Sysdig capture files contain system calls and other OS events that can
be analyzed with either the open-source
(curses-based) utilities, and are displayed in the Captures module.
The Captures module contains a table listing the capture file name, the host it was retrieved from, the time frame, and the size of the capture. When the capture file status is uploaded, the file has been successfully transmitted from the Sysdig agent to the storage bucket, and is available for download and analysis.
Due to the nature and quantity of data collected, the Sysdig Agent is limited to recording one capture at a time (concurrently) per host. If multiple policies, each configured to create a capture, are triggered at the same time on the same host, only the first event will be able to store the captures. Additional attempts to create captures will result in the error “Maximum number of outstanding captures (1) reached”. This is also true of overlapping captures, often caused by long capture settings.
This section describes how to create capture files in Sysdig Secure.
This feature is available in the Enterprise tier of the Sysdig product. See https://sysdig.com/pricing for details, or contact firstname.lastname@example.org.
If upgrading from Essentials to Enterprise, users must go to
Settings>Teams><Your Team> and check the
Enable Captures box. They must then log out and log in again. See also: User and Team
From June, 2021, the Captures module has moved under the Investigate menu in the nav bar.
Configure Capture Files
Store Capture Files
Sysdig capture files are stored in Sysdig’s AWS S3 storage (for SaaS environments), or in the Cassandra DB (for on-premises environments) by default.
To use your own AWS S3 storage bucket, see Storage: Configure Options for Capture Files.
On-premises installations also have the option to use an AWS-compatible custom storage, such as Minio or IBM Cloud Object Storage, See (On-Prem) Configure Custom S3 Endpoint
Create a Capture File
Capture files can be created in Sysdig Secure either by configuring them
as part of a policy, or by manually creating them from the
For more information on creating a capture as part of a policy, see Manage Policies.
To create a capture file manually:
Capturesmodule, click the
Take Capturebutton to open the capture creation window.
Define the name of the capture.
Configure the host and container the capture file should record system calls from.
Define the duration of the capture. The maximum length is 300 seconds (five minutes).
The Sysdig agent will be signaled to start a capture and send back the
resulting trace file. The file will then be displayed in the
Delete a Capture File
Capturesmodule, select the capture file(s) to be deleted.
Delete(trash can) icon:
Yes(tick) icon to confirm deleting the capture, or the
No(cross) icon to cancel.
Review Capture Files
Review the Capture File with Sysdig Inspect
To review the capture file in Sysdig Inspect:
Capturesmodule, select the capture file to be deleted.
Click the Inspect (Sysdig logo) icon to open Sysdig Inspect in a new browser tab:
See also: Quick Menu to Captures from Runtime Events.
Download a Capture File
To download a capture file:
Capturesmodule, select the target capture file.
Downloadicon to download the capture file.
The capture file will now be downloaded to the local machine.
Disable Capture Functionality
Sometimes, security requirements dictate that capture functionality should NOT be triggered at all (for example, PCI compliance for payment information).
To disable Captures altogether, edit the agent configuration file as described in Disable Captures.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.