All,
I was writing a sysdig script where the intent was to show all file opens and accesses. However, it is missing some.
For example, I'd expect to see any files opened by touch in:
sysdig -p '":%proc.pid: :%proc.ppid: :%proc.cwd: :%fd.filename:"' "(proc.exeline contains touch)"
yet after extensive tests on an Ubuntu 20 VM, these events do NOT show up.
So this is really odd to me. Is it a sampling issue? I don't see an issue with a CentOS 7 box.
Is there a way to see if sysdig is dropping system events?
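One way to answer the last question, as an added example that is not part of the original post: sysdig's `-v` flag makes it print a capture summary on stderr when the capture ends, and that summary includes a `Driver Events:` and a `Driver Drops:` count. The exact line format below is an assumption to check against your sysdig version; the `-M <seconds>` stop option and the `capture_and_check` wrapper are likewise assumed and need root plus the sysdig driver, so only the parsing is exercised on the constructed sample summaries.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes sysdig -v prints, on stderr
# at the end of a capture, lines of the form "Driver Events:<n>" and
# "Driver Drops:<n>"; verify against your version before relying on it.

# Print the integer following "<label>:" in the summary text read from stdin.
stat_value() {
    sed -n "s/^$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Return 0 if the summary reports no drops, 1 if drops were reported,
# 2 if the summary lines are absent (e.g. sysdig was run without -v).
check_drops() {
    summary="$1"
    events=$(printf '%s\n' "$summary" | stat_value "Driver Events")
    drops=$(printf '%s\n' "$summary" | stat_value "Driver Drops")
    if [ -z "$events" ] || [ -z "$drops" ]; then
        echo "no driver summary found (run sysdig with -v)" >&2
        return 2
    fi
    if [ "$drops" -gt 0 ]; then
        echo "sysdig dropped $drops of $events driver events" >&2
        return 1
    fi
    echo "no drops: $events driver events captured" >&2
    return 0
}

# Run a short capture with the filter from the post, then check its summary.
# Assumed usage of sysdig -v and -M; needs root and the sysdig driver.
capture_and_check() {
    seconds="${1:-10}"
    filter="${2:-proc.exeline contains touch}"
    out=$(sysdig -v -M "$seconds" \
          -p '%proc.pid %proc.ppid %proc.cwd %fd.filename' "$filter" \
          2>&1 >/dev/null)
    check_drops "$out"
}

# Constructed sample summaries (not real captures) for an offline check.
SAMPLE_OK='Driver Events:18342
Driver Drops:0'
SAMPLE_DROPPING='Driver Events:918222
Driver Drops:4410'
```

If `Driver Drops` is non-zero, the kernel ring buffer overflowed before sysdig could read it, so missing events are expected; a larger buffer or a narrower capture filter reduces that, whereas a zero drop count points at the filter or the syscalls the program actually uses rather than at sampling.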