Install Sysdig on Ubuntu 20.04 – Get it Running Fast
In this short guide you’ll see exactly how to drop Sysdig onto a fresh (or already‑running) Ubuntu 20.04 box and fire up its terminal UI without pulling your hair out. I’ll point out the bits that usually bite—like kernel header mismatches—and give you a quick sanity check at the end.
What you need
- An Ubuntu 20.04 server or desktop with sudo access.
- A working internet connection (the installer pulls packages from Amazon S3).
- Basic comfort with the shell; if you can run apt you’re fine.
I’ve installed Sysdig on a dozen VPSes, and the most common hiccup is forgetting to install the matching kernel headers before the package tries to compile its kernel module. Keep that in mind.
Update the base system
Running an up‑to‑date distro avoids needless compilation errors later.
sudo apt update && sudo apt upgrade -y
The -y flag saves you a prompt, but feel free to omit it if you prefer to review what’s being upgraded. After that, pull in a few utilities the installer expects:
sudo apt install gnupg software-properties-common curl linux-headers-$(uname -r) -y
Why the headers? Sysdig ships a kernel module for deep packet capture; without the exact headers for your running kernel it will refuse to build.
Pull in the official repository
The “curl | bash” pattern gets a lot of flak, and rightfully so—blindly executing remote scripts is risky. In this case the script is just adding a signed APT source, but you can inspect it first if you’re paranoid:
curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig > /tmp/install-sysdig.sh
less /tmp/install-sysdig.sh # skim the contents
sudo bash /tmp/install-sysdig.sh
If you trust the source, skip the less step and pipe directly; it’s quicker and works fine on most clean installs.
Install the package
Now that the repository is registered, pull in Sysdig itself:
sudo apt update
sudo apt install sysdig -y
The installer will compile the kernel module against the headers you installed earlier. If you see a message about “module build failed,” double‑check that linux-headers-$(uname -r) matches your current kernel (uname -r).
Verify it’s alive
A quick sanity check:
sysdig --info
You should see the version number, supported capture methods, and a line confirming the kernel module is loaded. If the output complains about missing capabilities, run the next command with sudo.
To launch the curses‑based UI that shows live CPU, memory, I/O, and network stats:
sudo csysdig
You’ll get a split‑screen view: processes on the left, resource graphs on the right. It’s surprisingly lightweight; on my 1 CPU droplet it barely nudges the load average.
A couple of gotchas I’ve run into
- Kernel upgrades – After a kernel update you must reinstall the headers (sudo apt install linux-headers-$(uname -r)) and then sudo modprobe sysdig_probe. Otherwise Sysdig will start but won’t capture anything.
- Docker containers – If you plan to sniff inside containers, add your user to the docker group and enable the --privileged flag on the container running Sysdig; otherwise it’ll only see host‑level traffic.
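The header check from the "module build failed" note and the kernel-upgrade gotcha above can be scripted. This is an added example, not part of the original guide or the Sysdig project; the function names are hypothetical, and it assumes the module name sysdig_probe used in this guide.

```shell
#!/bin/sh
# Added example: decide what a host needs after a kernel upgrade before
# Sysdig can capture again. Function names are hypothetical.
# Assumption: the module is called sysdig_probe, as in the guide above.

# headers_state RELEASE DPKG_LISTING
#   DPKG_LISTING is the output of:
#     dpkg-query -W -f='${Package} ${Status}\n' 'linux-headers-*'
#   Prints "ok" only if linux-headers-RELEASE is fully installed, so
#   headers left over from the previous kernel do not count.
headers_state() {
    printf '%s\n' "$2" | awk -v pkg="linux-headers-$1" '
        $1 == pkg { seen = 1; state = $NF }
        END {
            if (!seen)                     print "missing"
            else if (state == "installed") print "ok"
            else                           print "broken"
        }'
}

# module_state NAME PROC_MODULES   (PROC_MODULES is the content of /proc/modules)
#   Prints "loaded" only for an exact name match whose state is Live.
module_state() {
    printf '%s\n' "$2" | awk -v m="$1" '
        $1 == m && $5 == "Live" { ok = 1 }
        END { print (ok ? "loaded" : "absent") }'
}

# preflight RELEASE DPKG_LISTING PROC_MODULES
#   Prints the next step and returns 0 only when capture should work.
preflight() {
    if [ "$(headers_state "$1" "$2")" != ok ]; then
        echo "install linux-headers-$1"
        return 1
    fi
    if [ "$(module_state sysdig_probe "$3")" != loaded ]; then
        echo "modprobe sysdig_probe"
        return 2
    fi
    echo "ready"
}

# On a live host:
#   preflight "$(uname -r)" \
#     "$(dpkg-query -W -f='${Package} ${Status}\n' 'linux-headers-*' 2>/dev/null)" \
#     "$(cat /proc/modules)"
```

The functions take the dpkg and /proc/modules text as arguments, so the same check can run against output collected from several hosts.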
That’s it—Sysdig is now humming away on your Ubuntu 20.04 box. Feel free to experiment with filters (sysdig evt.type=read) or save snapshots for later analysis.