# The `ebpf load mode` option accepts the following values : # `entry` : The eBPF collector only monitors calls for the functions, and does not show charts related to errors. # `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates # new charts for the return of these functions, such as errors. # # The eBPF collector also creates charts for each running application through an integration with the `apps.plugin` # or `cgroups.plugin`. # If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change # the setting `apps` and `cgroups` to 'no'. # # The `ebpf type format` option accepts the following values : # `auto` : The eBPF collector will investigate hardware and select between the two next options. # `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload. # `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms. # # The `ebpf co-re tracing` option accepts the following values: # `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host. # `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall. # `probe` : This is the same as legacy code. # # The `maps per core` defines if hash tables will be per core or not. This option is ignored on kernels older than 4.6. # # The `lifetime` defines the time length a thread will run when it is enabled by a function. # # Uncomment lines to define specific options for thread. [global] # ebpf load mode = entry # apps = yes # cgroups = no # update every = 10 # pid table size = 32768 ebpf type format = auto ebpf co-re tracing = trampoline collect pid = real parent # maps per core = yes lifetime = 300 # List of monitored syscalls [syscalls] shmget = yes shmat = yes shmdt = yes shmctl = yes