FS#65407 - [sysdig] sysdig -c spy_logs is not showing any output

Attached to Project: Community Packages
Opened by Munzir Taha (munzirtaha) - Friday, 07 February 2020, 11:39 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Thursday, 09 April 2020, 07:35 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Massimiliano Torromeo (mtorromeo)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
`sysdig -c spy_logs` is not showing any output

`dmesg` shows

[ 2549.770607] audit: type=1101 audit(1581075273.473:87): pid=201746 uid=1000 auid=1000 ses=2 msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="arch" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
[ 2549.770727] audit: type=1110 audit(1581075273.473:88): pid=201746 uid=0 auid=1000 ses=2 msg='op=PAM:setcred grantors=pam_unix,pam_permit,pam_env acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
[ 2549.774988] audit: type=1105 audit(1581075273.480:89): pid=201746 uid=0 auid=1000 ses=2 msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
[ 2549.788285] sysdig_probe: adding new consumer 00000000b40690d9
[ 2549.788292] sysdig_probe: initializing ring buffer for CPU 0
[ 2549.791291] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.791292] sysdig_probe: initializing ring buffer for CPU 1
[ 2549.794331] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.794332] sysdig_probe: initializing ring buffer for CPU 2
[ 2549.797521] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.797521] sysdig_probe: initializing ring buffer for CPU 3
[ 2549.800515] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.800516] sysdig_probe: initializing ring buffer for CPU 4
[ 2549.803477] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.803477] sysdig_probe: initializing ring buffer for CPU 5
[ 2549.806469] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.806469] sysdig_probe: initializing ring buffer for CPU 6
[ 2549.809409] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.809410] sysdig_probe: initializing ring buffer for CPU 7
[ 2549.812488] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.812489] sysdig_probe: initializing ring buffer for CPU 8
[ 2549.815462] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.815463] sysdig_probe: initializing ring buffer for CPU 9
[ 2549.818405] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.818405] sysdig_probe: initializing ring buffer for CPU 10
[ 2549.821303] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.821303] sysdig_probe: initializing ring buffer for CPU 11
[ 2549.824413] sysdig_probe: CPU buffer initialized, size=8388608
[ 2549.824414] sysdig_probe: starting capture

Additional info:
* package version(s)
sysdig 0.26.4-4

Closed by Massimiliano Torromeo (mtorromeo)
Thursday, 09 April 2020, 07:35 GMT
Reason for closing: Fixed
Comment by Doug Newgard (Scimmia) - Friday, 07 February 2020, 13:21 GMT
And what do you expect to see?
Comment by Munzir Taha (munzirtaha) - Saturday, 08 February 2020, 09:31 GMT
$ sysdig -i spy_logs

Category: Logs
--------------
spy_logs Echo any write made by any process to a log file. Optionally, export the events around each log message to file.

This chisel intercepts all the writes to files containing '.log' or '_log' in their name, and pretty prints them ...
Comment by Doug Newgard (Scimmia) - Saturday, 08 February 2020, 12:45 GMT
Which doesn't answer the question.
Comment by Munzir Taha (munzirtaha) - Sunday, 09 February 2020, 10:15 GMT
I expect to see it monitor the logs in /var, e.g. Xorg.0.log, pacman.log, ...
This used to work before.
Comment by Doug Newgard (Scimmia) - Sunday, 09 February 2020, 13:09 GMT
So Xorg.0.log is being written to at that time? That's relevant information.
Comment by Munzir Taha (munzirtaha) - Sunday, 09 February 2020, 13:11 GMT
Yes, I tested this by adding information to Xorg.0.log, installing packages, and creating my own files with a .log extension. Nothing works; it just stays silent.
Comment by Munzir Taha (munzirtaha) - Sunday, 09 February 2020, 15:07 GMT
I just checked the configuration files to give more accurate information.

/usr/share/sysdig/chisels/spy_logs.lua

contains

FILE_FILTER = "(fd.name contains .log or fd.name contains _log or fd.name contains /var/log) and not (fd.name contains .gz or fd.name contains .tgz)"

So, this chisel should show anything written to .log or _log files created anywhere on the system, in addition to anything in /var/log. All messages shown by journalctl should also show here. Does this answer your question?
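As an added example (not code from the bug report, the Arch package or sysdig itself), the FILE_FILTER quoted above re-implemented in Python so its include and exclude clauses can be exercised against constructed fd names; it assumes sysdig's `contains` is a plain case-sensitive substring test.

```python
# Added example: Python re-implementation of the spy_logs chisel's
# FILE_FILTER, for trying the match/exclude behaviour offline.
from typing import Optional

# Substrings copied from the chisel's filter expression.
INCLUDE_TOKENS = (".log", "_log", "/var/log")
EXCLUDE_TOKENS = (".gz", ".tgz")


def spy_logs_include_reason(fd_name: str) -> Optional[str]:
    """Return the first include token found in fd_name, or None.

    Assumption: sysdig's 'contains' is a case-sensitive substring test,
    so the same test is used here.
    """
    for token in INCLUDE_TOKENS:
        if token in fd_name:
            return token
    return None


def spy_logs_matches(fd_name: str) -> bool:
    """True when FILE_FILTER would select this fd name:
    (contains .log / _log / /var/log) and not (contains .gz / .tgz)."""
    if spy_logs_include_reason(fd_name) is None:
        return False
    return not any(token in fd_name for token in EXCLUDE_TOKENS)


# Constructed sample fd names, one per clause of the filter.
SAMPLE_FD_NAMES = {
    "/var/log/Xorg.0.log": True,                   # .log and /var/log
    "/var/log/pacman.log": True,
    "/var/log/journal/abc/system.journal": True,   # matched by path only
    "/home/arch/build/my_log": True,               # _log outside /var/log
    "/home/arch/notes/test.log.1": True,           # rotated, uncompressed
    "/var/log/pacman.log.2.gz": False,             # excluded by .gz
    "/home/arch/backup.log.tgz": False,            # excluded by .tgz
    "/home/arch/catalog.txt": False,               # 'log' without '.log'
    "/home/arch/Report.LOG": False,                # case-sensitive match
}


def classify(fd_names=SAMPLE_FD_NAMES):
    """Map each fd name to whether the chisel would report writes to it."""
    return {name: spy_logs_matches(name) for name in fd_names}


if __name__ == "__main__":
    for name, matched in classify().items():
        print(f"{'MATCH ' if matched else 'ignore'}  {name}")
```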
Comment by Munzir Taha (munzirtaha) - Thursday, 20 February 2020, 18:52 GMT
It seems something is seriously broken because I now tried a very basic thing

sudo sysdig fd.name contains /usr/bin/

I expected this to print lots of messages. I launched many programs from the terminal, like `ls` and `ldd`, and many GUI programs, but nothing is printed!
Comment by Munzir Taha (munzirtaha) - Thursday, 09 April 2020, 04:56 GMT
This is now solved after latest updates.
Comment by Massimiliano Torromeo (mtorromeo) - Thursday, 09 April 2020, 07:35 GMT
Thanks for letting me know