Skip to content

Event Command Usage

The event command in traceectl is used for managing events within Tracee. It allows you to list, describe, enable, and disable various event types that Tracee can capture. Below is the usage guide for the event command and its subcommands.

Usage

The event command is structured as follows:

traceectl event [subcommand] [flags]

Subcommands

  • describe: Retrieves detailed information about a specific event or all the events, including its fields, types, and other metadata.
traceectl event describe EVENT
  • EVENT: The name of the event to describe (default is all events).
  • --format: Specifies the format (default is table).
  • --server: Specifies the server unix socket path (default is /var/run/tracee.sock)

  • --output: Specifies the output (default is stdout)

  • enable: Enables capturing of a specific event type in Tracee.

traceectl event enable <event_name>
  • EVENT: The name of the event to enable.
  • --server: Specifies the server unix socket path (default is /var/run/tracee.sock)

  • --output: Specifies the output (default is stdout)

  • disable: Disables capturing of a specific event type in Tracee.

traceectl event disable <event_name>
  • EVENT: The name of the event to disable.
  • --server: Specifies the server unix socket path (default is /var/run/tracee.sock)
  • --output: Specifies the output (default is stdout)

Examples

  • List All Events in JSON Format
traceectl event describe --format json
  • Describe an Event
traceectl event describe execve
  • Enable an Event
traceectl event enable execve
  • Disable an Event
traceectl event disable execve

Summary

The event command in traceectl is a powerful tool for managing Tracee's event capabilities. Use the, describe, enable, and disable subcommands to gain detailed insight and control over the events Tracee monitors.