topic Re: SAR - System Activity Report - multi day information report in Firewall and Security Management

SAR - System Activity Report - multi day information report

Paul_Gademsky — Fri, 01 Jul 2022 23:29:34 GMT

I have been trying to find a good way to review the System Activity Reports (besides using the 'SmartConsole - Monitor function/graphs' and finally found a good solution after digging around the internet for a while.

The SAR data is stored in /var/log/sa/ directory.

There are two types of files contained there. The sa## file is the binary information and the sar## files are in human readable format.

By running the following command, you can get file 01 to 30 concatenated into a single file.

ls /var/log/sa/sa?? | xargs -i sar -A -f {} > /tmp/sar_$(uname -n).txt

Once you have this file (it's 50 to 100 mb) you can then go to this web site (https://sarchart.dotsuresh.com/) and drag the file across to it, and it will then parse it and provide the ability to dig into the graphs that are available.

Let me know if anyone else has a better solution.

Paul G, CCSM

Re: SAR - System Activity Report - multi day information report

G_W_Albrecht — Sun, 03 Jul 2022 08:45:55 GMT

sk112734: How to collect System Activity Report using the "sar" command

sk98348: Best Practices - Security Gateway Performance

Re: SAR - System Activity Report - multi day information report

Paul_Gademsky — Tue, 05 Jul 2022 15:48:20 GMT

@G_W_Albrecht

Thanks for the 2 sk's.

I still like the graphics part mentioned in the original post

I like this part the best from the SK

Analysis:

Look at the load in "User Space" - counter user
High CPU consumption in "User Space" can be caused by processes that perform heavy tasks (e.g., too much logging by fwd, reloading the configuration during policy installation, etc.)
Look at the load in "System (kernel) Space" - counter system
High CPU consumption in "System (kernel) Space" can be caused by heavy tasks (e.g., deep inspection of packets, enabling of all blades, enabling of all IPS protections in Prevent mode, etc.)
Look at the amount of "Idle" - counter idle
The more CPU is idle, the better the machine's performance is
Look at the amount of "I/O waiting" - counter iowait
High amount of "I/O waiting" is caused by heavy reading from/writing to hard disk (e.g., during policy installation, heavy logging, insufficient RAM, etc.)
Look at the counter steal - Percentage of time spent in involuntary wait by the virtual CPU or CPUs while the hypervisor was servicing another virtual processor.

Re: SAR - System Activity Report - multi day information report

Danny — Tue, 05 Jul 2022 18:21:03 GMT

I put this on my backlog: Create a SmartConsole extension to sar graphs in SmartConsole.

Re: SAR - System Activity Report - multi day information report

Paul_Gademsky — Tue, 05 Jul 2022 18:55:24 GMT

@Danny

That would be a nice feature to have available. Look forward to it when you get to it.

Thank you,

Paul G

Re: SAR - System Activity Report - multi day information report

G_W_Albrecht — Wed, 06 Jul 2022 07:29:06 GMT

SAR is a linux feature, not part of CP SW. What of all this information can not be found in cpview ?

Re: SAR - System Activity Report - multi day information report

Paul_Gademsky — Wed, 06 Jul 2022 18:01:33 GMT

@G_W_Albrecht

With enough digging into cpview it can probably be found.

The reason that I was looking for this capability was the result of health check reports with statements like:

CPU 30-Day Peak - WARNING
CPU 1 Peak Usage: 99
CPU 2 Peak Usage: 100
CPU 3 Peak Usage: 100
3 core(s) out of 4 went over 80% in the last month.
Please review the CPU usage on this device to see if a configuration change or hardware upgrade is needed.

I figured a graph of the CPUs was a faster way to identify where in the past 30 days this was occurring, and then dig into it from there.

Paul G. CCSM