# [Public] Falco native resource utilization and stats metrics
Links:
- [Falco issue: Falco native resource utilization metrics logs support](https://github.com/falcosecurity/falco/issues/2222)
- [Falco staging PR](https://github.com/falcosecurity/falco/pull/2333)
## PRs Done
- [scap refactor](https://github.com/falcosecurity/libs/pull/880) to expose some constants
- [sinsp resource utilization metrics](https://github.com/falcosecurity/libs/pull/881), such as CPU and memory usage
- [libbpf stats](https://github.com/falcosecurity/libs/pull/1021), such as avg time spent in each bpf program
## PRs TODO:
- Add per syscall or event category counters (suggested by @Happy-Dude) -> try to bucket events
- Convert the [Falco staging PR](https://github.com/falcosecurity/falco/pull/2333) into a first ready-for-review Falco PR, now that much of the logic has moved to libs, which makes it easier for Falco to construct the internal metrics snapshot logs.
## Design
### What metrics, log schema?
See log schema suggestions below ...
### Software interface
- Falco resource utilization metrics manager shall only consume and invoke APIs exposed in libs `libsinsp`
- Consider refactoring Falco and have one combined `stats` manager for event_drop, resource_utilization and stats_writer
- Opt-in mode (user input / config)
- Customizable emitter interval (user input / config)
- See output modes ...
### Stats intervals
- [Keep submitting verbose `event_drop` logs only when kernel side drops occur, don't change]
- For resource utilization and stats logs expose "interval" user input
- Re-use `--stats-interval` from stats writer
- Or expose new presets, e.g. `10sec, 15min, 30min, 1h, 2h, 4h, 6h, 12h, 24h`
### Verbosity modes
- Option for more verbose metrics/stats when CPU or memory usages exceed a threshold
### Output modes
- Opt-in new prometheus exporter option
- Opt-in "Falco internal" rule option
- Keep stats writer file output option for backward compatibility
## Log schema
### New metrics logs schema so far:
Current suggestion from [Falco staging PR](https://github.com/falcosecurity/falco/pull/2333). Try finding shorter names if possible.
```
output_fields["evt.time"] /* Current epoch in nanoseconds. */
output_fields["machine.n_cpus"] /* Total number of CPUs / processors. */
output_fields["machine.boot_time"] /* Host boot time - epoch in nanoseconds. */
output_fields["machine.hostname"] /* Explicitly add hostname to log msg in case hostname rule output field is disabled. */
output_fields["falco.version"] /* Falco version. */
output_fields["falco.start_time"] /* Falco start time - epoch in nanoseconds. */
output_fields["falco.duration_sec"] /* Number of nanoseconds between Falco start time and now. */
output_fields["falco.n_evts"] /* Monotonic counter number of events Falco has processed. */
output_fields["falco.n_evts_prev"] /* Previous metrics run - Monotonic counter number of events Falco has processed. */
output_fields["falco.evt_rate"] /* Number of Falco events per second. */
output_fields["falco.linux.cpu_usage_percentage"] /* Falco CPU usage percentage of one CPU, compare to `ps` linux util */
output_fields["falco.linux.memory_rss_bytes"] /* Retrieved from /proc/<pid>/status, RSS - resident set size in bytes, compare to `ps` linux util */
output_fields["falco.linux.memory_vsize_bytes"] /* Retrieved from /proc/<pid>/status, VSZ - virtual size in bytes, compare to `ps` linux util */
output_fields["falco.cgroup.memory_usage_in_bytes"] /* Kubernetes only, container memory usage in bytes. */
output_fields["falco.kernel_driver"] /* Falco kernel driver type. */
output_fields["kernel.release"] /* Kernel release `uname -r`. */
output_fields["kernel.n_evts"] /* Monotonic counter number of total kernel side events the driver has actively traced. */
output_fields["kernel.n_evts_prev"] /* Previous metrics run - Monotonic counter number of total kernel side events the driver has actively traced. */
output_fields["kernel.evt_rate"] /* Number of kernel side events per second. */
output_fields["kernel.n_drops"] /* Monotonic counter number of total kernel side drops. */
```
### Syscall or event category counters:
@Happy-Dude kindly asking for help to create the correct buckets, thanks a bunch in advance!
- category `spawned_process`
```
case PPME_SYSCALL_EXECVE_18_E:
case PPME_SYSCALL_EXECVE_19_E:
case PPME_SYSCALL_EXECVEAT_E:
case PPME_SYSCALL_CLONE_11_X:
case PPME_SYSCALL_CLONE_16_X:
case PPME_SYSCALL_CLONE_17_X:
case PPME_SYSCALL_CLONE_20_X:
case PPME_SYSCALL_FORK_X:
case PPME_SYSCALL_FORK_17_X:
case PPME_SYSCALL_FORK_20_X:
case PPME_SYSCALL_VFORK_X:
case PPME_SYSCALL_VFORK_17_X:
case PPME_SYSCALL_VFORK_20_X:
case PPME_SYSCALL_CLONE3_X:
case PPME_SYSCALL_EXECVE_8_X:
case PPME_SYSCALL_EXECVE_13_X:
case PPME_SYSCALL_EXECVE_14_X:
case PPME_SYSCALL_EXECVE_15_X:
case PPME_SYSCALL_EXECVE_16_X:
case PPME_SYSCALL_EXECVE_17_X:
case PPME_SYSCALL_EXECVE_18_X:
case PPME_SYSCALL_EXECVE_19_X:
case PPME_SYSCALL_EXECVEAT_X:
```
- category `open` family of syscalls
```
PPME_SYSCALL_OPEN_E
PPME_SYSCALL_OPEN_X
PPME_SYSCALL_CREAT_E
PPME_SYSCALL_CREAT_X
PPME_SYSCALL_OPENAT_E
PPME_SYSCALL_OPENAT_X
PPME_SYSCALL_TIMERFD_CREATE_E
PPME_SYSCALL_TIMERFD_CREATE_X
PPME_SYSCALL_OPENAT_2_E
PPME_SYSCALL_OPENAT_2_X
PPME_SYSCALL_OPENAT2_E
PPME_SYSCALL_OPENAT2_X
PPME_SYSCALL_OPEN_BY_HANDLE_AT_E
PPME_SYSCALL_OPEN_BY_HANDLE_AT_X
PPME_SYSCALL_EPOLL_CREATE_E
PPME_SYSCALL_EPOLL_CREATE_X
PPME_SYSCALL_EPOLL_CREATE1_E
PPME_SYSCALL_EPOLL_CREATE1_X
```
- category `socket` family of syscalls
```
PPME_SOCKET_SOCKET_E
PPME_SOCKET_SOCKET_X
PPME_SOCKET_BIND_E
PPME_SOCKET_BIND_X
PPME_SOCKET_LISTEN_E
PPME_SOCKET_LISTEN_X
PPME_SOCKET_SENDTO_E
PPME_SOCKET_SENDTO_X
PPME_SOCKET_RECV_E
PPME_SOCKET_RECV_X
PPME_SOCKET_RECVFROM_E
PPME_SOCKET_RECVFROM_X
PPME_SOCKET_SHUTDOWN_E
PPME_SOCKET_SHUTDOWN_X
PPME_SOCKET_GETSOCKNAME_E
PPME_SOCKET_GETSOCKNAME_X
PPME_SOCKET_GETPEERNAME_E
PPME_SOCKET_GETPEERNAME_X
PPME_SOCKET_SOCKETPAIR_E
PPME_SOCKET_SOCKETPAIR_X
PPME_SOCKET_SETSOCKOPT_E
PPME_SOCKET_SETSOCKOPT_X
PPME_SOCKET_GETSOCKOPT_E
PPME_SOCKET_GETSOCKOPT_X
PPME_SOCKET_SENDMSG_E
PPME_SOCKET_SENDMSG_X
PPME_SOCKET_SENDMMSG_E
PPME_SOCKET_SENDMMSG_X
PPME_SOCKET_RECVMSG_E
PPME_SOCKET_RECVMSG_X
PPME_SOCKET_RECVMMSG_E
PPME_SOCKET_RECVMMSG_X
```
- category `socket_connect` family of syscalls
```
PPME_SOCKET_CONNECT_E
PPME_SOCKET_CONNECT_X
```
- category `socket_accept` family of syscalls
```
PPME_SOCKET_ACCEPT_E
PPME_SOCKET_ACCEPT_X
PPME_SOCKET_ACCEPT4_E
PPME_SOCKET_ACCEPT4_X
PPME_SOCKET_ACCEPT_5_E
PPME_SOCKET_ACCEPT_5_X
PPME_SOCKET_ACCEPT4_5_E
PPME_SOCKET_ACCEPT4_5_X
```
- category `user_group_id` family of syscalls and events
```
PPME_SYSCALL_SETRESUID_E
PPME_SYSCALL_SETRESUID_X
PPME_SYSCALL_SETRESGID_E
PPME_SYSCALL_SETRESGID_X
PPME_SYSCALL_SETUID_E
PPME_SYSCALL_SETUID_X
PPME_SYSCALL_SETGID_E
PPME_SYSCALL_SETGID_X
PPME_SYSCALL_GETUID_E
PPME_SYSCALL_GETUID_X
PPME_SYSCALL_GETEUID_E
PPME_SYSCALL_GETEUID_X
PPME_SYSCALL_GETGID_E
PPME_SYSCALL_GETGID_X
PPME_SYSCALL_GETEGID_E
PPME_SYSCALL_GETEGID_X
PPME_SYSCALL_GETRESUID_E
PPME_SYSCALL_GETRESUID_X
PPME_SYSCALL_GETRESGID_E
PPME_SYSCALL_GETRESGID_X
PPME_SYSCALL_SETPGID_E
PPME_SYSCALL_SETPGID_X
PPME_GROUP_ADDED_E
PPME_GROUP_ADDED_X
PPME_GROUP_DELETED_E
PPME_GROUP_DELETED_X
```
- category `container` event
```
PPME_CONTAINER_E
PPME_CONTAINER_X
PPME_CONTAINER_JSON_E
PPME_CONTAINER_JSON_X
PPME_CONTAINER_JSON_2_E
PPME_CONTAINER_JSON_2_X
```
... more buckets
and then have one bucket for all other events?
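
One way the bucketing above could be counted, including the catch-all bucket for all other events. This is an added sketch, not code from Falco or libs. The `demo_event` enum is a constructed stand-in whose names mirror a few events from the lists above and whose numeric values are made up, and `bucket_counters` and `replay_sample` are hypothetical names.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <numeric>

// Stand-in for the libs event enum: constructed subset, made-up numeric values.
enum demo_event : uint16_t {
    EV_EXECVE_19_E, EV_EXECVE_19_X, EV_CLONE3_X, EV_OPENAT2_E, EV_OPENAT2_X,
    EV_SOCKET_E, EV_CONNECT_E, EV_CONNECT_X, EV_ACCEPT4_5_X, EV_SETUID_E,
    EV_CONTAINER_JSON_2_E, EV_READ_E, EV_FUTEX_X, EV_MAX
};
enum bucket : uint8_t {
    B_OTHER = 0, // catch-all, so every event is counted exactly once
    B_SPAWNED_PROCESS, B_OPEN, B_SOCKET, B_SOCKET_CONNECT, B_SOCKET_ACCEPT,
    B_USER_GROUP_ID, B_CONTAINER, B_MAX
};

class bucket_counters {
public:
    bucket_counters() { // m_map starts as all B_OTHER; unassigned events stay there
        assign(B_SPAWNED_PROCESS, {EV_EXECVE_19_E, EV_EXECVE_19_X, EV_CLONE3_X});
        assign(B_OPEN, {EV_OPENAT2_E, EV_OPENAT2_X});
        assign(B_SOCKET, {EV_SOCKET_E});
        assign(B_SOCKET_CONNECT, {EV_CONNECT_E, EV_CONNECT_X});
        assign(B_SOCKET_ACCEPT, {EV_ACCEPT4_5_X});
        assign(B_USER_GROUP_ID, {EV_SETUID_E});
        assign(B_CONTAINER, {EV_CONTAINER_JSON_2_E});
    }
    // Hot path: one bounds check, one table lookup, one increment.
    // Event codes the table does not know (e.g. a newer driver) go to "other".
    void record(uint16_t type) { ++m_counts[type < EV_MAX ? m_map[type] : B_OTHER]; }
    uint64_t get(bucket b) const { return m_counts[b]; }
    uint64_t total() const { return std::accumulate(m_counts.begin(), m_counts.end(), uint64_t{0}); }
private:
    void assign(bucket b, std::initializer_list<demo_event> evts) { for (auto e : evts) m_map[e] = b; }
    std::array<bucket, EV_MAX> m_map{};      // event code -> bucket
    std::array<uint64_t, B_MAX> m_counts{};  // monotonic per-bucket counters
};

// Replays a constructed event stream; 999 is an out-of-range event code.
bucket_counters replay_sample() {
    bucket_counters c;
    const uint16_t sample[] = {
        EV_EXECVE_19_E, EV_EXECVE_19_X, EV_CLONE3_X, EV_OPENAT2_E, EV_OPENAT2_X, EV_CONNECT_E, EV_CONNECT_X,
        EV_READ_E, EV_FUTEX_X, EV_READ_E, 999, EV_SETUID_E, EV_CONTAINER_JSON_2_E, EV_ACCEPT4_5_X, EV_SOCKET_E};
    for (uint16_t t : sample) c.record(t);
    return c;
}

int main() { bucket_counters c = replay_sample(); std::printf("other=%llu total=%llu\n", (unsigned long long)c.get(B_OTHER), (unsigned long long)c.total()); }
```

Because unmapped and out-of-range codes land in the catch-all bucket, the per-bucket counters always sum to the number of events seen, which gives a cheap consistency check against a total event counter.
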
---
ALL PPME events, see https://github.com/falcosecurity/libs/blob/master/driver/event_table.c
```
cat event_table.c | grep -e PPME | cut -d '*' -f2
```
```
PPME_GENERIC_E
PPME_GENERIC_X
PPME_SYSCALL_OPEN_E
PPME_SYSCALL_OPEN_X
PPME_SYSCALL_CLOSE_E
PPME_SYSCALL_CLOSE_X
PPME_SYSCALL_READ_E
PPME_SYSCALL_READ_X
PPME_SYSCALL_WRITE_E
PPME_SYSCALL_WRITE_X
PPME_SYSCALL_BRK_1_E
PPME_SYSCALL_BRK_1_X
PPME_SYSCALL_EXECVE_8_E
PPME_SYSCALL_EXECVE_8_X
PPME_SYSCALL_CLONE_11_E
PPME_SYSCALL_CLONE_11_X
PPME_PROCEXIT_E
PPME_NA1
PPME_SOCKET_SOCKET_E
PPME_SOCKET_SOCKET_X
PPME_SOCKET_BIND_E
PPME_SOCKET_BIND_X
PPME_SOCKET_CONNECT_E
PPME_SOCKET_CONNECT_X
PPME_SOCKET_LISTEN_E
PPME_SOCKET_LISTEN_X
PPME_SOCKET_ACCEPT_E
PPME_SOCKET_ACCEPT_X
PPME_SYSCALL_SEND_E
PPME_SYSCALL_SEND_X
PPME_SOCKET_SENDTO_E
PPME_SOCKET_SENDTO_X
PPME_SOCKET_RECV_E
PPME_SOCKET_RECV_X
PPME_SOCKET_RECVFROM_E
PPME_SOCKET_RECVFROM_X
PPME_SOCKET_SHUTDOWN_E
PPME_SOCKET_SHUTDOWN_X
PPME_SOCKET_GETSOCKNAME_E
PPME_SOCKET_GETSOCKNAME_X
PPME_SOCKET_GETPEERNAME_E
PPME_SOCKET_GETPEERNAME_X
PPME_SOCKET_SOCKETPAIR_E
PPME_SOCKET_SOCKETPAIR_X
PPME_SOCKET_SETSOCKOPT_E
PPME_SOCKET_SETSOCKOPT_X
PPME_SOCKET_GETSOCKOPT_E
PPME_SOCKET_GETSOCKOPT_X
PPME_SOCKET_SENDMSG_E
PPME_SOCKET_SENDMSG_X
PPME_SOCKET_SENDMMSG_E
PPME_SOCKET_SENDMMSG_X
PPME_SOCKET_RECVMSG_E
PPME_SOCKET_RECVMSG_X
PPME_SOCKET_RECVMMSG_E
PPME_SOCKET_RECVMMSG_X
PPME_SOCKET_ACCEPT4_E
PPME_SOCKET_ACCEPT4_X
PPME_SYSCALL_CREAT_E
PPME_SYSCALL_CREAT_X
PPME_SYSCALL_PIPE_E
PPME_SYSCALL_PIPE_X
PPME_SYSCALL_EVENTFD_E
PPME_SYSCALL_EVENTFD_X
PPME_SYSCALL_FUTEX_E
PPME_SYSCALL_FUTEX_X
PPME_SYSCALL_STAT_E
PPME_SYSCALL_STAT_X
PPME_SYSCALL_LSTAT_E
PPME_SYSCALL_LSTAT_X
PPME_SYSCALL_FSTAT_E
PPME_SYSCALL_FSTAT_X
PPME_SYSCALL_STAT64_E
PPME_SYSCALL_STAT64_X
PPME_SYSCALL_LSTAT64_E
PPME_SYSCALL_LSTAT64_X
PPME_SYSCALL_FSTAT64_E
PPME_SYSCALL_FSTAT64_X
PPME_SYSCALL_EPOLLWAIT_E
PPME_SYSCALL_EPOLLWAIT_X
PPME_SYSCALL_POLL_E
PPME_SYSCALL_POLL_X
PPME_SYSCALL_SELECT_E
PPME_SYSCALL_SELECT_X
PPME_SYSCALL_NEWSELECT_E
PPME_SYSCALL_NEWSELECT_X
PPME_SYSCALL_LSEEK_E
PPME_SYSCALL_LSEEK_X
PPME_SYSCALL_LLSEEK_E
PPME_SYSCALL_LLSEEK_X
PPME_SYSCALL_IOCTL_2_E
PPME_SYSCALL_IOCTL_2_X
PPME_SYSCALL_GETCWD_E
PPME_SYSCALL_GETCWD_X
PPME_SYSCALL_CHDIR_E
PPME_SYSCALL_CHDIR_X
PPME_SYSCALL_FCHDIR_E
PPME_SYSCALL_FCHDIR_X
PPME_SYSCALL_MKDIR_E
PPME_SYSCALL_MKDIR_X
PPME_SYSCALL_RMDIR_E
PPME_SYSCALL_RMDIR_X
PPME_SYSCALL_OPENAT_E
PPME_SYSCALL_OPENAT_X
PPME_SYSCALL_LINK_E
PPME_SYSCALL_LINK_X
PPME_SYSCALL_LINKAT_E
PPME_SYSCALL_LINKAT_X
PPME_SYSCALL_UNLINK_E
PPME_SYSCALL_UNLINK_X
PPME_SYSCALL_UNLINKAT_E
PPME_SYSCALL_UNLINKAT_X
PPME_SYSCALL_PREAD_E
PPME_SYSCALL_PREAD_X
PPME_SYSCALL_PWRITE_E
PPME_SYSCALL_PWRITE_X
PPME_SYSCALL_READV_E
PPME_SYSCALL_READV_X
PPME_SYSCALL_WRITEV_E
PPME_SYSCALL_WRITEV_X
PPME_SYSCALL_PREADV_E
PPME_SYSCALL_PREADV_X
PPME_SYSCALL_PWRITEV_E
PPME_SYSCALL_PWRITEV_X
PPME_SYSCALL_DUP_E
PPME_SYSCALL_DUP_X
PPME_SYSCALL_SIGNALFD_E
PPME_SYSCALL_SIGNALFD_X
PPME_SYSCALL_KILL_E
PPME_SYSCALL_KILL_X
PPME_SYSCALL_TKILL_E
PPME_SYSCALL_TKILL_X
PPME_SYSCALL_TGKILL_E
PPME_SYSCALL_TGKILL_X
PPME_SYSCALL_NANOSLEEP_E
PPME_SYSCALL_NANOSLEEP_X
PPME_SYSCALL_TIMERFD_CREATE_E
PPME_SYSCALL_TIMERFD_CREATE_X
PPME_SYSCALL_INOTIFY_INIT_E
PPME_SYSCALL_INOTIFY_INIT_X
PPME_SYSCALL_GETRLIMIT_E
PPME_SYSCALL_GETRLIMIT_X
PPME_SYSCALL_SETRLIMIT_E
PPME_SYSCALL_SETRLIMIT_X
PPME_SYSCALL_PRLIMIT_E
PPME_SYSCALL_PRLIMIT_X
PPME_SCHEDSWITCH_1_E
PPME_SCHEDSWITCH_1_X
PPME_DROP_E
PPME_DROP_X
PPME_SYSCALL_FCNTL_E
PPME_SYSCALL_FCNTL_X
PPME_SCHEDSWITCH_6_E
PPME_SCHEDSWITCH_6_X
PPME_SYSCALL_EXECVE_13_E
PPME_SYSCALL_EXECVE_13_X
PPME_SYSCALL_CLONE_16_E
PPME_SYSCALL_CLONE_16_X
PPME_SYSCALL_BRK_4_E
PPME_SYSCALL_BRK_4_X
PPME_SYSCALL_MMAP_E
PPME_SYSCALL_MMAP_X
PPME_SYSCALL_MMAP2_E
PPME_SYSCALL_MMAP2_X
PPME_SYSCALL_MUNMAP_E
PPME_SYSCALL_MUNMAP_X
PPME_SYSCALL_SPLICE_E
PPME_SYSCALL_SPLICE_X
PPME_SYSCALL_PTRACE_E
PPME_SYSCALL_PTRACE_X
PPME_SYSCALL_IOCTL_3_E
PPME_SYSCALL_IOCTL_3_X
PPME_SYSCALL_EXECVE_14_E
PPME_SYSCALL_EXECVE_14_X
PPME_SYSCALL_RENAME_E
PPME_SYSCALL_RENAME_X
PPME_SYSCALL_RENAMEAT_E
PPME_SYSCALL_RENAMEAT_X
PPME_SYSCALL_SYMLINK_E
PPME_SYSCALL_SYMLINK_X
PPME_SYSCALL_SYMLINKAT_E
PPME_SYSCALL_SYMLINKAT_X
PPME_SYSCALL_FORK_E
PPME_SYSCALL_FORK_X
PPME_SYSCALL_VFORK_E
PPME_SYSCALL_VFORK_X
PPME_PROCEXIT_1_E
PPME_NA1
PPME_SYSCALL_SENDFILE_E
PPME_SYSCALL_SENDFILE_X
PPME_SYSCALL_QUOTACTL_E
PPME_SYSCALL_QUOTACTL_X
PPME_SYSCALL_SETRESUID_E
PPME_SYSCALL_SETRESUID_X
PPME_SYSCALL_SETRESGID_E
PPME_SYSCALL_SETRESGID_X
PPME_SCAPEVENT_E
PPME_SCAPEVENT_X
PPME_SYSCALL_SETUID_E
PPME_SYSCALL_SETUID_X
PPME_SYSCALL_SETGID_E
PPME_SYSCALL_SETGID_X
PPME_SYSCALL_GETUID_E
PPME_SYSCALL_GETUID_X
PPME_SYSCALL_GETEUID_E
PPME_SYSCALL_GETEUID_X
PPME_SYSCALL_GETGID_E
PPME_SYSCALL_GETGID_X
PPME_SYSCALL_GETEGID_E
PPME_SYSCALL_GETEGID_X
PPME_SYSCALL_GETRESUID_E
PPME_SYSCALL_GETRESUID_X
PPME_SYSCALL_GETRESGID_E
PPME_SYSCALL_GETRESGID_X
PPME_SYSCALL_EXECVE_15_E
PPME_SYSCALL_EXECVE_15_X
PPME_SYSCALL_CLONE_17_E
PPME_SYSCALL_CLONE_17_X
PPME_SYSCALL_FORK_17_E
PPME_SYSCALL_FORK_17_X
PPME_SYSCALL_VFORK_17_E
PPME_SYSCALL_VFORK_17_X
PPME_SYSCALL_CLONE_20_E
PPME_SYSCALL_CLONE_20_X
PPME_SYSCALL_FORK_20_E
PPME_SYSCALL_FORK_20_X
PPME_SYSCALL_VFORK_20_E
PPME_SYSCALL_VFORK_20_X
PPME_CONTAINER_E
PPME_CONTAINER_X
PPME_SYSCALL_EXECVE_16_E
PPME_SYSCALL_EXECVE_16_X
PPME_SIGNALDELIVER_E
PPME_SIGNALDELIVER_X
PPME_PROCINFO_E
PPME_PROCINFO_X
PPME_SYSCALL_GETDENTS_E
PPME_SYSCALL_GETDENTS_X
PPME_SYSCALL_GETDENTS64_E
PPME_SYSCALL_GETDENTS64_X
PPME_SYSCALL_SETNS_E
PPME_SYSCALL_SETNS_X
PPME_SYSCALL_FLOCK_E
PPME_SYSCALL_FLOCK_X
PPME_CPU_HOTPLUG_E
PPME_CPU_HOTPLUG_X
PPME_SOCKET_ACCEPT_5_E
PPME_SOCKET_ACCEPT_5_X
PPME_SOCKET_ACCEPT4_5_E
PPME_SOCKET_ACCEPT4_5_X
PPME_SYSCALL_SEMOP_E
PPME_SYSCALL_SEMOP_X
PPME_SYSCALL_SEMCTL_E
PPME_SYSCALL_SEMCTL_X
PPME_SYSCALL_PPOLL_E
PPME_SYSCALL_PPOLL_X
PPME_SYSCALL_MOUNT_E
PPME_SYSCALL_MOUNT_X
PPME_SYSCALL_UMOUNT_E
PPME_SYSCALL_UMOUNT_X
PPME_K8S_E
PPME_K8S_X
PPME_SYSCALL_SEMGET_E
PPME_SYSCALL_SEMGET_X
PPME_SYSCALL_ACCESS_E
PPME_SYSCALL_ACCESS_X
PPME_SYSCALL_CHROOT_E
PPME_SYSCALL_CHROOT_X
PPME_TRACER_E
PPME_TRACER_X
PPME_MESOS_E
PPME_MESOS_X
PPME_CONTAINER_JSON_E
PPME_CONTAINER_JSON_X
PPME_SYSCALL_SETSID_E
PPME_SYSCALL_SETSID_X
PPME_SYSCALL_MKDIR_2_E
PPME_SYSCALL_MKDIR_2_X
PPME_SYSCALL_RMDIR_2_E
PPME_SYSCALL_RMDIR_2_X
PPME_NOTIFICATION_E
PPME_NOTIFICATION_X
PPME_SYSCALL_EXECVE_17_E
PPME_SYSCALL_EXECVE_17_X
PPME_SYSCALL_UNSHARE_E
PPME_SYSCALL_UNSHARE_X
PPME_INFRASTRUCTURE_EVENT_E
PPME_INFRASTRUCTURE_EVENT_X
PPME_SYSCALL_EXECVE_18_E
PPME_SYSCALL_EXECVE_18_X
PPME_PAGE_FAULT_E
PPME_PAGE_FAULT_X
PPME_SYSCALL_EXECVE_19_E
PPME_SYSCALL_EXECVE_19_X
PPME_SYSCALL_SETPGID_E
PPME_SYSCALL_SETPGID_X
PPME_SYSCALL_BPF_E
PPME_SYSCALL_BPF_X
PPME_SYSCALL_SECCOMP_E
PPME_SYSCALL_SECCOMP_X
PPME_SYSCALL_UNLINK_2_E
PPME_SYSCALL_UNLINK_2_X
PPME_SYSCALL_UNLINKAT_2_E
PPME_SYSCALL_UNLINKAT_2_X
PPME_SYSCALL_MKDIRAT_E
PPME_SYSCALL_MKDIRAT_X
PPME_SYSCALL_OPENAT_2_E
PPME_SYSCALL_OPENAT_2_X
PPME_SYSCALL_LINK_2_E
PPME_SYSCALL_LINK_2_X
PPME_SYSCALL_LINKAT_2_E
PPME_SYSCALL_LINKAT_2_X
PPME_SYSCALL_FCHMODAT_E
PPME_SYSCALL_FCHMODAT_X
PPME_SYSCALL_CHMOD_E
PPME_SYSCALL_CHMOD_X
PPME_SYSCALL_FCHMOD_E
PPME_SYSCALL_FCHMOD_X
PPME_SYSCALL_RENAMEAT2_E
PPME_SYSCALL_RENAMEAT2_X
PPME_SYSCALL_USERFAULTFD_E
PPME_SYSCALL_USERFAULTFD_X
PPME_PLUGINEVENT_E
PPME_NA1
PPME_CONTAINER_JSON_2_E
PPME_CONTAINER_JSON_2_X
PPME_SYSCALL_OPENAT2_E
PPME_SYSCALL_OPENAT2_X
PPME_SYSCALL_MPROTECT_E
PPME_SYSCALL_MPROTECT_X
PPME_SYSCALL_EXECVEAT_E
PPME_SYSCALL_EXECVEAT_X
PPME_SYSCALL_COPY_FILE_RANGE_E
PPME_SYSCALL_COPY_FILE_RANGE_X
PPME_SYSCALL_CLONE3_E
PPME_SYSCALL_CLONE3_X
PPME_SYSCALL_OPEN_BY_HANDLE_AT_E
PPME_SYSCALL_OPEN_BY_HANDLE_AT_X
PPME_SYSCALL_IO_URING_SETUP_E
PPME_SYSCALL_IO_URING_SETUP_X
PPME_SYSCALL_IO_URING_ENTER_E
PPME_SYSCALL_IO_URING_ENTER_X
PPME_SYSCALL_IO_URING_REGISTER_E
PPME_SYSCALL_IO_URING_REGISTER_X
PPME_SYSCALL_MLOCK_E
PPME_SYSCALL_MLOCK_X
PPME_SYSCALL_MUNLOCK_E
PPME_SYSCALL_MUNLOCK_X
PPME_SYSCALL_MLOCKALL_E
PPME_SYSCALL_MLOCKALL_X
PPME_SYSCALL_MUNLOCKALL_E
PPME_SYSCALL_MUNLOCKALL_X
PPME_SYSCALL_CAPSET_E
PPME_SYSCALL_CAPSET_X
PPME_USER_ADDED_E
PPME_USER_ADDED_X
PPME_USER_DELETED_E
PPME_USER_DELETED_X
PPME_GROUP_ADDED_E
PPME_GROUP_ADDED_X
PPME_GROUP_DELETED_E
PPME_GROUP_DELETED_X
PPME_SYSCALL_DUP2_E
PPME_SYSCALL_DUP2_X
PPME_SYSCALL_DUP3_E
PPME_SYSCALL_DUP3_X
PPME_SYSCALL_DUP_1_E
PPME_SYSCALL_DUP_1_X
PPME_SYSCALL_BPF_2_E
PPME_SYSCALL_BPF_2_X
PPME_SYSCALL_MLOCK2_E
PPME_SYSCALL_MLOCK2_X
PPME_SYSCALL_FSCONFIG_E
PPME_SYSCALL_FSCONFIG_X
PPME_SYSCALL_EPOLL_CREATE_E
PPME_SYSCALL_EPOLL_CREATE_X
PPME_SYSCALL_EPOLL_CREATE1_E
PPME_SYSCALL_EPOLL_CREATE1_X
```