Here you will get all Good tricks and tips how to monitor
Linux Server or how to manage Linux Server if its causing load, How to
find Spammer, how to check http and mysql processes.
General Commands :-
To check server load and which users are logged on the
server with IP address you can fire this command
w
w
To check for the server load and watch for process
top
top –d2
top –c d2
Memory status
free –m
To see all processes running on the server
ps –aufx
With above commands you can which process is causing load
on the server after that you can go with next steps.
If you see many processes of exim then you can check exim
in more detail. shows the total no of email in qmail
exim –bpc
Print a listing of the messages in the queue
exim -bp
Following command will show path to the script being
utilized to send mail
ps -C exim -fH eww
ps -C exim -fH eww | grep home
cd /var/spool/exim/input/
egrep "X-PHP-Script" * -R
Shows no of frozen emails
exim -bpr | grep frozen | wc -l
To remove FROZEN mails from the server
exim -bp | exiqgrep -i | xargs exim -Mrm
exiqgrep -z -i | xargs exim –Mrm
exiqgrep -z -i | xargs exim –Mrm
Check for spamming if anybody is using php script for
sending mail through home
tail -f /var/log/exim_mainlog | grep home
If anyone is spamming from /tmp
tail -f /var/log/exim_mainlog | grep /tmp
To display the IP and no of tries done bu the IP to send
mail but rejected by the server.
tail -3000 /var/log/exim_mainlog |grep ‘rejected RCPT’ |awk
‘{print$4}’|awk -F\[ '{print $2} '|awk -F\] ‘{print $1} ‘|sort | uniq -c | sort
-k 1 -nr | head -n 5
Shows the connections from a certain ip to the
SMTP server
netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f
1|sort|uniq -c|sort -nk 1
To shows the domain name and the no of emails sent
by that domain
exim -bp | exiqsumm | more
If spamming from outside domain then you can block
that domain or email id on the server
pico /etc/antivirus.exim
Add the following lines:
if $header_from: contains “name@domain.com”
then
seen finish
endif
then
seen finish
endif
Catching spammer
Check mail stats
exim -bp | exiqsumm | more
Following command will show you the maximum no of email
currently in the mail queue have from or to the email address in the mail queue
with exact figure.
exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v
“<>” | sort | uniq -c | sort -n
That will show you the maximum no of email currently in the
mail queue have for the domain or from the domain with number.
exim -bpr | grep “<*@*>” | awk ‘{print $4}’|grep -v
“<>” |awk -F “@” ‘{ print $2}’ | sort | uniq -c | sort -n
Check if any php script is causing the mass mailing with
cd /var/spool/exim/input
egrep “X-PHP-Script” * -R
egrep “X-PHP-Script” * -R
Just cat the ID that you get and you will be able to
check which script is here causing problem for you.
To Remove particular email account email
exim -bpr |grep “ragnarockradio.org”|awk {‘print $3′}|xargs
exim -Mrm
If Mysql causing the load so you can use following
commands to check it.
mysqladmin pr
mysqladmin -u root processlist
mysqladmin version
watch mysqladmin proc
mysqladmin -u root processlist
mysqladmin version
watch mysqladmin proc
If Apache causing the load so check using following
commands.
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq
-c | sort –n
netstat -an |grep :80 |wc –l
netstat -n | grep :80 | wc -l;uptime ; netstat -n | wc –l
netstat –tupl
pidof httpd
history | netstat
lsof -p pid
netstat -an |grep :80 |wc –l
netstat -n | grep :80 | wc -l;uptime ; netstat -n | wc –l
netstat –tupl
pidof httpd
history | netstat
lsof -p pid
If mysql is causing load so you can check it using
following commands.
mysqladmin -u root processlist
mysqladmin version
watch mysqladmin proc
mysqladmin -u root processlist
Other Useful Commands
To check ipd of php
pidof php
lsof -p pid
netstat -an |grep :80 |wc –l
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
netstat -na |grep :80 |sort
lsof -p pid
netstat -an |grep :80 |wc –l
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
netstat -na |grep :80 |sort
Use below mentioned command to get top memory consuming
processes
ps aux | head -1;ps aux –no-headers| sort -rn +3 | head
Use below command to get top cpu consuming processes
ps aux | head -1;ps aux –no-headers | sort -rn +2 |more
You can check if any backup is going on, run the
following commands
ps aux | grep pkg
ps aux | grep gzip
ps aux | grep backup
ps aux | grep gzip
ps aux | grep backup
We can trace the user responsible for high web server
resource usage by the following command
cat /etc/httpd/logs/access_log | grep mp3
cat /etc/httpd/logs/access_log | grep rar
cat /etc/httpd/logs/access_log | grep wav etc
cat /etc/httpd/logs/access_log | grep 408 can be used to check for DDOS attacks on the server.
cat /etc/httpd/logs/access_log | grep rar
cat /etc/httpd/logs/access_log | grep wav etc
cat /etc/httpd/logs/access_log | grep 408 can be used to check for DDOS attacks on the server.
cat /etc/httpd/logs/access_log | grep rar
16 Linux Server Monitoring Commands You Really Need To
Know..
