Supported Events

Find out which events Falco supports

Here are the system call event types and args supported by the kernel module and BPF probe via libscap included in the Falco libs. Note that, for performance reasons, by default Falco will only consider a subset of them indicated in the table below with "yes". However, it's possible to make Falco consider all events by using the -A command line switch.

Note that several event types exist:

  • Syscall events correspond to Linux system calls. Most of them have parameters, documented below, while some are detected as generic and they only offer the syscall ID.
  • Tracepoint events represent internal kernel events that may be significant but don't directly translate to any syscall.
  • Metaevents are generated from supplementary data sources, for instance, during data enrichment procedures or when the need for asynchronous actions arises. This group also encompasses some of Falco's internally produced events (such as the drop event) that are unavailable for rules.
  • Plugin events act as an envelope for actual plugin event data. In order to write rules that use plugins use the fields documented in the individual plugin.

Schema Version: 2.0.0

Syscall events

DefaultDirNameArgs
Yes>openFSPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, UINT32 mode
Yes<openFD fd, FSPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, UINT32 mode, UINT32 dev, UINT64 ino
Yes>closeFD fd
Yes<closeERRNO res
No>readFD fd, UINT32 size
No<readERRNO res, BYTEBUF data
No>writeFD fd, UINT32 size
No<writeERRNO res, BYTEBUF data
Yes>socketENUMFLAGS32 domain: AF_NFC, AF_ALG, AF_CAIF, AF_IEEE802154, AF_PHONET, AF_ISDN, AF_RXRPC, AF_IUCV, AF_BLUETOOTH, AF_TIPC, AF_CAN, AF_LLC, AF_WANPIPE, AF_PPPOX, AF_IRDA, AF_SNA, AF_RDS, AF_ATMSVC, AF_ECONET, AF_ASH, AF_PACKET, AF_ROUTE, AF_NETLINK, AF_KEY, AF_SECURITY, AF_NETBEUI, AF_DECnet, AF_ROSE, AF_INET6, AF_X25, AF_ATMPVC, AF_BRIDGE, AF_NETROM, AF_APPLETALK, AF_IPX, AF_AX25, AF_INET, AF_LOCAL, AF_UNIX, AF_UNSPEC, UINT32 type, UINT32 proto
Yes<socketFD fd
Yes>bindFD fd
Yes<bindERRNO res, SOCKADDR addr
Yes>connectFD fd, SOCKADDR addr
Yes<connectERRNO res, SOCKTUPLE tuple, FD fd
Yes>listenFD fd, UINT32 backlog
Yes<listenERRNO res
No>sendFD fd, UINT32 size
No<sendERRNO res, BYTEBUF data
Yes>sendtoFD fd, UINT32 size, SOCKTUPLE tuple
Yes<sendtoERRNO res, BYTEBUF data
No>recvFD fd, UINT32 size
No<recvERRNO res, BYTEBUF data
Yes>recvfromFD fd, UINT32 size
Yes<recvfromERRNO res, BYTEBUF data, SOCKTUPLE tuple
Yes>shutdownFD fd, ENUMFLAGS8 how: SHUT_RDWR, SHUT_WR, SHUT_RD
Yes<shutdownERRNO res
Yes>getsockname
Yes<getsockname
Yes>getpeername
Yes<getpeername
Yes>socketpairENUMFLAGS32 domain: AF_NFC, AF_ALG, AF_CAIF, AF_IEEE802154, AF_PHONET, AF_ISDN, AF_RXRPC, AF_IUCV, AF_BLUETOOTH, AF_TIPC, AF_CAN, AF_LLC, AF_WANPIPE, AF_PPPOX, AF_IRDA, AF_SNA, AF_RDS, AF_ATMSVC, AF_ECONET, AF_ASH, AF_PACKET, AF_ROUTE, AF_NETLINK, AF_KEY, AF_SECURITY, AF_NETBEUI, AF_DECnet, AF_ROSE, AF_INET6, AF_X25, AF_ATMPVC, AF_BRIDGE, AF_NETROM, AF_APPLETALK, AF_IPX, AF_AX25, AF_INET, AF_LOCAL, AF_UNIX, AF_UNSPEC, UINT32 type, UINT32 proto
Yes<socketpairERRNO res, FD fd1, FD fd2, UINT64 source, UINT64 peer
Yes>setsockopt
Yes<setsockoptERRNO res, FD fd, ENUMFLAGS8 level: SOL_SOCKET, SOL_TCP, UNKNOWN, ENUMFLAGS8 optname: SO_COOKIE, SO_MEMINFO, SO_PEERGROUPS, SO_ATTACH_BPF, SO_INCOMING_CPU, SO_BPF_EXTENSIONS, SO_MAX_PACING_RATE, SO_BUSY_POLL, SO_SELECT_ERR_QUEUE, SO_LOCK_FILTER, SO_NOFCS, SO_PEEK_OFF, SO_WIFI_STATUS, SO_RXQ_OVFL, SO_DOMAIN, SO_PROTOCOL, SO_TIMESTAMPING, SO_MARK, SO_TIMESTAMPNS, SO_PASSSEC, SO_PEERSEC, SO_ACCEPTCONN, SO_TIMESTAMP, SO_PEERNAME, SO_DETACH_FILTER, SO_ATTACH_FILTER, SO_BINDTODEVICE, SO_SECURITY_ENCRYPTION_NETWORK, SO_SECURITY_ENCRYPTION_TRANSPORT, SO_SECURITY_AUTHENTICATION, SO_SNDTIMEO, SO_RCVTIMEO, SO_SNDLOWAT, SO_RCVLOWAT, SO_PEERCRED, SO_PASSCRED, SO_REUSEPORT, SO_BSDCOMPAT, SO_LINGER, SO_PRIORITY, SO_NO_CHECK, SO_OOBINLINE, SO_KEEPALIVE, SO_RCVBUFFORCE, SO_SNDBUFFORCE, SO_RCVBUF, SO_SNDBUF, SO_BROADCAST, SO_DONTROUTE, SO_ERROR, SO_TYPE, SO_REUSEADDR, SO_DEBUG, UNKNOWN, DYNAMIC val, UINT32 optlen
Yes>getsockopt
Yes<getsockoptERRNO res, FD fd, ENUMFLAGS8 level: SOL_SOCKET, SOL_TCP, UNKNOWN, ENUMFLAGS8 optname: SO_COOKIE, SO_MEMINFO, SO_PEERGROUPS, SO_ATTACH_BPF, SO_INCOMING_CPU, SO_BPF_EXTENSIONS, SO_MAX_PACING_RATE, SO_BUSY_POLL, SO_SELECT_ERR_QUEUE, SO_LOCK_FILTER, SO_NOFCS, SO_PEEK_OFF, SO_WIFI_STATUS, SO_RXQ_OVFL, SO_DOMAIN, SO_PROTOCOL, SO_TIMESTAMPING, SO_MARK, SO_TIMESTAMPNS, SO_PASSSEC, SO_PEERSEC, SO_ACCEPTCONN, SO_TIMESTAMP, SO_PEERNAME, SO_DETACH_FILTER, SO_ATTACH_FILTER, SO_BINDTODEVICE, SO_SECURITY_ENCRYPTION_NETWORK, SO_SECURITY_ENCRYPTION_TRANSPORT, SO_SECURITY_AUTHENTICATION, SO_SNDTIMEO, SO_RCVTIMEO, SO_SNDLOWAT, SO_RCVLOWAT, SO_PEERCRED, SO_PASSCRED, SO_REUSEPORT, SO_BSDCOMPAT, SO_LINGER, SO_PRIORITY, SO_NO_CHECK, SO_OOBINLINE, SO_KEEPALIVE, SO_RCVBUFFORCE, SO_SNDBUFFORCE, SO_RCVBUF, SO_SNDBUF, SO_BROADCAST, SO_DONTROUTE, SO_ERROR, SO_TYPE, SO_REUSEADDR, SO_DEBUG, UNKNOWN, DYNAMIC val, UINT32 optlen
