Cribl Sandbox

    Running An App With AppScope

    AppScope provides runtime-agnostic, black-box instrumentation that works with any Linux binary. AppScope gathers detailed metrics and events about application behavior: resource consumption (like CPU, memory, disk, and network I/O), and detailed events about files opened, network sockets opened, and application-level events from HTTP.

    AppScope can even retrieve full payload data from encrypted streams, due to its position inside each scoped application itself. To learn more about AppScope basics, how it works, and its fundamental capabilities, check out AppScope Fundamentals.

    In this sandbox, we have a full Ubuntu desktop environment running in a container, with the screen displayed in the browser via VNC. We've preloaded AppScope, using the instructions from the AppScope download page. We've preconfigured this container to automatically output data to Stream using the environment variable SCOPE_CRIBL. You can see this by typing the command below into the terminal at right:

    important
    1. In the terminal, type:
        env | grep SCOPE_CRIBL

    Note that, due to the VNC client, clipboards do not automatically synchronize. Copying and pasting into the desktop environment does not work.

    We can use the scope CLI to easily instrument any Linux binary. Let's see how easy it is to get data to Stream from a built-in utility like top. First, we'll use scope to instrument top:

    important
    1. In the terminal, type:
        scope top -b

    Now top is outputting some console data every second. AppScope is capturing all of the console output data, and some metrics about resource consumption from top. Let's see the data in Stream.

    important
    1. Click the "Stream" tab up top.
    2. With the "Manage" tab active in Stream's top nav, click "Data > Sources".
    3. In the search bar, type "appscope".
    4. Click the "AppScope" tile.
    5. Click the "Live" button to the right of the preconfigured AppScope source.
    6. Click the "Charts" tab at the top of the new modal.

    Stream makes it easy to troubleshoot and diagnose data flow. We can see that data is coming in from the AppScope input. Next, let's capture some of this data.

    important

    Capture data in Stream

    1. Click "Live Data" at the top of the modal.
    2. Click "Stop", then click "Capture..." to start a new capture.
    3. Leave the "Capture Time" at the default "10".
    4. For "Capture Up to N Events," enter "1000".
    5. Click "Start".

    Stream makes it easy to interactively capture data flowing through the system. Here, we've captured up to 1,000 events over 10 seconds. Next, we can look through these events to see what kind of data we have coming from AppScope.

    AppScope collects metric data about resource consumption, event data about network connections, files opened, HTTP requests, and more. Let's look at a few different types of events:

    important

    Look at metric event data

    1. Below "Capture", click the "Filter visible rows" button.
    2. Enter _metric in the Filter expression bar.

    Now, we can see metric events captured (if any) about CPU and memory consumption, filesystem and network I/O, and more.

    important

    Look at non-metric event data

    1. Enter !_metric in the Filter expression bar.

    Now, we've inverted the filter and we're looking for !_metric. Here, we'll see events for every file open and close. Notice that top opens a lot of files in /proc! (Expand the data field in some events where you see it.) Let's look just at console data.

    important

    Look at console data

    1. Enter sourcetype=='console' in the filter expression bar.

    Now, we're looking just at the console output of top. AppScope makes it easy to collect fine-grained data about application performance, events about application behavior, and logs from the console or other log files.
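    The three Stream filters used above (_metric, !_metric, and sourcetype=='console') can also be applied offline to the raw NDJSON that AppScope emits. The following is an added example, not part of the sandbox or of AppScope itself: the sample records are constructed, and the field layout (type, body, sourcetype, source, _metric, data.file) is assumed to mirror what the Stream AppScope source flattens into the filter namespace.

```python
import json

# Constructed sample of AppScope NDJSON output, modelled on what `scope top -b`
# emits: two metrics, /proc file open/close events, and one console line.
# Field names are assumed to match those used by the Stream filters on this page.
SAMPLE_NDJSON = """\
{"type":"metric","body":{"_metric":"proc.cpu","_metric_type":"counter","_value":4200,"proc":"top","pid":1234,"unit":"microsecond","_time":1700000000.1}}
{"type":"metric","body":{"_metric":"proc.mem","_metric_type":"gauge","_value":15360,"proc":"top","pid":1234,"unit":"kibibyte","_time":1700000000.2}}
{"type":"evt","body":{"sourcetype":"fs","source":"fs.open","proc":"top","pid":1234,"data":{"file":"/proc/1234/stat"},"_time":1700000000.3}}
{"type":"evt","body":{"sourcetype":"fs","source":"fs.close","proc":"top","pid":1234,"data":{"file":"/proc/1234/stat"},"_time":1700000000.4}}
{"type":"evt","body":{"sourcetype":"fs","source":"fs.open","proc":"top","pid":1234,"data":{"file":"/etc/localtime"},"_time":1700000000.5}}
{"type":"evt","body":{"sourcetype":"console","source":"stdout","proc":"top","pid":1234,"data":"top - 12:00:01 up 1 day,  1 user,  load average: 0.10","_time":1700000000.6}}
"""

def parse_events(ndjson: str) -> list:
    """Flatten each record's body, the way the Stream AppScope source exposes it to filters."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"type": rec.get("type"), **rec.get("body", {})})
    return events

# The three filter expressions from this page, written as Python predicates.
def is_metric(ev: dict) -> bool:        # Stream filter: _metric  (field present)
    return "_metric" in ev

def is_not_metric(ev: dict) -> bool:    # Stream filter: !_metric
    return not is_metric(ev)

def is_console(ev: dict) -> bool:       # Stream filter: sourcetype=='console'
    return ev.get("sourcetype") == "console"

def proc_files_opened(events: list) -> list:
    """Distinct files under /proc that were opened (the pattern the page points out for top)."""
    return sorted({ev["data"]["file"] for ev in events
                   if ev.get("source") == "fs.open"
                   and isinstance(ev.get("data"), dict)
                   and str(ev["data"].get("file", "")).startswith("/proc/")})

def summarize(ndjson: str = SAMPLE_NDJSON) -> dict:
    """Counts per filter plus the /proc files opened, for a quick sanity check of a capture."""
    events = parse_events(ndjson)
    return {"metric": sum(map(is_metric, events)),
            "non_metric": sum(map(is_not_metric, events)),
            "console": sum(map(is_console, events)),
            "proc_files": proc_files_opened(events)}
```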

    Next, let's send this data to some popular analysis tools for visualization! Stream will make it easy to connect data from AppScope to any tool – in our case, Prometheus/Grafana and Elasticsearch/Kibana.

    Copyright © 2023 Cribl, Inc.