Everything Penguin

Focusing on Linux-based Operating Systems
htDig Search:

Operating Systems
  • /pub/OS/Linux

  • Storage
  • File Systems
  • HPC
  • /pub/Storage

  • Networking
  • /pub/Networking

  • Network Services
  • /pub/NetworkServices

  • Security
  • /pub/Security
  • Keytool/OpenSSL

  • Clustering
  • HA
  • DRM

  • Development
  • Design
  • C/C++
  • Java
  • Perl
  • Python
  • Shell
  • Web / J2EE

  • Not Linux ?
  • BSD
  • HP-UX
  • Mac
  • Solaris
  • VM
  • Windows
  • /pub/OS

  • Other
  • /pub
  • /pub/3rdParty
  •  Parent Directory

    Sar - Part 1
    Brett Lee
    Sar is a part of Sysstat.
    Use the sar suite of commands to collect historical data.
    Sar includes these commands:  sar, sadc, sadf, sa1 and sa2.
    Here's how it works:
    Sar creates Data Files and Reports in the /var/log/sa directory.
    Sar considers:
          sa<DD> a data file
          sar<DD> as a report.
    Some details:
    "/usr/lib/sa/sa1" (shell script front end to sadc) writes to /var/log/sa/sa<DD>
     - sadc is the back end to sar.  It writes binary, so don't run it from the CLI.
    "/usr/lib/sa/sa2" (shell script front end to sar) writes to /var/log/sa/sar<DD>
    From cron:
    Every 10 minutes, sa1 runs and appends to the data "file" for that DAY.
    At the end of each hour, sa2 runs and parses the whole "file" into a report.
    At the end of the day there is 24 hours of data in the report.
    At the end of each run, sa2 deletes "old" files (see HISTORY=X variable).
    Suggested crontab:
    * Run sa1 every 10 minutes.
    * Run sa2 at 53 minutes past the hour.
            root:~ # cat /etc/cron.d/sysstat
            # run system activity accounting tool every 10 minutes
            */10 * * * * root /usr/lib64/sa/sa1 1 1
            # generate a daily summary of process accounting at 23:53
            53 23 * * * root /usr/lib64/sa/sa2 -A
    Analyze the data:
    1. "sar" - shows both current and historical data.  use for console output.
           Show current:
             $ sar -c 
               ...output follows...
           Show historical:
             $ sar -c -f /var/log/sa/sa17
               ...output follows...
    2. "sadf" - sar data format - prints sar dat in other formats (CSV, XML).
           Show current:
             $ sadf -p 
               ...TAB delimited output follows...
           Show historical:
             $ sadf -x /var/log/sa/sa17
               ...XML output follows...
    3.  So far, the above examples dealt with the /var/log/sa/saXX binary files.
        That's because the "sarXX" files have been converted into text files.
    4.  Graph the sysstat data!
              Sysstat Graph
    Report options:
    (from: http://mywiki.ncsa.uiuc.edu/wiki/Tips_and_Tricks)
    Note that these vary by version, in that newer (RHEL6)
    combines the output of -c and -w into two colums using the -w.
      sar -u       cpu utilization
      sar -q       queue lengths & load averages
      sar -c       process creation
      sar -w       context switching
      sar -r       memory & swap space
      sar -B       paging
      sar -W       swapping
      sar -b       I/O & transfer rates
      sar -n DEV   network rates
      sar -n EDEV  network errors
      sar -n NFS   NFS client
      sar -n NFSD  NFS server
      sar -n SOCK  sockets in use
      sar -P ALL   processors (individual cores)
      sar -v       kernel tables
      sar -R       memory
      sar -d -p    block devices (by default not collected by cronjob - 
                                  if needed must add -d option to sadc 
                                  command in /usr/lib64/sa/sa1)
      sar -I parm  irq (real-time only)
      sar -x <pid> pid (real-time only)
      sar -X <pid> child processes (real-time only)
    Data Collected:
    ** By default, sar does not collect disk statistics, nor does it collect all
       the data about the system interrupts.  To collect disk data, add "-d" to
       the "sa1" script; for interrupt information, add "-I".  For example:
            exec ${ENDIR}/sadc -d -I -F -L 1 1 -
            exec ${ENDIR}/sadc -d -I -F -L $* -
       For more details, see `man sadc`.
    ** As an aside, when a change to sa1 is made, data pursuant to the change is
       not available until the beginning of the next day.  As sa1 writes a binary
       file, and there is a data structure already in place in that file, the
       file is not modified mid-day; thus only when a new sa<DD> file is created
       are the new data points available.  It *may* be possible to force the 
       change to begin immediately using a "-F" to the sadc command.
    ** Note that this is the /var/log/sa/ directory a couple days after adding
       both the "-d" and the "-I" options to sadc:
         $ ll /var/log/sa
         total 10676
         -rw-r--r-- 1 root root  274416 Dec 13 23:50 sa13
         -rw-r--r-- 1 root root  274416 Dec 14 23:50 sa14
         -rw-r--r-- 1 root root  274416 Dec 15 23:50 sa15
         -rw-r--r-- 1 root root  274416 Dec 16 23:50 sa16
         -rw-r--r-- 1 root root  285792 Dec 17 23:50 sa17  <- change made this day
         -rw-r--r-- 1 root root  617712 Dec 18 23:50 sa18
         -rw-r--r-- 1 root root  617712 Dec 19 23:50 sa19
         -rw-r--r-- 1 root root  617712 Dec 20 23:50 sa20
         -rw-r--r-- 1 root root  497648 Dec 21 19:10 sa21
         -rw-r--r-- 1 root root  328959 Dec 12 23:53 sar12
         -rw-r--r-- 1 root root  328959 Dec 13 23:53 sar13
         -rw-r--r-- 1 root root  328959 Dec 14 23:53 sar14
         -rw-r--r-- 1 root root  328959 Dec 15 23:53 sar15
         -rw-r--r-- 1 root root  328959 Dec 16 23:53 sar16
         -rw-r--r-- 1 root root  332871 Dec 17 23:53 sar17 <-- change day
         -rw-r--r-- 1 root root 1706713 Dec 18 23:53 sar18
         -rw-r--r-- 1 root root 1706713 Dec 19 23:53 sar19
         -rw-r--r-- 1 root root 1706713 Dec 20 23:53 sar20
       As evident by the file size changes, *something* happened.
       But it did not take effect on the 17, but rather on the 18
         (when the new file was written).
       As mentioned above, the "-F" option to sadc may have forced this change
         to occur right away, but may have also disposed of existing data in
         that file.
         $ sar -d -f /var/log/sa/sa17
         Requested activities not available in file
         $ sar -I ALL -f /var/log/sa/sa17
         Requested activities not available in file
       Beginning on the 18th it worked just fine..
         $ sar -d -f /var/log/sa/sa18
         12:00:01 AM       DEV       tps  rd_sec/s  wr_sec/s  avgrq-sz  avgqu-sz await     svctm     %util
         12:10:01 AM    dev8-0     12.73     17.81    269.33     22.55      0.10 7.47      1.29      1.64
         12:10:01 AM   dev8-16      0.00      0.00      0.00      0.00      0.00 0.00      0.00      0.00
         12:10:01 AM  dev253-0      0.41      0.00      3.24      8.00      0.00 2.18      0.20      0.01