Yes>sendmsgFD fd, UINT32 size, SOCKTUPLE tuple
Yes<sendmsgERRNO res, BYTEBUF data
No>sendmmsg
No<sendmmsg
Yes>recvmsgFD fd
Yes<recvmsgERRNO res, UINT32 size, BYTEBUF data, SOCKTUPLE tuple
No>recvmmsg
No<recvmmsg
Yes>creatFSPATH name, UINT32 mode
Yes<creatFD fd, FSPATH name, UINT32 mode, UINT32 dev, UINT64 ino
Yes>pipe
Yes<pipeERRNO res, FD fd1, FD fd2, UINT64 ino
Yes>eventfdUINT64 initval, FLAGS32 flags
Yes<eventfdFD res
Yes>futexUINT64 addr, ENUMFLAGS16 op: FUTEX_CLOCK_REALTIME, FUTEX_PRIVATE_FLAG, FUTEX_CMP_REQUEUE_PI, FUTEX_WAIT_REQUEUE_PI, FUTEX_WAKE_BITSET, FUTEX_WAIT_BITSET, FUTEX_TRYLOCK_PI, FUTEX_UNLOCK_PI, FUTEX_LOCK_PI, FUTEX_WAKE_OP, FUTEX_CMP_REQUEUE, FUTEX_REQUEUE, FUTEX_FD, FUTEX_WAKE, FUTEX_WAIT, UINT64 val
Yes<futexERRNO res
Yes>stat
Yes<statERRNO res, FSPATH path
Yes>lstat
Yes<lstatERRNO res, FSPATH path
Yes>fstatFD fd
Yes<fstatERRNO res
Yes>stat64
Yes<stat64ERRNO res, FSPATH path
Yes>lstat64
Yes<lstat64ERRNO res, FSPATH path
Yes>fstat64FD fd
Yes<fstat64ERRNO res
Yes>epoll_waitERRNO maxevents
Yes<epoll_waitERRNO res
Yes>pollFDLIST fds, INT64 timeout
Yes<pollERRNO res, FDLIST fds
Yes>select
Yes<selectERRNO res
Yes>lseekFD fd, UINT64 offset, ENUMFLAGS8 whence: SEEK_END, SEEK_CUR, SEEK_SET
Yes<lseekERRNO res
Yes>llseekFD fd, UINT64 offset, ENUMFLAGS8 whence: SEEK_END, SEEK_CUR, SEEK_SET
Yes<llseekERRNO res
Yes>getcwd
Yes<getcwdERRNO res, CHARBUF path
Yes>chdir
Yes<chdirERRNO res, CHARBUF path
Yes>fchdirFD fd
Yes<fchdirERRNO res
No>preadFD fd, UINT32 size, UINT64 pos
No<preadERRNO res, BYTEBUF data
No>pwriteFD fd, UINT32 size, UINT64 pos
No<pwriteERRNO res, BYTEBUF data
No>readvFD fd
No<readvERRNO res, UINT32 size, BYTEBUF data
No>writevFD fd, UINT32 size
No<writevERRNO res, BYTEBUF data
No>preadvFD fd, UINT64 pos
No<preadvERRNO res, UINT32 size, BYTEBUF data
No>pwritevFD fd, UINT32 size, UINT64 pos
No<pwritevERRNO res, BYTEBUF data
Yes>signalfdFD fd, UINT32 mask, FLAGS8 flags
Yes<signalfdFD res
Yes>killPID pid, SIGTYPE sig
Yes<killERRNO res
Yes>tkillPID tid, SIGTYPE sig
Yes<tkillERRNO res
Yes>tgkillPID pid, PID tid, SIGTYPE sig
Yes<tgkillERRNO res
Yes>nanosleepRELTIME interval
Yes<nanosleepERRNO res
Yes>timerfd_createUINT8 clockid, FLAGS8 flags
Yes<timerfd_createFD res
Yes>inotify_initFLAGS8 flags
Yes<inotify_initFD res
Yes>getrlimitENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU
Yes<getrlimitERRNO res, INT64 cur, INT64 max
Yes>setrlimitENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU
Yes<setrlimitERRNO res, INT64 cur, INT64 max
Yes>prlimitPID pid, ENUMFLAGS8 resource: RLIMIT_UNKNOWN, RLIMIT_RTTIME, RLIMIT_RTPRIO, RLIMIT_NICE, RLIMIT_MSGQUEUE, RLIMIT_SIGPENDING, RLIMIT_LOCKS, RLIMIT_AS, RLIMIT_MEMLOCK, RLIMIT_NOFILE, RLIMIT_NPROC, RLIMIT_RSS, RLIMIT_CORE, RLIMIT_STACK, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_CPU
Yes<prlimitERRNO res, INT64 newcur, INT64 newmax, INT64 oldcur, INT64 oldmax
Yes>fcntlFD fd, ENUMFLAGS8 cmd: F_GETPIPE_SZ, F_SETPIPE_SZ, F_NOTIFY, F_DUPFD_CLOEXEC, F_CANCELLK, F_GETLEASE, F_SETLEASE, F_GETOWN_EX, F_SETOWN_EX, F_SETLKW64, F_SETLK64, F_GETLK64, F_GETSIG, F_SETSIG, F_GETOWN, F_SETOWN, F_SETLKW, F_SETLK, F_GETLK, F_SETFL, F_GETFL, F_SETFD, F_GETFD, F_DUPFD, F_OFD_GETLK, F_OFD_SETLK, F_OFD_SETLKW, UNKNOWN
Yes<fcntlFD res
Yes>brkUINT64 addr
Yes<brkUINT64 res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap
Yes>mmapUINT64 addr, UINT64 length, FLAGS32 prot: PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM, PROT_GROWSDOWN, PROT_GROWSUP, PROT_SAO, PROT_NONE, FLAGS32 flags: MAP_SHARED, MAP_PRIVATE, MAP_FIXED, MAP_ANONYMOUS, MAP_32BIT, MAP_RENAME, MAP_NORESERVE, MAP_POPULATE, MAP_NONBLOCK, MAP_GROWSDOWN, MAP_DENYWRITE, MAP_EXECUTABLE, MAP_INHERIT, MAP_FILE, MAP_LOCKED, FD fd, UINT64 offset
Yes<mmapERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap
Yes>mmap2UINT64 addr, UINT64 length, FLAGS32 prot: PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM, PROT_GROWSDOWN, PROT_GROWSUP, PROT_SAO, PROT_NONE, FLAGS32 flags: MAP_SHARED, MAP_PRIVATE, MAP_FIXED, MAP_ANONYMOUS, MAP_32BIT, MAP_RENAME, MAP_NORESERVE, MAP_POPULATE, MAP_NONBLOCK, MAP_GROWSDOWN, MAP_DENYWRITE, MAP_EXECUTABLE, MAP_INHERIT, MAP_FILE, MAP_LOCKED, FD fd, UINT64 pgoffset
Yes<mmap2ERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap
Yes>munmapUINT64 addr, UINT64 length
Yes<munmapERRNO res, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap
Yes>spliceFD fd_in, FD fd_out, UINT64 size, FLAGS32 flags: SPLICE_F_MOVE, SPLICE_F_NONBLOCK, SPLICE_F_MORE, SPLICE_F_GIFT
Yes<spliceERRNO res
Yes>ptraceENUMFLAGS16 request: PTRACE_SINGLEBLOCK, PTRACE_SYSEMU_SINGLESTEP, PTRACE_SYSEMU, PTRACE_ARCH_PRCTL, PTRACE_SET_THREAD_AREA, PTRACE_GET_THREAD_AREA, PTRACE_OLDSETOPTIONS, PTRACE_SETFPXREGS, PTRACE_GETFPXREGS, PTRACE_SETFPREGS, PTRACE_GETFPREGS, PTRACE_SETREGS, PTRACE_GETREGS, PTRACE_SETSIGMASK, PTRACE_GETSIGMASK, PTRACE_PEEKSIGINFO, PTRACE_LISTEN, PTRACE_INTERRUPT, PTRACE_SEIZE, PTRACE_SETREGSET, PTRACE_GETREGSET, PTRACE_SETSIGINFO, PTRACE_GETSIGINFO, PTRACE_GETEVENTMSG, PTRACE_SETOPTIONS, PTRACE_SYSCALL, PTRACE_DETACH, PTRACE_ATTACH, PTRACE_SINGLESTEP, PTRACE_KILL, PTRACE_CONT, PTRACE_POKEUSR, PTRACE_POKEDATA, PTRACE_POKETEXT, PTRACE_PEEKUSR, PTRACE_PEEKDATA, PTRACE_PEEKTEXT, PTRACE_TRACEME, PTRACE_UNKNOWN, PID pid
