QUARK-MON(8) System Manager's Manual QUARK-MON(8)

NAME
quark-mon - monitor and print quark events

SYNOPSIS
quark-mon [-bDekstv] [-C filename] [-l maxlength] [-m maxnodes]

quark-mon -h

quark-mon -V

DESCRIPTION
The quark-mon program listens to all incoming quark(7) events and prints them to stdout; the output format is the one described in quark_event_dump(3).

Its main use is testing and debugging quark; it is also a good introduction to the code base. quark-mon runs until a SIGINT is received.

The options are as follows:

-b
Attempt EBPF as the backend.
-C filename
Dumps the contents of the internal cache into filename after exit. The format is a dot file that can be compiled to an SVG with:
dot -Tsvg filename -o filename.svg
-D
Drop privileges to nobody and chroot to /var/empty, useful to show how quark can run without privileges.
-e
Include the entry leader fields in the output. The entry leader is how the process entered the system; it is disabled by default as it is Elastic/ECS specific.
Use minimal aggregation: fork, exec and exit will be aggregated.
-h
Display this manpage.
-k
Attempt kprobe as the backend.
-l maxlength
Maximum length of the quark queue, essentially how much quark is willing to buffer; refer to quark_queue_open(3) for further details.
-s
Don't send the initial snapshot of existing processes.
-t
Don't suppress thread events. This is only useful for debugging and will likely be zapped in the future.
-v
Increase verbosity; can be specified multiple times for more verbosity.
-m maxnodes
Don't really process events; just collect maxnodes in the sorting tree and output quark_by_time.dot and quark_by_pidtime.dot. The first is events sorted by time, the second by pid plus time. Exits after maxnodes has been reached. This is used purely for internal debugging.
-V
Print version and exit.

If no backend option is specified, quark-mon will attempt EBPF first, then fall back to kprobe if EBPF fails. If only one of -b or -k is passed, quark-mon is restricted to that backend only.

EXIT STATUS
quark-mon exits with 0 if a SIGINT was received, or 1 in case of error.

EXAMPLES
Running:

$ quark-mon

outputs:

->1607007 (FORK+EXEC+EXIT)
  COMM  comm=locale
  CMDL  cmdline=[ locale, charmap ]
  PROC  ppid=1607003
  PROC  uid=1000 gid=1000 suid=1000 sgid=1000 euid=1000 egid=1000
  PROC  cap_inheritable=0x0 cap_permitted=0x0 cap_effective=0x0
  PROC  cap_bset=0x1ffffffffff cap_ambient=0x0
  PROC  time_boot=1713340073284870415
  CWD   cwd=/d/e/quark
  FILE  filename=/usr/bin/locale
  EXIT  exit_code=0 exit_time=434523672438062
->1607008 (FORK+EXEC+EXIT)
  COMM  comm=groff
  CMDL  cmdline=[ groff, -mtty-char, -Tutf8, -mandoc, -rLL=109n, -rLT=109n, -P-c ]
  PROC  ppid=1607003
  PROC  uid=1000 gid=1000 suid=1000 sgid=1000 euid=1000 egid=1000
  PROC  cap_inheritable=0x0 cap_permitted=0x0 cap_effective=0x0
  PROC  cap_bset=0x1ffffffffff cap_ambient=0x0
  PROC  time_boot=1713340073288110375
  CWD   cwd=/d/e/quark
  FILE  filename=/usr/bin/groff
  EXIT  exit_code=0 exit_time=434523688177774
  ...

Refer to quark_event_dump(3) for the output format description.
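As an added example (not part of quark or this manual), a small Python parser for the quark_event_dump(3)-style records shown above: each "->pid (FLAGS)" block becomes a dict so the output can be filtered or handed to other tooling. The sample text is constructed in the same format as the output above; the field names and the root_execs() helper are this example's own.

```python
"""Parse quark-mon output (quark_event_dump(3) format) into structured records."""
import re

# Constructed sample in the same format as the quark-mon output above.
SAMPLE = """\
->1607007 (FORK+EXEC+EXIT)
  COMM  comm=locale
  CMDL  cmdline=[ locale, charmap ]
  PROC  ppid=1607003
  PROC  uid=1000 gid=1000 suid=1000 sgid=1000 euid=1000 egid=1000
  PROC  cap_inheritable=0x0 cap_permitted=0x0 cap_effective=0x0
  PROC  cap_bset=0x1ffffffffff cap_ambient=0x0
  PROC  time_boot=1713340073284870415
  CWD   cwd=/d/e/quark
  FILE  filename=/usr/bin/locale
  EXIT  exit_code=0 exit_time=434523672438062
->1607008 (FORK+EXEC)
  COMM  comm=groff
  CMDL  cmdline=[ groff, -mtty-char, -Tutf8 ]
  PROC  ppid=1607003
  PROC  uid=0 gid=0 suid=0 sgid=0 euid=0 egid=0
  FILE  filename=/usr/bin/groff
"""

HEADER = re.compile(r"^->(\d+) \((.*)\)$")   # "->pid (FORK+EXEC+EXIT)"
FIELD = re.compile(r"(\w+)=(\S+)")           # "key=value" pairs on a detail line

def _value(raw):
    """Hex (0x...) and decimal fields become ints; everything else stays a string."""
    if raw.startswith("0x"):
        return int(raw, 16)
    return int(raw) if raw.lstrip("-").isdigit() else raw

def parse_events(text):
    """Return a list of {"pid", "flags", "fields"} dicts, one per "->pid" block."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"pid": int(m.group(1)),
                           "flags": set(m.group(2).split("+")), "fields": {}})
            continue
        if not events or not line.strip():
            continue                      # skip anything before the first header
        _tag, _, rest = line.strip().partition(" ")   # "COMM  comm=locale" -> "comm=locale"
        rest, fields = rest.strip(), events[-1]["fields"]
        if rest.startswith("cmdline=[") and rest.endswith("]"):
            # Argument list; the dump separates args with ", " (args containing commas are ambiguous).
            inner = rest[len("cmdline=["):-1].strip()
            fields["cmdline"] = [a.strip() for a in inner.split(",")] if inner else []
        else:
            for key, raw in FIELD.findall(rest):
                fields[key] = _value(raw)
    return events

def root_execs(events):
    """(pid, filename) for EXEC events whose effective uid is 0, a typical first filter."""
    return [(e["pid"], e["fields"].get("filename")) for e in events
            if "EXEC" in e["flags"] and e["fields"].get("euid") == 0]
```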

SEE ALSO
quark_event_dump(3), quark_process_lookup(3), quark_queue_block(3), quark_queue_close(3), quark_queue_get_epollfd(3), quark_queue_get_events(3), quark_queue_get_stats(3), quark_queue_open(3), quark-btf(8), quark-test(8)

October 28, 2024 Linux