Running An App With AppScope
AppScope provides runtime-agnostic, black-box instrumentation that works with any Linux binary. AppScope gathers detailed metrics and events about application behavior: resource consumption (like CPU, memory, disk, and network I/O), and detailed events about files opened, network sockets opened, and application-level events from HTTP.
AppScope can even retrieve full payload data from encrypted streams, due to its position inside each scoped application itself. To learn more about AppScope basics, how it works, and its fundamental capabilities, check out AppScope Fundamentals.
In this sandbox, we have a full Ubuntu desktop environment running in a container, with the screen displayed in the browser via VNC. We've preloaded AppScope, using the instructions from the AppScope download page. We've preconfigured this container to automatically output data to Stream using the environment variable SCOPE_CRIBL. You can see this by typing the command below into the terminal at right:
important
- In the terminal, type:
env | grep SCOPE_CRIBL
Note that, due to the VNC client, clipboards do not automatically synchronize. Copying and pasting into the desktop environment does not work.
We can use the scope CLI to easily instrument any Linux binary. Let's see how easy it is to get data to Stream from a built-in utility like top. First, we'll use scope to instrument top:
important
- In the terminal, type:
scope top -b
Now top is outputting some console data every second. AppScope is capturing all of the console output data, and some metrics about resource consumption from top. Let's see the data in Stream.
important
- Click the "Stream" tab up top.
- With the "Manage" tab active in Stream's top nav, click "Data > Sources".
- In the search bar, type "appscope".
- Click the "AppScope" tile.
- Click the "Live" button to the right of the preconfigured AppScope source.
- Click the "Charts" tab at the top of the new modal.
Stream makes it easy to troubleshoot and diagnose data flow. We can see that data is coming in from the AppScope input. Next, let's capture some of this data.
important
Capture data in Stream
- Click "Live Data" at the top of the modal.
- Click "Stop", then click "Capture..." to start a new capture.
- Leave the "Capture Time" at the default "10".
- For "Capture Up to N Events," enter "1000".
- Click "Start".
Stream makes it easy to interactively capture data flowing through the system. Here, we've captured up to 1,000 events over 10 seconds. Next, we can look through these events to see what kind of data we have coming from AppScope.
AppScope collects metric data about resource consumption, event data about network connections, files opened, HTTP requests, and more. Let's look at a few different types of events:
important
Look at metric event data
- Below "Capture", click the "Filter visible rows" button.
- Enter _metric in the Filter expression bar.
Now, we can see metric events captured (if any) about CPU and memory consumption, filesystem and network I/O, and more.
important
Look at non-metric event data
- Enter !_metric in the Filter expression bar.
Now, we've inverted the filter and we're looking for !_metric. Here, we'll see events for every file open and close. Notice that top opens a lot of files in /proc! (Expand the data field in some events where you see it.) Let's look just at console data.
important
Look at console data
- Enter sourcetype=='console' in the Filter expression bar.
Now, we're looking just at the console output of top. AppScope makes it easy to collect fine-grained data about application performance, events about application behavior, and logs from the console or other log files.
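The three filter expressions used above are JavaScript expressions evaluated against each event. As an added example (not part of the original tutorial and not Cribl's own code), the script below applies them to constructed sample events to show how they partition a capture, and goes one step further by grouping file opens by directory. Every field name other than _metric and sourcetype, and the compileFilter helper, are assumptions for illustration.

```javascript
// Constructed sample events shaped like a capture of `scope top -b`.
// Field names other than _metric and sourcetype are assumptions.
const captured = [
  { _metric: 'proc.cpu', _value: 12000, proc: 'top' },
  { _metric: 'fs.open', _value: 3, proc: 'top' },
  { sourcetype: 'fs', source: 'fs.open', proc: 'top', data: { file: '/proc/1/stat' } },
  { sourcetype: 'fs', source: 'fs.close', proc: 'top', data: { file: '/proc/1/stat' } },
  { sourcetype: 'fs', source: 'fs.open', proc: 'top', data: { file: '/proc/meminfo' } },
  { sourcetype: 'fs', source: 'fs.open', proc: 'top', data: { file: '/etc/ld.so.cache' } },
  { sourcetype: 'console', source: 'stdout', proc: 'top', data: { message: 'top - 10:00:01 up 1 min' } },
];

// Compile a filter expression so bare names resolve to event fields and a
// missing field reads as undefined instead of throwing a ReferenceError.
// Only for the fixed expressions below; never compile untrusted input this way.
function compileFilter(expr) {
  const fn = new Function('scope', `with (scope) { return (${expr}); }`);
  return (event) => {
    const scope = new Proxy(event, { has: (_t, key) => typeof key === 'string' });
    return Boolean(fn(scope));
  };
}

const filters = ['_metric', '!_metric', "sourcetype=='console'"];

// Count how many captured events each of the tutorial's filters keeps.
function countMatches(events) {
  const out = {};
  for (const expr of filters) out[expr] = events.filter(compileFilter(expr)).length;
  return out;
}

// Group the non-metric file-open events by top-level directory.
function openedDirs(events) {
  const isOpen = compileFilter("!_metric && source=='fs.open'");
  const dirs = {};
  for (const e of events.filter(isOpen)) {
    const top = '/' + e.data.file.split('/')[1];
    dirs[top] = (dirs[top] || 0) + 1;
  }
  return dirs;
}

console.log(countMatches(captured), openedDirs(captured));
```

Grouping opens by directory turns the observation that top reads heavily from /proc into a per-process baseline, so an open outside the expected directories stands out.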
Next, let's send this data to some popular analysis tools for visualization! Stream will make it easy to connect data from AppScope to any tool – in our case, Prometheus/Grafana and Elasticsearch/Kibana.