    Other Sites

  • FAQ's
  • IETF
  • RFC Sourcebook

  • Linux
  • Linux - Intro
  • Linux Kernel
  • Linux Kernel (LKML)
  • Bash - Intro
  • Bash - Advanced
  • Command Line
  • System Administration
  • Network Administration
  • Man Pages (& more)
  • More Guides
  • Red Hat Manuals
  • HOWTO's

  • Reference/Tutorials
  • C++ @ cppreference
  • C++ @ cplusplus
  • CSS @ echoecho
  • DNS @ Zytrax
  • HTML @ W3 Schools
  • Java @ Sun
  • LDAP @ Zytrax
  • Linux @ YoLinux
  • MySQL
  • NetFilter
  • Network Protocols
  • OpenLDAP
  • Quagga
  • Samba
  • Unix Programming

  • This site contains many of my notes from research into different aspects of the Linux kernel as well as some of the software provided by GNU and others. Thouugh these notes are not fully comprehensive or even completetly accurate, they are part of my on-going attempt to better understand this complex field. And, they are your to use.

    Should you wish to report any errors or suggestions, please let me know.

    Should you wish to make a donation for anything you may have learned here, please direct that donation to the ASPCA, with my sincere thanks.

    Brett Lee
    Everything Penguin

    The code for this site, which is just a few CGI scripts, may be found on GitHub (https://github.com/userbrett/cgindex).

    For both data encryption and password protection, try Personal Data Security (https://www.trustpds.com).

    "We left all that stuff out. If there's an error, we have this routine called 'panic', and when its called, the machine crashes, and you holler down the hall, 'Hey, reboot it.'"

        - Dennis Ritchie on Unix (vs Multics)

    [ Powered by Red Hat Linux ] [ Powered by Apache Server] [ Powered by MySQL ]

    [ Statistics by AWStats ]