Captures

Sysdig capture files contain system calls and other operating system events. You can create captures manually, or configure certain Threat Detection policies, such as Workload and List Matching policies, to take captures in response to an event. Those captures can then be analyzed from Sysdig or opened with multiple open-source tools.

Limitations

The Sysdig Agent can record only one capture per host at a time due to the volume of data collected. If multiple policies, each configured to create a capture, are triggered simultaneously on the same host, only the first event will store the capture successfully. Subsequent attempts to initiate captures will fail with the error: Maximum number of outstanding captures (1) reached. This issue also occurs with overlapping captures, often caused by lengthy capture durations.

Access Captures

To access the Captures:

  1. Log in to Sysdig Secure.

  2. Select Threats > Forensics | Captures.

The Captures page contains a table listing the:

  • Status: When the status is Ok, the file has been successfully transmitted from the Sysdig agent to the storage bucket, and is available for download and analysis.
  • Name: The capture file name.
  • Time: The time the capture was taken.
  • Duration: The period of time captured.
  • Trigger: The cause that triggered the capture.
  • Infrastructure: The host the capture was retrieved from.

You can also search for captures using the search bar, or filter them by Error or Expiring.

Take a Capture

There are two ways to take a capture:

  • Manually
  • As a Policy action

Take a Capture Manually

To take a capture manually:

  1. Go to Threats > Forensics | Captures from the left navigation bar.

  2. Select Take Capture from the top right corner.

    The Take Capture window appears.

  3. Specify the following information:

    • Name: Define the Name of the capture, also used as capture file name.
    • Host Name: Specify the Host where you want to take a capture.
    • Container ID: Configure the Container ID to set as a predefined filter when you open the Capture using Sysdig Inspect.
    • Storage: Choose your storage options. The default is Sysdig Secure Storage, where captures are stored for 90 days. To configure alternative storage options, see Configure Capture Storage.
    • Duration: Define the duration of the capture. The default time is 5 seconds; the maximum length is 300 seconds (five minutes).
    • Filter: Optionally, set a filter for the capture. This restricts the data streaming captured (syscalls, i/o streams), while it doesn’t apply to the inspector tables (file descriptors, network connections, open ports, thread table, process list, containers). Applicable filters match the syntax for Falco conditions. See Condition Syntax.
  4. Click Start.

    The capture is taken.

  5. After the capture is complete, select whether to Keep or Discard the capture. Captures you keep are displayed in the Captures report page.

Take a Capture as Policy Action

To take a capture in Sysdig Secure, set up a policy with the capture Action available, or manually take a capture in the Captures page.

Policies that offer the capture action include:

  • Workload policies
  • List Matching policies

To configure a capture to be taken as Policy Action:

  1. Select Policies > Runtime Policies from the left navigation bar.

  2. Select an existing List Matching or Workload Policy, or create a new one.

  3. Complete the configuration under the Actions section:

    • Capture: Toggle on or off.
    • File Name: Define the Name of the capture, also used as capture file name.
    • Storage: Choose your storage options. The default is Sysdig Secure Storage, where captures are stored for 90 days. To configure alternative storage options, see Configure Capture Storage.
    • Time interval: Define the time interval of the capture. The default time is from 5 seconds before to 20 seconds after the event; the maximum length is 300 seconds (five minutes).
    • Filter: Optionally, set a filter for the capture. This restricts the data streaming captured (syscalls, i/o streams), while it doesn’t apply to the inspector tables (file descriptors, network connections, open ports, thread table, process list, containers). Applicable filters match the syntax for Falco conditions. See Condition Syntax.

Review a Capture

From the Captures page you can perform multiple operations on the previously taken Captures:

  • Open with Sysdig Inspect
  • Download
  • Delete

Delete a Capture File

  1. From the Captures page, select the capture files to be deleted.

  2. Click the Delete (trash can) icon.

  3. Click Yes to confirm deleting the capture, or No to cancel.

Review a Capture with Sysdig Inspect

To review the capture file with Sysdig Inspect:

  1. From the Captures page, navigate to the target capture file.

  2. Hover your cursor over the target capture file.

  3. Click on the Sysdig Inspect button to open Sysdig Inspect in a new browser tab.

Sysdig Inspect is not available for captures over 200 MB.

Download a Capture File

To download a capture file:

  1. From the Captures page, select the three-dot menu on the side of a capture listing.

  2. Select Download File.

The capture downloads in .scap format. You can open this with:

Delete a Capture File

You can delete a single capture file or multiple files.

To delete a single file:

  1. From the Captures page, navigate to the target capture file.

  2. Hover your cursor over the target capture file.

  3. Select the three-dot menu icon from the right hand side of the capture listing.

  4. Select the Delete (trash can) button.

  5. Click Delete to confirm deleting the capture, or No to cancel.

To delete multiple files:

  1. From the Captures page, select the capture files to be deleted.

  2. Select the option Delete next to the number of selected captures in the top right corner.

  3. On the Delete Captures prompt, click the Yes button to confirm, or the No button to cancel.

Disable Capture Functionality

Sometimes, security requirements dictate that capture functionality should not be available. To disable the Captures feature, see Disable Captures.

Capture Files Storage

Sysdig capture files are stored in Sysdig’s storage (for SaaS environments), or in the Cassandra DB (for on-premises environments) by default. Captures saved in the Sysdig Storage (SaaS environments) for more than 90 days are automatically deleted. Both environments have the option to use an S3-compatible custom storage, such as Minio or IBM Cloud Object Storage. This lets you store captures for longer periods of time. To configure a custom storage, see S3 Capture Storage.

Capture Threshold

Enablement and Configuration

The agent monitors memory usage during Captures to prevent restarts caused by intensive computational demands. You can adjust the default values by adding the following configuration to the dragent.yaml:

capture_memory_thresholds:
  enabled: true
  critical_percentage: 95 # critical if the memory used is 95% of limits
  warning_percentage: 90  # warning if the memory used is 90% of limits

Capture Threshold Logging

When the Warning or Critical threshold is reached, the agent logs the following messages:

  • skipping capture due to high memory usage
  • interrupting capture. Agent memory is too high
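A capture that is skipped, interrupted, or refused because another capture is already outstanding (see Limitations) is forensic evidence that was never collected, so it is worth surfacing these agent messages rather than discovering them after an investigation starts. The following added example (not part of the Sysdig documentation or agent code) scans constructed agent log lines for the three messages quoted on this page and counts lost captures per host; the `host=` field and the surrounding line layout are assumptions for the example.

```python
import re
from collections import Counter

# Messages quoted on this page, emitted by the Sysdig Agent when a capture
# cannot be taken or is cut short. The surrounding line layout (timestamp,
# host=..., level=...) is an assumption made for this example.
CAPTURE_FAILURE_PATTERNS = {
    "outstanding_limit": re.compile(
        r"Maximum number of outstanding captures \((\d+)\) reached"),
    "memory_warning_skip": re.compile(
        r"skipping capture due to high memory usage"),
    "memory_critical_interrupt": re.compile(
        r"interrupting capture\. Agent memory is too high"),
}

# Constructed sample log lines, not real agent output.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host=node-a level=info starting capture name=policy-42
2024-05-01T10:00:03Z host=node-a level=error Maximum number of outstanding captures (1) reached
2024-05-01T10:05:10Z host=node-b level=warning skipping capture due to high memory usage
2024-05-01T10:07:42Z host=node-b level=error interrupting capture. Agent memory is too high
2024-05-01T10:09:00Z host=node-a level=info capture complete name=policy-42
"""

def classify_line(line):
    """Return (host, failure_kind) for a capture-failure line, else None."""
    for kind, pattern in CAPTURE_FAILURE_PATTERNS.items():
        if pattern.search(line):
            m = re.search(r"host=(\S+)", line)  # assumed field layout
            return (m.group(1) if m else "unknown", kind)
    return None

def capture_failures(log_text):
    """Count capture failures per (host, kind) so lost evidence is visible."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            counts[hit] += 1
    return counts

def hosts_needing_attention(counts, threshold=1):
    """Hosts whose total lost or interrupted captures reach the threshold.

    Repeated memory-related failures point at the capture_memory_thresholds
    settings or at overlapping capture durations on that host.
    """
    per_host = Counter()
    for (host, _kind), n in counts.items():
        per_host[host] += n
    return sorted(h for h, n in per_host.items() if n >= threshold)
```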