Yes<ptraceERRNO res, DYNAMIC addr, DYNAMIC data
Yes>ioctlFD fd, UINT64 request, UINT64 argument
Yes<ioctlERRNO res
Yes>rename
Yes<renameERRNO res, FSPATH oldpath, FSPATH newpath
Yes>renameat
Yes<renameatERRNO res, FD olddirfd, FSRELPATH oldpath, FD newdirfd, FSRELPATH newpath
Yes>symlink
Yes<symlinkERRNO res, CHARBUF target, FSPATH linkpath
Yes>symlinkat
Yes<symlinkatERRNO res, CHARBUF target, FD linkdirfd, FSRELPATH linkpath
No>sendfileFD out_fd, FD in_fd, UINT64 offset, UINT64 size
No<sendfileERRNO res, UINT64 offset
Yes>quotactlFLAGS16 cmd: Q_QUOTAON, Q_QUOTAOFF, Q_GETFMT, Q_GETINFO, Q_SETINFO, Q_GETQUOTA, Q_SETQUOTA, Q_SYNC, Q_XQUOTAON, Q_XQUOTAOFF, Q_XGETQUOTA, Q_XSETQLIM, Q_XGETQSTAT, Q_XQUOTARM, Q_XQUOTASYNC, FLAGS8 type: USRQUOTA, GRPQUOTA, UINT32 id, FLAGS8 quota_fmt: QFMT_NOT_USED, QFMT_VFS_OLD, QFMT_VFS_V0, QFMT_VFS_V1
Yes<quotactlERRNO res, CHARBUF special, CHARBUF quotafilepath, UINT64 dqb_bhardlimit, UINT64 dqb_bsoftlimit, UINT64 dqb_curspace, UINT64 dqb_ihardlimit, UINT64 dqb_isoftlimit, RELTIME dqb_btime, RELTIME dqb_itime, RELTIME dqi_bgrace, RELTIME dqi_igrace, FLAGS8 dqi_flags: DQF_NONE, V1_DQF_RSQUASH, FLAGS8 quota_fmt_out: QFMT_NOT_USED, QFMT_VFS_OLD, QFMT_VFS_V0, QFMT_VFS_V1
Yes>setresuidUID ruid, UID euid, UID suid
Yes<setresuidERRNO res
Yes>setresgidGID rgid, GID egid, GID sgid
Yes<setresgidERRNO res
Yes>setuidUID uid
Yes<setuidERRNO res
Yes>setgidGID gid
Yes<setgidERRNO res
Yes>getuid
Yes<getuidUID uid
Yes>geteuid
Yes<geteuidUID euid
Yes>getgid
Yes<getgidGID gid
Yes>getegid
Yes<getegidGID egid
Yes>getresuid
Yes<getresuidERRNO res, UID ruid, UID euid, UID suid
Yes>getresgid
Yes<getresgidERRNO res, GID rgid, GID egid, GID sgid
Yes>clone
Yes<clonePID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts
Yes>fork
Yes<forkPID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts
Yes>vfork
Yes<vforkPID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts
Yes>getdentsFD fd
Yes<getdentsERRNO res
Yes>getdents64FD fd
Yes<getdents64ERRNO res
Yes>setnsFD fd, FLAGS32 nstype: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP
Yes<setnsERRNO res
Yes>flockFD fd, FLAGS32 operation: LOCK_SH, LOCK_EX, LOCK_NB, LOCK_UN, LOCK_NONE
Yes<flockERRNO res
Yes>accept
Yes<acceptFD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax
Yes>semopINT32 semid
Yes<semopERRNO res, UINT32 nsops, UINT16 sem_num_0, INT16 sem_op_0, FLAGS16 sem_flg_0: IPC_NOWAIT, SEM_UNDO, UINT16 sem_num_1, INT16 sem_op_1, FLAGS16 sem_flg_1: IPC_NOWAIT, SEM_UNDO
Yes>semctlINT32 semid, INT32 semnum, FLAGS16 cmd: IPC_STAT, IPC_SET, IPC_RMID, IPC_INFO, SEM_INFO, SEM_STAT, GETALL, GETNCNT, GETPID, GETVAL, GETZCNT, SETALL, SETVAL, INT32 val
Yes<semctlERRNO res
Yes>ppollFDLIST fds, RELTIME timeout, SIGSET sigmask
Yes<ppollERRNO res, FDLIST fds
Yes>mountFLAGS32 flags: RDONLY, NOSUID, NODEV, NOEXEC, SYNCHRONOUS, REMOUNT, MANDLOCK, DIRSYNC, NOATIME, NODIRATIME, BIND, MOVE, REC, SILENT, POSIXACL, UNBINDABLE, PRIVATE, SLAVE, SHARED, RELATIME, KERNMOUNT, I_VERSION, STRICTATIME, LAZYTIME, NOSEC, BORN, ACTIVE, NOUSER
Yes<mountERRNO res, CHARBUF dev, FSPATH dir, CHARBUF type
Yes>semgetINT32 key, INT32 nsems, FLAGS32 semflg: IPC_EXCL, IPC_CREAT
Yes<semgetERRNO res
Yes>accessFLAGS32 mode: F_OK, R_OK, W_OK, X_OK
Yes<accessERRNO res, FSPATH name
Yes>chroot
Yes<chrootERRNO res, FSPATH path
Yes>setsid
Yes<setsidPID res
Yes>mkdirUINT32 mode
Yes<mkdirERRNO res, FSPATH path
Yes>rmdir
Yes<rmdirERRNO res, FSPATH path
Yes>unshareFLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP
Yes<unshareERRNO res
Yes>execveFSPATH filename
Yes<execveERRNO res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, UINT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, BYTEBUF env, INT32 tty, PID pgid, INT32 loginuid, FLAGS32 flags: EXE_WRITABLE, EXE_UPPER_LAYER, UINT64 cap_inheritable, UINT64 cap_permitted, UINT64 cap_effective, UINT64 exe_ino, ABSTIME exe_ino_ctime, ABSTIME exe_ino_mtime, INT32 uid
Yes>setpgidPID pid, PID pgid
Yes<setpgidPID res
Yes>seccompUINT64 op
Yes<seccompERRNO res
Yes>unlink
Yes<unlinkERRNO res, FSPATH path
Yes>unlinkat
Yes<unlinkatERRNO res, FD dirfd, FSRELPATH name, FLAGS32 flags: AT_REMOVEDIR
Yes>mkdirat
Yes<mkdiratERRNO res, FD dirfd, FSRELPATH path, UINT32 mode
Yes>openatFD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, UINT32 mode
Yes<openatFD fd, FD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, UINT32 mode, UINT32 dev, UINT64 ino
Yes>link
Yes<linkERRNO res, FSPATH oldpath, FSPATH newpath
Yes>linkat
Yes<linkatERRNO res, FD olddir, FSRELPATH oldpath, FD newdir, FSRELPATH newpath, FLAGS32 flags: AT_SYMLINK_FOLLOW, AT_EMPTY_PATH
Yes>fchmodat
Yes<fchmodatERRNO res, FD dirfd, FSRELPATH filename, MODE mode
Yes>chmod
Yes<chmodERRNO res, FSPATH filename, MODE mode
Yes>fchmod
Yes<fchmodERRNO res, FD fd, MODE mode
Yes>renameat2
