authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 02:57:58 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 02:57:58 +0000
commitbe1c7e50e1e8809ea56f2c9d472eccd8ffd73a97 (patch)
tree9754ff1ca740f6346cf8483ec915d4054bc5da2d /collectors/ebpf.plugin/ebpf.d
parentInitial commit. (diff)
Adding upstream version 1.44.3.upstream/1.44.3upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'collectors/ebpf.plugin/ebpf.d')
-rw-r--r--collectors/ebpf.plugin/ebpf.d/cachestat.conf42
-rw-r--r--collectors/ebpf.plugin/ebpf.d/dcstat.conf40
-rw-r--r--collectors/ebpf.plugin/ebpf.d/disk.conf12
-rw-r--r--collectors/ebpf.plugin/ebpf.d/ebpf_kernel_reject_list.txt1
-rw-r--r--collectors/ebpf.plugin/ebpf.d/fd.conf27
-rw-r--r--collectors/ebpf.plugin/ebpf.d/filesystem.conf23
-rw-r--r--collectors/ebpf.plugin/ebpf.d/functions.conf3
-rw-r--r--collectors/ebpf.plugin/ebpf.d/hardirq.conf11
-rw-r--r--collectors/ebpf.plugin/ebpf.d/mdflush.conf11
-rw-r--r--collectors/ebpf.plugin/ebpf.d/mount.conf23
-rw-r--r--collectors/ebpf.plugin/ebpf.d/network.conf66
-rw-r--r--collectors/ebpf.plugin/ebpf.d/oomkill.conf11
-rw-r--r--collectors/ebpf.plugin/ebpf.d/process.conf31
-rw-r--r--collectors/ebpf.plugin/ebpf.d/shm.conf42
-rw-r--r--collectors/ebpf.plugin/ebpf.d/softirq.conf11
-rw-r--r--collectors/ebpf.plugin/ebpf.d/swap.conf34
-rw-r--r--collectors/ebpf.plugin/ebpf.d/sync.conf43
-rw-r--r--collectors/ebpf.plugin/ebpf.d/vfs.conf35
18 files changed, 466 insertions, 0 deletions
diff --git a/collectors/ebpf.plugin/ebpf.d/cachestat.conf b/collectors/ebpf.plugin/ebpf.d/cachestat.conf
new file mode 100644
index 00000000..9c51b2c5
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/cachestat.conf
@@ -0,0 +1,42 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `pid table size` defines the maximum number of PIDs stored inside the application hash table.
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `probe` : This is the same as legacy code.
+#
+# The `collect pid` option defines the PID stored inside hash tables and accepts the following options:
+# `real parent`: Only stores real parent inside PID
+# `parent` : Only stores parent PID.
+# `all` : Stores all PIDs used by software. This is the most expensive option.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+# pid table size = 32768
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+ collect pid = real parent
+# maps per core = yes
+ lifetime = 300
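Review bot: The header comment never states a unit for `lifetime`, so the active `lifetime = 300` at the end of `[global]` cannot be interpreted from the file alone. The sentence should name the unit, e.g. `# The 'lifetime' defines how long, in <unit, confirm against the plugin source>, a thread runs when it is enabled by a function.`. The `return` entry of the `ebpf load mode` list is also missing its closing backtick before the colon, and "This has a bigger overload" under `legacy` presumably means overhead. The same header text is repeated in the other .conf files added by this commit, so the corrections apply to each of them.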
diff --git a/collectors/ebpf.plugin/ebpf.d/dcstat.conf b/collectors/ebpf.plugin/ebpf.d/dcstat.conf
new file mode 100644
index 00000000..614d814e
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/dcstat.conf
@@ -0,0 +1,40 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `probe` : This is the same as legacy code.
+#
+# The `collect pid` option defines the PID stored inside hash tables and accepts the following options:
+# `real parent`: Only stores real parent inside PID
+# `parent` : Only stores parent PID.
+# `all` : Stores all PIDs used by software. This is the most expensive option.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+# pid table size = 32768
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+ collect pid = real parent
+# maps per core = yes
+ lifetime = 300
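Review bot: `# pid table size = 32768` is offered as a tunable in `[global]`, but the header comment above never describes the option, although cachestat.conf in the same commit does. I would add the sentence used there, `# The 'pid table size' defines the maximum number of PIDs stored inside the application hash table.`, before the `ebpf type format` paragraph. shm.conf, swap.conf and vfs.conf have the same gap. Whether each of these threads actually reads the key is not visible from this diff, so the alternative is to drop the commented line where it has no effect.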
diff --git a/collectors/ebpf.plugin/ebpf.d/disk.conf b/collectors/ebpf.plugin/ebpf.d/disk.conf
new file mode 100644
index 00000000..c5a0a270
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/disk.conf
@@ -0,0 +1,12 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+[global]
+# ebpf load mode = entry
+# update every = 10
+ lifetime = 300
+
diff --git a/collectors/ebpf.plugin/ebpf.d/ebpf_kernel_reject_list.txt b/collectors/ebpf.plugin/ebpf.d/ebpf_kernel_reject_list.txt
new file mode 100644
index 00000000..539bf357
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/ebpf_kernel_reject_list.txt
@@ -0,0 +1 @@
+Ubuntu 4.18.0
diff --git a/collectors/ebpf.plugin/ebpf.d/fd.conf b/collectors/ebpf.plugin/ebpf.d/fd.conf
new file mode 100644
index 00000000..d4823032
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/fd.conf
@@ -0,0 +1,27 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `pid table size` defines the maximum number of PIDs stored inside the hash table.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+# pid table size = 32768
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+# maps per core = yes
+ lifetime = 300
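Review bot: `ebpf type format = auto` and `ebpf co-re tracing = trampoline` are active settings in this `[global]` section, yet the header comment documents neither option, so a reader has no list of accepted values. The two comment paragraphs that cachestat.conf uses for these options (the `auto`/`legacy`/`co-re` list and the `trampoline`/`probe` list) should be copied in after the `pid table size` sentence. If fd supports a `tracepoint` mode as mount.conf and sync.conf describe, that entry belongs in the list too; this cannot be confirmed from the diff.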
diff --git a/collectors/ebpf.plugin/ebpf.d/filesystem.conf b/collectors/ebpf.plugin/ebpf.d/filesystem.conf
new file mode 100644
index 00000000..209abba7
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/filesystem.conf
@@ -0,0 +1,23 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps plugin`.
+# If you want to disable the integration with `apps.plugin` along with the above charts, change the setting `apps` to
+# 'no'.
+#
+[global]
+# ebpf load mode = entry
+# update every = 10
+ lifetime = 300
+
+# All filesystems are named as 'NAMEdist' where NAME is the filesystem name while 'dist' is a reference for distribution.
+[filesystem]
+ btrfsdist = yes
+ ext4dist = yes
+ nfsdist = yes
+ xfsdist = yes
+ zfsdist = yes
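Review bot: The header tells the reader to change the setting `apps` to 'no', but `[global]` contains no `apps` key, commented or active, so the instruction has nothing to act on. Either add `# apps = yes` under `[global]` or remove the paragraph; which is correct depends on whether the filesystem thread reads that key, which is not visible here. The same paragraph writes the plugin name as `apps plugin` where the other files in this commit use `apps.plugin`.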
diff --git a/collectors/ebpf.plugin/ebpf.d/functions.conf b/collectors/ebpf.plugin/ebpf.d/functions.conf
new file mode 100644
index 00000000..a4f57f64
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/functions.conf
@@ -0,0 +1,3 @@
+#[global]
+# update every = 5
+
diff --git a/collectors/ebpf.plugin/ebpf.d/hardirq.conf b/collectors/ebpf.plugin/ebpf.d/hardirq.conf
new file mode 100644
index 00000000..6a47a94b
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/hardirq.conf
@@ -0,0 +1,11 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+[global]
+# ebpf load mode = entry
+# update every = 10
+ lifetime = 300
diff --git a/collectors/ebpf.plugin/ebpf.d/mdflush.conf b/collectors/ebpf.plugin/ebpf.d/mdflush.conf
new file mode 100644
index 00000000..ea97ebe8
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/mdflush.conf
@@ -0,0 +1,11 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+[global]
+# ebpf load mode = entry
+# update every = 1
+ lifetime = 300
diff --git a/collectors/ebpf.plugin/ebpf.d/mount.conf b/collectors/ebpf.plugin/ebpf.d/mount.conf
new file mode 100644
index 00000000..ff9a2948
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/mount.conf
@@ -0,0 +1,23 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+# `probe` : This is the same as legacy code.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+[global]
+# ebpf load mode = entry
+# update every = 1
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+ lifetime = 300
diff --git a/collectors/ebpf.plugin/ebpf.d/network.conf b/collectors/ebpf.plugin/ebpf.d/network.conf
new file mode 100644
index 00000000..99c32edc
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/network.conf
@@ -0,0 +1,66 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The following options change the hash table size:
+# `bandwidth table size`: Maximum number of connections monitored
+# `ipv4 connection table size`: Maximum number of IPV4 connections monitored
+# `ipv6 connection table size`: Maximum number of IPV6 connections monitored
+# `udp connection table size`: Maximum number of UDP connections monitored
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+# `probe` : This is the same as legacy code.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `collect pid` option defines the PID stored inside hash tables and accepts the following options:
+# `real parent`: Only stores real parent inside PID
+# `parent` : Only stores parent PID.
+# `all` : Stores all PIDs used by software. This is the most expensive option.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+ bandwidth table size = 16384
+ socket monitoring table size = 16384
+ udp connection table size = 4096
+ ebpf type format = auto
+ ebpf co-re tracing = probe
+ maps per core = no
+ collect pid = all
+ lifetime = 300
+
+#
+# Network Connection
+#
+# This is a feature with status WIP(Work in Progress)
+#
+[network connections]
+ enabled = yes
+ resolve hostnames = no
+ resolve service names = yes
+ ports = *
+# ips = !127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 !::1/128
+ ips = *
+ hostnames = *
+
+[service name]
+ 19999 = Netdata
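Review bot: The `[network connections]` section is labelled WIP in the comment directly above it, yet it ships with `enabled = yes`, `ports = *`, `ips = *` and `hostnames = *`, while `[global]` sets `collect pid = all`, which the header itself calls the most expensive option. If the section does what its name suggests, a default install records connection endpoints for every process and presumably exposes them to anyone who can read the agent's charts, so the file should say this and point at the narrowing knobs, e.g. `# Monitors all ports and addresses by default; restrict 'ports'/'ips' or set 'enabled = no' to limit what is collected.`. Separately, the header documents `ipv4 connection table size` and `ipv6 connection table size`, but the file sets the undocumented `socket monitoring table size` instead. It also sets `ebpf co-re tracing = probe` and `maps per core = no` without explaining why this file departs from the `trampoline` default the header describes.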
diff --git a/collectors/ebpf.plugin/ebpf.d/oomkill.conf b/collectors/ebpf.plugin/ebpf.d/oomkill.conf
new file mode 100644
index 00000000..ea97ebe8
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/oomkill.conf
@@ -0,0 +1,11 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+[global]
+# ebpf load mode = entry
+# update every = 1
+ lifetime = 300
diff --git a/collectors/ebpf.plugin/ebpf.d/process.conf b/collectors/ebpf.plugin/ebpf.d/process.conf
new file mode 100644
index 00000000..150c5792
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/process.conf
@@ -0,0 +1,31 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `pid table size` defines the maximum number of PIDs stored inside the hash table.
+#
+# The `collect pid` option defines the PID stored inside hash tables and accepts the following options:
+# `real parent`: Only stores real parent inside PID
+# `parent` : Only stores parent PID.
+# `all` : Stores all PIDs used by software. This is the most expensive option.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+# pid table size = 32768
+ collect pid = real parent
+# maps per core = yes
+ lifetime = 300
diff --git a/collectors/ebpf.plugin/ebpf.d/shm.conf b/collectors/ebpf.plugin/ebpf.d/shm.conf
new file mode 100644
index 00000000..95fb54e0
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/shm.conf
@@ -0,0 +1,42 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+# `probe` : This is the same as legacy code.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+# pid table size = 32768
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+# maps per core = yes
+ lifetime = 300
+
+# List of monitored syscalls
+[syscalls]
+ shmget = yes
+ shmat = yes
+ shmdt = yes
+ shmctl = yes
diff --git a/collectors/ebpf.plugin/ebpf.d/softirq.conf b/collectors/ebpf.plugin/ebpf.d/softirq.conf
new file mode 100644
index 00000000..6a47a94b
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/softirq.conf
@@ -0,0 +1,11 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+[global]
+# ebpf load mode = entry
+# update every = 10
+ lifetime = 300
diff --git a/collectors/ebpf.plugin/ebpf.d/swap.conf b/collectors/ebpf.plugin/ebpf.d/swap.conf
new file mode 100644
index 00000000..29d9b420
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/swap.conf
@@ -0,0 +1,34 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `probe` : This is the same as legacy code.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+# pid table size = 32768
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+# maps per core = yes
+ lifetime = 300
diff --git a/collectors/ebpf.plugin/ebpf.d/sync.conf b/collectors/ebpf.plugin/ebpf.d/sync.conf
new file mode 100644
index 00000000..a086ed4d
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/sync.conf
@@ -0,0 +1,43 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+# `probe` : This is the same as legacy code.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+# maps per core = yes
+ lifetime = 300
+
+# List of monitored syscalls
+[syscalls]
+ sync = yes
+ msync = yes
+ fsync = yes
+ fdatasync = yes
+ syncfs = yes
+ sync_file_range = yes
diff --git a/collectors/ebpf.plugin/ebpf.d/vfs.conf b/collectors/ebpf.plugin/ebpf.d/vfs.conf
new file mode 100644
index 00000000..f511581b
--- /dev/null
+++ b/collectors/ebpf.plugin/ebpf.d/vfs.conf
@@ -0,0 +1,35 @@
+# The `ebpf load mode` option accepts the following values :
+# `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors.
+# `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates
+# new charts for the return of these functions, such as errors.
+#
+# The eBPF collector also creates charts for each running application through an integration with the `apps.plugin`
+# or `cgroups.plugin`.
+# If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change
+# the setting `apps` and `cgroups` to 'no'.
+#
+# The `ebpf type format` option accepts the following values :
+# `auto` : The eBPF collector will investigate hardware and select between the two next options.
+# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload.
+# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms.
+#
+# The `ebpf co-re tracing` option accepts the following values:
+# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host.
+# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall.
+# `probe` : This is the same as legacy code.
+#
+# The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6.
+#
+# The `lifetime` defines the time length a thread will run when it is enabled by a function.
+#
+# Uncomment lines to define specific options for thread.
+[global]
+# ebpf load mode = entry
+# apps = yes
+# cgroups = no
+# update every = 10
+# pid table size = 32768
+ ebpf type format = auto
+ ebpf co-re tracing = trampoline
+# maps per core = yes
+ lifetime = 300