed version:

sysdig --version

You should see output displaying the Sysdig version, confirming the tool is in your path.

Next, run Sysdig with sudo privileges to see the live event stream. This will confirm that the kernel module is loaded and working correctly.

sudo sysdig

You will see a continuous stream of system events scrolling across your screen. This is the raw, unfiltered output of everything happening on your system. You can stop the stream by pressing Ctrl+C.

Getting Started with Sysdig: Basic Commands and Usage

The real power of Sysdig lies in its ability to filter and format data using “chisels”—small Lua scripts that provide specific views of the system.

Here are a few practical examples to get you started.

Interactive Curses-Based UI

For a more user-friendly, top-like interface, you can use csysdig.

sudo csysdig

This command launches an interactive dashboard where you can navigate through different views, such as processes, file I/O, and network connections.

Using Chisels for Targeted Insights

Chisels help you make sense of the raw data stream. You can list all available chisels with sysdig -cl.

1. View Top Processes by CPU Usage:
This is a classic use case for performance monitoring.

sudo sysdig -c topprocs_cpu

2. Monitor File I/O in Real-Time:
See which files are being most actively read from or written to.

sudo sysdig -c topfiles_bytes

3. Actionable Security Tip: Monitor Directory Access
You can use Sysdig for basic security monitoring. For example, to watch for any process opening a file within the sensitive /etc directory, use the following command:

sudo sysdig "evt.type=openat and fd.name contains /etc"

This command provides a real-time log of every file access attempt in /etc, which can be invaluable for tracking unauthorized configuration changes.
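As an added example (not part of the original article), here is a tightened version of that filter together with a small shell post-processor that separates read-only opens from opens that can modify a file under /etc. The filter fields (evt.type, evt.dir, fd.name, evt.arg.flags, user.name, proc.name, proc.pid) are standard sysdig fields; the sample lines are constructed to match the requested -p format, and the symbolic rendering of %evt.arg.flags is an assumption about the output shape.

```shell
#!/bin/sh
# Added example, not from the original article. Field names are standard sysdig
# fields; the symbolic rendering of %evt.arg.flags (O_WRONLY|O_CREAT...) is assumed.

# 'fd.name contains /etc' also matches /home/bob/etc/x; startswith anchors to the
# tree. open is included alongside openat for programs that still call open(2).
# evt.dir=< keeps only the exit event, where fd.name is resolved: one line per call.
SYSDIG_FILTER='evt.type in (open, openat) and evt.dir=< and fd.name startswith /etc/'
SYSDIG_FMT='%evt.time %user.name %proc.name %proc.pid %evt.arg.flags %fd.name'

# Constructed lines in the shape SYSDIG_FMT produces; not real captured data.
SAMPLE_LINES='10:15:01.123456789 root sshd 812 O_RDONLY /etc/ssh/sshd_config
10:15:01.223456789 root cron 602 O_RDONLY|O_CLOEXEC /etc/crontab
10:15:02.000000001 root vim 4021 O_WRONLY|O_CREAT|O_TRUNC /etc/passwd
10:15:02.100000001 alice cat 4030 O_RDONLY /etc/passwd
10:15:03.500000000 root sh 4099 O_WRONLY|O_APPEND /etc/hosts'

# Open flags under which the target can be modified.
WRITE_FLAGS='O_WRONLY|O_RDWR|O_CREAT|O_TRUNC|O_APPEND'

# Keep only write-capable opens; print "user proc[pid] path flags".
etc_write_events() {
    awk -v re="$WRITE_FLAGS" '$5 ~ re { printf "%s %s[%s] %s %s\n", $2, $3, $4, $6, $5 }'
}

# Number of write-capable opens under /etc in the input.
count_etc_writes() {
    etc_write_events | wc -l | tr -d ' '
}

# Per-process tally: "proc reads writes", sorted by process name.
etc_open_tally() {
    awk -v re="$WRITE_FLAGS" '{ cls = ($5 ~ re) ? "w" : "r"; n[$3 " " cls]++; seen[$3] = 1 }
         END { for (p in seen) printf "%s %d %d\n", p, n[p " r"] + 0, n[p " w"] + 0 }' | sort
}

# Live use (needs root and the loaded kernel module): stream sysdig into the helpers.
monitor_etc_writes() {
    sudo sysdig -p "$SYSDIG_FMT" "$SYSDIG_FILTER" | etc_write_events
}
```

The same helpers work on a saved trace: sysdig -r capture.scap -p "$SYSDIG_FMT" "$SYSDIG_FILTER" | etc_open_tally.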

Conclusion

You have successfully installed Sysdig on your Ubuntu 22.04 system and explored its basic functionality. By mastering Sysdig, you gain a formidable tool for performance monitoring, in-depth troubleshooting, and security analysis. Its ability to trace system calls and events provides an unparalleled level of detail that is essential for managing modern, complex systems.

From here, we encourage you to explore the vast library of chisels and learn about Sysdig’s powerful filtering syntax to tailor its output to your specific needs. With this tool in your arsenal, you are better equipped to handle any performance or security challenge that comes your way.

Source: https://kifarunix.com/install-sysdig-system-visibility-tool-on-ubuntu/
