How to Install Sysdig on Debian 13, 12 and 11

Last updated Friday, May 22, 2026 9:32 am Joshua James 9 min read

Tracing live system calls is often the fastest way to catch the process, file, or network event that ordinary metrics miss. You can install Sysdig on Debian to inspect that activity in real time, whether you are debugging an application, watching container behavior, or investigating a host for suspicious changes.

Sysdig’s current official APT repository path targets Debian 13 (Trixie), Debian 12 (Bookworm), and Debian 11 (Bullseye) on amd64 and arm64 systems. This guide also covers csysdig, the matching text interface, along with update, removal, and troubleshooting paths for the current 0.41.x package line.

Prepare Debian Before Installing Sysdig

Start with fresh package metadata so Debian resolves the Sysdig dependencies against your current system state:

sudo apt update

If you install pending kernel updates before Sysdig, reboot into the new kernel before installing Sysdig so linux-headers-$(uname -r) matches the kernel that is actually running.

These commands use sudo for tasks that need root privileges. If your account is not in the sudoers file yet, follow the guide on how to add a user to sudoers on Debian.

Install Sysdig on Debian

Debian 12 currently carries sysdig 0.29.3-1+b1 in its default APT sources, while Debian 11 and Debian 13 currently do not show a default candidate. The Sysdig package repository publishes the newer 0.41.x package line for amd64 and arm64, so begin by installing the required packages.

Desktop Debian systems may already have some of these packages, but minimal and server installs usually need the full list:

sudo apt install ca-certificates curl gpg ncurses-term dkms -y

curl downloads the repository key, gpg converts it into APT’s keyring format, ca-certificates validates the HTTPS connection, ncurses-term helps csysdig avoid common terminal-definition errors such as xterm-256color, and dkms rebuilds Sysdig’s scap module when your kernel changes. The -y flag accepts APT’s confirmation prompt automatically. The curl command in the next step combines the -f, -s, -S, and -L download flags: -f fails on HTTP errors instead of passing an error page to gpg, -s hides the progress meter, -S still prints errors, and -L follows redirects.

Import the Sysdig GPG Key on Debian

Download the ASCII-armored Sysdig key and store the converted keyring file in /usr/share/keyrings/ for APT:

curl -fsSL https://download.sysdig.com/DRAIOS-GPG-KEY.public | sudo gpg --dearmor --yes -o /usr/share/keyrings/sysdig.gpg

The sudo gpg --dearmor --yes -o form writes the keyring file directly as root and replaces an older local copy on reruns instead of waiting for an interactive prompt.
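The download step trusts whatever key the HTTPS endpoint serves, so the keyring's fingerprint can be compared against a pinned value before APT relies on it. The following is an added example, not part of the original guide or of Sysdig's instructions; EXPECTED_FPR and the sample colon-format listing are constructed placeholders, and the real fingerprint has to be obtained from Sysdig through a separate channel.

```shell
#!/bin/sh
# Added example: pin the repository signing key by fingerprint.
# EXPECTED_FPR is a placeholder, NOT Sysdig's real fingerprint.
EXPECTED_FPR='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'

# Constructed sample of `gpg --show-keys --with-colons` output:
# one primary key (pub) followed by one subkey (sub).
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example Repo Key <repo@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1400000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'

# Print the fingerprint of every primary key in colon-format output on stdin.
# Subkey fingerprints are ignored: only the fpr record right after a pub record counts.
primary_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin holds exactly one primary key whose fingerprint equals $1.
# Spaces and letter case in $1 are normalised; an extra key in the file is a failure.
key_matches_pin() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
  found=$(primary_fingerprints)
  [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# Check a keyring file on disk (requires gpg): $1 = keyring path, $2 = pinned fingerprint.
verify_keyring() {
  gpg --show-keys --with-colons "$1" 2>/dev/null | key_matches_pin "$2"
}

# Demo on the constructed sample, so the script runs without gpg or network access.
if printf '%s\n' "$SAMPLE_COLONS" | key_matches_pin "$EXPECTED_FPR"; then
  echo 'sample key matches the pinned fingerprint'
else
  echo 'sample key does NOT match the pin; do not add the repository' >&2
fi
```

On a real host, call verify_keyring /usr/share/keyrings/sysdig.gpg "$EXPECTED_FPR" after the import and before writing the .sources file.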

Add the Sysdig Repository on Debian

Create a DEB822 .sources file that points APT to Sysdig’s stable Debian repository. Sysdig’s upstream instructions use the same repository and signing key in a one-line APT source; the DEB822 format keeps the Debian setup easier to inspect and remove later. The case guard in the command below skips unsupported architectures instead of writing a source that cannot provide the documented package line.

arch="$(dpkg --print-architecture)"
case "$arch" in
  amd64|arm64)
    printf '%s\n' \
      'Types: deb' \
      'URIs: https://download.sysdig.com/stable/deb' \
      "Suites: stable-${arch}/" \
      'Signed-By: /usr/share/keyrings/sysdig.gpg' \
      | sudo tee /etc/apt/sources.list.d/sysdig.sources > /dev/null
    ;;
  *)
    printf 'Sysdig 0.41.x Debian packages are available for amd64 and arm64; detected %s.\n' "$arch" >&2
    ;;
esac

This DEB822 file uses a trailing slash in Suites: because Sysdig publishes a flat repository layout without separate components. The dpkg --print-architecture check chooses stable-amd64/ or stable-arm64/ only when that repository path matches the documented package line, and sudo tee writes the file as root because a plain shell redirect would not.

If the command prints the unsupported-architecture message, stop before refreshing APT because the remaining install steps apply only to the current amd64 and arm64 package paths. You can remove the unused keyring with sudo rm -f /usr/share/keyrings/sysdig.gpg.

Refresh APT for the Sysdig Repository

Refresh APT so Debian reads the new Sysdig source:

sudo apt update

APT should now read metadata from https://download.sysdig.com/stable/deb. The exact Get: line numbers and byte counts vary by mirror state, so use the package-policy check next for stable proof.

Verify the Sysdig Repository on Debian

Confirm that APT now prefers the Sysdig package from the official repository:

apt-cache policy sysdig

Relevant apt-cache policy output from the validated amd64 Debian hosts shows the Sysdig repository as the preferred source. Debian 13 and Debian 11 show the Sysdig repository candidate without a lower distro package:

sysdig:
  Installed: (none)
  Candidate: 0.41.4
  Version table:
     0.41.4 500
        500 https://download.sysdig.com/stable/deb stable-amd64/ Packages

Debian 12 also shows its older default package below the Sysdig repository entry, but APT should choose the newer Sysdig repository candidate:

sysdig:
  Installed: (none)
  Candidate: 0.41.4
  Version table:
     0.41.4 500
        500 https://download.sysdig.com/stable/deb stable-amd64/ Packages
     0.29.3-1+b1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages

The important check is the download.sysdig.com source. On arm64, the source label uses stable-arm64/ instead.
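The same check can be scripted, for example in provisioning code that should stop when the candidate would come from anywhere other than download.sysdig.com. This is an added example, not part of the original guide; the function names are hypothetical and the two sample listings reuse the Debian 12 apt-cache policy output shown on this page.

```shell
#!/bin/sh
# Added example: confirm the sysdig candidate is offered only by the Sysdig repository.
SYSDIG_REPO='https://download.sysdig.com/stable/deb'

# Sample listings taken from this guide's Debian 12 output.
POLICY_WITH_REPO='sysdig:
  Installed: (none)
  Candidate: 0.41.4
  Version table:
     0.41.4 500
        500 https://download.sysdig.com/stable/deb stable-amd64/ Packages
     0.29.3-1+b1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages'

POLICY_DEBIAN_ONLY='sysdig:
  Installed: (none)
  Candidate: 0.29.3-1+b1
  Version table:
     0.29.3-1+b1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages'

# Print the source URI of each repository that offers the candidate version.
# Reads `apt-cache policy <pkg>` output on stdin; the local dpkg status row is skipped.
candidate_sources() {
  awk '
    $1 == "Candidate:"                { cand = $2; next }
    $1 == "Version" && $2 == "table:" { in_table = 1; next }
    !in_table                         { next }
    # Version rows: "<version> <priority>", prefixed with "***" when installed.
    $NF ~ /^-?[0-9]+$/ && (NF == 2 || (NF == 3 && $1 == "***")) { current = $(NF - 1); next }
    # Source rows: "<priority> <uri> <suite> ...".
    current == cand && $1 ~ /^-?[0-9]+$/ && $2 != "/var/lib/dpkg/status" { print $2 }
  '
}

# Succeed only if a candidate exists and every source offering it is the Sysdig repository.
candidate_from_sysdig_repo() {
  sources=$(candidate_sources)
  [ -n "$sources" ] || return 1
  if printf '%s\n' "$sources" | grep -Fxv "$SYSDIG_REPO" >/dev/null; then
    return 1
  fi
  return 0
}

# Demo on the two samples; on a real host pipe in: apt-cache policy sysdig
for sample in "$POLICY_WITH_REPO" "$POLICY_DEBIAN_ONLY"; do
  if printf '%s\n' "$sample" | candidate_from_sysdig_repo; then
    echo 'candidate is served by the Sysdig repository'
  else
    echo 'candidate is NOT served by the Sysdig repository'
  fi
done
```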

Install Sysdig and Matching Linux Headers on Debian

Install Sysdig with the headers that match your running kernel so DKMS can build the scap module immediately:

sudo apt install linux-headers-$(uname -r) sysdig -y

linux-headers-$(uname -r) expands to the exact header package for the kernel you are running. During installation, Sysdig builds the scap DKMS module automatically, and that module is rebuilt again when you install a newer kernel later.

A successful install ends with DKMS building and installing the scap module. Relevant lines differ slightly by release and kernel. Debian 13 can show module signing and more than one installed kernel:

Building initial module scap/8.1.0+driver for 6.12.88+deb13-amd64
Sign command: /lib/modules/6.12.88+deb13-amd64/build/scripts/sign-file
Signing module /var/lib/dkms/scap/8.1.0+driver/build/scap.ko
Installing /lib/modules/6.12.88+deb13-amd64/updates/dkms/scap.ko.xz
Running depmod... done.

Debian 12 shows the classic DKMS install path:

Setting up sysdig (0.41.4) ...
Loading new scap-8.1.0+driver DKMS files...
Building initial module for 6.1.0-48-amd64
Done.

scap.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/6.1.0-48-amd64/updates/dkms/

Debian 11 uses the same DKMS module version with the Debian 11 kernel path:

Loading new scap-8.1.0+driver DKMS files...
Building initial module for 5.10.0-42-amd64
Done.

scap.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.10.0-42-amd64/updates/dkms/

DKMS: install completed.

Different kernel patch numbers are normal. Continue as long as DKMS finishes without an error.

Verify Sysdig on Debian

Check the main binary and confirm that the package also placed csysdig on your system:

sysdig --version
command -v csysdig

Example output:

sysdig version 0.41.4
/usr/bin/csysdig

The official sysdig package also installs csysdig, so you do not need a second package to use the text interface.

Use Sysdig on Debian

Sysdig can trace raw system activity with enough detail to explain what a process touched, which network sockets it opened, and how its behavior changed over time. These examples cover a practical starting set of filters and chisels.

Run Basic Sysdig Monitoring Commands

Start with fields and chisels so filters make sense before you run broad captures.

List Sysdig Filter Fields

List the filter fields Sysdig can match against:

sysdig -l

The list is long and grouped by field class. Common fields include proc.name for process names, fd.name for file descriptor names, evt.type for events such as read, write, and open, and container.name for container-aware filters.

Monitor System Activity with Sysdig

Monitor real-time CPU activity with the topprocs_cpu chisel. Chisels are pre-built Lua scripts that process Sysdig’s raw event stream into useful summaries:

sudo sysdig -c topprocs_cpu

This displays the processes consuming the most CPU in a continuously updating view, helping identify resource-intensive applications. Press Ctrl+C to stop monitoring. For basic process monitoring without kernel-level detail, install htop on Debian as a lightweight alternative.

List Available Sysdig Chisels

List the installed chisels and scan the first categories:

sysdig -cl

Relevant output from the current package includes:

Category: Application
---------------------
httplog.lua     HTTP requests log
httptop.lua     Top HTTP requests
memcachelog.lua memcached requests log

Category: CPU Usage
-------------------
spectrogram.lua Visualize OS latency in real time.
subsecoffset.lua
                Visualize subsecond offset execution time.
topcontainers_cpu.lua
                Top containers by CPU usage
topprocs_cpu.lua
                Top processes by CPU usage

Category: Errors

Each chisel serves a specific monitoring purpose. For instance, topprocs_cpu.lua summarizes CPU-heavy processes, while network chisels such as topconns.lua help you focus on connections without reading the raw syscall stream.

Filter Sysdig Events by Process Name

Beyond summary views, Sysdig also works well when you need raw events from one service. For example, monitor every system call from an Nginx worker after you install Nginx on Debian:

sudo sysdig proc.name=nginx

This captures every system call made by Nginx processes, including file reads, network operations, and memory allocations. The output streams in real time, showing the direction (> for entry, < for exit), timestamp, process name, and syscall details.

Filter Sysdig Events by Container Name

If you run containers, Sysdig can filter events to a specific workload after you install Docker on Debian:

sudo sysdig container.name=my_container

Replace my_container with your actual container name. This approach is particularly useful for debugging container-specific issues, since you see only events from processes inside that container rather than system-wide noise.

Run Advanced Sysdig Monitoring Commands

Sysdig also includes specialized chisels for file I/O analysis, network monitoring, and security investigations. Use these when the raw event stream is too noisy for the question you are trying to answer.

Monitor File I/O with Sysdig

The spy_file chisel shows files being accessed, the processes accessing them, and the actual data being read or written:

sudo sysdig -c spy_file

This helps identify which configuration files an application reads during startup or which log files it writes to. You can also filter to a specific file:

sudo sysdig -c spy_file /etc/passwd

Analyze Network Connections with Sysdig

Display active network connections with the netstat chisel:

sudo sysdig -c netstat

Output includes source and destination IP addresses, ports, and connection state for active connections. For traffic analysis, the topconns chisel sorts connections by transferred bytes:

sudo sysdig -c topconns

Create Custom Sysdig Filtered Views

You can combine chisels with filters to create focused monitoring views for specific processes or events.

Create a Sysdig CPU Filter View

Filter the CPU chisel to one process name when a broad process list is too noisy:

sudo sysdig -c topprocs_cpu "proc.name=my_process"

Replace my_process with the process name you want to monitor. The filter limits output to only matching processes while the chisel displays CPU consumption rankings. Like all capture commands, this requires root privileges.

Use csysdig on Debian

csysdig gives you the same event stream in a navigable terminal interface, which is useful when you want to explore process and network activity live instead of reading a long capture scroll. It feels closer to htop, but the data still comes from Sysdig’s syscall tracing engine.

Launch csysdig on Debian

Launch csysdig with root privileges to access all system events:

sudo csysdig

The interface opens showing the default Processes view. From here, use keyboard shortcuts to navigate between views and filter data.

Navigate csysdig Views on Debian

Once csysdig is running, press F2 or type : followed by the view name to switch between built-in views:

  • Processes: Displays running processes and their resource usage. Shortcut: :processes.
  • Connections: Shows active network connections, including source and destination IP addresses, ports, and connection state. Shortcut: :connections.
  • Errors: Highlights system errors and exceptions. Shortcut: :errors.
  • Containers: Lists running containers and their resource usage. Shortcut: :containers.

Learn csysdig Keyboard Shortcuts

These shortcuts cover the common navigation tasks:

  • F1 or h: Display the help menu with available commands and shortcuts.
  • F2 or v: Switch between available views.
  • F4 or l: Apply a filter to the current view, such as a process name or container ID.
  • F5 or s: Sort the current view by a specific column.
  • F6 or a: Add or remove columns from the current view.
  • Esc or q: Quit csysdig or close the current menu.

Create Custom csysdig Views on Debian

Create a custom view when the built-in views do not match the metric or filter you need:

  1. Press F2 or type :addview to open the Add View menu.
  2. Enter a name for your custom view.
  3. Define the columns you want to include in your view by typing the respective column names.
  4. Add a filter to your custom view by pressing F4 and entering the filter criteria.
  5. Save your custom view by pressing Enter.

After saving, switch to your custom view with F2 or by typing :your_view_name.

Troubleshoot Sysdig on Debian

Most Sysdig problems on Debian come from the kernel module path or from running a capture without elevated privileges. These checks cover both cases.

Fix Sysdig Kernel Module Errors on Debian

If Sysdig reports that the probe cannot load, first make sure the headers for your running kernel are installed:

sudo apt install linux-headers-$(uname -r)

Then load Sysdig’s tested DKMS module name directly:

sudo modprobe scap

A successful modprobe run returns no output. If the module still does not load, switch to Sysdig’s eBPF path instead of the DKMS module:

sudo sysdig --modern-bpf -cl

Relevant output includes:

Category: Application
---------------------
httplog.lua     HTTP requests log
httptop.lua     Top HTTP requests
memcachelog.lua memcached requests log

The --modern-bpf option uses the kernel’s built-in eBPF support and works on kernels 5.8 and newer.
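The decision in this section (use the scap module when it is loaded, otherwise fall back to --modern-bpf on a 5.8 or newer kernel) can be run as a read-only pre-flight check. This is an added example, not part of the original guide; the function names are hypothetical and the module listings and the 4.19 kernel release are constructed samples.

```shell
#!/bin/sh
# Added example: report which Sysdig capture path a host can use, without changing it.

# Constructed samples in /proc/modules format.
MODULES_WITH_SCAP='scap 1224704 0 - Live 0x0000000000000000 (OE)
nf_tables 356352 0 - Live 0x0000000000000000'
MODULES_WITHOUT_SCAP='nf_tables 356352 0 - Live 0x0000000000000000'

# Succeed if module $1 appears in the /proc/modules-format listing on stdin.
module_loaded() {
  awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Succeed if a kernel release such as "6.12.88+deb13-amd64" is 5.8 or newer.
# Returns 1 for an older kernel and 2 when the release string cannot be parsed.
kernel_supports_modern_bpf() {
  major=${1%%.*}            # text before the first dot
  rest=${1#*.}              # text after the first dot
  minor=${rest%%[!0-9]*}    # leading digits of the remainder
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  case "$minor" in '') return 2 ;; esac
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# Print "kmod", "modern-bpf" or "none" for kernel release $1 and the module listing on stdin.
capture_path() {
  if module_loaded scap; then
    echo kmod
  elif kernel_supports_modern_bpf "$1"; then
    echo modern-bpf
  else
    echo none
  fi
}

# Demo on constructed input; on a real host use: capture_path "$(uname -r)" < /proc/modules
printf '%s\n' "$MODULES_WITH_SCAP"    | capture_path '6.1.0-48-amd64'
printf '%s\n' "$MODULES_WITHOUT_SCAP" | capture_path '5.10.0-42-amd64'
printf '%s\n' "$MODULES_WITHOUT_SCAP" | capture_path '4.19.0-27-amd64'
```

A result of modern-bpf means sysdig commands need the --modern-bpf option until the scap module loads; none means neither path described in this section is available on that kernel.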

Fix Sysdig Permission Errors on Debian

Sysdig needs elevated privileges for live captures, so a regular shell will trigger permission errors. Re-run the command with sudo:

sudo sysdig -c topprocs_cpu

A live list of top CPU consumers confirms that Sysdig can read events again. The same rule applies to csysdig, so launch it with sudo csysdig.

Update or Remove Sysdig on Debian

Keep Sysdig current with a targeted package upgrade, then remove the package and repository files cleanly if you no longer need them.

Update Sysdig on Debian

When new versions are released, you can update only Sysdig without upgrading other packages:

sudo apt update && sudo apt install --only-upgrade sysdig -y

If you prefer to upgrade the whole system at the same time, use the normal Debian upgrade path:

sudo apt update && sudo apt upgrade -y

Confirm the installed version after either update path:

sysdig --version

Example output:

sysdig version 0.41.4

Remove Sysdig on Debian

Remove the package first, then delete the repository file and refresh APT before removing the keyring.

Remove the Sysdig Package on Debian

Start by removing the package itself:

sudo apt remove sysdig -y

This removal also unregisters the scap DKMS module automatically. Leave dkms, linux-headers-$(uname -r), and ncurses-term installed unless you know nothing else on the system needs them.

Remove the Sysdig Repository on Debian

Delete the Sysdig .sources file first so APT no longer reads the repository:

sudo rm -f /etc/apt/sources.list.d/sysdig.sources

Verify Sysdig Package Removal on Debian

Refresh APT and confirm that the package is no longer installed:

sudo apt update
if dpkg-query -W -f='${db:Status-Abbrev}\n' sysdig 2>/dev/null | grep -q '^ii'; then
  printf 'sysdig is still installed\n'
else
  printf 'sysdig is not installed\n'
fi

Example installed-state output after successful removal:

sysdig is not installed

Then confirm that APT no longer prefers the Sysdig repository package:

apt-cache policy sysdig

After repository cleanup, Debian 13 returns no installed package and no candidate:

sysdig:
  Installed: (none)
  Candidate: (none)
  Version table:

Debian 12 may still show the older package from its default APT sources:

sysdig:
  Installed: (none)
  Candidate: 0.29.3-1+b1
  Version table:
     0.29.3-1+b1 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages

Debian 11 returns no package stanza after the Sysdig repository is removed. If any release still shows a 0.41.x candidate, the Sysdig repository file likely remains in place.

Remove the keyring only after removing the source and refreshing APT, so the final repository check does not depend on trust material that has already been deleted.

Remove the Sysdig GPG Key on Debian

Remove the keyring file that APT used to trust the Sysdig repository:

sudo rm -f /usr/share/keyrings/sysdig.gpg

Conclusion

Sysdig is ready on Debian with the current upstream package, the csysdig interface, and an eBPF fallback if the kernel module path gives you trouble. If container tracing is next, install Docker on Debian; for login protection on exposed services, install Fail2Ban on Debian.
