Mark Stemm edited this page Oct 4, 2018 · 1 revision
How it works
A new set of filterchecks, fd.*ip.name (that is, the .name form of fd.cip, fd.sip, fd.lip and fd.rip), has been added to the sysdig filter engine. They match a domain name against the client, server, local or remote IP address of the file descriptor.
If a filter contains fd.*ip.name, the domain names on the right-hand side of the comparison (for example =foo.com or in (foo.com, bar.com)) are resolved the first time the condition is evaluated, and the resolved addresses are then kept in sync by a separate thread using the following strategy:
Domain names have a base refresh interval of 10 seconds.
If a full refresh cycle finds that the IP addresses for a domain name have not changed, the refresh interval for that name is doubled, up to a maximum of 320 seconds (just over 5 minutes).
Domain names that have not been used in any filter for an hour are deleted from the cache.
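The refresh and eviction strategy above, as an added stand-alone model written for this page. It is not sysdig's own code: the DomainCache class, its method names and the in-memory resolver are hypothetical, the IP addresses are constructed documentation-range values, and the choice to reset the interval to 10 seconds when a resolution changes is an assumption the page does not state. It goes slightly beyond the text by also showing what happens when a name's addresses do change mid-run.

```python
# Added example (not sysdig code): a model of how fd.*ip.name domain names
# are resolved on first use, refreshed with exponential backoff on a
# background thread, and evicted after an hour without use.

BASE_REFRESH_S = 10     # page: base refresh time of 10 seconds
MAX_REFRESH_S = 320     # page: doubled until 320 seconds
UNUSED_TTL_S = 3600     # page: unused for an hour -> deleted


class DomainEntry:
    """Cached resolution of one domain name named in a filter."""

    def __init__(self, name, addrs, now):
        self.name = name
        self.addrs = addrs              # set of IP strings
        self.interval = BASE_REFRESH_S
        self.next_refresh = now + self.interval
        self.last_used = now


class DomainCache:
    """Hypothetical cache standing in for the sysdig resolver thread's state.

    `resolver(name)` returns the list of IPs for `name`; here it is an
    offline stand-in for DNS, constructed for the example.
    """

    def __init__(self, resolver):
        self.resolver = resolver
        self.entries = {}

    def match(self, name, ip, now):
        """Evaluate a 'fd.*ip.name = name' comparison against `ip` at time `now`.

        The first evaluation resolves the name and creates the cache entry;
        every evaluation marks the name as used.
        """
        entry = self.entries.get(name)
        if entry is None:
            entry = DomainEntry(name, set(self.resolver(name)), now)
            self.entries[name] = entry
        entry.last_used = now
        return ip in entry.addrs

    def refresh(self, now):
        """One pass of the background refresh thread; returns names refreshed."""
        refreshed = []
        for entry in self.entries.values():
            if now < entry.next_refresh:
                continue
            fresh = set(self.resolver(entry.name))
            if fresh == entry.addrs:
                # unchanged: back off, capped at MAX_REFRESH_S
                entry.interval = min(entry.interval * 2, MAX_REFRESH_S)
            else:
                # changed: assumption, restart from the base interval
                entry.addrs = fresh
                entry.interval = BASE_REFRESH_S
            entry.next_refresh = now + entry.interval
            refreshed.append(entry.name)
        return refreshed

    def evict(self, now):
        """Drop names unused for UNUSED_TTL_S or longer; returns the names dropped."""
        stale = [n for n, e in self.entries.items() if now - e.last_used >= UNUSED_TTL_S]
        for name in stale:
            del self.entries[name]
        return stale


def simulate():
    """Drive the cache in one-second ticks and record the refresh schedule.

    Constructed scenario: foo.com resolves to the same address throughout;
    bar.com moves to a new address at t=50. Returns a dict of observations.
    """
    answers = {"foo.com": ["198.51.100.7"], "bar.com": ["203.0.113.9"]}
    cache = DomainCache(lambda name: answers[name])
    first = {
        "foo_match": cache.match("foo.com", "198.51.100.7", 0),
        "foo_miss": cache.match("foo.com", "203.0.113.9", 0),
        "bar_match": cache.match("bar.com", "203.0.113.9", 0),
    }
    log = {"foo.com": [], "bar.com": []}      # (refresh time, interval after)
    for now in range(1, 1001):
        if now == 50:
            answers["bar.com"] = ["203.0.113.10"]   # DNS answer changes
        for name in cache.refresh(now):
            log[name].append((now, cache.entries[name].interval))
    cache.match("bar.com", "203.0.113.10", 1000)    # keep bar.com in use
    evicted = cache.evict(UNUSED_TTL_S)             # foo.com last used at t=0
    return {"first": first, "log": log, "evicted": evicted,
            "remaining": sorted(cache.entries)}


if __name__ == "__main__":
    print(simulate())
```

Running it shows foo.com refreshed at t=10, 30, 70, 150, 310 and then every 320 seconds, while bar.com drops back to the 10-second interval at t=70, the first refresh after its address changed. The gap between refreshes is also the window during which a rule can keep matching an address a name no longer resolves to.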
Notes
fd.*ip.name fields can also be used in the output expression (-p), but they return a meaningful value only when the corresponding IP field (fd.*ip) is one of the addresses that a domain name used in the filter resolves to. For example, running
sysdig "proc.name=apache" -p "Source IP=%fd.sip.name"
never prints a meaningful value for fd.sip.name, because no event was filtered by that name, so no name was ever resolved. On the other hand,
sysdig "proc.name=apache and fd.sip.name=yahoo.com" -p "Source IP=%fd.sip.name"
prints a meaningful value, because fd.sip.name was used to match the system call event. Note also that the comparison is made against the cached resolution, so after a DNS change a rule can keep matching the old addresses for up to the current refresh interval (at most 320 seconds).