Open ChrisLiCheng opened 7 months ago
Hey @ChrisLiCheng! At the moment this feature is not supported but it could be great to have it! I don't think it's particularly difficult to implement but I don't know if we can make it for the 0.35.0. If you would like to help out, I can provide some guidance! 😄
Hey @therealbobo! Thank you for your offer and willingness to provide guidance. I am happy to help and contribute to this project. Please let me know what needs to be done and how I should get started. Looking forward to your further instructions.
Hey @ChrisLiCheng! Sorry for the delay! You could start by taking a look at how it's done in Falco: userspace/falco/app/actions/helpers_inspector.cpp. In the end it's just a matter of changing the buffer size on the open of the engine (https://github.com/draios/sysdig/blob/73c07b92e49953f351b4004b14deaea724b6395e/userspace/sysdig/utils/sinsp_opener.cpp#L109) but we should also consider the page size (as is done in Falco). Please ping me if you need anything more :)
I captured system call events of a container using sysdig and saved the events to a file. In my subsequent analysis, I noticed that some events were missing. I'm wondering if this might be due to sysdig not being configured with an appropriate ring buffer size when it was started, resulting in event loss. Can sysdig be configured to modify the ring buffer size?