[lttng-dev] Possibilities to customize lttng tracepoints in kernel space

Mathieu Desnoyers mathieu.desnoyers at efficios.com
Thu Dec 17 10:27:27 EST 2020

----- On Dec 16, 2020, at 4:19 AM, lttng-dev <lttng-dev at lists.lttng.org> wrote: 

> Hi,

> I send this email to consult that whether it is possible to customize lttng
> tracepoints in kernel space. I have learnt that lttng leverages linux
> tracepoint to collect audit logs like system calls. Also, I have found that
> user can define their customized tracepoints in user space by using lttng-ust
> so that they can trace their user applications.

> Is it possible for lttng users to customize the existing tracepoints in kernel
> space? For example, after the system call sys_clone, or read, called and then
> collected by lttng, I want to process some data ( e.g., the return value of the
> syscall ), and place the result in a new field in the audit log ( or using
> another approach, by emitting a new type of event in the audit log ), and later
> when parsed by babeltrace, we can see the newly-added field or event in the
> parsed result.

> Looking forward to your reply.


You will want to start by having a look at this section of the LTTng documentation: https://lttng.org/docs/v2.12/#doc-instrumenting-linux-kernel 

You can indeed modify lttng-modules to change the fields gathered by the system call tracing facility (see include/instrumentation/syscalls/README section (3)). 
Those changes will be reflected in the resulting trace data. 



> Best wishes,

> Serica

> _______________________________________________
> lttng-dev mailing list
> lttng-dev at lists.lttng.org
> https://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev

Mathieu Desnoyers 
EfficiOS Inc. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.lttng.org/pipermail/lttng-dev/attachments/20201217/da13dc5e/attachment.htm>

More information about the lttng-dev mailing list