From fc5b51774a38078e8f9b72960307519f7ccffed8 Mon Sep 17 00:00:00 2001 From: Henri DF Date: Tue, 12 Apr 2016 21:57:10 -0700 Subject: [PATCH] Update README.md --- README.md | 52 ++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 6127845a..6cde51fd 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,38 @@ -# Digwatch: activity monitoring with sysdig +# Digwatch: Host Activity Monitoring with Sysdig Filters -## Build and run instructions +## Overview +Brief description of what, why, how, and pointer to website. -_Note:_ This is not yet set up to be propertly packaged and installed. For now, running digwatch means building it and installing it manually on the host where you want to run it. +### What kind of events can digwatch detect? + +## Installing Digwatch +Installation instructions. + +## Configuring Digwatch + +Digwatch is primarily configured via two files: a configuration file (such as the `digwatch.yaml` in this repository) and a rules file (such as the `digwatch_rules.conf` file in `rules/`). These two files are written to `/etc` after you install the Digwatch package. + +### Rules file +Explain the rules file syntax + +### Configuration file +Explain the config file contents and syntax + + +## Running Digwatch + +Digwatch is intended to be run as a service. But for experimentation and designing/testing rulesets, you will likely want to run it manually from the command-line. + +### Running Digwatch as a service +Instructions for Centos and Ubuntu. + +### Running Digwatch manually + + +## Building Digwatch + ### Building Clone this repo in a directory that also contains the sysdig source repo. The result should be something like: 
@@ -13,11 +41,8 @@ Clone this repo in a directory that also contains the sysdig source repo. The re $ pwd /sysdig 22:50 vagrant@vagrant-ubuntu-trusty-64:/sysdig -$ ls -la +$ ls -l total 20 -drwxr-xr-x 1 vagrant vagrant 306 Feb 16 23:06 . -drwxr-xr-x 25 root root 4096 Feb 18 19:24 .. -drwxr-xr-x 1 vagrant vagrant 680 Jan 23 19:32 agent drwxr-xr-x 1 vagrant vagrant 238 Feb 21 21:44 digwatch drwxr-xr-x 1 vagrant vagrant 646 Feb 21 17:41 sysdig ``` @@ -31,11 +56,16 @@ $ cmake .. $ make ``` -as a result, you should have a digwatch executable `build/userspace/digwatch/digwatch`. +as a result, you should have a digwatch executable in `build/userspace/digwatch/digwatch`. ### Running locally-built sysdig +Assuming you are in the `build` dir, you can run digwatch as: + +`$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf` + +Or instead you can try using some of the simpler rules files in `rules`. Or to get started, try creating a file with this: Create a file with some [digwatch rules](Rule-syntax-and-design). For example: ``` @@ -45,12 +75,6 @@ write and interactive and fd.name contains sysdig write and interactive and fd.name contains .txt ``` - - -Let's assume you called that file rules.txt. Now you can run digwatch like so: - -`./userspace/digwatch/digwatch rules.txt` - And you will see an output event for any interactive process that touches a file with "sysdig" or ".txt" in its name!
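Review bot: In the first hunk (`@@ -1,10 +1,38 @@`) the restructured README commits placeholder text under the new headings (`Brief description of what, why, how, and pointer to website.`, `Installation instructions.`, `Explain the rules file syntax`, plus an empty `### Running Digwatch manually`) while at the same time deleting the old warning that digwatch is not yet properly packaged and installed; until the Installing section is written, readers lose the only statement that there is no package, which sits badly next to the new sentence saying the two files are written to `/etc` after you install the Digwatch package. Either keep that note or mark the empty sections as TODO so the packaging claim is not read as current. Also, `Centos` in the service section should be `CentOS`.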
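Review bot: In the directory-listing hunk (`@@ -13,11 +41,8 @@`) the sample output keeps `total 20` from the original `ls -la` capture even though the `.`, `..` and `agent` entries were removed, so it no longer matches what `ls -l` prints for the two remaining directories; re-capture the listing or drop the `total` line. Removing `agent` is the right call, since it is not part of the layout the text asks the reader to set up.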
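Review bot: In the build/run hunk (`@@ -31,11 +56,16 @@`) the new invocation `$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r ../rules/digwatch_rules.conf` runs digwatch as root and resolves both files through paths relative to the `build` dir, so the README should state that it only works from that directory (or show absolute paths) and, because the process runs under `sudo`, that the config and rules files it loads should be owned and writable only by the operator rather than world-writable. The two lead-in sentences `Or instead you can try using some of the simpler rules files in `rules`.` and `Or to get started, try creating a file with this: Create a file with some [digwatch rules](Rule-syntax-and-design).` overlap ("try creating a file with this: Create a file") and should be merged into one. Minor style: the sentence beginning `as a result, you should have` starts in lower case, and the unchanged heading `### Running locally-built sysdig` now describes running digwatch, so rename it.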
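Review bot: In the last hunk (`@@ -45,12 +75,6 @@`) deleting `Let's assume you called that file rules.txt. Now you can run digwatch like so:` and `./userspace/digwatch/digwatch rules.txt` leaves the example rules file without any command that loads it, so a reader who creates the file is told only that output events will appear. Since the earlier hunk documents a `-r` flag, put one line back in that form, for example `$ sudo ./userspace/digwatch/digwatch -c ../digwatch.yaml -r rules.txt`, so the walkthrough ends with a runnable step.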