What is sar

Sar is a command line utility installed by default on the CentOS servers. It is used to collect, report of save system activity. It is most in tracking down the cause of disk I/O. Sar uses a series of files in /var/log/sa/ to keep track of its data.

Sar History

To see a list of the previous month's

ll /var/log/sa/

This should provide you with a list that looks like the following.

-rw-r--r--  1 root root 484640 Aug  1 15:51 sa01
-rw-r--r--  1 root root 484176 Aug  2 23:50 sa02
-rw-r--r--  1 root root 228576 Aug  3 11:00 sa03
-rw-r--r--  1 root root 490992 Jul 26 23:50 sa26
-rw-r--r--  1 root root 490992 Jul 27 23:50 sa27
-rw-r--r--  1 root root 490992 Jul 28 23:50 sa28
-rw-r--r--  1 root root 481232 Jul 29 23:50 sa29
-rw-r--r--  1 root root 490992 Jul 30 23:50 sa30
-rw-r--r--  1 root root 485104 Jul 31 15:37 sa31
-rw-r--r--  1 root root 491873 Aug  1 23:53 sar01
-rw-r--r--  1 root root 491907 Aug  2 23:53 sar02
-rw-r--r--  1 root root 498737 Jul 25 23:53 sar25
-rw-r--r--  1 root root 498737 Jul 26 23:53 sar26
-rw-r--r--  1 root root 498737 Jul 27 23:53 sar27
-rw-r--r--  1 root root 498737 Jul 28 23:53 sar28
-rw-r--r--  1 root root 489709 Jul 29 23:53 sar29
-rw-r--r--  1 root root 498737 Jul 30 23:53 sar30
-rw-r--r--  1 root root 493163 Jul 31 23:53 sar31

Using sar

Without any flags, the sar command will show you breakdowns of CPU usage. This is similar to output given by the iostat command. Output will look something like this:

Template:Psar

12:30:01 PM       CPU     %user     %nice   %system   %iowait    %steal     %idle
12:40:01 PM       all      0.13      0.01      0.08      0.02      0.00     99.76
12:50:01 PM       all      0.13      0.02      0.07      0.02      0.00     99.76
01:00:01 PM       all      0.12      0.01      0.08      0.03      0.00     99.77
01:10:01 PM       all      0.22      0.01      0.09      0.05      0.00     99.63
Average:          all      0.15      0.01      0.08      0.03      0.00     99.73

Sar by itself is useful for tracking down CPU usage problems.

For memory related problems, run sar with the -r flag. -r show historical memory and swap usage, both in percentages and kilobytes. Output will look something like this.

Template:Psar -r

12:30:01 PM kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
12:40:01 PM     70076   1687976     96.01    191540    984628   1959852        68      0.00         0
12:50:01 PM     69432   1688620     96.05    191540    984648   1959852        68      0.00         0
01:00:01 PM     69984   1688068     96.02    191548    984672   1959852        68      0.00         0
01:10:01 PM     67744   1690308     96.15    191564    985536   1959852        68      0.00         0
Average:        69309   1688743     96.06    191548    984871   1959852        68      0.00         0

Sar with the -W flag shows actual change in swapfile usage. Output looks like this following

Template:Psar -W
12:30:01 PM  pswpin/s pswpout/s
12:40:01 PM      0.00      0.00
12:50:01 PM      0.00      0.00
01:00:01 PM      0.00      0.00
01:10:01 PM      0.00      0.00
01:20:01 PM      0.00      0.00
Average:         0.00      0.00

The -s and -e flags can be used to specify start and end points with the sar output. Both are follow the format of HH:MM:SS.

Template:Psar -s 09:00:00 -e 10:30:00

09:00:01 AM       CPU     %user     %nice   %system   %iowait    %steal     %idle
09:10:01 AM       all      0.22      0.01      0.09      0.06      0.00     99.62
09:20:01 AM       all      0.13      0.01      0.07      0.06      0.00     99.73
09:30:01 AM       all      0.12      0.01      0.07      0.02      0.00     99.76
09:40:01 AM       all      0.13      0.01      0.07      0.03      0.00     99.76
09:50:01 AM       all      0.13      0.01      0.07      0.02      0.00     99.77
10:00:01 AM       all      0.13      0.01      0.07      0.05      0.00     99.73
10:10:01 AM       all      0.23      0.01      0.09      0.04      0.00     99.63
10:20:01 AM       all      0.13      0.02      0.08      0.03      0.00     99.75
Average:          all      0.15      0.01      0.08      0.04      0.00     99.72

There are more flags available to sar, and it is recommended that you search through the man page for more options.

Checking the log of a different day

Looking at the current day's files are helpful, but more often than not, you'll have to go through the older logs. You can do this with the -f flag.

Template:P sar -f /var/log/sa/sa01

Linux 2.6.18-164.11.1.el5 (training.p-hawk.com) 	08/01/2010

12:00:01 AM       CPU     %user     %nice   %system   %iowait    %steal     %idle
12:10:01 AM       all      0.24      0.01      0.09      0.54      0.00     99.11
12:20:01 AM       all      0.14      0.01      0.08      0.21      0.00     99.57
12:30:01 AM       all      0.13      0.01      0.07      0.03      0.00     99.76
12:40:01 AM       all      0.14      0.01      0.07      0.07      0.00     99.71
12:50:01 AM       all      0.13      0.02      0.09      0.03      0.00     99.74
01:00:01 AM       all      0.13      0.01      0.08      0.40      0.00     99.39
01:10:01 AM       all      0.22      0.01      0.09      0.11      0.00     99.57
01:20:01 AM       all      0.12      0.01      0.08      0.05      0.00     99.74
01:30:01 AM       all      0.12      0.01      0.07      0.02      0.00     99.79
01:40:01 AM       all      0.12      0.02      0.08      0.03      0.00     99.76
01:50:01 AM       all      1.35      0.01      0.20      0.13      0.00     98.31
02:00:01 AM       all      0.14      0.01      0.08      0.05      0.00     99.73
02:10:01 AM       all      0.23      0.01      0.09      0.04      0.00     99.64

The -f can be combined with other sar flags, to get you the information you require.

Template:Psar -f /var/log/sa/sa01 -W

Linux 2.6.18-164.11.1.el5 (training.p-hawk.com) 	08/01/2010

12:00:01 AM  pswpin/s pswpout/s
12:10:01 AM      0.00      0.00
12:20:01 AM      0.00      0.00
12:30:01 AM      0.00      0.00
12:40:01 AM      0.00      0.00
12:50:01 AM      0.00      0.00
01:00:01 AM      0.00      0.00
01:10:01 AM      0.00      0.00
01:20:01 AM      0.00      0.00
01:30:01 AM      0.00      0.00
01:40:01 AM      0.00      0.00
01:50:01 AM      0.00      0.00

Adjusting Sar

You can also adjust the frequency that sysstat collects data at. All you have to do is modify the time on the cron.

cat /etc/cron.d/sysstat
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib/sa/sa1 1 1

Change the */10 to however many minutes you want it to run and then restart crond.

/etc/init.d/crond restart

Please remember to revert your changes after you have aquired the information that you needed.

Troubleshooting

Sar is a pretty straight forward command, but every once in a while you will notice that sar is no longer updating. You may see something like the following

Template:Pll /var/log/sa

total 2932
drwxr-xr-x   2 root root   4096 Aug  3 11:36 ./
drwxr-xr-x  10 root root   4096 Dec 13  2009 ../
-rw-r--r--   1 root root 143088 Dec  8  2009 sa08
-rw-r--r--   1 root root 143088 Dec  9  2009 sa09
-rw-r--r--   1 root root 143088 Dec 10  2009 sa10
-rw-r--r--   1 root root 143088 Dec 11  2009 sa11
-rw-r--r--   1 root root 143088 Dec 12  2009 sa12
-rw-r--r--   1 root root 143088 Dec 13  2009 sa13
-rw-r--r--   1 root root 143088 Dec 14  2009 sa14
-rw-r--r--   1 root root 143088 Dec 15  2009 sa15
-rw-r--r--   1 root root 134160 Dec 16  2009 sa16
-rw-r--r--   1 root root 202085 Dec  8  2009 sar08
-rw-r--r--   1 root root 202085 Dec  9  2009 sar09
-rw-r--r--   1 root root 202085 Dec 10  2009 sar10
-rw-r--r--   1 root root 202085 Dec 11  2009 sar11
-rw-r--r--   1 root root 202085 Dec 12  2009 sar12
-rw-r--r--   1 root root 202085 Dec 13  2009 sar13
-rw-r--r--   1 root root 202085 Dec 14  2009 sar14
-rw-r--r--   1 root root 202085 Dec 15  2009 sar15

The dates on those are old, so you'll want to restart sysstat using the following method:

rm /var/lock/subsys/sysstat
/etc/init.d/sysstat restart

This will force sysstat to restart and in turn force sar updates