Captures

Sysdig capture files contain system calls and other operating system events that you can analyze with either the open-source sysdig or csysdig (curses-based) utilities, and are displayed in the Captures module. Configure policies, such as Workload and Container Drift Policies, to auto-create capture files in the case of an event, or create captures manually.

Limitations

The Sysdig Agent can record only one capture per host at a time due to the volume of data collected. If multiple policies, each configured to create a capture, are triggered simultaneously on the same host, only the first event will store the capture successfully. Subsequent attempts to initiate captures will fail with the error: Maximum number of outstanding captures (1) reached. This issue also occurs with overlapping captures, often caused by lengthy capture durations.

Access Captures

To access the Captures module:

  1. Log in to Sysdig Secure.

  2. Select Threats > Captures.

The Captures page appears.

The Captures page contains a table with the following columns:

  • Status: When the status is Ok, the file has been successfully transmitted from the Sysdig agent to the storage bucket, and is available for download and analysis.
  • Name: The capture file name.
  • Time: The time the capture was taken.
  • Duration: The period of time captured.
  • Trigger: The cause that triggered the capture.
  • Infrastructure: The host the capture was retrieved from.

Configure Capture Files

Store Capture Files

By default Sysdig capture files are stored in:

  • Sysdig’s AWS S3 storage: for SaaS environments
  • Cassandra DB: for on-premises environments

Both environments have the option to use S3-compatible custom storage, such as Minio or IBM Cloud Object Storage.

To configure custom S3 storage, see Storage: Configure Custom S3 Endpoint.

Create a Capture File

You can create capture files in Sysdig Secure either by configuring them as part of a policy, or by manually creating them from the Captures module.

For more information on creating a capture as part of a policy, see Manage Policies.

To create a capture file manually:

  1. Go to Threats > Forensics | Captures and click Take Capture.

  2. Specify the following information:

    • Name: Define the Name of the capture.
    • Host Name and Container ID: Configure the Host and, optionally, the Container where the capture file should record system calls.
    • Storage: Choose your storage options. The default is Sysdig Secure Storage, where captures are stored for 90 days. To configure alternative storage options, see Configure Capture Storage.
    • Duration: Define the duration of the capture. The maximum length is 300 seconds (five minutes).
    • Filter: Optionally, set a filter for the capture. This restricts the amount of information collected. Applicable filters match the syntax for Falco conditions. See Condition Syntax.
  3. Click Start.

    The capture is taken.

  4. After the capture is complete, select whether to Keep or Discard the capture. Captures you keep are displayed on the Captures report page.

Delete a Capture File

  1. From the Captures module, select the capture files to be deleted.

  2. Click the Delete (trash can) icon.

  3. Click Yes to confirm deleting the capture, or No to cancel.

Review Capture Files

Review a Capture File with Sysdig Inspect

To review the capture file in Sysdig Inspect:

  1. From the Captures module, select the capture file to be reviewed.

  2. Select Sysdig Inspect on the right side of the capture listing to open Sysdig Inspect in a new browser tab.

From here, you can review the details of the capture file.

Sysdig Inspect is only available for captures below 200 MB.

Download a Capture File

To download a capture file:

  1. From the Captures module, select the target capture file.

  2. Click the Download icon to download the capture file.

The capture file is downloaded to the local machine.
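Once the file is on the local machine, the open-source sysdig utility mentioned above can read it offline. The helper below is an added example, not Sysdig's own tooling; the capture path, the container ID and the filter conditions are assumptions, and the filters use the same condition syntax the Filter field accepts.

```shell
#!/bin/sh
# Hypothetical helper for reviewing a downloaded Sysdig capture (.scap) with the
# open-source sysdig CLI. Capture path and container ID are assumed values.

# Build a sysdig/Falco-style filter that narrows a capture to one container,
# optionally combined with an extra condition.
capture_filter() {
    container_id="$1"
    shift
    extra="$*"
    if [ -n "$extra" ]; then
        printf 'container.id=%s and (%s)' "$container_id" "$extra"
    else
        printf 'container.id=%s' "$container_id"
    fi
}

# Read-only review of a capture file. Returns 1 if the capture is missing and
# 2 if sysdig is not installed, so it can be used safely from other scripts.
review_capture() {
    capture="$1"
    container_id="$2"
    [ -f "$capture" ] || { echo "capture not found: $capture" >&2; return 1; }
    command -v sysdig >/dev/null 2>&1 || { echo "sysdig not installed" >&2; return 2; }

    # 1. Processes executed inside the container (successful execve returns).
    sysdig -r "$capture" -p '%evt.time %user.name %proc.name %proc.cmdline' \
        "$(capture_filter "$container_id" 'evt.type=execve and evt.dir=<')"

    # 2. Files under /etc opened for writing, a common drift/tamper indicator.
    sysdig -r "$capture" -p '%evt.time %proc.name %fd.name' \
        "$(capture_filter "$container_id" 'evt.is_open_write=true and fd.name startswith /etc')"

    # 3. Interactive user activity across the whole capture, via the spy_users chisel.
    sysdig -r "$capture" -c spy_users
}
```

Call it as `review_capture ./capture.scap <container-id>`; the same filter strings can be pasted into the Filter field when taking a capture manually to limit what is recorded in the first place.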

Disable Capture Functionality

Sometimes, security requirements dictate that capture functionality should not be triggered at all (for example, PCI compliance for payment information).

To disable Captures altogether, edit the agent configuration file as described in Disable Captures.