Yes<renameat2ERRNO res, FD olddirfd, FSRELPATH oldpath, FD newdirfd, FSRELPATH newpath, FLAGS32 flags: RENAME_NOREPLACE, RENAME_EXCHANGE, RENAME_WHITEOUT
Yes>userfaultfd
Yes<userfaultfdERRNO res, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE
Yes>openat2FD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, UINT32 mode, FLAGS32 resolve: RESOLVE_BENEATH, RESOLVE_IN_ROOT, RESOLVE_NO_MAGICLINKS, RESOLVE_NO_SYMLINKS, RESOLVE_NO_XDEV, RESOLVE_CACHED
Yes<openat2FD fd, FD dirfd, FSRELPATH name, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, UINT32 mode, FLAGS32 resolve: RESOLVE_BENEATH, RESOLVE_IN_ROOT, RESOLVE_NO_MAGICLINKS, RESOLVE_NO_SYMLINKS, RESOLVE_NO_XDEV, RESOLVE_CACHED
Yes>mprotectUINT64 addr, UINT64 length, FLAGS32 prot: PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM, PROT_GROWSDOWN, PROT_GROWSUP, PROT_SAO, PROT_NONE
Yes<mprotectERRNO res
Yes>execveatFD dirfd, FSRELPATH pathname, FLAGS32 flags: AT_EMPTY_PATH, AT_SYMLINK_NOFOLLOW
Yes<execveatERRNO res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, UINT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, BYTEBUF env, INT32 tty, PID pgid, INT32 loginuid, FLAGS32 flags: EXE_WRITABLE, EXE_UPPER_LAYER, UINT64 cap_inheritable, UINT64 cap_permitted, UINT64 cap_effective, UINT64 exe_ino, ABSTIME exe_ino_ctime, ABSTIME exe_ino_mtime, INT32 uid
Yes>copy_file_rangeFD fdin, UINT64 offin, UINT64 len
Yes<copy_file_rangeERRNO res, FD fdout, UINT64 offout
Yes>clone3
Yes<clone3PID res, CHARBUF exe, BYTEBUF args, PID tid, PID pid, PID ptid, CHARBUF cwd, INT64 fdlimit, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap, CHARBUF comm, BYTEBUF cgroups, FLAGS32 flags: CLONE_FILES, CLONE_FS, CLONE_IO, CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_PARENT, CLONE_PARENT_SETTID, CLONE_PTRACE, CLONE_SIGHAND, CLONE_SYSVSEM, CLONE_THREAD, CLONE_UNTRACED, CLONE_VM, CLONE_INVERTED, NAME_CHANGED, CLOSED, CLONE_NEWUSER, CLONE_CHILD_CLEARTID, CLONE_CHILD_SETTID, CLONE_SETTLS, CLONE_STOPPED, CLONE_VFORK, CLONE_NEWCGROUP, UINT32 uid, UINT32 gid, PID vtid, PID vpid, UINT64 pidns_init_start_ts
Yes>open_by_handle_at
Yes<open_by_handle_atFD fd, FD mountfd, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE, FSPATH path
Yes>io_uring_setup
Yes<io_uring_setupERRNO res, UINT32 entries, UINT32 sq_entries, UINT32 cq_entries, FLAGS32 flags: IORING_SETUP_IOPOLL, IORING_SETUP_SQPOLL, IORING_SQ_NEED_WAKEUP, IORING_SETUP_SQ_AFF, IORING_SETUP_CQSIZE, IORING_SETUP_CLAMP, IORING_SETUP_ATTACH_RW, IORING_SETUP_R_DISABLED, UINT32 sq_thread_cpu, UINT32 sq_thread_idle, FLAGS32 features: IORING_FEAT_SINGLE_MMAP, IORING_FEAT_NODROP, IORING_FEAT_SUBMIT_STABLE, IORING_FEAT_RW_CUR_POS, IORING_FEAT_CUR_PERSONALITY, IORING_FEAT_FAST_POLL, IORING_FEAT_POLL_32BITS, IORING_FEAT_SQPOLL_NONFIXED, IORING_FEAT_ENTER_EXT_ARG, IORING_FEAT_NATIVE_WORKERS, IORING_FEAT_RSRC_TAGS
Yes>io_uring_enter
Yes<io_uring_enterERRNO res, FD fd, UINT32 to_submit, UINT32 min_complete, FLAGS32 flags: IORING_ENTER_GETEVENTS, IORING_ENTER_SQ_WAKEUP, IORING_ENTER_SQ_WAIT, IORING_ENTER_EXT_ARG, SIGSET sig
Yes>io_uring_register
Yes<io_uring_registerERRNO res, FD fd, ENUMFLAGS16 opcode: IORING_REGISTER_BUFFERS, IORING_UNREGISTER_BUFFERS, IORING_REGISTER_FILES, IORING_UNREGISTER_FILES, IORING_REGISTER_EVENTFD, IORING_UNREGISTER_EVENTFD, IORING_REGISTER_FILES_UPDATE, IORING_REGISTER_EVENTFD_ASYNC, IORING_REGISTER_PROBE, IORING_REGISTER_PERSONALITY, IORING_UNREGISTER_PERSONALITY, IORING_REGISTER_RESTRICTIONS, IORING_REGISTER_ENABLE_RINGS, IORING_REGISTER_FILES2, IORING_REGISTER_FILES_UPDATE2, IORING_REGISTER_BUFFERS2, IORING_REGISTER_BUFFERS_UPDATE, IORING_REGISTER_IOWQ_AFF, IORING_UNREGISTER_IOWQ_AFF, IORING_REGISTER_IOWQ_MAX_WORKERS, IORING_REGISTER_RING_FDS, IORING_UNREGISTER_RING_FDS, UINT64 arg, UINT32 nr_args
Yes>mlock
Yes<mlockERRNO res, UINT64 addr, UINT64 len
Yes>munlock
Yes<munlockERRNO res, UINT64 addr, UINT64 len
Yes>mlockall
Yes<mlockallERRNO res, FLAGS32 flags: MCL_CURRENT, MCL_FUTURE, MCL_ONFAULT
Yes>munlockall
Yes<munlockallERRNO res
Yes>capset
Yes<capsetERRNO res, UINT64 cap_inheritable, UINT64 cap_permitted, UINT64 cap_effective
Yes>dup2FD fd
Yes<dup2FD res, FD oldfd, FD newfd
Yes>dup3FD fd
Yes<dup3FD res, FD oldfd, FD newfd, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE
Yes>dupFD fd
Yes<dupFD res, FD oldfd
Yes>bpfINT64 cmd
Yes<bpfFD fd
Yes>mlock2
Yes<mlock2ERRNO res, UINT64 addr, UINT64 len, UINT32 flags
Yes>fsconfig
Yes<fsconfigERRNO res, FD fd, ENUMFLAGS32 cmd: FSCONFIG_SET_FLAG, FSCONFIG_SET_STRING, FSCONFIG_SET_BINARY, FSCONFIG_SET_PATH, FSCONFIG_SET_PATH_EMPTY, FSCONFIG_SET_FD, FSCONFIG_CMD_CREATE, FSCONFIG_CMD_RECONFIGURE, CHARBUF key, BYTEBUF value_bytebuf, CHARBUF value_charbuf, INT32 aux
Yes>epoll_createINT32 size
Yes<epoll_createERRNO res
Yes>epoll_create1FLAGS32 flags: EPOLL_CLOEXEC
Yes<epoll_create1ERRNO res
Yes>chown
Yes<chownERRNO res, FSPATH path, UINT32 uid, UINT32 gid
Yes>lchown
Yes<lchownERRNO res, FSPATH path, UINT32 uid, UINT32 gid
Yes>fchown
Yes<fchownERRNO res, FD fd, UINT32 uid, UINT32 gid
Yes>fchownat
Yes<fchownatERRNO res, FD dirfd, FSRELPATH pathname, UINT32 uid, UINT32 gid, FLAGS32 flags: AT_SYMLINK_NOFOLLOW, AT_EMPTY_PATH
