Sysdig Platform CLI - Captures
This section explains the concepts and notation used by the set of Capture commands the CLI provides.
Usage
The Capture section allows the user to perform the following actions:
$ sdc-cli capture --help
Usage: sdc-cli capture [OPTIONS] COMMAND [ARGS]...
Options:
--secure Work Sysdig Secure captures instead of Sysdig Monitor
--help Show this message and exit.
Commands:
add Create a new sysdig capture. The capture will be immediately
started.
download Download a sysdig capture
get Fetch the state of a sysdig capture
list List alerts
⚠️ By default, this command operates on Monitor captures; to operate on Secure captures, you need to specify --secure.
List Captures
To list the captures, you can use the list subcommand:
$ sdc-cli capture list --help
Usage: sdc-cli capture list [OPTIONS]
Options:
--duration TEXT Duration to display the events from. (ex: 30M, 1H, 3D, 2W)
--start TEXT Start of the time range.
--end TEXT End of the time range.
--scope TEXT this is a SysdigMonitor-like filter (e.g
'container.image=ubuntu'). When provided, events are
filtered by their scope, so only a subset will be returned
(e.g. 'container.image=ubuntu' will provide only events
that have happened on an ubuntu container).
--help Show this message and exit.
For example, to list the captures from the last 3 days, specify --duration 3D:
$ sdc-cli capture list --duration 3D
id name hostname time status
33363258 pod-crashloop-nginx-1c2ec6b6-a8a8-4b89-9739-b71c007ce76c ip-172-20-42-99 2020-09-16 11:08:48 (52 sec) uploaded
33366946 pod-crashloop-nginx-5e0a7f37-02ef-4136-b57f-91d55e55c982 ip-172-20-42-99 2020-09-17 11:08:48 (51 sec) uploaded
Describe a capture
You can get more information about a capture, such as its size and the notification that triggered it:
$ sdc-cli capture get 33363258
id: 33363258
name: pod-crashloop-nginx-1c2ec6b6-a8a8-4b89-9739-b71c007ce76c
hostname: ip-172-20-42-99
time: 2020-09-16 11:08:48 (52 sec)
folder: /
size: 18.14 MiB
notification: {'id': 52573488, 'alertId': 2114996, 'timestamp': 1600254420000}
status: uploaded
Download a capture for further analysis
You can download a given capture and analyse it further with Sysdig Inspect:
$ sdc-cli capture download 33363258 pod-crashloop.scap
$ ls -alh pod-crashloop.scap
Permissions Size User Group Date Modified Date Accessed Name
.rw-r--r-- 19M sysdig sysdig 17 sep 17:18 17 sep 17:18 pod-crashloop.scap
Create a capture in a remote host
You can also trigger a new capture of the syscalls happening on a remote host (only if the Sysdig Agent is running on that host):
$ sdc-cli capture add --help
Usage: sdc-cli capture add [OPTIONS] NAME HOSTNAME
NAME: the name of the capture. HOSTNAME: the hostname of the instrumented
host where the capture will be taken.
Options:
--duration INTEGER the duration of the capture, in seconds.
--filter TEXT a sysdig filter expression.
--folder TEXT directory in the S3 bucket where the capture will be
saved.
--help Show this message and exit.
For example, to create a 30 second capture on the host called ip-172-20-42-99, you can execute:
$ sdc-cli capture add test-capture ip-172-20-42-99 --duration 30
id: 33370445
name: test-capture (1)
hostname: ip-172-20-42-99
time: 2020-09-17 15:30:09.484000
folder: /
status: requested
$ sdc-cli capture list --duration 1H
id name hostname time status
33370445 test-capture (1) ip-172-20-42-99 2020-09-17 15:30:09 (32 sec) uploaded
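The add, get and download steps above chain naturally into one collection workflow. The following script is an added example, not part of sdc-cli or the Sysdig documentation: it creates a capture on a host, polls capture get until the status shown on this page (uploaded) appears, and then downloads the .scap. SDC_CLI, CAPTURE_OPTS, POLL_SECONDS and MAX_POLLS are knobs introduced here, not CLI options, and the script assumes sdc-cli is already installed and authenticated.

```shell
#!/bin/sh
# Added example, not part of sdc-cli: create a capture on a host, poll
# `capture get` until it reports "uploaded", then download the .scap.
# SDC_CLI, CAPTURE_OPTS, POLL_SECONDS and MAX_POLLS are knobs introduced
# here (assumptions), not options of the CLI itself.
SDC_CLI="${SDC_CLI:-sdc-cli}"        # command to run; must already be authenticated
CAPTURE_OPTS="${CAPTURE_OPTS:-}"     # set to --secure to work with Sysdig Secure captures
POLL_SECONDS="${POLL_SECONDS:-10}"
MAX_POLLS="${MAX_POLLS:-30}"

# Read the "key: value" lines printed by `capture add`/`capture get` on stdin
# and print the value of one key (values may contain spaces, e.g. time).
capture_field() {
    awk -v key="$1:" '$1 == key { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# Poll until the capture's status is "uploaded". The page documents only the
# "requested" and "uploaded" states, so any other status is reported and
# treated as still in progress until MAX_POLLS is exhausted.
wait_for_capture() {
    id="$1"; n=0
    while [ "$n" -lt "$MAX_POLLS" ]; do
        status=$($SDC_CLI capture $CAPTURE_OPTS get "$id" | capture_field status)
        [ "$status" = "uploaded" ] && return 0
        echo "capture $id: status '${status:-unknown}', waiting" >&2
        n=$((n + 1)); sleep "$POLL_SECONDS"
    done
    echo "capture $id: not uploaded after $MAX_POLLS polls" >&2
    return 1
}

# Full workflow. Arguments: name hostname duration_seconds [sysdig_filter]
# Prints the path of the downloaded file on success.
collect_capture() {
    name="$1"; host="$2"; secs="$3"; filter="$4"
    if [ -n "$filter" ]; then
        id=$($SDC_CLI capture $CAPTURE_OPTS add "$name" "$host" \
               --duration "$secs" --filter "$filter" | capture_field id)
    else
        id=$($SDC_CLI capture $CAPTURE_OPTS add "$name" "$host" \
               --duration "$secs" | capture_field id)
    fi
    [ -n "$id" ] || { echo "capture add returned no id" >&2; return 1; }
    wait_for_capture "$id" || return 1
    out="${name}-${id}.scap"
    $SDC_CLI capture $CAPTURE_OPTS download "$id" "$out" && echo "$out"
}
```

Run it as, for instance, `collect_capture test-capture ip-172-20-42-99 30 'container.image=ubuntu'` from a shell that has sourced the script; the resulting file can be opened in Sysdig Inspect as described above.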