Captures

Sysdig capture files contain system calls and other OS events that can be analyzed with either the open-source sysdig or csysdig (curses-based) utilities, and are displayed in the Captures module.

The Captures module contains a table listing the capture file name, the host it was retrieved from, the time frame, and the size of the capture. When the capture file status is uploaded, the file has been successfully transmitted from the Sysdig agent to the storage bucket, and is available for download and analysis.

Due to the nature and quantity of data collected, the Sysdig Agent is limited to recording one capture at a time (concurrently) per host. If multiple policies, each configured to create a capture, are triggered at the same time on the same host, only the first event will be able to store the captures. Additional attempts to create captures will result in the error “Maximum number of outstanding captures (1) reached”. This is also true of overlapping captures, often caused by long capture settings.

This section describes how to create capture files in Sysdig Secure.

This feature is available in the Enterprise tier of the Sysdig product. See https://sysdig.com/pricing for details, or contact sales@sysdig.com.

If upgrading from Essentials to Enterprise, users must go to Settings>Teams><Your Team> and check the Enable Captures box. They must then log out and log in again. See also: User and Team Administration.

From June, 2021, the Captures module has moved under the Investigate menu in the nav bar.

Configure Capture Files

Store Capture Files

Sysdig capture files are stored in Sysdig’s AWS S3 storage (for SaaS environments), or in the Cassandra DB (for on-premises environments) by default.

To use your own AWS S3 storage bucket, see Storage: Configure Options for Capture Files.
On-premises installations also have the option to use an AWS-compatible custom storage, such as Minio or IBM Cloud Object Storage, See (On-Prem) Configure Custom S3 Endpoint

Create a Capture File

Capture files can be created in Sysdig Secure either by configuring them as part of a policy, or by manually creating them from the Captures module.

For more information on creating a capture as part of a policy, see Manage Policies.

To create a capture file manually:

From the Captures module, click the Take Capture button to open the capture creation window.
Define the name of the capture.
Configure the host and container the capture file should record system calls from.
Define the duration of the capture. The maximum length is 300 seconds (five minutes).
Click the Start button.

The Sysdig agent will be signaled to start a capture and send back the resulting trace file. The file will then be displayed in the Captures module.

Delete a Capture File

From the Captures module, select the capture file(s) to be deleted.
Click the Delete (trash can) icon:
Click the Yes (tick) icon to confirm deleting the capture, or the No (cross) icon to cancel.

Review Capture Files

Review the Capture File with Sysdig Inspect

To review the capture file in Sysdig Inspect:

From the Captures module, select the capture file to be deleted.
Click the Inspect (Sysdig logo) icon to open Sysdig Inspect in a new browser tab:

Download a Capture File

To download a capture file:

From the Captures module, select the target capture file.
Click the Download icon to download the capture file.

The capture file will now be downloaded to the local machine.

Disable Capture Functionality

Sometimes, security requirements dictate that capture functionality should NOT be triggered at all (for example, PCI compliance for payment information).

To disable Captures altogether, edit the agent configuration file as described in Disable Captures.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.