====== sar (system activity report) ======
**General Information**
sar is used for displaying collected activity counters of various OS stats, including CPU, memory, swap, and disk I/O.
**Checklist**
* Distro(s): Any
* Package: sar is a command provided by the "sysstat" package.
----
===== Installation and Configuration =====
1) Install sysstat (Red Hat or Debian)
yum install sysstat
or
apt-get install sysstat
2) Enable collection
vim /etc/default/sysstat
Change (Enabled="false") to (Enabled="true").
3) Modify Collection Interval (optional)
vim /etc/cron.d/sysstat
Look for a line like this to edit:
# Activity reports every 10 minutes everyday
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
4) Start the service
service sysstat start
5) Enable on boot (Red Hat or Debian)
chkconfig sysstat on
or
update-rc.d sysstat defaults
----
===== Usage =====
After sysstat has collected data for a while, you can start to view the information with sar.
==== Log location ====
Sar logs to either:
* /var/log/sysstat/
* /var/log/sa/
With each log file named after the day of the month it is.
Best by visual example:
ls -l /var/log/sysstat/
-rw-r--r-- 1 root root 116880 Dec 1 22:35 sa01
-rw-r--r-- 1 root root 105984 Dec 2 22:05 sa02
-rw-r--r-- 1 root root 66032 Dec 3 20:15 sa03
These files can be read by sar using the "-f
sar -u (displays for current day until that point)
sar -u 1 5 (display real time CPU every 1 second, 5 times)
sar -u -f /var/log/sysstat/sa01 (display CPU usage on the 1st day of the month)
Linux 3.13.0-39-generic (dt-bill) 12/03/2014 _x86_64_ (4 CPU)
05:22:31 PM LINUX RESTART
05:25:01 PM CPU %user %nice %system %iowait %steal %idle
05:35:01 PM all 3.70 0.09 0.50 0.56 0.00 95.15
05:45:01 PM all 4.26 0.25 0.62 0.23 0.00 94.64
Columns:
* CPU => Which CPU the rest of the columns are about. (Default is all)
* %user => % spent running user level (applications) processes.
* %nice => % spent running user level (applications) with nice priority.
* %system => % spent running at system level. (kernel)
* %iowait => % that CPU(s) were idle while the system was waiting on disk I/O request(s).
* %steal => % spent involutarily waiting by virtual CPU(s) while the hypervisor was servicing another virtual processor.
* %idle => % that CPU(s) were idle and system was not waiting on disk I/O request(s).
----
==== Memory (RAM) Stats ====
sar -r (display todays memory stats)
sar -r 2 10 (display real time memory stats every 2 seconds, 10 times)
sar -r
Linux 3.13.0-39-generic (dt-bill) 12/03/2014 _x86_64_ (4 CPU)
05:25:01 PM kbmemfree kbmemused %memused kbbuffers kbcached kbcommit %commit kbactive kbinact kbdirty
05:35:01 PM 6514076 1661656 20.32 94056 657736 2300940 13.89 1008760 455492 580
Columns (probably the only ones you care about):
* kbmemfree => memory free in kilobytes
* kbmemused => memory used in kilobytes
* %memused => % memory used
----
==== Swap Stats ====
sar -S (todays swap usage)
sar -S
Linux 3.13.0-39-generic (dt-bill) 12/03/2014 _x86_64_ (4 CPU)
05:25:01 PM kbswpfree kbswpused %swpused kbswpcad %swpcad
05:35:01 PM 8388604 0 0.00 0 0.00
Columns:
* kbswpfree => Free swap space in kilobytes
* kbswpused => Used swap space in kilobytes
* %swpused => % used swap space
* kbswpcad => Cached swap in kilobytes. This is memory that once was swapped out, is swapped back in but still also is in the swap area (if memory is needed it doesn't need to be swapped out again because it is already in the swap area. This saves disk I/O)
* **Explanation**: If the kernel needs more space in memory(RAM), it moves aging processes to slower disk swap space.(swap out of memory) If those processes are needed again, they are moved back to RAM (swapped in). The copies are NOT deleted from disk swap space; there is no need to waste disk I/O on doing this unless something else needs the disk swap space.
----
==== Disk I/O ====
sar -b (todays disk I/O and transfer rates)
sar -b
Linux 3.13.0-39-generic (dt-bill) 12/03/2014 _x86_64_ (4 CPU)
05:25:01 PM tps rtps wtps bread/s bwrtn/s
05:35:01 PM 26.47 23.27 3.20 765.51 464.86
Columns:
* tps => transfers per second (both disk reads and writes)
* rtps => read requests per second
* wtps => write requests per second
* bread/s => blocks read per second (block = sector = 512 bytes)
* bwrtn/s => blocks written per second (block = sector = 512 bytes)
----
==== Network Stats ====
sar -n TYPE (todays network statistics)
TYPE can be:
* DEV => devices vital stats (eth0, eth1, etc)
* EDEV => device failure stats
* NFS => NFS client activity
* NFSD => NFS server activity
* IP => IPv4 network traffic
* TCP => TCPv4 network traffic
* UDP => UDPv4 network traffic
* ALL => All of the above (and more). Warning: this will be very long.
Example (device stats for just eth1 from 5pm to 6pm today)
sar -n DEV -s 17:00:00 -e 18:00:00 | grep eth1
05:25:01 PM IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s %ifutil
05:35:01 PM eth1 13.77 11.45 12.31 1.37 0.00 0.00 0.05 0.01
05:45:01 PM eth1 23.35 17.53 27.06 2.09 0.00 0.00 0.04 0.02
05:55:01 PM eth1 50.00 35.92 63.80 3.92 0.00 0.00 0.04 0.05
Average: eth1 29.04 21.64 34.39 2.46 0.00 0.00 0.04 0.03
----
==== Start and End ====
Report only specfic time periods
CPU stats for today, from 6pm to 6:30pm
sar -u -s 18:00:00 -e 18:30:00
Memory stats 1pm to 3pm, from the 1st day of the month
sar -r -s 13:00:00 -e 15:00:00 -f /var/log/sysstat/sa01