Sysdig OSS: Deep Kernel Visibility Without a Kernel Module
A modern, container-aware alternative to strace, tcpdump, and auditd — all rolled into one
What is Sysdig (OSS)?
It’s a system-level inspection tool for Linux. It started life on a kernel module and can now also run on eBPF probes. It captures everything that happens on a host (process creation, file access, syscalls, network events) and lets users filter, explore, and make sense of it.
If `strace` gives you a microscope, `sysdig` gives you a live camera crew inside the OS. It’s used by security teams, incident responders, and SREs who need to know what actually happened, not just what logs say happened.
And because it’s open source, small, and passive (it observes syscalls and never alters them), it is routinely run on production hosts. It does need root and a kernel driver, so “inside containers” means a privileged container with host-level access, not an ordinary workload pod.
You spin up a container.
It starts writing to a temp file, opens suspicious sockets, and then crashes.
The logs? Empty. The container is gone. No auditd, no journald.
How do you figure out what it did?
If sysdig was recording at the time (live, or writing to a .scap file), you run it with a filter and get the answer, even though the container no longer exists. It cannot reconstruct the past from nothing: the capture has to be running before the event happens, which is why teams keep a rotating capture on sensitive hosts.
Where It’s Being Used
– Forensics during incident response — what process touched what file?
– Real-time syscall inspection when a service misbehaves under load.
– Container-level auditing on unmodified Kubernetes nodes.
– Live tracing during software troubleshooting (e.g., why nginx is stalling on accept()).
– Feeding Falco-style detection (Falco is built on the same capture libraries, libscap and libsinsp, so a filter you test in sysdig carries over to a Falco rule condition).
Key Characteristics
| Feature | Why It Matters |
|---|---|
| eBPF or kernel driver | Runs on a modern eBPF probe or the traditional kernel module; pick whichever your kernel and policy allow |
| Syscall-level capture | Sees every open, execve, clone, bind, read, write, etc., with arguments and return values |
| Container aware | Namespaces, cgroups, container IDs and names: every event is tagged with the container it came from |
| Chisel scripts | Bundled Lua scripts for common tasks, e.g. echo_fds, spy_users, topfiles_bytes (list them with `sysdig -cl`) |
| Filter language | Compact, CLI-friendly: filter by user, PID, file name, network address, container, and more (`sysdig -l` lists the fields) |
| PCAP-like dumps (.scap) | Record system activity and replay it later, so the investigation does not depend on the host still being around |
| Non-intrusive | Read-only observer; it never blocks or alters a syscall, though under heavy load it drops events rather than slow the host |
| Live or offline | Runs against the live kernel or replays a .scap file |
| Low overhead | Especially in eBPF mode; designed for production hosts |
| Works in CI/CD | Capture during tests to check what a build or service really does on disk and on the network |
What You Actually Need
– A Linux kernel with eBPF support (4.14+ for the legacy probe; the modern CO-RE probe needs BTF, 5.8+), or kernel headers so the kernel module can be built through DKMS
– Root (the driver is loaded into the kernel and its ring buffers are read with CAP_SYS_ADMIN-level privilege)
– A terminal. That’s it.
To install via the upstream script:
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | bash
Don’t pipe an installer straight into bash on a host that matters: fetch the script to a file, read it, then run it, and prefer a package you can verify (the project publishes release packages on GitHub).
Or build from source:
git clone https://github.com/draios/sysdig
cd sysdig
mkdir build && cd build
cmake .. && make -j$(nproc)
sudo make install
sudo sysdig
The driver is chosen at run time; the kernel module is the default, and `sysdig --help` lists the eBPF options available in your release.
Sample usage:
sudo sysdig evt.type=execve
Want to trace file writes by a container? Filter terms are joined with `and`/`or`; quote the whole filter so the shell does not split it.
sudo sysdig "container.name=myapp and evt.type=write and fd.type=file"
Need to record a session? Without a filter, -w records every event on the host; a filter on the capture command narrows what is written, and the same filters work on replay.
sudo sysdig -w trace.scap
sudo sysdig -r trace.scap
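A worked triage script, as an added example (my code, not part of the sysdig project or of this page): it replays a capture through `sysdig -r` with a `-p` format chosen here so the output is tab-separated and easy to parse, then summarises which process in which container opened or wrote which file, the forensic question from the incident-response bullet above. The `.scap` path, the container name `myapp`, and the sample lines (constructed to match the chosen format, not real capture output) are assumptions; the fields, the `in` operator and `evt.dir` are standard sysdig filter syntax.

```python
import subprocess
from collections import defaultdict

# Tab-separated output format passed to `sysdig -p`. Each %token is a real
# sysdig field; <NA> appears when a field cannot be resolved for an event.
FORMAT = "%container.name\t%proc.name\t%proc.pid\t%evt.type\t%fd.name"

# Exit-side (evt.dir=<) file events only: opens for write, and writes on
# regular-file descriptors. On the exit side the kernel has already resolved
# the descriptor, so fd.name carries the path.
FILTER = ("evt.dir=< and fd.type=file and "
          "(evt.type=write or (evt.type in (open, openat, openat2) "
          "and evt.is_open_write=true))")


def replay_lines(scap_path, extra_filter=None):
    """Replay a .scap offline through sysdig and return the formatted lines.

    Requires the sysdig binary; the capture itself was recorded earlier with
    something like `sudo sysdig -w trace.scap container.name=myapp` (assumed).
    """
    flt = FILTER if extra_filter is None else f"({FILTER}) and ({extra_filter})"
    out = subprocess.run(["sysdig", "-r", scap_path, "-p", FORMAT, flt],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def parse_line(line):
    """Split one formatted line into (container, proc, pid, evt_type, path).

    Returns None for lines without all five fields or whose file name
    could not be resolved (<NA>), so junk never reaches the summary.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    container, proc, pid, evt_type, path = parts
    if not path or path == "<NA>":
        return None
    return container, proc, pid, evt_type, path


def summarize(lines):
    """Return {(container, proc, pid): {evt_type: {path: count}}}."""
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        container, proc, pid, evt_type, path = rec
        summary[(container, proc, pid)][evt_type][path] += 1
    # Plain dicts so callers get ordinary, printable structures.
    return {k: {t: dict(p) for t, p in v.items()} for k, v in summary.items()}


def report(summary, container=None):
    """Render the summary as text lines, optionally for one container only."""
    out = []
    for (ctr, proc, pid), by_type in sorted(summary.items()):
        if container is not None and ctr != container:
            continue
        out.append(f"[{ctr}] {proc} (pid {pid})")
        for evt_type, paths in sorted(by_type.items()):
            for path, n in sorted(paths.items()):
                out.append(f"    {evt_type:<7} x{n:<3} {path}")
    return out


# Constructed sample in the FORMAT above (not real capture output): a web
# process writing a hidden temp file, a shell dropping a cron entry, host
# syslog noise (container.name is "host" outside containers), and one event
# whose descriptor could not be resolved.
SAMPLE = """\
myapp\tnginx\t4012\topenat\t/tmp/.x9
myapp\tnginx\t4012\twrite\t/tmp/.x9
myapp\tnginx\t4012\twrite\t/tmp/.x9
myapp\tsh\t4020\topenat\t/etc/cron.d/backup
myapp\tsh\t4020\twrite\t/etc/cron.d/backup
host\trsyslogd\t511\twrite\t/var/log/syslog
myapp\tnginx\t4012\twrite\t<NA>
"""

if __name__ == "__main__":
    import sys
    # With a .scap path on the command line, replay it; otherwise use SAMPLE.
    lines = replay_lines(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    print("\n".join(report(summarize(lines), container="myapp")))
```

Run it as `python3 triage.py trace.scap` on a real capture, or with no argument to see it work on the constructed sample. Keeping the filter on the replay side, rather than in the original capture, means the same .scap can later answer a different question (network activity, process lineage) without re-recording.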
What People Actually Say
“It saved us during an incident where no logs existed. Sysdig had it all.”
“I’ve used tcpdump and strace forever, but sysdig gives me context I never got before.”
“This is the only way I found out that our app was calling `rm -rf` from a subprocess.”
One Thing to Know
Sysdig OSS isn’t fancy. It doesn’t draw graphs or offer a GUI. But what it shows comes straight from the kernel, with no log pipeline in between to be misconfigured, truncated, or tampered with. One honest caveat: events pass through a kernel ring buffer, and when a host is busier than the consumer can keep up with, sysdig drops events rather than stall the host. It prints the driver event and drop counts when a capture ends, so check them before treating a capture as complete.
If you need to know what happened — not what was logged, not what was assumed — Sysdig is the tool.