# microsoft/procmon-for-linux

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/microsoft-procmon-for-linux).**

4,695 stars · 289 forks · C · MIT

## Links

- GitHub: https://github.com/microsoft/ProcMon-for-Linux
- awesome-repositories: https://awesome-repositories.com/repository/microsoft-procmon-for-linux.md

## Description

ProcMon-for-Linux is an eBPF-based process monitor and system call tracer for Linux, a reimagining of the Sysinternals Process Monitor for Windows. It captures kernel and user-space events in real time and logs them so that operating system behavior can be analyzed as it happens or after the fact.

The project features a text user interface for inspecting recorded trace files. It separates high-performance headless event recording from the analysis interface to prevent data loss during heavy system loads.

The tool provides capabilities for system call tracing and activity monitoring, including the ability to filter events by process identifiers or specific system call types. It supports low-level process debugging and the retrospective analysis of system activity.
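
As an added example of the retrospective analysis that the record-then-inspect split makes possible (illustrative code written for this page, not part of ProcMon-for-Linux): the script opens a SQLite-backed trace, introspects its tables, and replays the process ID and syscall filters as a SQL predicate. The `events` table and its columns (`ts`, `pid`, `comm`, `syscall`, `result`) are an assumption constructed for the demo; the project's real trace schema is not reproduced here, so run `list_schema()` on an actual trace file and adapt the queries before using them.

```python
"""Retrospective, filtered analysis of a SQLite-backed trace file.

Added example; not code from ProcMon-for-Linux. The `events` table and its
columns (ts, pid, comm, syscall, result) are an ASSUMED layout constructed
for this demo. The real trace schema is not reproduced here: run
list_schema() against an actual trace file first and adapt the queries.
"""
import sqlite3


def list_schema(conn: sqlite3.Connection) -> dict:
    """Return {table_name: [column, ...]} by introspecting sqlite_master.

    Works on any SQLite file, so it is the first thing to run on a real
    trace to learn the layout before writing queries against it.
    """
    schema = {}
    for (name,) in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ):
        quoted = name.replace('"', '""')
        cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{quoted}")')]
        schema[name] = cols
    return schema


def filter_events(conn, pids=None, syscalls=None):
    """Apply the same PID / syscall restriction that can be set at capture
    time, but after the fact, as a parameterised SQL predicate."""
    clauses, params = [], []
    if pids:
        clauses.append("pid IN (%s)" % ",".join("?" * len(pids)))
        params.extend(pids)
    if syscalls:
        clauses.append("syscall IN (%s)" % ",".join("?" * len(syscalls)))
        params.extend(syscalls)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    sql = f"SELECT ts, pid, comm, syscall, result FROM events{where} ORDER BY ts"
    return conn.execute(sql, params).fetchall()


def failures_by_syscall(conn):
    """Count syscalls that returned a negative errno, grouped by name;
    a usual first cut when hunting an intermittent failure."""
    rows = conn.execute(
        "SELECT syscall, COUNT(*) FROM events WHERE result < 0 "
        "GROUP BY syscall ORDER BY syscall"
    ).fetchall()
    return dict(rows)


def build_demo_trace() -> sqlite3.Connection:
    """Constructed in-memory trace standing in for a headless capture."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (ts INTEGER, pid INTEGER, comm TEXT, "
        "syscall TEXT, result INTEGER)"
    )
    sample = [  # constructed rows; result is the raw return value (-errno on failure)
        (1, 1234, "nginx", "openat", 3),
        (2, 1234, "nginx", "read", 512),
        (3, 5678, "sshd", "openat", -13),   # EACCES
        (4, 1234, "nginx", "openat", -2),   # ENOENT
        (5, 5678, "sshd", "connect", 0),
        (6, 9012, "cron", "execve", 0),
    ]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", sample)
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_demo_trace()
    print(list_schema(conn))
    for row in filter_events(conn, pids=[1234], syscalls=["openat"]):
        print(row)
    print(failures_by_syscall(conn))
```

To point this at a real capture, replace `build_demo_trace()` with `sqlite3.connect("trace.db")`, check the output of `list_schema()`, and rename the table and columns in the two queries to match what it reports; the parameterised `IN (...)` predicates keep PID and syscall names out of the SQL text, so the filters can be fed from untrusted input without injection risk.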

## Tags

### System Administration & Monitoring

- [System Call Tracing](https://awesome-repositories.com/f/system-administration-monitoring/diagnostic-tools/diagnostics/execution-tracers/kernel-tracing-frameworks/system-call-tracing.md) — Provides real-time monitoring of Linux system calls to debug software behavior and identify failures.
- [TUI Trace Viewers](https://awesome-repositories.com/f/system-administration-monitoring/diagnostic-tools/diagnostics/execution-tracers/kernel-tracing-frameworks/system-call-tracing/trace-recording/tui-trace-viewers.md) — Provides a text user interface for opening and inspecting recorded trace files to analyze system activity. ([source](https://github.com/microsoft/procmon-for-linux#readme))
- [Linux](https://awesome-repositories.com/f/system-administration-monitoring/process-monitors/linux.md) — Monitors Linux process events and file system activity to analyze operating system behavior.
- [System Call Monitors](https://awesome-repositories.com/f/system-administration-monitoring/real-time-monitoring-systems/system-call-monitors.md) — Tracks real-time file system and process events to provide deep visibility into Linux system behavior.
- [System Activity Monitoring](https://awesome-repositories.com/f/system-administration-monitoring/system-activity-monitoring.md) — Tracks real-time file system and process events for visibility into OS behavior (Linux has no registry; that part of the Windows Procmon feature set does not apply). ([source](https://github.com/microsoft/procmon-for-linux#readme))
- [eBPF-Based Activity Monitors](https://awesome-repositories.com/f/system-administration-monitoring/system-activity-monitoring/ebpf-based-activity-monitors.md) — Utilizes eBPF to capture high-performance traces of kernel and user-space activity for system observability.
- [System Event Recorders](https://awesome-repositories.com/f/system-administration-monitoring/audit-logging-systems/system-activity-auditors/system-event-recorders.md) — Records system-generated actions and events for retrospective diagnosis of intermittent execution issues.
- [Headless Recorders](https://awesome-repositories.com/f/system-administration-monitoring/audit-logging-systems/system-activity-auditors/system-event-recorders/headless-recorders.md) — Separates high-performance headless event recording from the analysis interface to prevent data loss. ([source](https://github.com/microsoft/procmon-for-linux#readme))
- [Selective Event Filtering](https://awesome-repositories.com/f/system-administration-monitoring/system-event-monitors/selective-event-filtering.md) — Allows restricting traced activity to specific process IDs or syscall types to reduce noise during capture. ([source](https://github.com/microsoft/procmon-for-linux#readme))
- [Syscall Filtering](https://awesome-repositories.com/f/system-administration-monitoring/system-event-monitors/syscall-filtering.md) — Applies kernel-level predicates to filter syscalls and reduce noise during event capture.

### Operating Systems & Systems Programming

- [eBPF Event Captures](https://awesome-repositories.com/f/operating-systems-systems-programming/ebpf-event-captures.md) — Provides high-performance event capture using eBPF bytecode executed within the Linux kernel.
- [Low-Level Debuggers](https://awesome-repositories.com/f/operating-systems-systems-programming/low-level-debuggers.md) — Enables low-level analysis of interactions between software and the Linux kernel to identify bottlenecks.

### User Interface & Experience

- [Event Trace Analyzers](https://awesome-repositories.com/f/user-interface-experience/navigation-systems/tui/event-trace-analyzers.md) — Provides a terminal user interface for opening and inspecting recorded trace files of system activity.
- [Trace Analysis Interfaces](https://awesome-repositories.com/f/user-interface-experience/navigation-systems/tui/trace-analysis-interfaces.md) — Ships a text-based user interface for inspecting and filtering recorded system activity files.

### Data & Databases

- [Kernel Ring Buffer Retrieval](https://awesome-repositories.com/f/data-databases/kernel-ring-buffer-retrieval.md) — Implements high-performance data transfer from the kernel to userspace using ring buffers.
- [SQLite Storage Adapters](https://awesome-repositories.com/f/data-databases/sqlite-drivers/sqlite-storage-adapters.md) — Uses a local SQLite database for persistent storage and efficient querying of captured trace data.
