Live syscall tracing helps when CPU graphs, process lists, and logs still do not explain what a process actually did. If you need to install Sysdig on Ubuntu, the main choice is between Ubuntu’s Universe package and Sysdig’s official APT repository: the Ubuntu package is simpler, while the official repository currently provides Sysdig 0.41.4 across Ubuntu 26.04, 24.04, and 22.04.
The sysdig package is also the Sysdig CLI package: it installs the sysdig command and the matching csysdig terminal interface. Sysdig loads a DKMS-built kernel module for live captures, so the install also needs headers for your running kernel and a cleanup path that handles the module state correctly.
Prepare Ubuntu Before Installing Sysdig
Refresh package metadata first so APT resolves Sysdig, DKMS, and kernel-header dependencies against the current Ubuntu repositories:
sudo apt update && sudo apt upgrade
These commands use sudo for tasks that need root privileges. If your account is not in the sudoers file yet, follow the guide on how to add a new user to sudoers on Ubuntu.
Install Sysdig on Ubuntu
Ubuntu 26.04, 24.04, and 22.04 all provide a Sysdig package through Universe, but the official Sysdig repository carries the newest upstream build across the same supported LTS scope.
Sysdig is distributed for Ubuntu through APT package sources rather than a standalone archive. The official method below pulls packages from Sysdig’s maintained download repository, while the alternate method stays with Ubuntu’s own repositories.
| Method | Current package | Best fit |
|---|---|---|
| Official Sysdig APT repository | 0.41.4 on Ubuntu 26.04, 24.04, and 22.04 | Recommended when you want the current upstream release and the same package version across supported LTS releases. |
| Ubuntu Universe repository | 0.40.0 on Ubuntu 26.04, 0.36.0 on Ubuntu 24.04, and 0.27.1 on Ubuntu 22.04 | Best when you prefer Ubuntu-managed packages and do not need the newest Sysdig release. |
Install Sysdig from the Official Repository
Use the official repository when you want the current upstream Sysdig build instead of the older package shipped by a specific Ubuntu release. The upstream project is maintained at the Sysdig GitHub repository. Install the setup tools first:
sudo apt install ca-certificates curl gpg ncurses-term dkms -y
curl downloads the repository key, gpg converts it into APT’s keyring format, ca-certificates validates HTTPS, ncurses-term helps csysdig avoid terminal-definition errors, and dkms rebuilds the Sysdig module when your kernel changes. The guide on how to use the curl command in Linux explains the download flags used below.
Download the Sysdig signing key and store the converted keyring file under /usr/share/keyrings/:
curl -fsSL https://download.sysdig.com/DRAIOS-GPG-KEY.public | sudo gpg --dearmor --yes -o /usr/share/keyrings/sysdig.gpg
Add the Sysdig repository with a DEB822 .sources file:
printf '%s\n' \
'Types: deb' \
'URIs: https://download.sysdig.com/stable/deb' \
"Suites: stable-$(dpkg --print-architecture)/" \
'Signed-By: /usr/share/keyrings/sysdig.gpg' \
| sudo tee /etc/apt/sources.list.d/sysdig.sources > /dev/null
The Suites: line ends with a slash because Sysdig publishes a flat repository layout. The dpkg --print-architecture substitution fills in your package architecture, such as amd64 or arm64, and sudo tee writes the root-owned source file because a plain shell redirect runs as your own user and would not have permission to write there.
Refresh APT so Ubuntu reads the new Sysdig source:
sudo apt update
Relevant output includes the Sysdig metadata fetch:
Get:6 https://download.sysdig.com/stable/deb stable-amd64/ InRelease [1,390 B]
Get:7 https://download.sysdig.com/stable/deb stable-amd64/ Packages [56.4 kB]
Confirm that APT now prefers the official Sysdig package:
apt-cache policy sysdig
On Ubuntu 26.04, the official package appears above the Ubuntu Universe package:
sysdig:
Installed: (none)
Candidate: 0.41.4
Version table:
0.41.4 500
500 https://download.sysdig.com/stable/deb stable-amd64/ Packages
0.40.0+repack-3 500
500 http://archive.ubuntu.com/ubuntu resolute/universe amd64 Packages
Your Ubuntu mirror hostname may differ, but the Sysdig repository line and the version ordering should match.
Install Sysdig with headers for the running kernel so DKMS can build the capture module immediately:
sudo apt install linux-headers-$(uname -r) sysdig -y
The header package must match the kernel shown by uname -r. If you recently installed a new kernel but have not rebooted, reboot first so the running kernel and available headers line up. For a deeper package-name walkthrough, use the guide to install Linux kernel headers on Ubuntu.
A successful official-repository install builds the scap DKMS module:
Setting up sysdig (0.41.4) ...
Loading new scap/8.1.0+driver DKMS files...
Building initial module scap/8.1.0+driver for 7.x.x-generic
Building module(s)...... done.
Installing /lib/modules/7.x.x-generic/updates/dkms/scap.ko.zst
Running depmod..... done.
Install Sysdig from Ubuntu Repositories
Use Ubuntu’s package when you want the simpler distro-managed install and do not need the newest upstream release. This method works only from Ubuntu’s repositories, so skip it if you already added the official Sysdig source above.
The Ubuntu package lives in the Universe component. Standard desktop installs often have Universe enabled already, but minimal or customized systems may need the guide on how to enable Universe and Multiverse on Ubuntu before APT can locate sysdig.
Install the Ubuntu package, matching kernel headers, and the terminal definitions used by csysdig:
sudo apt install linux-headers-$(uname -r) sysdig ncurses-term -y
Ubuntu 26.04 and 24.04 build a scap DKMS module for the distro package. Ubuntu 22.04 uses the older sysdig_probe module name, so module checks need to allow both names.
Verify Sysdig on Ubuntu
Check the main binary and confirm that csysdig is available:
sysdig --version
command -v csysdig
The official repository currently returns:
sysdig version 0.41.4
/usr/bin/csysdig
Ubuntu’s own packages return release-specific versions instead: 0.40.0 on Ubuntu 26.04, 0.36.0 on Ubuntu 24.04, and 0.27.1 on Ubuntu 22.04.
Check the DKMS module state next:
dkms status | grep -E 'scap|sysdig'
For the official package, the output shows the scap driver installed for your active kernel:
scap/8.1.0+driver, 7.x.x-generic, x86_64: installed
The grep -E filter keeps the DKMS output focused on Sysdig-related module names. The grep command examples in Linux cover that extended-regex mode if you want the filter syntax explained.
Run a simple process snapshot to confirm Sysdig can read live system events:
sudo sysdig -c ps
Relevant output starts with a process table similar to this:
TID PID USER VIRT RES FDLIMIT CMD
1 1 root 25.81M 16.55M 214748358 systemd
602 602 root 57.63M 18.90M 524288 systemd-journal
Use Sysdig on Ubuntu
Sysdig can summarize live events through built-in chisels or show raw syscall-level activity with filters. The examples below cover the commands most readers need first.
Launch csysdig on Ubuntu
Start the ncurses interface with root privileges so it can read kernel-level events:
sudo csysdig
csysdig opens a top-like view for processes, containers, connections, and files. Press F2 to switch views, use the arrow keys to navigate, and press q to quit.

View Top Processes with Sysdig
Use the topprocs_cpu chisel to show processes ranked by CPU usage:
sudo sysdig -c topprocs_cpu
The display updates continuously until you press Ctrl+C. For basic process monitoring without syscall tracing, install htop on Ubuntu as a lighter companion tool.

Display Network Connections with Sysdig
Use the netstat chisel to summarize active TCP and UDP connections:
sudo sysdig -c netstat
The output shows connection states, local addresses, and remote addresses from Sysdig’s event stream.

List Processes with Sysdig
Capture a process snapshot with the ps chisel:
sudo sysdig -c ps
This view is similar to ps aux, but Sysdig builds it from the same event source used for deeper filters and chisels.

Explore Available Sysdig Chisels
List built-in chisels when you need a view for files, network activity, containers, errors, or security events:
sysdig -cl
Relevant output begins with grouped categories:
Category: Application
---------------------
httplog.lua HTTP requests log
httptop.lua Top HTTP requests
memcachelog.lua memcached requests log
Category: CPU Usage
-------------------
spectrogram.lua Visualize OS latency in real time.
Useful starting points include topfiles_bytes for file I/O, topconns for network bandwidth, and spy_users for interactive user activity.
Troubleshoot Sysdig on Ubuntu
Most Sysdig failures come from terminal definitions, missing kernel headers, or running capture commands without elevated privileges.
Fix the xterm-256color Error in csysdig
If csysdig cannot find your terminal definition, it may show this error:
Error opening terminal: xterm-256color
Install ncurses-term, then launch csysdig again:
sudo apt install ncurses-term
sudo csysdig
Fix Sysdig Kernel Module Errors
If Sysdig reports a missing or unloaded probe, check DKMS first:
dkms status | grep -E 'scap|sysdig'
A missing result usually means the module did not build for the running kernel. Install matching headers and rerun DKMS:
sudo apt install linux-headers-$(uname -r)
sudo dkms autoinstall
If APT ends with the generic Sub-process /usr/bin/dpkg returned an error code message during Sysdig setup, treat it as a package-script failure and check the DKMS state first. The real cause is usually above that final APT line.
On Ubuntu, do not use Debian’s linux-headers-amd64 package name for this fix. The release-specific header package above is the safest match for the kernel that is actually running.
Official Sysdig packages and Ubuntu 26.04/24.04 packages use scap. Ubuntu 22.04’s distro package uses sysdig_probe, so older-release troubleshooting output can show that module name instead.
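The grep-based check above confirms that a Sysdig module exists in DKMS, but not that it was built for the kernel you are running. The following added example (not part of the original guide) is a shell function that parses `dkms status` in both the newer `module/version` layout and the older `module, version` layout and reports the state for one kernel. The sample lines and kernel releases are constructed, and the `sysdig` DKMS name used for the Ubuntu 22.04 sample is an assumption.

```shell
#!/usr/bin/env bash
# Added example: decide whether a Sysdig DKMS module is installed for one
# specific kernel, not just present somewhere in `dkms status`.

# Usage: dkms status | sysdig_dkms_state "$(uname -r)"
# Prints: installed | not-for-kernel | missing
sysdig_dkms_state() {
    awk -v kernel="$1" '
        {
            i = index($0, ": ")
            if (i == 0) next                     # not a "...: status" line
            status = substr($0, i + 2)
            split(substr($0, 1, i - 1), f, /, */)
            name = f[1]
            slash = index(name, "/")
            # "module/version, kernel, arch" keeps the kernel in field 2;
            # the older "module, version, kernel, arch" keeps it in field 3.
            if (slash) { name = substr(name, 1, slash - 1); k = f[2] }
            else       { k = f[3] }
            if (name !~ /^(scap|sysdig)/) next   # same names the guide greps for
            found = 1
            if (k == kernel && status ~ /^installed/) ok = 1
        }
        END { print (ok ? "installed" : (found ? "not-for-kernel" : "missing")) }
    '
}

# Constructed sample lines; the kernel releases are made up for the demo.
SAMPLE_NEW='scap/8.1.0+driver, 6.8.0-31-generic, x86_64: installed'
# Assumption: the Ubuntu 22.04 distro module is listed under the name "sysdig".
SAMPLE_OLD='sysdig, 0.27.1, 5.15.0-25-generic, x86_64: installed'

# Module built for the kernel that is asked about.
printf '%s\n' "$SAMPLE_NEW" | sysdig_dkms_state 6.8.0-31-generic
# Module present, but only for an older kernel: headers plus
# "dkms autoinstall" are still needed for the running one.
printf '%s\n' "$SAMPLE_NEW" | sysdig_dkms_state 6.8.0-40-generic
# Older comma-separated layout.
printf '%s\n' "$SAMPLE_OLD" | sysdig_dkms_state 5.15.0-25-generic
```

A `not-for-kernel` result after a kernel upgrade points at missing headers for the new kernel rather than a broken Sysdig package.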
Fix Sysdig Permission Errors
Live captures need root privileges. If a capture command fails as a regular user, rerun it with sudo:
sudo sysdig -c ps
The same rule applies to the interactive interface, so use sudo csysdig for full host visibility.
Update or Remove Sysdig on Ubuntu
Update Sysdig with APT like any other package, then remove the package, repository files, and loaded module state only when you no longer need live tracing.
Update Sysdig on Ubuntu
Upgrade only the Sysdig package after refreshing package metadata:
sudo apt update && sudo apt install --only-upgrade sysdig -y
Confirm the version afterward:
sysdig --version
Remove Sysdig from Ubuntu
Remove the main package first:
sudo apt remove sysdig -y
If you used Ubuntu’s repository package and want to remove the matching DKMS helper package too, use the package name for your release.
Ubuntu 26.04 and 24.04:
sudo apt remove falcosecurity-scap-dkms -y
Ubuntu 22.04:
sudo apt remove sysdig-dkms -y
Package removal deletes the DKMS files, but a module that was already loaded can remain in the running kernel until you unload it. Check for a loaded Sysdig module:
lsmod | grep -E '^(scap|sysdig_probe)' || echo 'No loaded Sysdig module found'
If the command shows scap, unload it:
sudo rmmod scap
If the command shows sysdig_probe, unload that older module name instead:
sudo rmmod sysdig_probe
If you added the official Sysdig repository, remove its source file and keyring:
sudo rm -f /etc/apt/sources.list.d/sysdig.sources
sudo rm -f /usr/share/keyrings/sysdig.gpg
sudo apt update
Verify that the package is not installed and that the official 0.41.x candidate is gone:
apt-cache policy sysdig
dkms status | grep -E 'scap|sysdig' || echo 'No Sysdig DKMS modules remain'
After removing the official repository, Ubuntu’s own package may still appear as a candidate. On Ubuntu 26.04, that looks like this:
sysdig:
Installed: (none)
Candidate: 0.40.0+repack-3
Version table:
0.40.0+repack-3 500
500 http://archive.ubuntu.com/ubuntu resolute/universe amd64 Packages
No Sysdig DKMS modules remain
Run sudo apt autoremove only after reviewing APT’s proposed removals. Sysdig installs compiler and DKMS dependencies, but reused systems can also have unrelated old kernels or desktop helpers marked as autoremovable.
Conclusion
Sysdig is ready on Ubuntu for syscall tracing, container inspection, and quick csysdig exploration. The official repository keeps the package on the current 0.41.x branch, while Ubuntu’s package remains available for simpler distro-managed installs. For broader container work, install Docker on Ubuntu; for lighter process monitoring, install htop on Ubuntu.