Want to know what's really going on with your server? Then
you need to know these essential commands. Once you've mastered them, you'll be
well on your way to being an expert Linux system administrator.
Depending on the Linux distribution, you can run pull up much of the information that these shell commands can give you from a GUI program. SUSE Linux, for example, has an excellent, graphical configuration and management tool, YaST, and KDE's KDE System Guard is also excellent.
However, it's a Linux administrator truism that you should run a GUI on a server only when you absolutely must. That's because Linux GUIs take up system resources that could be better used elsewhere. So, while using a GUI program is fine for basic server health checkups, if you want to know what's really happening, turn off the GUI and use these tools from the Linux command shell.
This also means that you should only start a GUI on a server when it's required; don’t leave it running. For optimum performance, a Linux server should run at runlevel 3, which fully supports networking and multiple users but doesn't start the GUI when the machine boots. If you really need a graphical desktop, you can always get one by running startx from a shell prompt.
If your server starts by booting into a graphical desktop, you need to change this. To do so, head to a terminal window, su to the root user, and use your favorite editor on /etc/inittab.
Once there, find the initdefault line and change it from id:5:initdefault: toid:3:initdefault:
If there is no inittab file, create it, and add the id:3 line. Save and exit. The next time you boot into your server it will boot into runlevel 3. If you don't want to reboot after this change, you can also set your server's run level immediately with the command: init 3
Once your server is running at init 3, you can start using the following shell programs to see what's happening inside your server.
Depending on the Linux distribution, you can run pull up much of the information that these shell commands can give you from a GUI program. SUSE Linux, for example, has an excellent, graphical configuration and management tool, YaST, and KDE's KDE System Guard is also excellent.
However, it's a Linux administrator truism that you should run a GUI on a server only when you absolutely must. That's because Linux GUIs take up system resources that could be better used elsewhere. So, while using a GUI program is fine for basic server health checkups, if you want to know what's really happening, turn off the GUI and use these tools from the Linux command shell.
This also means that you should only start a GUI on a server when it's required; don’t leave it running. For optimum performance, a Linux server should run at runlevel 3, which fully supports networking and multiple users but doesn't start the GUI when the machine boots. If you really need a graphical desktop, you can always get one by running startx from a shell prompt.
If your server starts by booting into a graphical desktop, you need to change this. To do so, head to a terminal window, su to the root user, and use your favorite editor on /etc/inittab.
Once there, find the initdefault line and change it from id:5:initdefault: toid:3:initdefault:
If there is no inittab file, create it, and add the id:3 line. Save and exit. The next time you boot into your server it will boot into runlevel 3. If you don't want to reboot after this change, you can also set your server's run level immediately with the command: init 3
Once your server is running at init 3, you can start using the following shell programs to see what's happening inside your server.
iostat
The iostat command shows in detail what your storage
subsystem is up to. You usually useiostat to monitor how well your storage
sub-systems are working in general and to spot slow input/output problems
before your clients notice that the server is running slowly. Trust me, you
want to spot these problems before your users do!
meminfo and free
Meminfo gives you a detailed list of what's going on
in memory. Typically you access meminfo's data by using another program such
as cat or grep. For example,
cat /proc/meminfo
gives you the details of what's going on in your server’s memory at any given moment.
For a quick “just the facts” look at memory, you can use the free command. In short, free gives you the overview; meminfo gives you the details.
cat /proc/meminfo
gives you the details of what's going on in your server’s memory at any given moment.
For a quick “just the facts” look at memory, you can use the free command. In short, free gives you the overview; meminfo gives you the details.
mpstat
The mpstat command
reports on the activities of each of the available CPUs on a multi-processor
server. These days, thanks to multi-core processors, that’s almost all
servers. mpstat also reports on the average activities of all your
server's CPUs. It enables you to display overall CPU statistics per system or
per processor. This overview can alert you to possible application problems
before they get to the point of annoying users.
netstat
Netstat, like ps, is a Linux tool that administrators
use every day. It displays a lot of network related information, such as socket
usage, routing, interface, protocol, network statistics, and more. Some of the
most commonly used options are:
-a Show all socket information
-r Show routing information
-i Show network interface statistics
-s Show network protocol statistics
-r Show routing information
-i Show network interface statistics
-s Show network protocol statistics
nmon
Nmon, short for Nigel's Monitor, is a popular open-source tool to monitor Linux systems performance.
Nmon watches the performance information for several subsystems, such as
processor utilization, memory utilization, run queue information, disk I/O
statistics, network I/O statistics, paging activity, and process metrics. You
can then view nmon's real-time system measurements via
its curses “graphical” interface.
