owner uid: ${uid}
condition: event rule matches
rule: test-name (type: user tracepoint)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: aaa (type: user tracepoint, filter: p == 2)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: gerboise (type: user tracepoint, log level at least INFO)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: * (type: user tracepoint)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: hello* (type: user tracepoint, exclusions: hello2,hello3,hello4)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: lemming (type: user tracepoint, log level is WARNING)
+ errors: none
actions:
notify
errors: none
rule: capture-payload-field (type: user tracepoint)
captures:
- a
+ errors: none
actions:
notify
errors: none
captures:
- a[2]
- \$ctx.tourlou[18]
+ errors: none
actions:
notify
errors: none
rule: capture-chan-ctx (type: user tracepoint)
captures:
- \$ctx.vpid
+ errors: none
actions:
notify
errors: none
rule: capture-app-ctx (type: user tracepoint)
captures:
- \$app.iga:active_clients
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: lemming (type: user tracepoint)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: my_channel_enable (type: kernel:kprobe, location: lttng_channel_enable)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: my_channel_enable (type: kernel:kprobe, location: ${base_symbol}+${offset_hex})
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: my_channel_enable (type: kernel:kprobe, location: 0x${channel_enable_addr})
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: ma-probe-elf (type: kernel:uprobe, location type: ELF, location: ${uprobe_elf_binary}:${elf_function_name})
+ errors: none
actions:
notify
errors: none
owner uid: 0
condition: event rule matches
rule: ma-probe-sdt (type: kernel:uprobe, location type: SDT, location: ${uprobe_sdt_binary}:${sdt_provider_name}:${sdt_probe_name})
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: open (type: kernel:syscall:entry+exit)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: open (type: kernel:syscall:entry)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: open (type: kernel:syscall:exit)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: open (type: kernel:syscall:entry+exit)
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: ptrace (type: kernel:syscall:entry+exit, filter: a > 2)
+ errors: none
actions:
notify
errors: none
condition: session consumed size
session name: the-session-name
threshold: 1234 bytes
+ errors: none
actions:
notify
errors: none
channel name: the-channel-name
domain: ust
threshold (bytes): 1234
+ errors: none
actions:
notify
errors: none
channel name: the-channel-name
domain: ust
threshold (ratio): 0.25
+ errors: none
actions:
notify
errors: none
channel name: the-channel-name
domain: ust
threshold (bytes): 2345
+ errors: none
actions:
notify
errors: none
channel name: the-channel-name
domain: ust
threshold (ratio): 0.40
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: session rotation completed
session name: the-session-name
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: session rotation ongoing
session name: the-session-name
+ errors: none
actions:
notify
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, path: /some/path
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, path: /some/other/path
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, url: net://1.2.3.4
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, url: net://1.2.3.4:1234:1235
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, control url: tcp://1.2.3.4:1111, data url: tcp://1.2.3.4:1112
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, path: /some/path, max size: 1234
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, path: /some/path, name: meh
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, rate policy: every 10 occurrences
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
snapshot session \`ze-session\`, rate policy: once after 10 occurrences
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
notify, rate policy: once after 5 occurrences
errors: none
owner uid: ${uid}
condition: event rule matches
rule: some-event (type: user tracepoint)
+ errors: none
actions:
notify, rate policy: every 10 occurrences
errors: none