[lttng-dev] Possibilities to customize lttng tracepoints in kernel space
mathieu.desnoyers at efficios.com
Thu Dec 17 10:27:27 EST 2020
----- On Dec 16, 2020, at 4:19 AM, lttng-dev <lttng-dev at lists.lttng.org> wrote:
> I send this email to consult that whether it is possible to customize lttng
> tracepoints in kernel space. I have learnt that lttng leverages linux
> tracepoint to collect audit logs like system calls. Also, I have found that
> user can define their customized tracepoints in user space by using lttng-ust
> so that they can trace their user applications.
> Is it possible for lttng users to customize the existing tracepoints in kernel
> space? For example, after the system call sys_clone, or read, called and then
> collected by lttng, I want to process some data ( e.g., the return value of the
> syscall ), and place the result in a new field in the audit log ( or using
> another approach, by emitting a new type of event in the audit log ), and later
> when parsed by babeltrace, we can see the newly-added field or event in the
> parsed result.
> Looking forward to your reply.
You will want to start by having a look at this section of the LTTng documentation: https://lttng.org/docs/v2.12/#doc-instrumenting-linux-kernel
You can indeed modify lttng-modules to change the fields gathered by the system call tracing facility (see include/instrumentation/syscalls/README section (3)).
Those changes will be reflected in the resulting trace data.
> Best wishes,
> lttng-dev mailing list
> lttng-dev at lists.lttng.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the lttng-dev