Advisor Overview

The Overview feature leverages Sysdig’s unified data platform to monitor, secure, and troubleshoot your hosts and Kubernetes clusters and workloads.

The module provides a unified view of the health, risk, and capacity of your Kubernetes infrastructure— a single pane of glass for host machines as well as Kubernetes Clusters, Nodes, Namespaces, and Workloads across a multi- and hybrid-cloud environment. You can easily filter by any of these entities and view associated events and health data.

The Overview feature shows metrics prioritized by event count and severity, allowing you to get to the root cause of the problem faster. Sysdig Monitor polls the infrastructure data every 10 minutes and refreshes the metrics and events on the Overview page with the system health.

Key Benefits

Overview provides the following benefits:

  • Show a unified view of the health, risk, resource use, and capacity of your infrastructure environment at scale

    • Render metrics, security events, compliance CIS benchmark results, and contextual events in a single location

    • Eliminate the need for stand-alone security, monitoring, and forensics tools

    • View data on-the-fly by workload or by infrastructure

  • Display contextual live event stream from alerts, Kubernetes, containers, policies, and image scanning results

  • Surface entities intelligently based on event count and severity

  • Drill down from Clusters to Nodes and Namespaces

  • Support Infrastructure monitoring of multi- and hybrid- cloud environments

  • Expose relevant information based on the core operational user roles:

    • DevOps / Platform Ops

    • Security Analyst

    • Service Owner

Accessing the Overview User Interface

You can access and set the scope of Overview in the Sysdig Monitor UI or with the URL:

  • On-Prem: https://[Sysdig URL]/#/overview

  • SaaS: See SaaS Regions and IP Ranges and identify the domain associated with your Sysdig application and region. For example, the URL for US East is: https://app.sysdigcloud.com/#/overview

    For other regions, the format is https://<region>.app.sysdig.com/#/overview . Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com/#/overview.

Click Overview in the left navigation, then select one of the entity pages: Hosts, Clusters, Nodes, Namespaces, or Workloads.

About the Overview User Interface

The Overview interface opens to the Clusters page. This section describes the major components of the interface and the navigation options.

The default landing page is the Clusters Overview; if no Kubernetes clusters are configured, the Overview tab opens to the Hosts view instead. Overview also retains your visit history, so when you reopen the Overview menu it shows the last Overview page you visited.

Overview Rows

Each row represents a single entity: a host, or a Kubernetes cluster, node, namespace, or workload. On the Clusters page, for example, each row is one Kubernetes cluster.

  • Navigating rows

    Click the Overview icon in the left navigation and choose an Overview page, or drill down from a row into the next Overview page to explore the next, more granular level of data. Each Overview page shows 10 rows by default and a maximum of 100 rows. Click Load More to display additional rows when more than 10 are available.

  • Selecting a specific row on an Overview page

    Each row carries the scope of the entity it shows data for. Clicking a row deselects all other rows (for instance, selecting a cluster named staging on the Clusters page deselects every other cluster) so that the page, including the events panel, is narrowed to that entity's scope. Focusing on a single row gives you a snapshot of what is happening with that entity at the moment.

  • Entities are ranked according to the severity and the number of events detected in them

    Rows are sorted by the count and severity level of the events associated with the entity and are displayed in descending order. The items with the highest number of high severity events are shown first, followed by medium, low, and info. This organization helps to highlight events demanding immediate attention and to streamline troubleshooting efforts, in environments that may include thousands of entities.

Scope Editor

Scope Editor lets you target a specific entity, such as a particular workload or namespace, in environments that may include thousands of entities. The scope levels follow the Kubernetes hierarchy, from Cluster at the top down to Workload. In smaller environments, using the Scope Editor is equivalent to clicking a single row on an Overview page to which no scope has been applied.

Cluster: The highest level in the hierarchy. The only scope applied to the page is Cluster. It allows you to select a specific cluster from a list of available ones.

Node: The second level in the hierarchy. The scope is determined by Cluster and Node. Selection is narrowed down to a specific node in a selected cluster.

Namespace: The third level in the hierarchy. The scope is determined by Cluster and Namespace. Selection is narrowed down to a specific namespace in a selected cluster.

Workloads: The last level in the hierarchy. The scope is first determined by Cluster and Namespace, then narrowed to a specific Deployment, DaemonSet, or StatefulSet. Only one of the three workload types can be selected at a time.
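The following is an added example, not Sysdig code, that models the two behaviours described above: the Scope Editor hierarchy (Cluster at the top, then Node or Namespace, then exactly one Deployment, DaemonSet or StatefulSet) and the row ranking, in which an entity with the most high-severity events comes first, then medium, low and info. The Scope class, the event field names and the sample event feed are assumptions made for this illustration; they are not the Overview API.

```python
"""Added example (not Sysdig code): validate an Overview-style scope and
rank the entities inside it the way Overview rows are ordered.

The Scope class, event field names and SAMPLE_EVENTS are assumptions made
for this illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SEVERITY_ORDER = ("high", "medium", "low", "info")
WORKLOAD_KINDS = ("Deployment", "DaemonSet", "StatefulSet")
SCOPE_FIELDS = ("cluster", "node", "namespace", "workload_kind", "workload")


@dataclass(frozen=True)
class Scope:
    """One Overview scope; validation enforces the hierarchy from the text."""
    cluster: str
    node: Optional[str] = None
    namespace: Optional[str] = None
    workload_kind: Optional[str] = None
    workload: Optional[str] = None

    def __post_init__(self) -> None:
        if not self.cluster:
            raise ValueError("Cluster is the top level and is always required")
        if self.node and (self.namespace or self.workload):
            raise ValueError("Node scope is Cluster + Node only")
        if (self.workload is None) != (self.workload_kind is None):
            raise ValueError("a workload needs both a kind and a name")
        if self.workload and not self.namespace:
            raise ValueError("Workload scope is narrowed from Cluster + Namespace")
        if self.workload_kind and self.workload_kind not in WORKLOAD_KINDS:
            raise ValueError(f"pick exactly one of {WORKLOAD_KINDS}")


def in_scope(event: Dict[str, str], scope: Optional[Scope]) -> bool:
    """No scope (the unfiltered Clusters page) matches everything; otherwise
    every field the scope pins down must agree with the event."""
    if scope is None:
        return True
    return all(getattr(scope, f) is None or event.get(f) == getattr(scope, f)
               for f in SCOPE_FIELDS)


def rank_entities(events: Iterable[Dict[str, str]], scope: Optional[Scope],
                  group_by: str) -> List[Tuple[str, Dict[str, int]]]:
    """Group in-scope events by `group_by` and sort like Overview rows.

    The sort key is the tuple of per-severity counts in SEVERITY_ORDER, so a
    single high event outranks any number of low ones; ties fall back to the
    entity name so the order is deterministic."""
    counts: Dict[str, Counter] = {}
    for ev in events:
        if in_scope(ev, scope):
            counts.setdefault(ev[group_by], Counter())[ev["severity"]] += 1

    def sort_key(item: Tuple[str, Counter]):
        name, c = item
        return tuple(-c[s] for s in SEVERITY_ORDER) + (name,)

    return [(name, dict(c)) for name, c in sorted(counts.items(), key=sort_key)]


def _ev(cluster, node, namespace, kind, workload, severity):
    return dict(zip(SCOPE_FIELDS + ("severity",),
                    (cluster, node, namespace, kind, workload, severity)))


# Constructed sample feed: one high event in prod/payments, several low ones
# in prod/logging, and one medium event in staging.
SAMPLE_EVENTS = [
    _ev("prod", "node-1", "payments", "Deployment", "api", "high"),
    _ev("prod", "node-1", "payments", "Deployment", "api", "low"),
    _ev("prod", "node-2", "logging", "DaemonSet", "fluentd", "low"),
    _ev("prod", "node-2", "logging", "DaemonSet", "fluentd", "low"),
    _ev("prod", "node-2", "logging", "DaemonSet", "fluentd", "low"),
    _ev("staging", "node-a", "payments", "Deployment", "api", "medium"),
]

if __name__ == "__main__":
    # Clusters page (no scope), then the prod cluster drilled down to namespaces.
    for name, c in rank_entities(SAMPLE_EVENTS, None, "cluster"):
        print("cluster", name, c)
    for name, c in rank_entities(SAMPLE_EVENTS, Scope("prod"), "namespace"):
        print("namespace", name, c)
```

With the sample feed, prod ranks above staging on the cluster view because its one high event outweighs staging's single medium event, and within prod the payments namespace ranks above logging even though logging has more events in total.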

Time Navigation

The Overview feature is built around time. Sysdig Monitor polls the infrastructure data every 10 seconds and refreshes the metrics and events on the Overview page with the system health. The time range is fixed at 12 hours. Note, however, that the gauge and compliance score widgets display the latest data sample, not an aggregation over the entire 12-hour range.

The Overview feed is always live and cannot be paused.

Unified Stream of Events

The right panel of Overview provides a context-sensitive events feed.

Click an overview row to see relevant Events on the right. Each event is intelligently populated with end-to-end metadata to give context and enable troubleshooting.

Event Types

Overview renders the following event types:

  • Alert: See Alerts.

  • Custom: Ensure that Custom labels are enabled to view this type of event.

  • Containers: Events associated with containers.

  • Kubernetes: Events associated with Kubernetes infrastructure.

  • Sysdig: Events emitted by Sysdig about failing notification channels and deactivated alerts.

Event Statuses

Overview renders the following alert-generated event statuses:

  • Triggered: The alert condition has been met and still persists.

  • Resolved: A previously triggered alert condition no longer persists.

  • Acknowledged: The event has been acknowledged by the intended recipient.

  • Un-acknowledged: The event has not been acknowledged by an intended recipient. All events are by default marked as Un-acknowledged.

  • Silenced: The alert event has been silenced for a specified scope. No alert notification will be sent out to the channels during the silenced window.

General Guidelines

First-Time Usage

  • If the environment is newly created, Sysdig Monitor fetches data and generates the associated pages. The Overview feature is enabled immediately, but allow up to 1 hour for the Overview pages to populate with data.

  • Overview uses time windows of 1H, 6H, and 1D, so each window shows data only after that much history has been collected: 1 hour, 6 hours, and 1 day respectively.

  • If not enough data is available within the first hour, a "No Data Available" page is shown until that hour has passed.

Tuning Overview Data

Sysdig Monitor leverages a caching mechanism to fetch pre-computed data for the Overview screens.

If pre-computed data is unavailable, the data fetched is non-computed and must be calculated before it can be displayed, which adds delay. Caching is enabled for Overview, but for optimum performance you must wait for the 1H, 6H, and 1D windows to fill the first time you use Overview. After that, data is automatically cached every minute.

Enabling Overview for On-Prem Deployments

The Overview feature is not available by default on On-Prem deployments. Use the following API to enable it:

  1. Get the Beta settings as follows:

    curl -X GET 'https://<Sysdig URL>/api/on-prem/settings/overviews' \
    -H 'Authorization: Bearer <GLOBAL_SUPER_ADMIN_SDC_TOKEN>' \
    -H 'X-Sysdig-Product: SDC' -k
    

    Replace <Sysdig URL> with the URL of your deployment and <GLOBAL_SUPER_ADMIN_SDC_TOKEN> with the Sysdig Monitor (SDC) API token of a user who holds the Global Super Admin role. The -k flag makes curl skip TLS certificate verification; it is only needed when the deployment presents a certificate your client does not trust, and because this request carries an administrator bearer token, passing the deployment's CA bundle with --cacert instead is the safer choice.

  2. Copy the returned JSON payload and change the desired values (see Feature Flags below).

  3. Send the whole payload back to the same settings resource:

    curl -X PUT 'https://<Sysdig URL>/api/on-prem/settings/overviews' \
    -H 'Authorization: Bearer <GLOBAL_SUPER_ADMIN_SDC_TOKEN>' \
    -H 'X-Sysdig-Product: SDC' \
    -H 'Content-Type: application/json' \
    -d '{  "overviews": true,  "eventScopeExpansion": true}'
    

Feature Flags

  • overviews: Set overviews to true to enable the backend components and the UI.

  • eventScopeExpansion: Set eventScopeExpansion to true to enable scope expansion for all the Event types.
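The script below is an added example that automates the three steps above end to end; it is not Sysdig's own tooling. It reads the current settings, sets the two feature flags, writes the object back only if something changed, and reads it again to confirm. The endpoint path, the two headers and the flag names come from the page; the helper names, the environment variable names, the CA-bundle option (used instead of disabling certificate verification as the curl -k flag does) and the read-back check are assumptions.

```python
"""Added example (not Sysdig code): enable Overview on an on-prem
deployment by round-tripping the settings resource.

Assumed: the SYSDIG_URL / SYSDIG_SDC_TOKEN / SYSDIG_CA_BUNDLE environment
variable names and the helper names; the endpoint, headers and flags are
the ones from the documented curl steps."""
import json
import ssl
import urllib.request
from typing import Any, Dict, Optional

# The two flags documented under "Feature Flags"; anything else is refused.
KNOWN_FLAGS = {"overviews", "eventScopeExpansion"}


def settings_url(base_url: str) -> str:
    """Build the settings endpoint and refuse to send a bearer token in clear."""
    base = base_url.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("the admin bearer token must only travel over https")
    return f"{base}/api/on-prem/settings/overviews"


def merge_flags(current: Dict[str, Any], **flags: bool) -> Dict[str, Any]:
    """Return a copy of the fetched settings with the requested flags set.

    Unknown keys or non-boolean values raise instead of being written, so a
    typo cannot silently add a field to the settings object."""
    for key, value in flags.items():
        if key not in KNOWN_FLAGS:
            raise KeyError(f"unknown feature flag {key!r}")
        if not isinstance(value, bool):
            raise TypeError(f"{key} must be a bool, got {type(value).__name__}")
    updated = dict(current)
    updated.update(flags)
    return updated


def _request(url: str, token: str, method: str = "GET",
             body: Optional[Dict[str, Any]] = None,
             cafile: Optional[str] = None) -> Any:
    headers = {"Authorization": f"Bearer {token}", "X-Sysdig-Product": "SDC"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    # Pin the deployment's CA bundle when given; never turn verification off.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode() or "null")


def enable_overview(base_url: str, token: str, cafile: Optional[str] = None,
                    overviews: bool = True,
                    event_scope_expansion: bool = True) -> Dict[str, Any]:
    """GET the settings, set the flags, PUT them back if changed, re-read."""
    url = settings_url(base_url)
    current = _request(url, token, cafile=cafile) or {}
    desired = merge_flags(current, overviews=overviews,
                          eventScopeExpansion=event_scope_expansion)
    if desired == current:
        return current          # already enabled; skip the write
    _request(url, token, method="PUT", body=desired, cafile=cafile)
    return _request(url, token, cafile=cafile)   # confirm what was stored


if __name__ == "__main__":
    import os
    # Token comes from the environment, not argv, so it stays out of shell
    # history and process listings (variable names are assumptions).
    result = enable_overview(os.environ["SYSDIG_URL"],
                             os.environ["SYSDIG_SDC_TOKEN"],
                             cafile=os.environ.get("SYSDIG_CA_BUNDLE"))
    print(json.dumps(result, indent=2))
```

Because the whole fetched object is sent back, any settings the GET returned beyond the two flags are preserved, which is what step 2 asks for; the final GET is what you check to verify that "overviews" and "eventScopeExpansion" are now true.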