Yes>umount
Yes<umountERRNO res, FSPATH name
Yes>accept4INT32 flags
Yes<accept4FD fd, SOCKTUPLE tuple, UINT8 queuepct, UINT32 queuelen, UINT32 queuemax
Yes>umount2FLAGS32 flags: FORCE, DETACH, EXPIRE, NOFOLLOW
Yes<umount2ERRNO res, FSPATH name
Yes>pipe2
Yes<pipe2ERRNO res, FD fd1, FD fd2, UINT64 ino, FLAGS32 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE
Yes>inotify_init1
Yes<inotify_init1FD res, FLAGS16 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE
Yes>eventfd2UINT64 initval
Yes<eventfd2FD res, FLAGS16 flags: O_LARGEFILE, O_DIRECTORY, O_DIRECT, O_TRUNC, O_SYNC, O_NONBLOCK, O_EXCL, O_DSYNC, O_APPEND, O_CREAT, O_RDWR, O_WRONLY, O_RDONLY, O_CLOEXEC, O_NONE, O_TMPFILE
Yes>signalfd4FD fd, UINT32 mask
Yes<signalfd4FD res, FLAGS16 flags
Yes>prctl
Yes<prctlERRNO res, ENUMFLAGS32 option: PR_GET_DUMPABLE, PR_SET_DUMPABLE, PR_GET_KEEPCAPS, PR_SET_KEEPCAPS, PR_SET_NAME, PR_GET_NAME, PR_GET_SECCOMP, PR_SET_SECCOMP, PR_CAPBSET_READ, PR_CAPBSET_DROP, PR_GET_SECUREBITS, PR_SET_SECUREBITS, PR_MCE_KILL, PR_MCE_KILL, PR_SET_MM, PR_SET_CHILD_SUBREAPER, PR_GET_CHILD_SUBREAPER, PR_SET_NO_NEW_PRIVS, PR_GET_NO_NEW_PRIVS, PR_GET_TID_ADDRESS, PR_SET_THP_DISABLE, PR_GET_THP_DISABLE, PR_CAP_AMBIENT, CHARBUF arg2_str, INT64 arg2_int
Yes>sigreturnSYSCALLID ID, UINT16 nativeID
Yes<sigreturnSYSCALLID ID
Yes>s390_runtime_instrSYSCALLID ID, UINT16 nativeID
Yes<s390_runtime_instrSYSCALLID ID
Yes>s390_sthyiSYSCALLID ID, UINT16 nativeID
Yes<s390_sthyiSYSCALLID ID
Yes>readdirSYSCALLID ID, UINT16 nativeID
Yes<readdirSYSCALLID ID
Yes>sync_file_rangeSYSCALLID ID, UINT16 nativeID
Yes<sync_file_rangeSYSCALLID ID
Yes>faccessat2SYSCALLID ID, UINT16 nativeID
Yes<faccessat2SYSCALLID ID
Yes>sched_getattrSYSCALLID ID, UINT16 nativeID
Yes<sched_getattrSYSCALLID ID
Yes>rseqSYSCALLID ID, UINT16 nativeID
Yes<rseqSYSCALLID ID
Yes>nfsservctlSYSCALLID ID, UINT16 nativeID
Yes<nfsservctlSYSCALLID ID
Yes>sigsuspendSYSCALLID ID, UINT16 nativeID
Yes<sigsuspendSYSCALLID ID
Yes>getpmsgSYSCALLID ID, UINT16 nativeID
Yes<getpmsgSYSCALLID ID
Yes>set_mempolicy_home_nodeSYSCALLID ID, UINT16 nativeID
Yes<set_mempolicy_home_nodeSYSCALLID ID
Yes>io_pgeteventsSYSCALLID ID, UINT16 nativeID
Yes<io_pgeteventsSYSCALLID ID
Yes>statxSYSCALLID ID, UINT16 nativeID
Yes<statxSYSCALLID ID
Yes>epoll_ctl_oldSYSCALLID ID, UINT16 nativeID
Yes<epoll_ctl_oldSYSCALLID ID
Yes>mbindSYSCALLID ID, UINT16 nativeID
Yes<mbindSYSCALLID ID
Yes>move_pagesSYSCALLID ID, UINT16 nativeID
Yes<move_pagesSYSCALLID ID
Yes>migrate_pagesSYSCALLID ID, UINT16 nativeID
Yes<migrate_pagesSYSCALLID ID
Yes>landlock_add_ruleSYSCALLID ID, UINT16 nativeID
Yes<landlock_add_ruleSYSCALLID ID
Yes>landlock_restrict_selfSYSCALLID ID, UINT16 nativeID
Yes<landlock_restrict_selfSYSCALLID ID
Yes>pkey_allocSYSCALLID ID, UINT16 nativeID
Yes<pkey_allocSYSCALLID ID
Yes>pidfd_openSYSCALLID ID, UINT16 nativeID
Yes<pidfd_openSYSCALLID ID
Yes>close_rangeSYSCALLID ID, UINT16 nativeID
Yes<close_rangeSYSCALLID ID
Yes>kexec_file_loadSYSCALLID ID, UINT16 nativeID
Yes<kexec_file_loadSYSCALLID ID
Yes>memfd_secretSYSCALLID ID, UINT16 nativeID
Yes<memfd_secretSYSCALLID ID
Yes>memfd_createSYSCALLID ID, UINT16 nativeID
Yes<memfd_createSYSCALLID ID
Yes>fadvise64SYSCALLID ID, UINT16 nativeID
Yes<fadvise64SYSCALLID ID
Yes>getrandomSYSCALLID ID, UINT16 nativeID
Yes<getrandomSYSCALLID ID
Yes>sigaltstackSYSCALLID ID, UINT16 nativeID
Yes<sigaltstackSYSCALLID ID
Yes>finit_moduleSYSCALLID ID, UINT16 nativeID
Yes<finit_moduleSYSCALLID ID
Yes>process_vm_writevSYSCALLID ID, UINT16 nativeID
Yes<process_vm_writevSYSCALLID ID
Yes>fallocateSYSCALLID ID, UINT16 nativeID
Yes<fallocateSYSCALLID ID
Yes>waitpidSYSCALLID ID, UINT16 nativeID
Yes<waitpidSYSCALLID ID
Yes>niceSYSCALLID ID, UINT16 nativeID
Yes<niceSYSCALLID ID
Yes>oldunameSYSCALLID ID, UINT16 nativeID
Yes<oldunameSYSCALLID ID
Yes>sgetmaskSYSCALLID ID, UINT16 nativeID
Yes<sgetmaskSYSCALLID ID
Yes>_newselectSYSCALLID ID, UINT16 nativeID
Yes<_newselectSYSCALLID ID
Yes>socketcallSYSCALLID ID, UINT16 nativeID
Yes<socketcallSYSCALLID ID
Yes>sigprocmaskSYSCALLID ID, UINT16 nativeID
Yes<sigprocmaskSYSCALLID ID
Yes>fstatat64SYSCALLID ID, UINT16 nativeID
Yes<fstatat64SYSCALLID ID
Yes>process_vm_readvSYSCALLID ID, UINT16 nativeID
Yes<process_vm_readvSYSCALLID ID
Yes>fstatfs64SYSCALLID ID, UINT16 nativeID
Yes<fstatfs64SYSCALLID ID
Yes>statfs64SYSCALLID ID, UINT16 nativeID
Yes<statfs64SYSCALLID ID
Yes>msgctlSYSCALLID ID, UINT16 nativeID
Yes<msgctlSYSCALLID ID
Yes>msggetSYSCALLID ID, UINT16 nativeID
Yes<msggetSYSCALLID ID
Yes>process_mreleaseSYSCALLID ID, UINT16 nativeID
Yes<process_mreleaseSYSCALLID ID
Yes>msgrcvSYSCALLID ID, UINT16 nativeID
Yes<msgrcvSYSCALLID ID
Yes>perf_event_openSYSCALLID ID, UINT16 nativeID
Yes<perf_event_openSYSCALLID ID
Yes>getcpuSYSCALLID ID, UINT16 nativeID
Yes<getcpuSYSCALLID ID
Yes>shmctlSYSCALLID ID, UINT16 nativeID
Yes<shmctlSYSCALLID ID
Yes>set_robust_listSYSCALLID ID, UINT16 nativeID
Yes<set_robust_listSYSCALLID ID
Yes>pselect6SYSCALLID ID, UINT16 nativeID
Yes<pselect6SYSCALLID ID
