Sysdig Documentation

Captures

Sysdig capture files contain system calls and other OS events that can be analyzed with either the open-source sysdig or csysdig (curses-based) utilities, and are displayed in the Captures module.

The Captures module contains a table listing the capture file name, the host it was retrieved from, the time frame, and the size of the capture. When the capture file status is uploaded, the file has been successfully transmitted from the Sysdig agent to the storage bucket, and is available for download and analysis.

This section describes how to create capture files in Sysdig Secure.

Configure Capture Files

Store Capture Files

Sysdig capture files are stored in Sysdig's AWS S3 storage (for SaaS environments), or in the Cassandra DB (for on-premises environments) by default. To use your own AWS S3 storage bucket, see Configure a Custom S3 Capture Bucket.

Create a Capture File

Capture files can be created in Sysdig Secure either by configuring them as part of a policy, or by manually creating them from the Captures module.

Note

For more information on creating a capture as part of a policy, refer to the Policies module documentation.

To manually create a capture file:

  1. From the Captures module, click the Take Capture button to open the capture creation window.

  2. Define the name of the capture.

  3. Configure the host and container the capture file should record system calls from.

  4. Define the duration of the capture. The maximum length is 300 seconds (five minutes).

  5. Click the Start button.

The Sysdig agent will be signaled to start a capture and send back the resulting trace file. The file will then be displayed in the Captures module.

Delete a Capture File

  1. From the Captures module, select the capture file to be deleted.

  2. Click the Delete (trash can) icon:

  3. Click the Yes (tick) icon to confirm deleting the capture, or the No (cross) icon to cancel.

Review Capture Files

Review the Capture Event in the Policy Events Module

To review the event that caused the capture file's creation:

  1. From the Captures module, select the capture file to be reviewed.

  2. Click the View Policy Event (list) icon:


Sysdig Secure will navigate to the Policy Events module and display the exact event that triggered the capture.

Review the Capture File with Sysdig Inspect

To review the capture file in Sysdig Inspect:

  1. From the Captures module, select the capture file to be reviewed.

  2. Click the Inspect (Sysdig logo) icon to open Sysdig Inspect in a new browser tab:


Download a Capture File

To download a capture file:

  1. From the Captures module, select the target capture file.

  2. Click the Download (down arrow) icon to download the capture file.


The capture file will now be downloaded to the local machine.
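Once the file is on the local machine it can be analyzed offline with the open-source sysdig utility mentioned at the top of this page. The following script is an added example and is not part of the Sysdig documentation or the Sysdig agent; it assumes sysdig is installed on the analysis machine, the file paths and the container name are placeholders, and the four-byte header check reflects the example's own assumption that the .scap container is pcapng-like and begins with section-header block type 0x0A0D0D0A.

```sh
#!/bin/sh
# Added example, not part of the Sysdig documentation: triage a capture file
# downloaded from the Captures module with the open-source sysdig CLI.
# Assumes sysdig is installed on the analysis machine; paths are placeholders.
# The magic-byte check is this example's own assumption that the .scap
# container is pcapng-like and starts with section-header block type 0x0A0D0D0A.

# Return 0 if the first four bytes match the expected capture header, else 1,
# so a truncated or mislabelled download is rejected before analysis.
looks_like_scap() {
  magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "0a0d0d0a" ]
}

# Guard used by the analysis functions below.
require_sysdig() {
  command -v sysdig >/dev/null 2>&1 || { echo "sysdig not installed" >&2; return 2; }
}

# Offline views of a single capture: every step reads from the file (-r)
# and never touches the live system.
summarize_capture() {
  cap="$1"
  looks_like_scap "$cap" || { echo "not a sysdig capture: $cap" >&2; return 1; }
  require_sysdig || return 2
  # Which processes were busiest during the capture window.
  sysdig -r "$cap" -c topprocs_cpu
  # Interactive commands typed in shells, attributed to the user.
  sysdig -r "$cap" -c spy_users
  # Every process spawned, with its container and full command line.
  sysdig -r "$cap" -p '%evt.time %container.name %proc.name %proc.cmdline' evt.type=execve
}

# Carve the events that match a filter into a smaller capture, e.g. to share
# only one container's activity with another analyst (placeholder names):
#   extract_events full.scap webapp-only.scap 'container.name=webapp'
extract_events() {
  cap="$1"; out="$2"; filter="$3"
  looks_like_scap "$cap" || return 1
  require_sysdig || return 2
  sysdig -r "$cap" -w "$out" "$filter"
}

# Usage: sh triage.sh /path/to/capture.scap
if [ $# -gt 0 ]; then
  summarize_capture "$1"
fi
```

The header check runs before any sysdig invocation so that an incomplete download (for example a file whose status never reached uploaded) is caught early; csysdig -r accepts the same capture file if an interactive curses view is preferred.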

Disable Capture Functionality

Sometimes, security requirements dictate that capture functionality should NOT be triggered at all (for example, PCI compliance for payment information).

To disable Captures altogether, edit the agent configuration file as described in Disable Captures.