Storing SysDig Streams with Apache NiFi

SysDig (GitHub) is an open source tool that allows for the exploration, analysis and troubleshooting of Linux systems and containers. It is well documented and very easy to install and use. It can be used for container and Linux system diagnostics, security analysis, monitoring and basic system information capture. Remember that SysDig can produce thousands of lines of messages and can continue doing so infinitely depending on the options.   

To install:To get started, follow the get started guide and try out the csysdig console.

 curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash 

There are a number of examples of using SysDig for getting specific system information, this could include processes, networking, files, errors, events and more.  

It is a very compact tool that can generate a ton of system and tracing information to use for current or predictive analysis of your system.   My use case was to capture a stream of this data every 15 minutes and store to Apache Phoenix on HBase for predictive analytics.

To use from the command line:

sysdig --help
sysdig version 0.11.0
Usage: sysdig [options] [-p <output_format>] [filter]

To start my flow in NiFi 1.00, I use the ExecuteProcess processor and wrap my SysDig command in a BASH script. This example returns ASCII text formatted as JSON and just gives me a 1-second snapshot.  This actually generates a ton of data.

 sysdig -A -j -M 1 --unbuffered 

This is an example of an Event returned by SysDig in JSON format:

"evt.cpu":6,
"evt.dir":">",
"evt.info":"fd=7(<f>/usr/lib64/python2.7/lib-dynload/_elementtree.so) ",
"evt.num":111138,
"evt.outputtime":1477313882635597873,
"evt.type":"fstat",
"proc.name":"python",
"thread.tid":14602}

Resources:

• Fishing for Hackers With Sysdig Part 1
• Fishing for Hackers With Sysdig Part 2
• Sysdig Examples
• Sysdig Cheatsheet mapping to legacy tools