Yes>modify_ldtSYSCALLID ID, UINT16 nativeID
Yes<modify_ldtSYSCALLID ID
Yes>timerfd_settimeSYSCALLID ID, UINT16 nativeID
Yes<timerfd_settimeSYSCALLID ID
Yes>getitimerSYSCALLID ID, UINT16 nativeID
Yes<getitimerSYSCALLID ID
Yes>sched_getschedulerSYSCALLID ID, UINT16 nativeID
Yes<sched_getschedulerSYSCALLID ID
Yes>kcmpSYSCALLID ID, UINT16 nativeID
Yes<kcmpSYSCALLID ID
Yes>open_treeSYSCALLID ID, UINT16 nativeID
Yes<open_treeSYSCALLID ID
Yes>setprioritySYSCALLID ID, UINT16 nativeID
Yes<setprioritySYSCALLID ID
Yes>sched_setschedulerSYSCALLID ID, UINT16 nativeID
Yes<sched_setschedulerSYSCALLID ID
Yes>fdatasyncSYSCALLID ID, UINT16 nativeID
Yes<fdatasyncSYSCALLID ID
Yes>pkey_mprotectSYSCALLID ID, UINT16 nativeID
Yes<pkey_mprotectSYSCALLID ID
Yes>clock_nanosleepSYSCALLID ID, UINT16 nativeID
Yes<clock_nanosleepSYSCALLID ID
Yes>signalSYSCALLID ID, UINT16 nativeID
Yes<signalSYSCALLID ID
Yes>sched_yieldSYSCALLID ID, UINT16 nativeID
Yes<sched_yieldSYSCALLID ID
Yes>pidfd_getfdSYSCALLID ID, UINT16 nativeID
Yes<pidfd_getfdSYSCALLID ID
Yes>get_robust_listSYSCALLID ID, UINT16 nativeID
Yes<get_robust_listSYSCALLID ID
Yes>set_tid_addressSYSCALLID ID, UINT16 nativeID
Yes<set_tid_addressSYSCALLID ID
Yes>getpgidSYSCALLID ID, UINT16 nativeID
Yes<getpgidSYSCALLID ID
Yes>getsidSYSCALLID ID, UINT16 nativeID
Yes<getsidSYSCALLID ID
Yes>sched_getparamSYSCALLID ID, UINT16 nativeID
Yes<sched_getparamSYSCALLID ID
Yes>init_moduleSYSCALLID ID, UINT16 nativeID
Yes<init_moduleSYSCALLID ID
Yes>iopermSYSCALLID ID, UINT16 nativeID
Yes<iopermSYSCALLID ID
Yes>syslogSYSCALLID ID, UINT16 nativeID
Yes<syslogSYSCALLID ID
Yes>wait4SYSCALLID ID, UINT16 nativeID
Yes<wait4SYSCALLID ID
Yes>rt_sigactionSYSCALLID ID, UINT16 nativeID
Yes<rt_sigactionSYSCALLID ID
Yes>mq_timedreceiveSYSCALLID ID, UINT16 nativeID
Yes<mq_timedreceiveSYSCALLID ID
Yes>rt_tgsigqueueinfoSYSCALLID ID, UINT16 nativeID
Yes<rt_tgsigqueueinfoSYSCALLID ID
Yes>rt_sigprocmaskSYSCALLID ID, UINT16 nativeID
Yes<rt_sigprocmaskSYSCALLID ID
Yes>_sysctlSYSCALLID ID, UINT16 nativeID
Yes<_sysctlSYSCALLID ID
Yes>epoll_wait_oldSYSCALLID ID, UINT16 nativeID
Yes<epoll_wait_oldSYSCALLID ID
Yes>vhangupSYSCALLID ID, UINT16 nativeID
Yes<vhangupSYSCALLID ID
Yes>sched_get_priority_minSYSCALLID ID, UINT16 nativeID
Yes<sched_get_priority_minSYSCALLID ID
Yes>semtimedopSYSCALLID ID, UINT16 nativeID
Yes<semtimedopSYSCALLID ID
Yes>rt_sigreturnSYSCALLID ID, UINT16 nativeID
Yes<rt_sigreturnSYSCALLID ID
Yes>rt_sigpendingSYSCALLID ID, UINT16 nativeID
Yes<rt_sigpendingSYSCALLID ID
Yes>io_destroySYSCALLID ID, UINT16 nativeID
Yes<io_destroySYSCALLID ID
Yes>pivot_rootSYSCALLID ID, UINT16 nativeID
Yes<pivot_rootSYSCALLID ID
Yes>mincoreSYSCALLID ID, UINT16 nativeID
Yes<mincoreSYSCALLID ID
Yes>msgsndSYSCALLID ID, UINT16 nativeID
Yes<msgsndSYSCALLID ID
Yes>sysinfoSYSCALLID ID, UINT16 nativeID
Yes<sysinfoSYSCALLID ID
Yes>acctSYSCALLID ID, UINT16 nativeID
Yes<acctSYSCALLID ID
Yes>epoll_pwaitSYSCALLID ID, UINT16 nativeID
Yes<epoll_pwaitSYSCALLID ID
Yes>sysfsSYSCALLID ID, UINT16 nativeID
Yes<sysfsSYSCALLID ID
Yes>clock_adjtimeSYSCALLID ID, UINT16 nativeID
Yes<clock_adjtimeSYSCALLID ID
Yes>syncSYSCALLID ID, UINT16 nativeID
Yes<syncSYSCALLID ID
Yes>name_to_handle_atSYSCALLID ID, UINT16 nativeID
Yes<name_to_handle_atSYSCALLID ID
Yes>sched_setparamSYSCALLID ID, UINT16 nativeID
Yes<sched_setparamSYSCALLID ID
Yes>stimeSYSCALLID ID, UINT16 nativeID
Yes<stimeSYSCALLID ID
Yes>pauseSYSCALLID ID, UINT16 nativeID
Yes<pauseSYSCALLID ID
Yes>timerfdSYSCALLID ID, UINT16 nativeID
Yes<timerfdSYSCALLID ID
Yes>msyncSYSCALLID ID, UINT16 nativeID
Yes<msyncSYSCALLID ID
Yes>rt_sigsuspendSYSCALLID ID, UINT16 nativeID
Yes<rt_sigsuspendSYSCALLID ID
Yes>landlock_create_rulesetSYSCALLID ID, UINT16 nativeID
Yes<landlock_create_rulesetSYSCALLID ID
Yes>lremovexattrSYSCALLID ID, UINT16 nativeID
Yes<lremovexattrSYSCALLID ID
Yes>remap_file_pagesSYSCALLID ID, UINT16 nativeID
Yes<remap_file_pagesSYSCALLID ID
Yes>restart_syscallSYSCALLID ID, UINT16 nativeID
Yes<restart_syscallSYSCALLID ID
Yes>timesSYSCALLID ID, UINT16 nativeID
Yes<timesSYSCALLID ID
Yes>sched_get_priority_maxSYSCALLID ID, UINT16 nativeID
Yes<sched_get_priority_maxSYSCALLID ID
Yes>fanotify_markSYSCALLID ID, UINT16 nativeID
Yes<fanotify_markSYSCALLID ID
Yes>statfsSYSCALLID ID, UINT16 nativeID
Yes<statfsSYSCALLID ID
Yes>utimeSYSCALLID ID, UINT16 nativeID
Yes<utimeSYSCALLID ID
Yes>getpidSYSCALLID ID, UINT16 nativeID
Yes<getpidSYSCALLID ID
Yes>mknodSYSCALLID ID, UINT16 nativeID
Yes<mknodSYSCALLID ID
Yes>unameSYSCALLID ID, UINT16 nativeID
Yes<unameSYSCALLID ID
Yes>process_madviseSYSCALLID ID, UINT16 nativeID
Yes<process_madviseSYSCALLID ID
Yes>ioprio_getSYSCALLID ID, UINT16 nativeID
Yes<ioprio_getSYSCALLID ID
Yes>swaponSYSCALLID ID, UINT16 nativeID
Yes<swaponSYSCALLID ID
Yes>readaheadSYSCALLID ID, UINT16 nativeID
Yes<readaheadSYSCALLID ID
Yes>pkey_freeSYSCALLID ID, UINT16 nativeID
Yes<pkey_freeSYSCALLID ID
Yes>timeSYSCALLID ID, UINT16 nativeID
Yes<timeSYSCALLID ID
Yes>settimeofdaySYSCALLID ID, UINT16 nativeID
Yes<settimeofdaySYSCALLID ID
Yes>ioplSYSCALLID ID, UINT16 nativeID