To run nmon, you start the tool from the shell. Once up, you select the subsystems to monitor by typing in its one-key commands. For example, to get CPU, memory, and disk statistics, you typec, m, and d. You can also use nmon with the -f flag to save performance statistics to a CSV file for later analysis.
For day to day server monitoring I find nmon to be the single most useful program in my Linux system management tool-kit.
To run nmon, you start the tool from the shell. Once up, you select the subsystems to monitor by typing in its one-key commands. For example, to get CPU, memory, and disk statistics, you typec, m, and d. You can also use nmon with the -f flag to save performance statistics to a CSV file for later analysis.
For day to day server monitoring I find nmon to be the single most useful program in my Linux system management tool-kit.
pmap
The pmap command
reports the amount of memory that your server's processes are using. You can
use this tool to determine which processes on the server are being allocated
memory and whether any of these processes are being piggy with RAM.
ps and pstree
The ps and pstree commands
are two of the Linux administrator’s best friends. They both provide a list of
all currently running processes. Ps tells you how much memory and
processor time the server’s programs are using. Pstree shows less
information, but highlights which processes are the children of other
processes. Armed with this information, you can spot out–of-control processes
and kill them off with Linux's “take no prisoners” kill command.
sar
The sar program
is a Swiss-army knife of a system monitoring tool. The sar command is
actually made up of three programs: sar, which displays the data,
and sa1 and sa2, which collect and store it. Once
installed, sar creates a detailed overview of CPU utilization, memory
paging, network I/O and transfer statistics, process creation activity,
and storage device activity. The big difference
between sar and nmon is that the former is better at
long-term system monitoring, while I find nmon to be better at giving
me a quick read on my server's status.
strace
strace is often thought of a programmer's debugging
tool, but it's more than that. It intercepts and records the system calls that
are called by a process. This makes it a useful diagnostic, instructional, and
debugging tool. For example, you can use strace to find out which
configuration file a program is actually using when it starts up.
Strace does have one flaw though. When it's checking out a specific process, that process' performance will fall through the floor. Thus, I only use strace when I already have a darned good reason to think that that program is causing trouble.
Strace does have one flaw though. When it's checking out a specific process, that process' performance will fall through the floor. Thus, I only use strace when I already have a darned good reason to think that that program is causing trouble.
tcpdump
Tcpdump is a simple, robust network monitoring
utility. Its basic protocol analyzing capability enables you to get a rough
view of what is happening on your network. To really dig into
what's going on with your network however, you'll want to use Wireshark.
top
The top command shows what's going on with your active
processes. By default, it displays the most CPU-intensive tasks running on the
server and updates the list every five seconds. You can sort the processes by
PID (Process ID); age, newest first; time, by cumulative time; and resident
memory usage and total time it's been using the CPU since startup. I find this
a fast and easy way to see if any process is starting to go out of control and
about to get into trouble.
uptime
Use uptime to
see how long the server has been running and how many users are logged on. It
also gives you an overview of the average server load. The optimal value of the
load is 1 or less, which means that each process has immediate access to the
CPU and there are no CPU cycles lost.
vmstat
For the most part, you use vmstat to
monitor what's going on with virtual memory. Linux constantly uses virtual
memory to get the best possible storage performance.
If your applications are taking up too much memory you get excessive page-outs — programs moving from RAM to your system's swap space, which is on the hard drive. Your server can reach a point where it's spending more time managing memory paging than running your applications, a condition called thrashing. When your computer is thrashing, its performance falls through the floor. Vmstat, which can display either average data or actual samples, can help you spot memory pig programs and processes before they bring your server to a crawl.
If your applications are taking up too much memory you get excessive page-outs — programs moving from RAM to your system's swap space, which is on the hard drive. Your server can reach a point where it's spending more time managing memory paging than running your applications, a condition called thrashing. When your computer is thrashing, its performance falls through the floor. Vmstat, which can display either average data or actual samples, can help you spot memory pig programs and processes before they bring your server to a crawl.
Wireshark
Wireshark,
formerly known as Ethereal (and still often referred to that way),
is tcpdump's big brother, though it is more sophisticated and with far
more advanced protocol analyzing and reporting. Wireshark has both a GUI
interface and a shell interface. If you do any serious network administration,
you must use ethereal. And, if you're using
Wireshark/ethereal, I highly recommend Chris Sander's Practical Packet Analysis, a great book on how to get the
most out of this useful program.
This has only been a 10,000 foot overview of some of Linux's most valuable system monitoring programs. Still, if you can master these programs you'll be well on your way to being a top Linux system administrator.
This has only been a 10,000 foot overview of some of Linux's most valuable system monitoring programs. Still, if you can master these programs you'll be well on your way to being a top Linux system administrator.
No comments:
Post a Comment