Sysdig Notes (3): chisels

A chisel in Sysdig is a script written in Lua that analyzes and processes the events sysdig produces. Sysdig looks for chisels in the following directories: ., ./chisels, ~/chisels and /usr/share/sysdig/chisels.

List all available sysdig chisels:

# sysdig -cl

Category: Application
---------------------
httplog         HTTP requests log
httptop         Top HTTP requests
memcachelog     memcached requests log

Category: CPU Usage
-------------------
spectrogram     Visualize OS latency in real time.
......

To see detailed information about a particular chisel, use the -i option:

# sysdig -itopfiles_bytes

Category: I/O
-------------
topfiles_bytes  Top files by R+W bytes

Shows the top files in terms of disk usage. This chisel is compatable with
containers using the sysdig -pc or -pcontainer argument, otherwise no container
information will be shown.
Args:
(None)

Run a chisel with the -c option (the table is redrawn periodically, which is why the header repeats):

# sysdig -c topfiles_bytes
Bytes               Filename
--------------------------------------------------------------------------------
Bytes               Filename
--------------------------------------------------------------------------------
144B                /dev/ptmx
Bytes               Filename
--------------------------------------------------------------------------------
165B                /dev/ptmx

You can also pass arguments to a chisel; here the argument is a filter expression that excludes files under /dev:

# sysdig -c topfiles_bytes "not fd.name contains /dev"
Bytes               Filename
--------------------------------------------------------------------------------
Bytes               Filename
--------------------------------------------------------------------------------
Bytes               Filename
--------------------------------------------------------------------------------
7.47KB              /proc/cpuinfo
1024B               /proc/meminfo

References:

Sysdig Quick Reference Guide

Chisels User Guide

Sysdig Notes (2): the sysdig output log

Running the sysdig command on the command line produces output like the following:

# sysdig | more
8 11:04:39.920906090 2 <NA> (0) > switch next=4606(qemu-kvm) pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
9 11:04:39.920923972 2 qemu-kvm (4606) < ioctl res=0
10 11:04:39.920927878 2 qemu-kvm (4606) > ioctl fd=17(<X>) request=AE80 argument=0
11 11:04:39.920933865 2 qemu-kvm (4606) < ioctl res=0
12 11:04:39.920934920 2 qemu-kvm (4606) > ioctl fd=17(<X>) request=AE80 argument=0
21 11:04:39.920950032 2 qemu-kvm (4606) < ioctl res=0
22 11:04:39.920951238 2 qemu-kvm (4606) > ioctl fd=17(<X>) request=AE80 argument=0
24 11:04:39.920958802 2 qemu-kvm (4606) > switch next=0 pgft_maj=0 pgft_min=930 vm_size=1534620 vm_rss=1083932 vm_swap=0
500 11:04:39.923348311 1 <NA> (0) > switch next=17 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
501 11:04:39.923351955 1 <NA> (17) > switch next=0 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
504 11:04:39.923380189 7 <NA> (0) > switch next=22 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0
507 11:04:39.923394983 7 <NA> (22) > switch next=0 pgft_maj=0 pgft_min=0 vm_size=0 vm_rss=0 vm_swap=0

Column 1 is the event number. It increases monotonically but is not contiguous, because events generated by sysdig itself are not included (use sysdig -D to see the events sysdig itself produces);
Column 2 is the timestamp of the event;
Column 3 is the CPU ID;
Column 4 is the command (process name);
Column 5 is the thread ID;
Column 6 is the event direction, e.g. > for entering the ioctl call and < for leaving it;
Column 7 is the event name (e.g. ioctl);
Column 8 is the event arguments.
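As an added example (not part of the original post), the following Python parser reads the eight columns explained above, pairs each > enter event with its < exit on the same thread to compute syscall latency, and reports the gaps in event numbers that the note attributes to sysdig's own events; the sample lines are copied from the sysdig output shown above, and the column regex is this example's own assumption about the text format.

```python
import re
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<cpu>\d+)\s+(?P<comm>\S+)\s+"
    r"\((?P<tid>\d+)\)\s+(?P<dir>[<>])\s+(?P<name>\S+)\s*(?P<args>.*)$")

# Constructed sample: five lines copied from the `sysdig | more` output shown above.
SAMPLE = """\
9 11:04:39.920923972 2 qemu-kvm (4606) < ioctl res=0
10 11:04:39.920927878 2 qemu-kvm (4606) > ioctl fd=17(<X>) request=AE80 argument=0
11 11:04:39.920933865 2 qemu-kvm (4606) < ioctl res=0
12 11:04:39.920934920 2 qemu-kvm (4606) > ioctl fd=17(<X>) request=AE80 argument=0
21 11:04:39.920950032 2 qemu-kvm (4606) < ioctl res=0
"""

def _ts_to_ns(ts):
    # HH:MM:SS.nnnnnnnnn -> integer nanoseconds since midnight (no float rounding)
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000_000 + int(frac.ljust(9, "0"))

def parse_line(line):
    """Return one event as a dict, or None for a line not in sysdig's format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("num", "cpu", "tid"):
        e[k] = int(e[k])
    e["ts_ns"] = _ts_to_ns(e.pop("ts"))
    e["args"] = dict(tok.partition("=")[::2] for tok in e["args"].split())  # key=value
    return e

def parse_output(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def event_number_gaps(events):
    """(previous, next) pairs where numbers are skipped: sysdig's own events."""
    nums = [e["num"] for e in events]
    return [(a, b) for a, b in zip(nums, nums[1:]) if b != a + 1]

def syscall_latencies(events):
    """Match each '>' enter with the next '<' exit of the same event on the same thread."""
    pending, out = {}, []
    for e in events:
        key = (e["tid"], e["name"])
        if e["dir"] == ">":
            pending[key] = e
        elif key in pending:  # an exit whose enter lies before the capture start is skipped
            s = pending.pop(key)
            out.append((s["num"], e["num"], e["comm"], e["name"], e["ts_ns"] - s["ts_ns"]))
    return out
```

The first sample line (event 9) is an exit whose enter happened before the capture began, so it is deliberately left unmatched.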

References:
Interpreting Sysdig Output
How to understand evt.num?