I set out to install sysdig and have it monitor my system but there didn't seem to be any good documentation to make it start with my system. Tons of weird posts out there all over about systemd, init.d, upstart, etc. I figured I'd write up the adventure.

Installing Sysdig

The instructions tell you to do something like this:

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Piping a download straight into `sudo bash` means you never see what is about to run as root, and you keep no record of what ran. Download the script to a file first, read it, note its hash, and only then run it from that file.
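The download-then-review workflow, as an added example that is not part of the original post or of the sysdig project. The URL is the one from the install instructions above; the patterns flagged for review and the DO_FETCH switch are this example's own choices, not an exhaustive rule set. Without DO_FETCH=1 the script only defines the check functions, so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post or the sysdig project): fetch an
# installer to a file, sanity-check it, and flag the lines a reviewer should
# read before it is ever run as root. Nothing here executes the installer.
set -eu

# URL from the sysdig install instructions quoted above.
INSTALLER_URL="https://s3.amazonaws.com/download.draios.com/stable/install-sysdig"

# Download to a file instead of piping into bash: -f fails on HTTP errors
# (so an error page is not "installed"), and HTTPS-only stops a redirect to
# http:// from being followed silently.
fetch_installer() {
    url="$1"; dest="$2"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
    sha256sum "$dest"     # record what you reviewed; compare on the next host
}

# A downloaded "script" that is really an HTML error page or a login redirect
# has no shebang. Returns 1 in that case.
is_shell_script() {
    [ "$(head -c 2 "$1")" = "#!" ]
}

# Print, with line numbers, the actions worth a close look: further downloads,
# nested curl|sh, repository or key changes, privilege use, obfuscation.
# The pattern list is this example's choice. Returns 1 if anything was
# flagged so the function can gate an automated pipeline.
review_installer() {
    if grep -nE 'curl|wget|[|] *(sudo *)?(ba)?sh|apt-key|add-apt-repository|rpm --import|sudo|eval|base64' "$1"; then
        return 1
    fi
    return 0
}

if [ "${DO_FETCH:-0}" = "1" ]; then
    fetch_installer "$INSTALLER_URL" ./install-sysdig
    is_shell_script ./install-sysdig || { echo "not a shell script, refusing" >&2; exit 1; }
    if review_installer ./install-sysdig; then
        echo "nothing flagged; still read it, then: sudo bash ./install-sysdig"
    else
        echo "read the flagged lines above before running: sudo bash ./install-sysdig"
    fi
fi
```

A flagged line is not a verdict, only a place to start reading; an installer that adds a package repository and a signing key will trip these patterns and may be perfectly fine. The hash is there so the script you reviewed can be compared against the one fetched on the next host.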

Writing our service:

It turns out writing a systemd service is quite easy. Here is what I ended up writing for sysdig:

sudo nano /etc/systemd/system/sysdig.service

[Unit]
Description=sysdig system call capture
# A system-call tracer needs the filesystem that holds its output directory,
# not the network. network-pre.target is a passive target that nothing here
# pulls in, so ordering after it would have no effect.
After=local-fs.target

[Service]
Type=simple
User=root
# sysdig only creates files, not the directory. Traces hold the first 4096
# bytes of every I/O buffer (credentials, tokens, plaintext before TLS), so
# the directory and the files in it must be readable by root only.
ExecStartPre=/usr/bin/install -d -m 0700 -o root -g root /var/local/sd
UMask=0077
ExecStart=/usr/bin/sysdig -s 4096 -G 86400 -W 5 -z -w /var/local/sd/trace.scap.gz
# With -G, -W makes sysdig exit 0 after the last rotation; on-abort would not
# restart it, and on-failure would not either, since exit 0 is not a failure.
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

The unit itself is the minimal shape from the systemd docs; what needs thought is the sysdig command line. Here are the flags on it:

  • -s: snaplen, how many bytes of each I/O buffer go into the trace (default 80). 4096 bytes is enough to capture whole requests, credentials and plaintext that has not been encrypted yet, which is why the output directory must be root-only (mode 0700); it also makes the trace files large on a busy host.
  • -G: rotate the dump file every N seconds (86400, i.e. daily).
  • -W: with -G, cap the number of rotated files (5 here). Per the sysdig man page (which follows tcpdump's -G/-W semantics), sysdig exits with status 0 once that cap is reached, so a unit that only restarts on abort or failure would silently stop capturing after five days. Restart=always keeps it going; the restarted instance starts its own rotation sequence again, so check the file names in /var/local/sd after the first restart.
  • -z: compress the trace file as it is written.
  • -w: the trace file to write to. sysdig does not create /var/local/sd; create it (root-owned, 0700) before the first start, or have the unit do it in an ExecStartPre.

Enabling the service

sudo systemctl enable sysdig

`systemctl enable` only links the unit into multi-user.target so it starts on the next boot; nothing is running yet, and because the unit file is new, systemd has to re-read its units before the service can be started. There is also no "network-pre" step to wait for: network-pre.target is a passive target that nothing in this unit pulls in, so ordering after it changes nothing, and a system-call tracer does not need the network anyway. What it does need is the filesystem holding the output directory, which the default dependencies of a service already order it after.
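Activation plus a post-start check, as an added example that is not part of the original post. The unit name and the /var/local/sd path are the ones from the service file above; APPLY=1 is this example's own switch for the systemctl steps, so the permission check can be run on its own (on any directory, with an owner argument) without systemd.

```shell
#!/bin/sh
# Added example (not from the original post): activate the sysdig unit and
# verify the capture directory is locked down. Unit name and path match the
# service file above; APPLY=1 is this example's own switch for the systemctl
# steps, so the checks can be run without them.
set -eu

UNIT=sysdig
TRACE_DIR=/var/local/sd

# With -s 4096 the traces hold raw I/O buffers (credentials, tokens, plaintext
# that was about to be encrypted), so the directory must belong to root and be
# closed to group and others (drwx------). Returns 1 if that is not the case.
check_trace_dir() {
    dir="$1"; want_owner="${2:-root}"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    perms=$(ls -ld "$dir" | cut -c1-10)
    owner=$(ls -ld "$dir" | awk '{print $3}')
    case "$perms" in
        d???------) ;;
        *) echo "$dir is open to others ($perms); want drwx------" >&2; return 1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir is owned by $owner, want $want_owner" >&2; return 1
    fi
    return 0
}

# Number of capture files present; watch it grow to confirm rotation works.
count_captures() {
    find "$1" -maxdepth 1 -type f -name 'trace.scap.gz*' | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    sudo systemctl daemon-reload            # read the new unit file
    sudo systemctl enable --now "$UNIT"     # start now and on every boot
    sudo systemctl --no-pager status "$UNIT"
    check_trace_dir "$TRACE_DIR"
    echo "capture files in $TRACE_DIR: $(count_captures "$TRACE_DIR")"
fi
```

Run it as `APPLY=1 sh activate-sysdig.sh` once the unit file is in place; a non-zero exit from check_trace_dir means the capture directory is readable by more than root and should be fixed before leaving the service running.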