LeGastronome

Hello,

For the past week, I have sometimes received an email from the firewall reporting a high load average.

It happens at almost the same hours (I suspect a bad cron job or something?).
I don't understand the log well enough to find any information; could you help me?

Code:
Time:                    Sun Nov 21 01:03:24 2010 +0000
1 Min Load Avg:          14.01
5 Min Load Avg:          6.37
15 Min Load Avg:         2.77
Running/Total Processes: 2/109
Code:
Output from ps:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
 root         1  0.0  0.1   2156   660 ?        Ss   Nov19   0:00 init [3]      
 root      4009  0.0  0.1   2248   552 ?        S<s  Nov19   0:00 /sbin/udevd -d
 root      5662  0.0  0.1   1812   564 ?        Ds   Nov19   0:00 syslogd -m 0
 root      5700  0.0  0.2   7188  1068 ?        Ss   Nov19   0:00 /usr/sbin/sshd
 root      5725  0.0  0.1   2832   872 ?        Ss   Nov19   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
 root      5743  0.0  0.2   3708  1296 ?        S    Nov19   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/vps17854.eukhost.com.pid
 mysql     5772  0.1 14.9 389596 78156 ?        Sl   Nov19   2:08  \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/vps17854.eukhost.com.pid --skip-external-locking
 mailnull  7991  0.0  0.5  10356  2652 ?        Ss   Nov19   0:00 /usr/sbin/exim -bd -q60m
 root      9655  0.0  0.1   2152   708 ?        Ss   Nov19   0:00 /usr/sbin/dovecot
 root      9659  0.0  0.1   2628  1012 ?        S    Nov19   0:00  \_ dovecot-auth
 dovecot   9664  0.0  0.3   5296  1980 ?        S    Nov19   0:00  \_ pop3-login
 dovecot   9665  0.0  0.3   5296  1984 ?        S    Nov19   0:00  \_ pop3-login
 root     11304  0.0  0.8   9284  4296 ?        Ss   Nov19   0:00 /usr/local/apache/bin/httpd -k start -DSSL
 nobody   15490  0.0  0.3   9284  2096 ?        S    Nov20   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 legastro 17595  0.0  2.6  45624 14048 ?        S    Nov20   0:00  |   \_ /usr/bin/php
 legastro 18336  0.0  0.0      0     0 ?        Z    Nov20   0:32  |   \_ [php] <defunct>
 legastro 18131  0.0  6.7  51640 35484 ?        S    Nov20   0:30  |   \_ /usr/bin/php
 legastro 25699  0.4  5.1  49780 27220 ?        S    Nov20   0:23  |   \_ /usr/bin/php
 legastro 23599  0.2  4.5  49056 23772 ?        S    00:04   0:07  |   \_ /usr/bin/php
 legastro 24477  0.1  4.7  50260 25068 ?        S    00:05   0:06  |   \_ /usr/bin/php
 legastro 28257  0.1  2.8  45640 14804 ?        D    01:00   0:00  |   \_ /usr/bin/php
 legastro 28492  0.1  2.8  45640 14804 ?        D    01:00   0:00  |   \_ /usr/bin/php
 legastro 29880  0.1  2.8  45640 14804 ?        D    01:01   0:00  |   \_ /usr/bin/php
 legastro 29891  0.1  2.8  45640 14808 ?        D    01:01   0:00  |   \_ /usr/bin/php
 legastro 29957  0.1  2.8  45640 14808 ?        D    01:01   0:00  |   \_ /usr/bin/php
 legastro 30027  0.1  2.8  45640 14804 ?        D    01:01   0:00  |   \_ /usr/bin/php
 legastro 30112  0.1  2.8  45640 14804 ?        D    01:01   0:00  |   \_ /usr/bin/php
 legastro 30416  0.1  2.0  45264 10988 ?        S    01:01   0:00  |   \_ /usr/bin/php
 legastro 31910  0.2  2.8  45640 14808 ?        D    01:01   0:00  |   \_ /usr/bin/php
 legastro 31914  0.2  2.8  45640 14800 ?        D    01:01   0:00  |   \_ /usr/bin/php
 legastro 32571  0.2  2.8  45640 14800 ?        D    01:02   0:00  |   \_ /usr/bin/php
 legastro  1741  0.3  2.8  45640 14812 ?        R    01:02   0:00  |   \_ /usr/bin/php
 nobody   30199  0.0  0.6   9732  3536 ?        S    Nov20   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   20033  0.0  0.6   9580  3460 ?        S    00:33   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    3965  0.0  0.6   9568  3452 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    3966  0.0  0.6   9700  3500 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    3967  0.0  0.6   9628  3480 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    3968  0.0  0.6   9596  3388 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    3969  0.0  0.6   9740  3628 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    3970  0.0  0.6   9636  3500 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   13333  0.0  0.6  10028  3604 ?        S    00:40   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   27733  0.0  0.5   9420  3076 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   27747  0.0  0.5   9420  3076 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   27787  0.0  0.5   9420  2984 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   27788  0.0  0.5   9420  3052 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   30630  0.0  0.5   9420  2988 ?        S    01:01   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   30647  0.0  0.5   9420  3076 ?        S    01:01   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody   30648  0.0  0.5   9420  3080 ?        S    01:01   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    1747  0.0  0.4   9284  2116 ?        S    01:02   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    1756  0.0  0.4   9284  2116 ?        S    01:02   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 nobody    1758  0.0  0.4   9284  2116 ?        S    01:02   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
 root     11313  0.0  0.2   6468  1484 ?        Ss   Nov19   0:00 pure-ftpd (SERVER)                                                                                                                                                                                                                                      
 root     11316  0.0  0.2   6196  1224 ?        S    Nov19   0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
 root     11328  0.0  0.2   4496  1120 ?        Ss   Nov19   0:00 crond
 root     26029  0.0  0.2   5056  1500 ?        S    01:00   0:00  \_ crond
 root     26419  0.0  0.1   2492  1040 ?        Ss   01:00   0:00      \_ /bin/bash /usr/bin/run-parts /etc/cron.daily
 root     30566  0.0  0.1   2492   960 ?        S    01:01   0:00          \_ /bin/sh /etc/cron.daily/rpm
 root     30604  0.0  0.5   9592  2952 ?        D    01:01   0:00          |   \_ /usr/lib/rpm/rpmq -q --all --qf %{name}-%{version}-%{release}.%{arch}.rpm\n
 root     30606  0.0  0.0  27388   524 ?        S    01:01   0:00          |   \_ /bin/sort
 root     30567  0.0  0.1   2240   620 ?        S    01:01   0:00          \_ awk -v progname=/etc/cron.daily/rpm progname {?????   print progname ":\n"?????   progname="";????       }????       { print; }
 root     11957  0.0  0.7   5696  3828 ?        S    Nov19   0:04 queueprocd - wait to process a task
 root     11977  0.0  0.4   4916  2592 ?        S    Nov19   0:00 tailwatchd
 root     12076  0.0  0.2   3916  1544 ?        SN   Nov19   0:00 cpanellogd - sleeping for logs
 root     12101  0.0  0.1   5672   704 ?        Ss   Nov19   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
 root     12138  0.0  0.0   5672   436 ?        S    Nov19   0:00  \_ /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
 named    15580  0.0  0.8 194276  4688 ?        Ssl  Nov19   0:01 /usr/sbin/named -u named
 root     17922  0.0  1.4  14800  7768 ?        S    Nov19   0:00 cpsrvd - waiting for connections
 root      5490  0.0  2.7  18052 14608 ?        Ss   00:00   0:00 lfd - sleeping
 root      3887  0.0  2.6  18052 13824 ?        S    01:02   0:00  \_ lfd - (child) checking load...
 root      3888  0.0  0.1   2528   840 ?        R    01:02   0:00      \_ /bin/ps axuf
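
Added example, not part of the original post: the Linux load average counts tasks that are runnable (R) or in uninterruptible sleep (D), so tallying the STAT column of the `ps axuf` dump in the alert shows which processes were contributing. The sample rows are a subset of the output above with the rpmq arguments trimmed; the function names are hypothetical.

```python
import re
from collections import Counter

# Subset of rows from the lfd alert above (rpmq arguments trimmed for brevity).
SAMPLE = r"""USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      5662  0.0  0.1   1812   564 ?        Ds   Nov19   0:00 syslogd -m 0
nobody   15490  0.0  0.3   9284  2096 ?        S    Nov20   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
legastro 18336  0.0  0.0      0     0 ?        Z    Nov20   0:32  |   \_ [php] <defunct>
legastro 28257  0.1  2.8  45640 14804 ?        D    01:00   0:00  |   \_ /usr/bin/php
legastro 28492  0.1  2.8  45640 14804 ?        D    01:00   0:00  |   \_ /usr/bin/php
legastro  1741  0.3  2.8  45640 14812 ?        R    01:02   0:00  |   \_ /usr/bin/php
root     30604  0.0  0.5   9592  2952 ?        D    01:01   0:00          |   \_ /usr/lib/rpm/rpmq -q --all
"""

# Strips the process-tree drawing ("|", "\_", spaces) that `ps f` puts before COMMAND.
TREE = re.compile(r"^[\s|\\_]+")

def summarize(ps_text):
    """Return (Counter of primary states, list of tasks that count toward load)."""
    by_state = Counter()
    load_tasks = []
    for line in ps_text.splitlines():
        f = line.split(None, 10)
        if len(f) < 11 or not f[1].isdigit():
            continue  # header row or a malformed/wrapped line
        user, pid, stat, start = f[0], int(f[1]), f[7], f[8]
        cmd = TREE.sub("", f[10]).split()[0]
        state = stat[0]  # first letter is the state; the rest are flags (s, l, <, N)
        by_state[state] += 1
        if state in "RD":  # runnable or uninterruptible sleep: both raise load
            load_tasks.append((user, pid, state, start, cmd))
    return by_state, load_tasks

def blocked_by_owner(load_tasks):
    """Count D-state (usually I/O-blocked) tasks per (user, command)."""
    return Counter((u, c) for u, _, s, _, c in load_tasks if s == "D")

if __name__ == "__main__":
    states, tasks = summarize(SAMPLE)
    print("states:", dict(states))
    for (user, cmd), n in blocked_by_owner(tasks).most_common():
        print(f"{n:3d} blocked  {user:<10} {cmd}")
```

Saving the full alert body to a file and passing its contents to `summarize` gives the same breakdown for the complete process list, including the START times needed to compare against the cron schedule.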
 

GaryT

Usually when you get that, it's a possible attack, but you don't have enough connections for that. I see that just before this there is a POP login, so it could be possible that the user was sending out emails in too large a volume.

I have had this several times, but I then limited how many emails the domains can send out per hour, which stopped it. You can set limits in the Tweak Settings.

Now, I'm not saying this is the cause of it, but it may be a possibility. You should wait a bit longer for more suggestions from other users.
 

kunnusingh

Hello,

If you're getting this alert every few minutes or hours, then first try to detect the high-usage user account.

Sometimes you will get continual alerts for high resource usage from "ExampleUser"; then suspend and unsuspend "ExampleUser". (It's my trick. A lot of the time it works because, I think, when I suspend the user and then unsuspend, his processes are also killed...)
 

twhiting9275

I wouldn't trust ANYTHING the 'firewall' OR cPanel says about 'high load usage'. These scripts don't take into account the fact that sometimes, load is actually HIGH for a reason (i.e., the server's working).