Documentation

    PLEASE NOTE: This document applies to v2.18 version and not to the latest stable release v2.19

    trace

    Trace system activity using eBPF via bpftrace.

    This module provides pre-built probes for common tracing scenarios without requiring bpftrace knowledge. For advanced use cases, custom bpftrace expressions can be provided.

    Prerequisites

    • bpftrace must be installed and available in PATH
    • Root privileges (via become: true) are typically required

    Return Values

    When registered, the following fields are available:

    • extra.events: List of captured events
    • extra.stats.total: Total number of events
    • extra.stats.by_comm: Event count grouped by command name
    • extra.duration_ms: Actual trace duration in milliseconds

    Attributes

    check_mode:
      support: none
    

    Parameters

    Parameter Required Type Values Description
    probe   string    
    expr   string    
    duration   string    
    filter   string    

    Examples

    Trace file opens during startup

    ```yaml
    - trace:
        probe: file_opens
        duration: 10s
      register: files

    - debug:
        msg: "Files opened: {{ files.extra.events | length }}"
    ```

    Trace process execution

    ```yaml
    - trace:
        probe: process_exec
        duration: 5s
      become: true
      register: procs
    ```

    Filter syscalls

    ```yaml
    - trace:
        probe: syscalls
        filter: open,openat,read,write
        duration: 10s
      register: syscalls
    ```

    Custom bpftrace expression

    ```yaml
    - trace:
        expr: 'tracepoint:syscalls:sys_enter_open { @[comm] = count(); }'
        duration: 10s
      become: true
      register: custom
    ```
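
    Baseline check on the registered result

    The following is an added example, not part of the original documentation: it uses the return values listed above to summarise a process_exec trace and fail the run when a command outside an expected set was executed during the window. It assumes that extra.stats.by_comm is a mapping of command name to event count, that an assert module with a that list is available, and that the template engine provides the reject filter and the in test; the allowlist is constructed sample data.

    ```yaml
    # Added example. Assumptions: by_comm is a mapping {command name: count};
    # the assert module and the reject/in/list template helpers exist.
    - trace:
        probe: process_exec
        duration: 30s
      become: true
      register: procs

    # Summary built only from the documented return fields.
    - debug:
        msg: "{{ procs.extra.stats.total }} exec events in {{ procs.extra.duration_ms }} ms, by command: {{ procs.extra.stats.by_comm }}"

    # Iterating the mapping yields command names; any name that is not in the
    # constructed allowlist survives the reject filter and fails the assertion.
    - assert:
        that:
          - 'procs.extra.stats.by_comm | reject("in", ["sh", "bash", "sshd", "cron", "systemd"]) | list | length == 0'
    ```

    Commands that start and exit inside the window still appear in by_comm, so this catches short-lived processes that a point-in-time process listing would miss.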