Yes<ioplSYSCALLID ID
Yes>set_mempolicySYSCALLID ID, UINT16 nativeID
Yes<set_mempolicySYSCALLID ID
Yes>ftruncateSYSCALLID ID, UINT16 nativeID
Yes<ftruncateSYSCALLID ID
Yes>syncfsSYSCALLID ID, UINT16 nativeID
Yes<syncfsSYSCALLID ID
Yes>readlinkSYSCALLID ID, UINT16 nativeID
Yes<readlinkSYSCALLID ID
Yes>gettimeofdaySYSCALLID ID, UINT16 nativeID
Yes<gettimeofdaySYSCALLID ID
Yes>s390_guarded_storageSYSCALLID ID, UINT16 nativeID
Yes<s390_guarded_storageSYSCALLID ID
Yes>sched_rr_get_intervalSYSCALLID ID, UINT16 nativeID
Yes<sched_rr_get_intervalSYSCALLID ID
Yes>setgroupsSYSCALLID ID, UINT16 nativeID
Yes<setgroupsSYSCALLID ID
Yes>timer_gettimeSYSCALLID ID, UINT16 nativeID
Yes<timer_gettimeSYSCALLID ID
Yes>ioprio_setSYSCALLID ID, UINT16 nativeID
Yes<ioprio_setSYSCALLID ID
Yes>futimesatSYSCALLID ID, UINT16 nativeID
Yes<futimesatSYSCALLID ID
Yes>rebootSYSCALLID ID, UINT16 nativeID
Yes<rebootSYSCALLID ID
Yes>get_kernel_symsSYSCALLID ID, UINT16 nativeID
Yes<get_kernel_symsSYSCALLID ID
Yes>uselibSYSCALLID ID, UINT16 nativeID
Yes<uselibSYSCALLID ID
Yes>mremapSYSCALLID ID, UINT16 nativeID
Yes<mremapSYSCALLID ID
Yes>truncateSYSCALLID ID, UINT16 nativeID
Yes<truncateSYSCALLID ID
Yes>ustatSYSCALLID ID, UINT16 nativeID
Yes<ustatSYSCALLID ID
Yes>timer_settimeSYSCALLID ID, UINT16 nativeID
Yes<timer_settimeSYSCALLID ID
Yes>quotactl_fdSYSCALLID ID, UINT16 nativeID
Yes<quotactl_fdSYSCALLID ID
Yes>umaskSYSCALLID ID, UINT16 nativeID
Yes<umaskSYSCALLID ID
Yes>clock_settimeSYSCALLID ID, UINT16 nativeID
Yes<clock_settimeSYSCALLID ID
Yes>mount_setattrSYSCALLID ID, UINT16 nativeID
Yes<mount_setattrSYSCALLID ID
Yes>getprioritySYSCALLID ID, UINT16 nativeID
Yes<getprioritySYSCALLID ID
Yes>get_mempolicySYSCALLID ID, UINT16 nativeID
Yes<get_mempolicySYSCALLID ID
Yes>move_mountSYSCALLID ID, UINT16 nativeID
Yes<move_mountSYSCALLID ID
Yes>alarmSYSCALLID ID, UINT16 nativeID
Yes<alarmSYSCALLID ID
Yes>getxattrSYSCALLID ID, UINT16 nativeID
Yes<getxattrSYSCALLID ID
Yes>personalitySYSCALLID ID, UINT16 nativeID
Yes<personalitySYSCALLID ID
Yes>getpgrpSYSCALLID ID, UINT16 nativeID
Yes<getpgrpSYSCALLID ID
Yes>fstatfsSYSCALLID ID, UINT16 nativeID
Yes<fstatfsSYSCALLID ID
Yes>create_moduleSYSCALLID ID, UINT16 nativeID
Yes<create_moduleSYSCALLID ID
Yes>preadv2SYSCALLID ID, UINT16 nativeID
Yes<preadv2SYSCALLID ID
Yes>vmspliceSYSCALLID ID, UINT16 nativeID
Yes<vmspliceSYSCALLID ID
Yes>rt_sigtimedwaitSYSCALLID ID, UINT16 nativeID
Yes<rt_sigtimedwaitSYSCALLID ID
Yes>mq_openSYSCALLID ID, UINT16 nativeID
Yes<mq_openSYSCALLID ID
Yes>mq_getsetattrSYSCALLID ID, UINT16 nativeID
Yes<mq_getsetattrSYSCALLID ID
Yes>fspickSYSCALLID ID, UINT16 nativeID
Yes<fspickSYSCALLID ID
Yes>newfstatatSYSCALLID ID, UINT16 nativeID
Yes<newfstatatSYSCALLID ID
Yes>faccessatSYSCALLID ID, UINT16 nativeID
Yes<faccessatSYSCALLID ID
Yes>capgetSYSCALLID ID, UINT16 nativeID
Yes<capgetSYSCALLID ID
Yes>setreuidSYSCALLID ID, UINT16 nativeID
Yes<setreuidSYSCALLID ID
Yes>setregidSYSCALLID ID, UINT16 nativeID
Yes<setregidSYSCALLID ID
Yes>setfsuidSYSCALLID ID, UINT16 nativeID
Yes<setfsuidSYSCALLID ID
Yes>setfsgidSYSCALLID ID, UINT16 nativeID
Yes<setfsgidSYSCALLID ID
Yes>s390_pci_mmio_readSYSCALLID ID, UINT16 nativeID
Yes<s390_pci_mmio_readSYSCALLID ID
Yes>ssetmaskSYSCALLID ID, UINT16 nativeID
Yes<ssetmaskSYSCALLID ID
Yes>madviseSYSCALLID ID, UINT16 nativeID
Yes<madviseSYSCALLID ID
Yes>swapoffSYSCALLID ID, UINT16 nativeID
Yes<swapoffSYSCALLID ID
Yes>add_keySYSCALLID ID, UINT16 nativeID
Yes<add_keySYSCALLID ID
Yes>membarrierSYSCALLID ID, UINT16 nativeID
Yes<membarrierSYSCALLID ID
Yes>gettidSYSCALLID ID, UINT16 nativeID
Yes<gettidSYSCALLID ID
Yes>query_moduleSYSCALLID ID, UINT16 nativeID
Yes<query_moduleSYSCALLID ID
Yes>shmatSYSCALLID ID, UINT16 nativeID
Yes<shmatSYSCALLID ID
Yes>lsetxattrSYSCALLID ID, UINT16 nativeID
Yes<lsetxattrSYSCALLID ID
Yes>lookup_dcookieSYSCALLID ID, UINT16 nativeID
Yes<lookup_dcookieSYSCALLID ID
Yes>fsetxattrSYSCALLID ID, UINT16 nativeID
Yes<fsetxattrSYSCALLID ID
Yes>ipcSYSCALLID ID, UINT16 nativeID
Yes<ipcSYSCALLID ID
Yes>fsyncSYSCALLID ID, UINT16 nativeID
Yes<fsyncSYSCALLID ID
Yes>lgetxattrSYSCALLID ID, UINT16 nativeID
Yes<lgetxattrSYSCALLID ID
Yes>futex_waitvSYSCALLID ID, UINT16 nativeID
Yes<futex_waitvSYSCALLID ID
Yes>fgetxattrSYSCALLID ID, UINT16 nativeID
Yes<fgetxattrSYSCALLID ID
Yes>sigpendingSYSCALLID ID, UINT16 nativeID
Yes<sigpendingSYSCALLID ID
Yes>shmdtSYSCALLID ID, UINT16 nativeID
Yes<shmdtSYSCALLID ID
Yes>listxattrSYSCALLID ID, UINT16 nativeID
Yes<listxattrSYSCALLID ID
Yes>setxattrSYSCALLID ID, UINT16 nativeID
Yes<setxattrSYSCALLID ID
Yes>mq_timedsendSYSCALLID ID, UINT16 nativeID
Yes<mq_timedsendSYSCALLID ID
Yes>sigactionSYSCALLID ID, UINT16 nativeID
Yes<sigactionSYSCALLID ID
Yes>arch_prctlSYSCALLID ID, UINT16 nativeID
Yes<arch_prctlSYSCALLID ID
Yes>waitidSYSCALLID ID, UINT16 nativeID
Yes<waitidSYSCALLID ID
Yes>llistxattrSYSCALLID ID, UINT16 nativeID
Yes<llistxattrSYSCALLID ID
Yes>flistxattrSYSCALLID ID, UINT16 nativeID
Yes<flistxattrSYSCALLID ID
Yes>timer_createSYSCALLID ID, UINT16 nativeID
Yes<timer_createSYSCALLID ID
