[*] Can't find "%proc.exe_ino" in output file #2102
Labels
Comments
|
Hey @ChinaBluecat! That's for sure a problem of https://github.com/falcosecurity/libs. You can open an issue there :) |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When I run this script, I can get %proc.exe_ino in result normally
'''bash
sudo sysdig "evt.type in ('read', 'write') and proc.exe_ino!=0" -p "%proc.exe_ino" -j
'''
Result:
'''bash
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
{"proc.exe_ino":138584166}
......
'''
But when I export them using the "-w" argument and try to load them from the output file, I get an empty result.
'''bash
sudo sysdig "evt.type in ('read', 'write') and proc.exe_ino!=0" -p "%proc.exe_ino" -w [output_path]
sudo sysdig -r [output_path] -p "%proc.exe_ino" -j
'''
But it seems that other keys can be found in output file
'''bash
sudo sysdig -r [output_path] -p "%evt.type, %evt.info"
'''
Result:
'''bash
{"evt.info":"res=0 ","evt.type":"epoll_wait"}
{"evt.info":"maxevents=1024 ","evt.type":"epoll_wait"}
{"evt.info":"next=0 pgft_maj=0 pgft_min=4411 vm_size=1055528 vm_rss=27548 vm_swap=0 ","evt.type":"switch"}
{"evt.info":"","evt.type":"clock_nanosleep"}
{"evt.info":"fd=17() ","evt.type":"recvmsg"}
{"evt.info":"res=-11(EAGAIN) size=0 data=NULL tuple=NULL msgcontrol=NULL ","evt.type":"recvmsg"}
{"evt.info":"fd=17() ","evt.type":"recvmsg"}
{"evt.info":"res=-11(EAGAIN) size=0 data=NULL tuple=NULL msgcontrol=NULL ","evt.type":"recvmsg"}
{"evt.info":"fds=17:u3 timeout=0 ","evt.type":"poll"}
{"evt.info":"res=0 fds= ","evt.type":"poll"}
'''
The text was updated successfully, but these errors were encountered: