
Maintenance Commands portstat(1M)

Ih WebHosting Last change: 20060614 portstat v.3.35.86


NAME
portstat - monitoring of established TCP/IP connections on defined ports, with the possibility to
collect additional information (such as the number of processes, ...) and support for executing
predefined tasks depending on the value range reached.

Current Version
The current version of portstat is 3.35.86 (run portstat -v to display it along with the usage)

SYNOPSIS
portstat [-f table] [interval] [count] [header_interval] [keyword1 keyword2 ..]

DESCRIPTION
The scripting tool portstat is designed to monitor established connections on specific TCP/IP
ports defined in a table. It was also designed to consolidate this information with the count of
processes which match a predefined pattern.

In addition to these two types of monitoring, the table also accepts the definition of
alarms, which will be launched, if necessary, according to a given threshold, with execution of the
associated action(s).

The table used is named portstat.tab by default. It is possible to declare another file name on
the command line, and to run different tables depending on the need (table 1 every 5
minutes and another one (table 2) every 20 seconds between two 5-minute executions because an
alarm was reached).

The display follows the same logic as classical monitoring tools (vmstat, iostat, ..): one line
per measurement, with the various items of information displayed in the corresponding number of
columns. The width of the columns can be set, either in the table or on the command
line.

By default only one measurement is taken. As with the other monitoring tools mentioned, it is
possible to specify on the command line the number of measurements to be carried out, as well
as the interval between two consecutive measurements.

OPTIONS

The following options are supported:

-v
Display the version of the scripting tool and its usage.

-f <table>
Specify the table to use. By default, the file used is portstat.tab.
The tables must be located in the same directory as the portstat command.



OPERANDS

The following operands are supported:

<interval>
Interval between two measurements, if the number of measurements is different from 1.

<count>
Number of measurements taken (default=1).

<header_interval>
Repetition rate of the column headings. By default the header is repeated every 20
measurements, so that it always remains visible in the display window. A value of 0 limits the
display to the initial header only (no repetition).


KEYWORDS


List of authorized keywords.


Header display Keywords
nodisplay
The monitoring information is not displayed (neither statistics nor headers). In this mode only
the messages produced for that purpose by the pre-programmed tasks on release of alarms are
written to the screen. This avoids useless scrolling of the screen and gives a 'passive'
monitoring limited exclusively to the 'real' alarm messages.

noheader
The header is not displayed.

fullheader
The header is displayed in a more complete form, namely with a reminder of the local & remote
monitored ports in addition to the column headings.

Display format Keywords
adjust
The columns are displayed by adapting their width to the width of the headings
themselves, in order to make the best possible use of the screen (variable column
width). By default, if nothing is specified in the table, the column width is fixed at 6
characters.

Notice: for safety reasons, a minimal width of 3 characters is applied, in order to ensure
a correct display for connection measurement values going up to (usually sufficient
value). This is true even if the column heading adopts the minimal width which can be
assigned to it, namely 2 characters. This feature is effective since version 3.24.84.
adjust:<value>
The column width is forced to the value passed as argument. By default, if nothing
is specified in the table, the column width is 6 characters. For information, it is possible to
display up to 15 columns on an 80-character-wide screen by using the value 3. If a column
label has more characters than specified with the keyword
adjust, it will be truncated on display, but the processing done by portstat
will not be affected. The minimal accepted value is 2 characters.

Notice: for historical reasons, the form "adjust=" remains accepted under UNIX. It is rigorously
prohibited under Windows, for reasons of incompatibility in the parsing of the variables.

Execution mode Keywords
exec
Activate the execution mode. By default, no pre-programmed command of the table is
executed without this explicit declaration on the command line, which makes it
possible to launch portstat without the risk of executing undesired actions.

fullexec
Activate the forced mode. By default, the execution mode is inoperative, for safety, in certain
contexts:

- debug mode active (see the associated keywords)
- portstat executed for one measurement (no 'count' parameter).
- portstat executed for several measurements ('count' parameter defined), but with too short an
interval between measurements ('interval' parameter given, but with a value lower than or
equal to 900 seconds, i.e. 15 minutes).

In these particular configurations, if execution of the commands is nevertheless really wanted,
the alternative 'fullexec' must be used in place of the traditional keyword 'exec'.


Debug mode keywords
lowdebug
Activate 'light' debug mode.
This keyword makes it possible to obtain, in addition to the measurement information itself,
a number of tables and lists relating to the alerts reached or tasks executed, allowing a debug
session of the monitoring.
debug
Activate debug mode.
In addition to the information provided via the keyword 'lowdebug', other tables and lists
are displayed, allowing a more thorough debug.
fulldebug
Activate full debug mode.
In addition to the information provided via the keyword 'debug', the detail of all the cases
encountered is displayed (processing of the output of the netstat command
called during the treatment), as well as the list of the processes active when the
portstat session was launched.

Other Keywords
noptim (v.3.24.78 and later)
Disable the execution optimization of process monitoring based on the command ps -ef,
which is activated by default (see the specific section at the end of the manual).
noflag (v.3.25.80 and later)
Disable the use of the action status flag normally displayed by default.
color (v.3.2.83 and later)
Activate colour mode, for a colorized display of supervised values and/or values in alarm.
csv:<file> (v.3.34.84 and later)
Activate the generation of a trace in csv format, for use with software such as a
spreadsheet, etc. The field separator is ';' by default. The complete name of the file
must be given as argument (without spaces).

Sample: csv:/tmp/portstat.csv
csvsep:<separator> (v.3.34.84 and later)
Modify the field separator used for the csv trace (default=';'). The separator must appear in
the following list:
& - # @ + _ = . , ; : and space

Sample: csvsep:''

FORMAT OF CONFIGURATION TABLE

A configuration table must be given in order to use portstat.

The default table is portstat.tab. It is possible to specify the name of the table of one's choice
when launching the tool.

This makes it possible to predefine several types of tables, each one giving its own
view of the connections in progress (table used for monitoring via the crontab, table used for
direct monitoring, tables displaying the detail of certain types of connections for
deeper analysis, etc.).

The format is as follows (blank lines and lines preceded by a sharp (#) are ignored).

3 types of lines are supported:

- lines for monitoring of connections (type 'port')
- lines for monitoring of a number of active processes (type 'proc')
- lines for preconfiguration of commands to launch when a threshold is reached (type 'task')

Each line comprises a number of variable fields, whose detail depends on its type. The field
separator is ';'.



First case - Port Type (port monitoring)

#Case: One Port
# Type;text;localIP;localPort;remoteIP;remotePort;columnwidth;taskifmin;minvalue;taskifbet;maxvalue;taskifmax;equalvalue;taskifequal;notequalvalue;taskifnotequal;

Only the fields 'type', 'text' and at least one of the fields 'localIP', 'localPort', 'remoteIP' or
'remotePort' are required.

(In the description below, the value in brackets is the corresponding 'short cut'
pattern defined further on in the documentation)


field01: type (in this case 'port')
field02: text (the column label)

field03: localIP=local IP address to be monitored (if necessary)
field04: localPort=local port to be monitored (if necessary)

field05: remoteIP=remote IP address to be monitored (if necessary)
field06: remotePort=remote port to be monitored (if necessary)

field07: columnwidth=display column width (optional - default=6 characters,
minimum=2).

field08: taskifmin=name of the task to be carried out if the number of connections
observed is lower than the minimum threshold indicated (minvalue).
(short cut value='ifI')

field09: minvalue=threshold value 'minimum'
(short cut value='i')

field10: taskifbet=name of the task to be carried out if the number of connections
observed is greater than or equal to the minimum threshold indicated (minvalue), and
lower than the maximum threshold (maxvalue).
(short cut value='ifB')

field11: maxvalue=threshold value 'maximum'
(short cut value='s')
field12: taskifmax=name of the task to be carried out if the number of connections
observed is greater than or equal to the maximum threshold indicated (maxvalue).
(short cut value='ifS')

field13: equalvalue=threshold value 'equal'.
(short cut value='e')
field14: taskifequal=name of the task to be carried out if the number of connections
observed is equal to the 'equal' threshold indicated (equalvalue).
(short cut value='ifE')

field15: notequalvalue=threshold value 'not equal'
(short cut value='d')
field16: taskifnotequal=name of the task to be carried out if the number of
connections observed is different from the 'not equal' threshold indicated
(notequalvalue).
(short cut value='ifD')



# sample: number of HTTP connections on the local port 80, with release of an alarm if the
number of connections observed is equal to or greater than 70. In this case the executed task will
be named 'httpsup70' (see the corresponding entry of type 'task' for the detail of this one).

port;http;;80;;;;;;;70;httpsup70;

Notice: it is possible to specify in a field several tasks to be carried out by separating those by a
comma (version 3.2.80 and following)


Notice on the naming of column in the case of the port monitoring

The port monitoring supports cumulated monitoring of several ports, with the result displayed
in a single column. One then speaks of a reference case: if several port monitoring entries
are declared in the table using the same label, the first declared entry is known as the
'reference', and the actual values of the following ones are cumulated in this first column.

For example, the following declarations:
port;http;;80 ;;;
port;http;;8080 ;;;
port;http;;81 ;;;
cumulate all the connections observed on the local ports 80, 8080 and 81 in
a single column labelled 'http'.

By extension, it is possible to reuse the same port monitoring elements in several forms.

Thus the following form, seemingly a little more complex:
port;http;;80 ;;;
port;http;;8080 ;;;
port;http;;81 ;;;
port;http80;;80 ;;;
port;http8080;;8080 ;;;
port;http81;;81 ;;;
displays the same cumulated information on HTTP connections of 'all types combined'
in the column 'http', and also breaks it down into columns dedicated to each
port: column 'http80' for connections on the local port 80, 'http8080' for those on the local
port 8080, etc.

Last point: the default column width is 6 characters. It is therefore
wise to choose labels based on this maximum size. Otherwise
(name longer than 6 characters), the label is truncated on display; however, any
grouping of information in a single column is always based on the complete name of
the column, and will thus be carried out correctly. It is possible to force the displayed
column width to a value other than 6 characters via the corresponding field of the table
entry, or by using the keyword 'adjust' (see the detail of the keywords above).

Second case - Type proc (process monitoring)

# PROCESS CASE
# Type;text;command;columnwidth;taskifmin;minvalue;taskifbet;maxvalue;taskifmax;equalvalue;taskifequal;notequalvalue;taskifnotequal;

Only the fields 'type', 'text' and 'command' are necessary.
(In the description below, the value in brackets is the corresponding 'short cut'
pattern defined further on in the documentation)

field01: type (in this case 'proc')
field02: text (the column label)

field03: command (syntax of the command to execute)

field04: columnwidth=display column width (optional - default=6 characters,
minimum=2).

field05: taskifmin=name of the task to execute if the number of connections observed is
lower than the minimum threshold indicated (minvalue).
(short cut value='ifI')
field06: minvalue=threshold value 'minimum'
(short cut value='i')

field07: taskifbet=name of the task to execute if the number of connections observed is
greater than or equal to the minimum threshold indicated (minvalue), and lower than the
maximum threshold indicated (maxvalue).
(short cut value='ifB')

field08: maxvalue=threshold value 'maximum'
(short cut value='s')
field09: taskifmax=name of the task to execute if the number of connections observed is
greater than or equal to the maximum threshold indicated (maxvalue).
(short cut value='ifS')

field10: equalvalue=threshold value 'equal'.
(short cut value='e')
field11: taskifequal=name of the task to execute if the number of connections observed is
equal to the 'equal' threshold indicated (equalvalue).
(short cut value='ifE')

field12: notequalvalue=threshold value 'not equal'
(short cut value='d')
field13: taskifnotequal=name of the task to execute if the number of connections observed is
different from the 'not equal' threshold indicated (notequalvalue).
(short cut value='ifD')

# example: number of apache processes monitored (a display column width of
5 characters was chosen here, rather than the default 6).
# proc;HTTPD;ps -ef | grep [h]ttpd | grep -v root | wc -l ;5 ;

Notice: it is possible to specify in a field several tasks to be carried out by separating those by a
comma (version 3.26.80 and following)


Notice on the naming of column in the case of the monitoring of process.

Contrary to the case of port monitoring, the reuse of the same column label is
possible in process monitoring. That said, it is not advised, for the legibility of the
output.


Third case - Type task (declaration of a pre-programmed
task)

# TASK CASE OF PREPROGRAMMED TASK
#type;text;task;action

field1 : type (in this case 'task')
field2 : text (name of task)
field3 : task (syntax of the command to execute when the alert is reached)
field4 : actionkeyword (keyword to specify how to treat this task)


#sample: launching of a task when an alarm is reached, comprising the writing of a message in the logs and
the sending of a mail (note: the syntax of the mail sending command is to be adapted
to the operating system involved). Here the task is named 'httpsup70'.

#task;httpsup70;echo "$1:$6" >> /var/log/portstat_alerts.log && ( echo "$1:$6\n\n\nFor your information, the last 10 alerts:\n" && tail /var/log/portstat_alerts.log) | mailx -r TOTALws04@total.com -s "[portstat ws04] nb.connex. $2 : $3 $4 $5" my_mail@fr.ibm.com


Notice preliminary on the pre-programmed tasks

The last 10 fields of entries of type 'port' or 'proc' are reserved for configuring
the execution of tasks on release of alarms. Note that it is
thus possible to configure up to 5 different alarms per monitored port/process, according to whether the
actual value is lower than, greater than or between the defined minimum/maximum thresholds, or
equal to and/or different from a reference value predefined in the table.


Principle of operation of the pre-programmed tasks

To activate a pre-programmed task, the following conditions must be met:

- the 'execute' mode is explicitly indicated on the command line (see the
keywords 'exec' and 'fullexec' described above).

By default, no task is launched, for reasons of safety and flexibility in the use of the
command: it is thus possible to call portstat without first having to ask
whether or not the system administrator has configured tasks. The default use
of the command is thus specifically monitoring, unless expressly needed otherwise.

- a 'release' threshold / 'pre-programmed task' pair has been defined in the configuration
table.

This point is very important: it is possible to define generic entries of type
'task' in the table in advance, without them being executed. For an entry corresponding to a
pre-programmed task to be effective, its name must appear as a task name in at least one
entry of type 'port' or 'proc', as the command to launch when a threshold is reached or
exceeded. The same task can be called by several entries: the list of
entries of type 'task' declared in the table is to be understood as a reference list
of the tasks likely to be used. This list can thus very well be designed as an
exhaustive generic list common to several platforms.

In the example above, when the portstat command is called with the keyword 'exec' or
'fullexec' (and only in these cases), the task 'httpsup70' declared as an entry of type 'task' will
be executed each time the number of connections on port 80 is greater than 70, the threshold
value indicated in the entry of type 'port' corresponding to this monitoring. The name
'httpsup70' is the element which establishes the correspondence between the monitoring
elements (here of type port) and the list of possible tasks. This operating mode is identical
whether the monitoring is of type 'port' or of type 'proc' (process monitoring).

Notice: this requirement of a match between a task name declared in an entry of type
'task' (list of possible tasks) and the name indicated in one of the 5 corresponding fields as the
command to call when a threshold is reached consequently makes it
possible to predefine alarms which will be effective only when the task appears
in the list. As a side effect, this makes the development of entries of the
port/proc type easier: it is possible to put arbitrary values in the fields so as to better control the
format of the line... as long as the names used are missing from the list of entries of type
'task'.

This principle is exploited in the creation of reserved entries that make it easy to predefine
new entries of the configuration table.


Entry reserved inactive and pattern type for configuration table

Following on from this, and in order to facilitate the formatting of alarms in the configuration
table, it is possible to pre-fill the 'alert' part of the proc/port
definitions of the table by using the following strings, which cover the 9 associated fields
as mnemonics that are easier to modify according to need:
ifI ;i ;ifB ;s ;ifS ;e ;ifE ;d ;ifD
This form can be used as is as the default pattern for the definition of the fields related
to alarms, the values ifI, ifB, ifS, ifE and ifD having been neutralized for the occasion
and therefore being unusable as names of real tasks.

The two resulting 'type' models are:

Case 'proc'
proc;text;command;6;ifI;i;ifB;s;ifS;e;ifE;d;ifD;
Case 'port'
port;text;localIP;localPort;remoteIP;remotePort;6;ifI;i;ifB;s;ifS;e;ifE;d;ifD;

with:
ifI = task if actual value < minimum threshold 'i' (case 'less if')
i = minimum threshold
ifB = task if actual value < maximum threshold 's' and >= minimum threshold 'i'
(case 'if between of')
s = maximum threshold
ifS = task if actual value >= maximum threshold 's' (case 'if greater')
e = value of reference for the equality
ifE = task if actual value = reference value 'e' (case 'if equal')
d = value of reference for the difference
ifD = task if actual value =/= value of reference 'e' (case 'if different')



Valid sample line:
port;text;localIP;localPort;remoteIP;remotePort;6;ifI;i;ifB;70;tomsup70;e;ifE;d;ifD;

(here 'i' specifies the 'less' case: 'i' is the 'minimum' alarm threshold value, and 'ifI' the
name of the disabled pseudo-task. 's' relates to the 'greater' case, 'e' to the equality case, 'd' to
the different (not equal) case. It is only a study sample. Only the task 'tomsup70' is really
configured, for the 'maximum' threshold alarm, executed if the actual value is greater than or
equal to 70 connections).

Notice: for obvious reasons, it is advised to comment out in the table all the tasks that are not activated.
This improves legibility and safety, and also performance,
by reducing the processing.
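
The matching rule above (a task can run only if a 'port' or 'proc' entry names it and a 'task' entry declares it) lends itself to a quick audit of a table before it is run with 'exec' or 'fullexec'. The following is an added example, not part of portstat: the function name audit_table, the output keywords ACTIVE and BADRANGE and the sample table are constructed here, and the field positions are taken from the 'port' and 'proc' layouts described in this manual.

```shell
#!/bin/sh
# Added example, not part of portstat: list the alarm tasks of a table that
# would really run under 'exec'/'fullexec', and flag inverted thresholds.

# Constructed sample table (labels, thresholds and task names are made up).
sample_table() {
cat <<'EOF'
# constructed sample
port;http;;80;;;6;ifI;50;httpsoft;70;httpsup70,mailops;e;ifE;d;ifD;
port;ssh;;22;;;6;ifI;i;ifB;10;sshsup10;e;ifE;d;ifD;
proc;HTTPD;ps -ef | grep [h]ttpd | grep -v root | wc -l;5;httpdown;1;ifB;s;ifS;e;ifE;d;ifD;
proc;ora;ps -ef | grep [o]racle | wc -l;6;ifI;40;orasoft;20;orahard;e;ifE;d;ifD;
task;httpsup70;echo "$1 $8" >> /tmp/portstat_alerts.log;
task;httpsoft;echo "$1 $8" >> /tmp/portstat_alerts.log;
task;httpdown;echo "$1 $8" >> /tmp/portstat_alerts.log;once
task;orahard;echo "$1 $8" >> /tmp/portstat_alerts.log;
EOF
}

# audit_table [file]: reads a table from the file or from standard input.
audit_table() {
    awk -F';' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }

    /^[ \t]*#/ { next }              # commented lines are ignored
    /^[ \t]*$/ { next }              # blank lines are ignored
    { type = trim($1) }

    # Every task entry is only a candidate: remember its name.
    type == "task" { declared[trim($2)] = 1; next }

    type == "port" || type == "proc" {
        n++
        kind[n] = type
        label[n] = trim($2)
        w = (type == "port") ? 7 : 4   # position of the columnwidth field
        minv[n] = trim($(w + 2))
        maxv[n] = trim($(w + 4))
        # taskifmin, taskifbet, taskifmax, taskifequal, taskifnotequal;
        # each field may itself hold several comma-separated task names.
        refs[n] = $(w + 1) "," $(w + 3) "," $(w + 5) "," $(w + 7) "," $(w + 9)
    }

    END {
        # Task entries may follow the port/proc entries, so resolve at the end.
        for (i = 1; i <= n; i++) {
            m = split(refs[i], names, ",")
            for (j = 1; j <= m; j++) {
                t = trim(names[j])
                if (t != "" && (t in declared))
                    print "ACTIVE " kind[i] " " label[i] " " t
            }
            if (minv[i] ~ /^[0-9]+$/ && maxv[i] ~ /^[0-9]+$/ && maxv[i] + 0 <= minv[i] + 0)
                print "BADRANGE " kind[i] " " label[i] " min=" minv[i] " max=" maxv[i]
        }
    }' "$@"
}

sample_table | audit_table
```

Names such as 'sshsup10', 'mailops' or the placeholders ifI..ifD are not reported because no 'task' entry declares them; every ACTIVE line is a command that the account running portstat will execute once its threshold is reached.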


Complement on the launching of the pre-programmed tasks: the passage
of arguments

Execution of tasks is always performed in a ksh context: all ksh functionalities are available to
compose a task.

To facilitate downstream processing in the tasks called when alarms on the monitored
parameters are released, the invocation is made with a
certain number of arguments, which can thus be used directly in scripts, etc.

These arguments are:

argument1 : date (format YYYYMMDDHH:MM:SS)
argument2 : the column name
argument3 : the actual value (a number of connections or processes, according to the case)
argument4 : the operator of the alarm test (inf, sup, between, equal or not_equal)
argument5 : the reference value or 'threshold' value
('minimal' value in the case of a task of type TASKIFBET)
argument6 : the keyword 'and' (only in the case of a task of type TASKIFBET)
argument7 : the 'maximum' reference value
(only in the case of a task of type TASKIFBET)
argument8 : pre-formatted string clearly indicating the nature of the alarm:

sample (here 'oracle' is the column label, '48' the actual value and '40' the
reference value):
The parameter oracle match the following rule [found=48] >= [reference=40]

argument9 : the heading line of the standard output of portstat

sample:
Date/Time HTTPD B[02] TOMloc TOMrem Tfront lfront rfront Tcaree lcaree rcaree oracle load5'

argument10: the line of values of the standard output of portstat

sample:
2005042015:06:00 74 36 44 53 67 29 38 30 15 15 28 0.54

argument11: local IP address monitored (only in the case of port monitoring)
argument12: local TCP port monitored (only in the case of port monitoring)
argument13: remote IP address monitored (only in the case of port monitoring)
argument14: remote TCP port monitored (only in the case of port monitoring)
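
An added example (not part of portstat) of a task-side helper that checks the arguments listed above before writing them to a log line. The function names is_number and portstat_alert_line and the output layout are hypothetical, and the helper assumes that argument positions are fixed, so that arguments 6 and 7 are empty when the test is not 'between'.

```shell
#!/bin/sh
# Added example, not part of portstat: build one log line from the positional
# arguments documented above, refusing anything that does not look like them.

# True for a non-negative integer or decimal such as 48 or 0.54.
is_number() {
    case $1 in
        ''|.|*[!0-9.]*|*.*.*) return 1 ;;
        *) return 0 ;;
    esac
}

# portstat_alert_line date column value operator reference [and max ... ]
# Prints the line on success, returns 2 when an argument is not as documented.
portstat_alert_line() {
    [ "$#" -ge 5 ] || return 2
    when=$1; column=$2; value=$3; op=$4; ref=$5

    # argument 1: YYYYMMDDHH:MM:SS, as in the sample 2005042015:06:00
    case $when in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-2][0-9]:[0-5][0-9]:[0-5][0-9]) ;;
        *) return 2 ;;
    esac

    # arguments 3 and 5: measured value and threshold must be numeric
    is_number "$value" || return 2
    is_number "$ref" || return 2

    # argument 2: keep the label on one printable token of the log line
    column=$(printf '%s' "$column" | LC_ALL=C tr -c 'A-Za-z0-9_.-' '_')

    # argument 4: only the five documented operators are accepted
    case $op in
        inf|sup|equal|not_equal)
            range=$ref ;;
        between)
            [ "${6:-}" = and ] || return 2
            is_number "${7:-}" || return 2
            range="$ref..$7" ;;
        *) return 2 ;;
    esac

    line="$when column=$column value=$value test=$op ref=$range"

    # arguments 11-14 are only filled in for port monitoring
    if [ "$#" -ge 14 ] && [ -n "${11}${12}${13}${14}" ]; then
        line="$line local=${11:-*}:${12:-*} remote=${13:-*}:${14:-*}"
    fi
    printf '%s\n' "$line"
}

# Constructed call using the sample values of this manual.
portstat_alert_line 2005042015:06:00 oracle 48 sup 40
```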

Complement on the launching of the pre-programmed tasks: the action
keyword

The action keyword defines how a task is launched.

By default, if a task is used in several entries of type 'port' or 'proc', this task will be launched
every time an alarm is reached on one of these different monitored items (default case).


For the moment only one keyword is recognized: once

In certain conditions, it may be important to prevent several executions of the same task, if
a single one is sufficient or more secure: for example a restart of software.

If the action keyword 'once' is present, the corresponding task will be performed only once,
for the first alarm reached that is associated with it, and the task will be inactivated for all other
possible invocations.

Complement on the launching of the pre-programmed tasks:
programming of alarms on crossing of thresholds 'soft' and 'hard'

It is easy to define alarms based on 'soft' and 'hard' release thresholds,
whether on numbers of processes or of connections.
To do so, the minimum (minvalue) and maximum (maxvalue) thresholds
must be defined.
The action released on crossing the 'soft' limit is programmed via the field taskifbet
(value between the two thresholds), whereas the one associated with crossing the 'hard'
threshold is programmed via the field taskifsup.

The rules are the following:
'soft' alert : (minimal value) <= (measured value) < (maximum value)
'hard' alert : (maximum value) <= (measured value)

Take care to set maxvalue to a value greater than minvalue, and to fill in both
values ;)

Optimization of the command ps (v.3.24.78 and sup)

One of the principal uses of entries of type 'proc' is monitoring the number of
active processes matching some criterion.

As this type of request is both very frequent and very demanding in system
resources, its use was the subject of a specific optimization.

Another reason is the need to obtain measurements that are as synchronous as possible
with one another. Unlike the port monitoring elements (numbers of connections),
which are all established from the same netstat, each monitoring entry of type 'proc' is
independent of the others, and corresponds to the individual launching of a specific command.

Concretely, it is possible to obtain optimized processing of the monitoring of numbers of active
processes along the two dimensions that matter here, namely simultaneity of measurements
and least consumption of system resources (simultaneous measurements ultimately established
from a single ps), by following these rules:

The command line indicated in the configuration table must follow a model of the type:
ps -ef | [e]grep pattern [ | [e]grep -v pattern] | wc -l

The following points must be scrupulously respected:
- the line must start with the launching of ps with its options '-ef', to the exclusion of any other option.
- the filtering grep command must be present with only one occurrence (otherwise only the last one is
processed) and without options (it is thus not possible to use the option '-i' here...). The pattern
passed to grep can be surrounded by single or double quotes. It is possible to specify a
multiple search pattern provided egrep is used and not grep (example: egrep
'Ibm8|)
- an exclusion grep command can be given. The same rules as those specified for
the filtering grep apply here. The option '-v' must be the only one present.
- the line must end with 'wc -l', to the exclusion of any other option.
- for more security, it is strongly advised to isolate the command separator ' | ' with a
space in front of and behind it.

Final notice: this optimization is used automatically by default if the rules described are
satisfied. If one of the rules is not satisfied, the command is executed as is, and
thus gives rise to a specific execution of the ps in question (safety mechanism). If, for
whatever reason, this optimization is not wanted, it is enough to specify '/bin/ps -ef'
instead of 'ps -ef' on the line to disable it. Since version 3.24.79
the keyword 'noptim' can be given at launch to disable any attempt at optimization.

Please use this form as systematically as possible, respecting
the methods described: the measurements taken by portstat will only be more significant... and
lighter for the system ;)


SAMPLES OF EXECUTION

# portstat 60 1000 25

(display 1000 measurements, taken at 60-second intervals, with the header repeated every 25
measurements). The default table portstat.tab is used.

# portstat -f test.tab 20 adjust:5 fullexec

(continuous display of measurements, taken at 20-second intervals, with the header repeated every
20 measurements by default). The table test.tab is used. It must be in the same directory as
portstat. The column width is fixed at 5 characters. The keyword 'fullexec' is specified
here to force the execution of the preconfigured commands if necessary, if an alarm is
programmed and reached.

Sample of Output:

Date/Time HTTPD B[02] TOMloc TOMrem Tfront lfront rfront Tback lback rback Tcaree lcaree rcaree oracle load5'
2005042015:06:00 74 36 44 53 67 29 38 0 0 0 30 15 15 28 0.54

Preserve of a trace in file

By default portstat uses the standard output to display the result of its measurements.

It is possible to keep a trace of its activity in a disk file by redirecting the standard output
to the chosen destination. This is for example essential when it is invoked via
the crontab.

Sample:
# portstat -f oracle.tab 60 1000 25 >> /var/log/portstat.log

Preserve of a trace to the format csv

In addition to the standard trace, it can be useful to have a trace in csv format, more
easily interpreted by third-party software (for example spreadsheets, etc.)

The csv (comma separated value) format is characterized by the use of a standard field
separator, here ';' by default.

csv:<file>

The activation of this trace is done via the keyword 'csv', with which the
complete name of the file concerned is associated.

Sample:
# portstat -f oracle.tab 60 1000 25 csv:/var/log/portstat.csv >> /var/log/portstat.log
(in this example, both traces are activated)

Notices
- portstat never overwrites an existing file. If data are already present in the
file indicated, the new data are added at the end of the file. Purging of the file therefore
has to be managed, if necessary, outside portstat.
- the trace in csv format is always produced using a column width based on the full
width of the headings (with a minimum of 3 characters, as when the
keyword 'adjust' is used), whatever parameters are selected for the formatting of the standard
output. Moreover, the special sequences inserted in the text when the
keyword 'color' is used are not added here, in order not to disturb the later interpretation of the
results.

csvsep:<separator>
The value separator (';' by default) can be replaced by one of the following values:
& - # @ + _ = . , ; : and space

Sample:
# portstat -f oracle.tab 60 1000 25 csv:/var/log/portstat.csv csvsep:''
(in this example, the trace will be generated with pseudo-column headings using the
character '')


Launching of portstat via the crontab

portstat is intended to be launched via the crontab, for recurring
monitoring.

An example of implementation can be as follows (lines added to the crontab of root):

06 * * * 0-6 /usr/local/exploit/shells/portstat -f web.tab adjust:4 fullexec >> /var/log/portstat.log 2>&1
11,16,21,26,31,36,41,46,51,56,01 6-23 * * 1-5 /usr/local/exploit/shells/portstat -f web.tab adjust:4 fullexec noheader >> /var/log/portstat.log 2>&1

In this case, two lines were added to the crontab.
The first one runs the monitoring every day of the week, every hour at 06 minutes
(for example 10:06, 11:06, ...), with the header written.
The second adds monitoring every 5 minutes from Monday to Friday,
between 6 a.m. and 23:00 (precisely from 06:01 to 23:56). In this second case the header
is not written, to reduce the trace and make it easier to read.

The output file is /var/log/portstat.log, and the portstat configuration table is web.tab.
The display uses a column width forced to 4 characters.

The keyword 'fullexec' indicates that the execution of any tasks programmed to run when
alarms are triggered is activated.

In this second example, the same monitoring is carried out 7 days a week, 24 hours a day.
The column heading is written once per hour.

01 * * * * /usr/local/exploit/shells/portstat -f web.tab adjust:4 fullexec >> /var/log/portstat.log 2>&1
06,11,16,21,26,31,36,41,46,51,56 * * * * /usr/local/exploit/shells/portstat -f web.tab adjust:4 fullexec noheader >> /var/log/portstat.log 2>&1



NOTES

Management of the maintenance mode

During maintenance actions it is possible to force the non-execution of the
pre-programmed tasks by creating a flag file. The aim is to prevent a
planned stop of a piece of software, for example, from triggering the actions normally planned for
a malfunction: sending of mails, automatic restart of the software in question, etc.
The flag file must be created in the current directory of portstat. Its name is
portstat_flag_maintenance. The return to normal mode is done by removing or renaming
this file. Do not forget to do so at the end of the maintenance ;)

Notice: the return code given at exit by portstat is modified in this case (see the following
section).


Value of portstat return code

Portstat gives back as return code the value '0' if no alarm is reached (no predefined threshold
reached), or otherwise the number of alarms found (more exactly the number of
tasks launched on alert triggering). This information is returned only if the procedure is
activated by the use of the appropriate keywords ('exec' or 'fullexec') or if a debug mode is
active (keyword 'debug' or 'fulldebug'), for the purposes of specific monitoring and debugging.

Particular case: maintenance mode activated
When the maintenance flag file is created (see above) to disable the
automatic execution of tasks, the return code is modified as follows.
The returned code if no alarm is reached is 100 (instead of '0').
The returned code if alarms are present is 100 plus the number of alarms met (101 for one
alarm, etc.).


Notice on the specific values likely to be posted

A displayed value of '::' indicates not only that no connection is active on the monitored port
(in which case the 'normal' value expected would be '0'), but also that this port is not
listening: portstat systematically checks that the ports
it is responsible for supervising are listening. Such information can point to a dead process,
and thus a failure of the monitored software. A good solution is to use the pre-programmed tasks to
execute an action when the actual value is precisely '::'.

A displayed value of '--' indicates that no connection is observed when monitoring a
remote port: it is not relevant to display the value '0' in this case, because that
value is used for local ports to indicate that the port is listening but that no
connection is established. Nothing makes it possible to confirm that the port
is listening on the remote host, so a simple '--' is used to distinguish
this particular case.


Flag of Alarm status (v.3.27.81)

An alarm status flag is displayed by default in the last column of the monitoring output.

This flag appears as a character surrounded by brackets, making it possible to determine
afterwards the precise state of the complete alarm context at that exact time.

Concretely, the following values can be displayed:

A/ Context with the execmode disabled

(_) No alert reached
(!) Alert(s) reached - see following note

(Alternatives if the 'maintenance' mode is active)
(-) No alarm reached / maintenance mode active
($) Alarm(s) reached / maintenance mode active - see note below

B/ Context with the execmode enabled

() No alert reached
(+) Alert(s) reached

(Alternatives if the 'maintenance' mode is active)
(-) No alarm reached / maintenance mode active
($) Alert(s) reached / maintenance mode active

Notice on the cases (!) and ($)
The execution mode not being active, this flag must be regarded as a warning: a configured
critical point was crossed, and an action would have been launched (if one is present) if the execution
mode had been requested. This functionality is particularly practical when portstat is used for
interactive monitoring, for example when problems are noticed on the machine. In this case
the procedure is usually not specified when launching the command.

All of the values are summarized in the following table:

Problem   Exec mode   Maintenance   Flag
No        No          no            (_)
No        No          yes           (-)
No        Yes         no            ()
No        Yes         yes           (=)
Yes       No          no            (!)
Yes       No          yes           ($)
Yes       Yes         no            (+)
Yes       Yes         yes           (#)

The usual values typically observed are thus:

'exec' mode disabled: (_) without a problem or (!) with a problem.
'exec' mode enabled: () without a problem or (+) with a problem.

When the maintenance mode is present, these values become:

'exec' mode disabled: (-) without a problem or ($) with a problem.
'exec' mode enabled: (=) without a problem or (#) with a problem.


The display of this flag can be disabled by using the keyword 'noflag'.


Example of output (in this case one or several alarms were detected, and led to the execution
of the associated actions in the table: the flag is '+'. It would have been '#' if the launching of the
actions planned in this case had been disabled by an active maintenance mode)

Date/Time HTTPD 8[02] TOMloc TOMrem Tfront lfront rfront Tback lback rback Tcaree lcaree rcaree oracle load5'
20050420-15:06:00 74 36 44 53 67 29 38 0 0 0 30 15 15 28 0.54(+)
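
The return codes, maintenance flag file and status flags described above can be checked from a wrapper script; the following is an added example, not part of portstat. The function names are hypothetical, `find -mmin` (GNU/BSD find) is assumed to be available, and fewer than 100 tasks per run are assumed so that the 100+N maintenance range stays unambiguous.

```shell
#!/bin/sh
# Added example, not part of portstat: interpret its exit code, status flag
# and maintenance flag file as described in the NOTES section.

FLAG_NAME=portstat_flag_maintenance    # file name given on the page

# decode_rc RC -> "maintenance=<yes|no> alarms=<n>"
# Page: 0 or N in normal mode, 100 or 100+N in maintenance mode.
# Assumption: fewer than 100 tasks fire in one run, otherwise the ranges overlap.
decode_rc() {
    case $1 in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$1" -ge 100 ]; then
        echo "maintenance=yes alarms=$(($1 - 100))"
    else
        echo "maintenance=no alarms=$1"
    fi
}

# stale_flag DIR MINUTES: succeeds when the maintenance flag file exists in
# DIR (portstat's directory) and was last modified more than MINUTES ago,
# i.e. alarm tasks have probably been left disabled after a maintenance.
# Assumption: find supports -mmin (GNU and BSD find do).
stale_flag() {
    [ -f "$1/$FLAG_NAME" ] || return 1
    [ -n "$(find "$1/$FLAG_NAME" -mmin +"$2" 2>/dev/null)" ]
}

# alert_summary: read portstat output lines on stdin and count, by trailing
# status flag, the measurements where a threshold was crossed.
alert_summary() {
    warned=0 fired=0 suppressed=0
    while IFS= read -r line; do
        case $line in
            *'(!)') warned=$((warned + 1)) ;;                 # exec mode off
            *'(+)') fired=$((fired + 1)) ;;                   # tasks executed
            *'($)'|*'(#)') suppressed=$((suppressed + 1)) ;;  # maintenance active
        esac
    done
    echo "warned=$warned fired=$fired suppressed=$suppressed"
}

# Constructed sample lines in the layout of the Example A output in Annex B
# (not real measurements).
SAMPLE_LOG='20060607-12:22:46 16 2 -- up 16 7 9 0 1 1.10 (_)
20060607-12:23:02 16 5 -- up 16 7 9 0 1 1.22 (!)
20060607-12:23:17 0 0 -- KO 0 0 0 0 1 0.40 (+)
20060607-12:23:32 0 0 -- KO 0 0 0 0 1 0.35 (#)
20060607-12:23:47 0 0 -- KO 0 0 0 0 1 0.30 ($)'
```

A count of suppressed alerts together with a stale flag file indicates that real failures occurred while the automatic tasks were still disabled.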

Colour (v.3.29.83)

The keyword 'color' enables colouring of the displayed values
according to the following logic:

the monitored values (those with which alarms are associated) appear in bold.
the monitored values that triggered an alarm (crossed threshold) appear in
reverse video.

This option is intended to facilitate interactive monitoring by making the critical
values in alarm stand out. It complements the alarm status flag, of which it
specifies the detail.

Example of output (in this case an alarm occurred ('lfront', in reverse video), and led to
the execution of the associated actions in the table: the flag is '+'. A second value is monitored
('oracle', in bold) but no threshold relating to it is crossed).

Date/Time HTTPD 8[02] TOMloc TOMrem Tfront lfront rfront Tback lback rback Tcaree lcaree rcaree oracle load5'
20050420-15:06:00 74 36 44 53 67 29 38 0 0 0 30 15 15 28 0.54(+)

Note: the colour mode inserts into the text sequences of
special characters intended to format information in bold and/or reverse
video. If the standard output is redirected to keep the traces in a file,
these characters are also inserted in the file written to disk.

This can affect reading and alter interpretation: problems will be noticed with
the commands vi or more, but the display will be correct with head, tail, cat or
pg.


INSTALLATION AND DOCUMENTATION

Portstat Localization

All of the components of portstat, namely the shell script itself, its satellite awk script
portstat.awk and the configuration table (portstat.tab by default, etc.), must be in the same
directory (/usr/local/exploit/shells by default). The command portstat can be called via
its absolute path /usr/local/exploit/shells/portstat (for example in crontab).

Portstat Documentation

The reference material is contained in portstat.pdf

It is essential to refer to the version of the handbook corresponding to the version of portstat
installed.


System Environment
The execution of portstat was validated on the following environments:

IBM AIX [45].x, Hewlett-Packard HP-UX 11.x, SUN Solaris 8.x (UNIX), Red Hat Enterprise 3
(LINUX) and under u/win, the AT&T UNIX environment for Windows XP/200[03].
Notice: support of the cygwin environment under Windows is suspended for reasons of
incompatibility with the implemented awk variant. Only u/win must from now on be used under
Windows.

Portstat is likely to work without problem on other environments, and requires as
prerequisites a ksh interpreter, a compatible variant of nawk (gawk, ...), as well as the
command netstat with its options '-na' and the command ps with its options '-ef'. In
general the only adaptation it requires is possibly taking into account a local variant
of the output of the command netstat.

Thanks for reporting any request for porting to a new environment.


Annex A : known problems

Q1. When I trace an alarm by using field $8 passed in argument, I obtain
something of the type:
The parameter oracle match the following rule [found=48] = x
Instead of:
The parameter oracle match the following rule [found=48] = [reference=40]

R1. Do not forget the quotes in the configuration table. In the job analysis you certainly
have:
echo $1:$8 .
Instead of:
echo $1:$8 .


Q2a. When I launch a counting of a number of processes (monitoring of
the type proc), the column posts me nothing, not even a 0.
Q2b. When I launch a counting of a number of processes (monitoring of
the type proc), the column does not post me what I wish.

R2. The command specified in the table is incompatible with the optimization mechanism set up by
default for this type of need. Normally, when optimization cannot be activated, the command is
automatically and transparently launched in traditional mode, that is to say in a
separate process. If such behaviour is observed, for example in the case of a command more
complex than the expected standard model, force the disabling of optimization by
replacing the 'ps' with '/bin/ps'. This can for example occur when the command performs more
than one filtering grep (apart from the exclusion grep -v).

For reference the basic model is as follows:

ps -ef | [e]grep pattern [ | [e]grep -v pattern ] | wc -l


Q3. When I launch a complex command (monitoring of the type proc),
the totality of the actions do not seem to be carried out, and the column
thus does not post me what I wish.

R3. Is the command not composed of several commands separated by a ';'? portstat uses this character
as the standard field separator in its configuration table, and this constitutes a constraint on the
composition of the commands that can be inserted there.

You can replace the ';' character with the '[PV]' string (without quotes) if several commands are needed.


Q4. When I use the keyword 'adjust' the displaying of measurements
seems truncated.

R4. The keyword 'adjust' is intended to force a display formatted according to the widths of the
column headings. A value wider than the heading of the
column it belongs to will necessarily be truncated: it is thus important to choose headings
carefully.

That said, and for safety reasons, the minimal width of a column cannot be lower than 3
characters, even when the heading has its own minimal length, namely 2 characters. The
purpose of this is to allow correct display of connection counts up to 999, whatever the
heading selected.

Last note: this relates only to display. Alarm threshold crossings are
always determined according to the actual value of the measurements, as kept in the table.

Q5. I correctly set an alarm on my line of monitoring (type port or
proc), but this alarm was not launched
Q5. I correctly set a task to carry out in an entry of the type task,
but this task was not executed


R5. Alarms are activated only when:
the keyword 'exec' or 'fullexec' is present on the command line;
the maintenance mode is not activated (check, for example, that the maintenance flag was not left
in place after the last maintenance);
the actual value really corresponds to what one wishes to monitor: is the threshold actually reached or exceeded?
Is the alarm positioned in the correct field (do not position an alarm in the field used for
'higher or equal to' alarms when one wishes to treat the case 'lower than', etc.)?
the name of the executed task is present both in the line of monitoring ('port' or
'proc') AND in one of the entries of the type 'task': this correspondence is essential.

If all this seems correct, is it not a formatting problem (an incorrect number of fields, etc.)?

Another lead: it is possible that the alarm is indeed reached by portstat, but that the problem lies in
the contents of the task it executes: check the syntax of the command launch
indicated in the 'task' entry and/or the contents of the called script if it is a script.

To isolate this last case, and to rule out the configuration of the portstat table, it is
enough to replace the task with a simpler task (for example a simple echo), and to check that it
is carried out.


Annex B : Portstat v3.x : Some Examples
(real cases, from production environments)

Example A : Apache and Tomcat (WebServer)

monitoring of two webservers running apache and load balanced tomcat
software

Date/Time HTTPD 80 rem80 TOMARK lark inA outA Dark ssh load5
20060607-12:22:46 16 2 -- up 16 7 9 0 1 1.10 (_)
20060607-12:23:02 16 5 -- up 16 7 9 0 1 1.22 (_)
20060607-12:23:17 16 5 -- up 16 10 9 0 1 1.17 (_)
20060607-12:23:32 16 1 -- up 16 10 9 0 1 1.13 (_)
20060607-12:23:47 16 6 -- up 16 10 8 0 1 1.10 (_)
20060607-12:24:03 16 2 -- up 16 11 8 0 1 1.08 (_)

In this example two webservers are running the httpd server (apache) configured with mod_jk to
support load balancing between local/remote tomcat software.

The field TOMARK represents a simple test of tomcat availability (process is present: illustration of
'proc' monitoring possibilities)
The 3 fields lark, inA and outA represent connection monitoring on this software, in the 3
possible cases:
lark for connections between local httpd and local tomcat
inA for connections between local tomcat and remote httpd
outA for connections between local httpd and remote tomcat

The last item, Dark, monitors connections established directly on the tomcat software
port (here 8080), bypassing httpd.

The other fields are:
HTTPD = number of httpd active processes
80 = number of established connections on local standard http port (80)
rem80 = number of established connections on remote standard http port (80)
ssh = number of established connections on local ssh port (22)
load5 = system load for the last 5 minutes (from standard UNIX uptime command)

Here are the relevant configuration table entries:
#
# PORT and PROC monitoring
#
proc;HTTPD;ps -ef | grep [h]ttpd | grep -v root | wc -l ;6;if;i;ifB;s;ifS;0;ServiceDown;d;ifD;
port;80;;80;;;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
port;rem80;;;;80;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
proc;TOMARK;ps -ef | grep 'tomadmin .*[j]ava.*/opt/tomcat/arkema' 2>&1 >/dev/null && echo up || echo KO;6;if;i;ifB;s;ifS;e;ifE;up;ServiceDown;
port;lark;127.0.0.1;8009;;;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
port;inA;129.35.163.28;8009;;;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
port;outA;;;129.35.163.29;8009;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
port;Dark;;8080;;;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
port;ssh;;22;;;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
proc;load5;uptime | awk '{print $(NF-2)}' | tr -d ,;6;if;i;ifB;s;ifS;e;ifE;d;ifD;
#
# TASKS
#
task;ServiceDown;echo $1:$8 >> /var/log/portstat_alerts.log && ( echo $1:$8\n\n$9\n$[10]\n\nFor information, the 10 last alerts:\n && tail /var/log/portstat_alerts.log) | mail -s [portstat ws000] SERVICE $2 down : $3 $4 $5 $6 $7 unix

(please note that in several cases a task called 'ServiceDown' is launched if the corresponding service is down: see HTTPD and
TOMARK)

Benefits:
active alerting on service failure (apache or tomcat down)
active alerting on the number of established http or tomcat connections, software by
software. It's possible to know precisely which database is heavily loaded, and explain a global cpu
overload on a system.
possibility to survey load balancing quality between webservers, and whether one of them seems not to be
responding (connections=0)
etc.


Example B : Oracle server (DataBase Server)

monitoring of a database server running oracle with several different
databases and several webservers

Date/Time oracle ORA TOT tot CAR car LEX lex unix ws11 ws12 ELF elf nt ws16 ws17 load5
20060607-12:46:44 29 29 up 22 up 0 up 0 22 11 11 up 7 7 4 3 1.04 (_)
20060607-12:47:00 29 29 up 22 up 0 up 0 22 11 11 up 7 7 4 3 1.11 (_)
20060607-12:47:16 29 29 up 22 up 0 up 0 22 11 11 up 7 7 4 3 1.05 (_)
20060607-12:47:31 29 29 up 22 up 0 up 0 22 11 11 up 7 7 4 3 1.10 (_)
20060607-12:47:47 29 29 up 22 up 0 up 0 22 11 11 up 7 7 4 3 1.04 (_)

In this example a dataserver supports several oracle databases, and these databases are used by
several webservers.

The ORA item is a count of the number of oracle processes, and oracle the number of established
connections on all databases.

4 databases are installed here.

3 of them, tot, car and lex, are used by 2 UNIX webservers (ws11 and ws12)

For each database, the first field (in uppercase) indicates that the service is up (database
started), and the second (lowercase) displays the number of established connections on this base (port
1521).

The fields ws11 and ws12 give the number of established connections from each of
these servers (for the 3 previous databases)

The unix field represents the sum of all the connections.

In the same way, several items concern the fourth and last database, lex, used by 2 WindowsNT
webservers ws16 and ws17.

Please note that the unix and nt items illustrate the possibility of using a single column to add up several
pieces of information about established connections (for example unix represents the sum of connections
from both servers). The same information is used two times, once server by server and once
for the total.

The load5 item indicates system load for the last 5 minutes (from standard UNIX uptime command)

Here are the relevant configuration table entries:
#
# PORT and PROC monitoring
#
port;oracle;;1521;10.149.76.*;;;
proc;ORA;ps -ef | grep oracle.*[L]OCAL=NO | wc -l ;;if;i;ifB;s;ifS;0;oracledown;d;ifD;
proc;TOT;ps -ef | grep [o]ra_pmon_TOTAL 2>&1 >/dev/null && echo up || echo KO ;;if;i;ifB;s;ifS;KO;oracledown;d;ifD;
proc;tot;ps -ef | grep oracle[T]OTAL.*=NO | wc -l ;;if;i;ifB;40;totsup40;e;ifE;d;ifD;
proc;CAR;ps -ef | grep [o]ra_pmon_careers 2>&1 >/dev/null && echo up || echo KO ;;if;i;ifB;s;ifS;KO;oracledown;d;ifD;
proc;car;ps -ef | grep oracle[c]areers.*=NO | wc -l ;;if;i;ifB;35;carsup35;e;ifE;d;ifD;
proc;car;ps -ef | grep oracle[c]areers.*=NO | wc -l ;;if;i;ifB;35;carsup35;e;ifE;d;ifD;
proc;LEX;ps -ef | grep [o]ra_pmon_lexis 2>&1 >/dev/null && echo up || echo KO ;;if;i;ifB;s;ifS;KO;oracledown;d;ifD;
proc;lex;ps -ef | grep oracle[l]exis.*=NO | wc -l ;;if;i;ifB;s;ifS;e;ifE;d;ifD;
port;unix;;1521;10.149.76.101;;;
port;unix;;1521;10.149.76.102;;;
port;ws11;;1521;10.149.76.101;;;
port;ws12;;1521;10.149.76.102;;;
proc;ELF;ps -ef | grep [o]ra_pmon_ELF 2>&1 >/dev/null && echo up || echo KO ;;if;i;ifB;s;ifS;KO;oracledown;d;ifD;
proc;elf;ps -ef | grep oracle[E]LF.*=NO | wc -l ;;if;i;ifB;s;ifS;e;ifE;d;ifD;
port;nt;;1521;10.149.76.103;;;
port;nt;;1521;10.149.76.104;;;
port;ws16;;1521;10.149.76.103;;;
port;ws17;;1521;10.149.76.104;;;
proc;load5;uptime | awk '{print $(NF-2)}' | tr -d ,;
#
# TASKS
#

task;totsup40;echo $1:$8 >> /var/log/portstat_alerts.log && ( echo $1:$8\n\n$9\n$[10]\n\nFor information, the 10 last alerts:\n && tail /var/log/portstat_alerts.log) | mailx -r TOTALds07@total.com -s [portstat ds07] nb.connex. $2 : $3 $4 $5 unix
task;carsup35;echo $1:$8 >> /var/log/portstat_alerts.log && ( echo $1:$8\n\n$9\n$[10]\n\nFor information, the 10 last alerts:\n && tail /var/log/portstat_alerts.log) | mailx -r TOTALds07@total.com -s [portstat ds07] nb.connex. $2 : $3 $4 $5 unix
task;oracledown;echo $1:$8 >> /var/log/portstat_alerts.log && ( echo $1:$8\n\n$9\n$[10]\n\nFor information, the 10 last alerts:\n && tail /var/log/portstat_alerts.log) | mailx -r TOTALds07@total.com -s [portstat ds07] ORACLE down : $2 $4 $5 unix

(please note that in several cases tasks are configured to be executed on service down (oracledown for the ORA item) or when a threshold
is exceeded (totsup40 for the tot item, carsup35 for the car item, etc.))

Benefits:
active alerting on service failure (database down)
active alerting on the number of established oracle connections, database by database,
without need of any oracle administrative access. It's possible to know precisely which database is
heavily loaded, and explain a global cpu overload on a system.
possibility of monitoring 'load balancing' between the different webservers, and determining whether load
is not distributed equally, or whether a webserver is 'out' with no connections associated with it!
etc.
