Output Options
Tracee supports different output options for customizing the way events are printed. For a complete list of available options.
Available options:
Makes it possible to pick stack memory addresses from each event.
output:
  options:
    stack-addresses: true
For a better experience with the output provided by Tracee, you may opt to parse event arguments into a human-readable format.
output:
  options:
    parse-arguments: true
Sometimes it is also important to know the execution environment variables whenever an event is detected, especially when detecting an execve event.
output:
  options:
    exec-env: true
This is a special output option for sched_process_exec so the user can get the file hash and process ctime (particularly interesting if you would like to compare executed binaries against a list of known hashes, for example).
output:
  options:
    exec-hash: dev-inode
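One way to do the comparison against known hashes described above, as an added example that is not part of the Tracee documentation. It assumes Tracee writes JSON events one per line with an `eventName` field and an `args` list of name/value pairs, and that the hash and path arguments are named `sha256` and `pathname`; the allowlist, helper names and sample events are constructed.

```python
import json

# Hypothetical allowlist of approved binaries' SHA-256 digests.
# These digests are constructed placeholders, not real file hashes.
KNOWN_GOOD = {"a" * 64, "b" * 64}

def exec_args(event):
    """Flatten the assumed args list of {name, value} pairs into a dict."""
    return {a.get("name"): a.get("value") for a in event.get("args") or []}

def unknown_execs(lines, known=KNOWN_GOOD):
    """Return (pathname, sha256, ctime) for execs whose hash is not allowlisted."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines mixed into the stream
        if (not isinstance(event, dict)
                or event.get("eventName") != "sched_process_exec"):
            continue
        args = exec_args(event)
        # A missing hash becomes None and is reported, never treated as known.
        digest = (args.get("sha256") or "").lower() or None
        if digest not in known:
            findings.append((args.get("pathname"), digest, args.get("ctime")))
    return findings

def make_event(name, path, digest, ctime):
    """Build one constructed JSON event line in the assumed shape."""
    args = [{"name": "pathname", "value": path},
            {"name": "ctime", "value": ctime}]
    if digest is not None:
        args.append({"name": "sha256", "value": digest})
    return json.dumps({"eventName": name, "args": args})

# Constructed sample stream: allowlisted exec, unlisted exec, exec without
# a hash, an unrelated event, and a non-JSON line.
SAMPLE = [
    make_event("sched_process_exec", "/usr/bin/ls", "a" * 64, 1700000000),
    make_event("sched_process_exec", "/tmp/unknown-tool", "c" * 64, 1700000100),
    make_event("sched_process_exec", "/usr/bin/id", None, 1700000200),
    make_event("openat", "/etc/passwd", None, 0),
    "not json",
]

if __name__ == "__main__":
    for path, digest, ctime in unknown_execs(SAMPLE):
        print(f"unlisted exec: {path} sha256={digest} ctime={ctime}")
```

Reporting the ctime next to the hash lets a reviewer see whether an unlisted binary was changed recently.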
This makes it possible to sort the events as they happened. Especially in systems where Tracee tracks lots of events, it can happen that they are received unordered. More information is provided in the deep-dive section of the documentation.
output:
  options:
    sort-events: true