Ability to filter out OS events and trace only system calls #2162

@jetlime

Description

I’d like to use sysdig exclusively for tracing system calls.

From the documentation (and experimenting with the -L flag), I see that sysdig captures not only system calls but also a variety of OS events. I couldn’t find a built-in filter that allows me to exclude all non–system call events. For now, I’ve manually enumerated the OS events and excluded them with the following filter:

$ sudo sysdig evt.type!=drop and evt.type!=switch and evt.type!=scapevent and evt.type!=signaldeliver and evt.type!=procinfo and evt.type!=cpu_hotplug and evt.type!=k8s and evt.type!=tracer and evt.type!=mesos and evt.type!=notification and evt.type!=infra and evt.type!=page_fault and evt.type!=pluginevent and evt.type!=container and evt.type!=useradded and evt.type!=userdeleted and evt.type!=groupadded and evt.type!=groupdeleted and evt.type!=asyncevent and evt.type!=procexit

This works, but it feels brittle and hard to maintain.

  1. Is there a more maintainable way to capture only system calls (e.g., a predefined filter or category)?

  2. There is an exhaustive list of OS events here (https://docs.sysdig.com/en/sysdig-secure/rule-fields-library/#metaevents). Where can I find a detailed explanation for each of them?
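One way to make the exclusion list above less brittle, as an added example that is not part of the issue or of sysdig itself: keep the non-syscall event types in a single list and generate the `evt.type!=...` filter from it. The list is the one enumerated in the issue and is assumed to match the sysdig version in use; `build_syscall_filter`, `count_clauses` and `trace_syscalls_only` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the issue author or the sysdig project).
# The event types to exclude live in ONE place; the filter is generated.
# This list is taken from the issue and may need updating for other
# sysdig versions (check `sysdig -L` for the version you run).
META_EVENTS="drop switch scapevent signaldeliver procinfo cpu_hotplug k8s
tracer mesos notification infra page_fault pluginevent container
useradded userdeleted groupadded groupdeleted asyncevent procexit"

# Build "evt.type!=a and evt.type!=b ..." from a whitespace-separated list.
build_syscall_filter() {
    _filter=""
    for _ev in $1; do
        if [ -z "$_filter" ]; then
            _filter="evt.type!=$_ev"
        else
            _filter="$_filter and evt.type!=$_ev"
        fi
    done
    printf '%s' "$_filter"
}

# Count the clauses in a generated filter (sanity check that no type was lost).
count_clauses() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c '^evt.type!='
}

# Run sysdig with the generated filter passed as a single argument;
# extra arguments (e.g. -w capture.scap) are forwarded unchanged.
trace_syscalls_only() {
    sudo sysdig "$(build_syscall_filter "$META_EVENTS")" "$@"
}

# Only trace when explicitly requested, so sourcing this file is side-effect free.
if [ -n "${RUN_SYSDIG:-}" ]; then
    trace_syscalls_only "$@"
fi
```

Run with `RUN_SYSDIG=1 sh syscalls_only.sh` to start tracing; without the variable the file only defines the helpers.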