Yes>removexattrSYSCALLID ID, UINT16 nativeID
Yes<removexattrSYSCALLID ID
Yes>delete_moduleSYSCALLID ID, UINT16 nativeID
Yes<delete_moduleSYSCALLID ID
Yes>fremovexattrSYSCALLID ID, UINT16 nativeID
Yes<fremovexattrSYSCALLID ID
Yes>utimensatSYSCALLID ID, UINT16 nativeID
Yes<utimensatSYSCALLID ID
Yes>rt_sigqueueinfoSYSCALLID ID, UINT16 nativeID
Yes<rt_sigqueueinfoSYSCALLID ID
Yes>sched_getaffinitySYSCALLID ID, UINT16 nativeID
Yes<sched_getaffinitySYSCALLID ID
Yes>sched_setattrSYSCALLID ID, UINT16 nativeID
Yes<sched_setattrSYSCALLID ID
Yes>epoll_pwait2SYSCALLID ID, UINT16 nativeID
Yes<epoll_pwait2SYSCALLID ID
Yes>fsopenSYSCALLID ID, UINT16 nativeID
Yes<fsopenSYSCALLID ID
Yes>fanotify_initSYSCALLID ID, UINT16 nativeID
Yes<fanotify_initSYSCALLID ID
Yes>request_keySYSCALLID ID, UINT16 nativeID
Yes<request_keySYSCALLID ID
Yes>sched_setaffinitySYSCALLID ID, UINT16 nativeID
Yes<sched_setaffinitySYSCALLID ID
Yes>io_submitSYSCALLID ID, UINT16 nativeID
Yes<io_submitSYSCALLID ID
Yes>set_thread_areaSYSCALLID ID, UINT16 nativeID
Yes<set_thread_areaSYSCALLID ID
Yes>get_thread_areaSYSCALLID ID, UINT16 nativeID
Yes<get_thread_areaSYSCALLID ID
Yes>epoll_ctlSYSCALLID ID, UINT16 nativeID
Yes<epoll_ctlSYSCALLID ID
Yes>pidfd_send_signalSYSCALLID ID, UINT16 nativeID
Yes<pidfd_send_signalSYSCALLID ID
Yes>inotify_add_watchSYSCALLID ID, UINT16 nativeID
Yes<inotify_add_watchSYSCALLID ID
Yes>setdomainnameSYSCALLID ID, UINT16 nativeID
Yes<setdomainnameSYSCALLID ID
Yes>io_setupSYSCALLID ID, UINT16 nativeID
Yes<io_setupSYSCALLID ID
Yes>s390_pci_mmio_writeSYSCALLID ID, UINT16 nativeID
Yes<s390_pci_mmio_writeSYSCALLID ID
Yes>io_geteventsSYSCALLID ID, UINT16 nativeID
Yes<io_geteventsSYSCALLID ID
Yes>io_cancelSYSCALLID ID, UINT16 nativeID
Yes<io_cancelSYSCALLID ID
Yes>timer_getoverrunSYSCALLID ID, UINT16 nativeID
Yes<timer_getoverrunSYSCALLID ID
Yes>timerfd_gettimeSYSCALLID ID, UINT16 nativeID
Yes<timerfd_gettimeSYSCALLID ID
Yes>setitimerSYSCALLID ID, UINT16 nativeID
Yes<setitimerSYSCALLID ID
Yes>clock_gettimeSYSCALLID ID, UINT16 nativeID
Yes<clock_gettimeSYSCALLID ID
Yes>fsmountSYSCALLID ID, UINT16 nativeID
Yes<fsmountSYSCALLID ID
Yes>exit_groupSYSCALLID ID, UINT16 nativeID
Yes<exit_groupSYSCALLID ID
Yes>getrusageSYSCALLID ID, UINT16 nativeID
Yes<getrusageSYSCALLID ID
Yes>sethostnameSYSCALLID ID, UINT16 nativeID
Yes<sethostnameSYSCALLID ID
Yes>timer_deleteSYSCALLID ID, UINT16 nativeID
Yes<timer_deleteSYSCALLID ID
Yes>idleSYSCALLID ID, UINT16 nativeID
Yes<idleSYSCALLID ID
Yes>shmgetSYSCALLID ID, UINT16 nativeID
Yes<shmgetSYSCALLID ID
Yes>readlinkatSYSCALLID ID, UINT16 nativeID
Yes<readlinkatSYSCALLID ID
Yes>utimesSYSCALLID ID, UINT16 nativeID
Yes<utimesSYSCALLID ID
Yes>adjtimexSYSCALLID ID, UINT16 nativeID
Yes<adjtimexSYSCALLID ID
Yes>mq_unlinkSYSCALLID ID, UINT16 nativeID
Yes<mq_unlinkSYSCALLID ID
Yes>pwritev2SYSCALLID ID, UINT16 nativeID
Yes<pwritev2SYSCALLID ID
Yes>mq_notifySYSCALLID ID, UINT16 nativeID
Yes<mq_notifySYSCALLID ID
Yes>kexec_loadSYSCALLID ID, UINT16 nativeID
Yes<kexec_loadSYSCALLID ID
Yes>clock_getresSYSCALLID ID, UINT16 nativeID
Yes<clock_getresSYSCALLID ID
Yes>keyctlSYSCALLID ID, UINT16 nativeID
Yes<keyctlSYSCALLID ID
Yes>bdflushSYSCALLID ID, UINT16 nativeID
Yes<bdflushSYSCALLID ID
Yes>teeSYSCALLID ID, UINT16 nativeID
Yes<teeSYSCALLID ID
Yes>getgroupsSYSCALLID ID, UINT16 nativeID
Yes<getgroupsSYSCALLID ID
Yes>inotify_rm_watchSYSCALLID ID, UINT16 nativeID
Yes<inotify_rm_watchSYSCALLID ID
Yes>exitSYSCALLID ID, UINT16 nativeID
Yes<exitSYSCALLID ID
Yes>getppidSYSCALLID ID, UINT16 nativeID
Yes<getppidSYSCALLID ID
Yes>mknodatSYSCALLID ID, UINT16 nativeID
Yes<mknodatSYSCALLID ID

Tracepoint events

DefaultDirNameArgs
Yes>switchPID next, UINT64 pgft_maj, UINT64 pgft_min, UINT32 vm_size, UINT32 vm_rss, UINT32 vm_swap
Yes>procexitERRNO status, ERRNO ret, SIGTYPE sig, UINT8 core
Yes>signaldeliverPID spid, PID dpid, SIGTYPE sig
Yes>page_faultUINT64 addr, UINT64 ip, FLAGS32 error: PROTECTION_VIOLATION, PAGE_NOT_PRESENT, WRITE_ACCESS, READ_ACCESS, USER_FAULT, SUPERVISOR_FAULT, RESERVED_PAGE, INSTRUCTION_FETCH

Plugin events

DefaultDirNameArgs
Yes>plugineventUINT32 plugin_id, BYTEBUF event_data

Metaevents

DefaultDirNameArgs
Yes>dropUINT32 ratio
Yes<dropUINT32 ratio
Yes>scapeventUINT32 event_type, UINT64 event_data
Yes>procinfoUINT64 cpu_usr, UINT64 cpu_sys
Yes>cpu_hotplugUINT32 cpu, UINT32 action
Yes>k8sCHARBUF json
Yes>tracerINT64 id, CHARBUFARRAY tags, CHARBUF_PAIR_ARRAY args
Yes<tracerINT64 id, CHARBUFARRAY tags, CHARBUF_PAIR_ARRAY args
Yes>mesosCHARBUF json
Yes>notificationCHARBUF id, CHARBUF desc
Yes>infraCHARBUF source, CHARBUF name, CHARBUF description, CHARBUF scope
Yes>containerCHARBUF json
Yes>useraddedUINT32 uid, UINT32 gid, CHARBUF name, CHARBUF home, CHARBUF shell, CHARBUF container_id
Yes>userdeletedUINT32 uid, UINT32 gid, CHARBUF name, CHARBUF home, CHARBUF shell, CHARBUF container_id
Yes>groupaddedUINT32 gid, CHARBUF name, CHARBUF container_id
Yes>groupdeletedUINT32 gid, CHARBUF name, CHARBUF container_id
Yes>asynceventUINT32 plugin_id, CHARBUF name, BYTEBUF data