The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

High 5 minute load average alert

Discussion in 'Workarounds and Optimization' started by LeGastronome, Nov 20, 2010.

  1. LeGastronome

    LeGastronome Member

    Joined:
    Oct 21, 2010
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    Since 1 week, sometimes I have a email from firewall that said High Load average.

    Almost same hours (I think of a bad CRON or something ?)
    I don't understand log enough to find some infos, could you help me ?

    Code:
    Time:                    Sun Nov 21 01:03:24 2010 +0000
    1 Min Load Avg:          14.01
    5 Min Load Avg:          6.37
    15 Min Load Avg:         2.77
    Running/Total Processes: 2/109
    
    Code:
    Output from ps:
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
     root         1  0.0  0.1   2156   660 ?        Ss   Nov19   0:00 init [3]      
     root      4009  0.0  0.1   2248   552 ?        S<s  Nov19   0:00 /sbin/udevd -d
     root      5662  0.0  0.1   1812   564 ?        Ds   Nov19   0:00 syslogd -m 0
     root      5700  0.0  0.2   7188  1068 ?        Ss   Nov19   0:00 /usr/sbin/sshd
     root      5725  0.0  0.1   2832   872 ?        Ss   Nov19   0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
     root      5743  0.0  0.2   3708  1296 ?        S    Nov19   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/vps17854.eukhost.com.pid
     mysql     5772  0.1 14.9 389596 78156 ?        Sl   Nov19   2:08  \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/vps17854.eukhost.com.pid --skip-external-locking
     mailnull  7991  0.0  0.5  10356  2652 ?        Ss   Nov19   0:00 /usr/sbin/exim -bd -q60m
     root      9655  0.0  0.1   2152   708 ?        Ss   Nov19   0:00 /usr/sbin/dovecot
     root      9659  0.0  0.1   2628  1012 ?        S    Nov19   0:00  \_ dovecot-auth
     dovecot   9664  0.0  0.3   5296  1980 ?        S    Nov19   0:00  \_ pop3-login
     dovecot   9665  0.0  0.3   5296  1984 ?        S    Nov19   0:00  \_ pop3-login
     root     11304  0.0  0.8   9284  4296 ?        Ss   Nov19   0:00 /usr/local/apache/bin/httpd -k start -DSSL
     nobody   15490  0.0  0.3   9284  2096 ?        S    Nov20   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     legastro 17595  0.0  2.6  45624 14048 ?        S    Nov20   0:00  |   \_ /usr/bin/php
     legastro 18336  0.0  0.0      0     0 ?        Z    Nov20   0:32  |   \_ [php] <defunct>
     legastro 18131  0.0  6.7  51640 35484 ?        S    Nov20   0:30  |   \_ /usr/bin/php
     legastro 25699  0.4  5.1  49780 27220 ?        S    Nov20   0:23  |   \_ /usr/bin/php
     legastro 23599  0.2  4.5  49056 23772 ?        S    00:04   0:07  |   \_ /usr/bin/php
     legastro 24477  0.1  4.7  50260 25068 ?        S    00:05   0:06  |   \_ /usr/bin/php
     legastro 28257  0.1  2.8  45640 14804 ?        D    01:00   0:00  |   \_ /usr/bin/php
     legastro 28492  0.1  2.8  45640 14804 ?        D    01:00   0:00  |   \_ /usr/bin/php
     legastro 29880  0.1  2.8  45640 14804 ?        D    01:01   0:00  |   \_ /usr/bin/php
     legastro 29891  0.1  2.8  45640 14808 ?        D    01:01   0:00  |   \_ /usr/bin/php
     legastro 29957  0.1  2.8  45640 14808 ?        D    01:01   0:00  |   \_ /usr/bin/php
     legastro 30027  0.1  2.8  45640 14804 ?        D    01:01   0:00  |   \_ /usr/bin/php
     legastro 30112  0.1  2.8  45640 14804 ?        D    01:01   0:00  |   \_ /usr/bin/php
     legastro 30416  0.1  2.0  45264 10988 ?        S    01:01   0:00  |   \_ /usr/bin/php
     legastro 31910  0.2  2.8  45640 14808 ?        D    01:01   0:00  |   \_ /usr/bin/php
     legastro 31914  0.2  2.8  45640 14800 ?        D    01:01   0:00  |   \_ /usr/bin/php
     legastro 32571  0.2  2.8  45640 14800 ?        D    01:02   0:00  |   \_ /usr/bin/php
     legastro  1741  0.3  2.8  45640 14812 ?        R    01:02   0:00  |   \_ /usr/bin/php
     nobody   30199  0.0  0.6   9732  3536 ?        S    Nov20   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   20033  0.0  0.6   9580  3460 ?        S    00:33   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    3965  0.0  0.6   9568  3452 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    3966  0.0  0.6   9700  3500 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    3967  0.0  0.6   9628  3480 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    3968  0.0  0.6   9596  3388 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    3969  0.0  0.6   9740  3628 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    3970  0.0  0.6   9636  3500 ?        S    00:38   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   13333  0.0  0.6  10028  3604 ?        S    00:40   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   27733  0.0  0.5   9420  3076 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   27747  0.0  0.5   9420  3076 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   27787  0.0  0.5   9420  2984 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   27788  0.0  0.5   9420  3052 ?        S    01:00   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   30630  0.0  0.5   9420  2988 ?        S    01:01   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   30647  0.0  0.5   9420  3076 ?        S    01:01   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody   30648  0.0  0.5   9420  3080 ?        S    01:01   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    1747  0.0  0.4   9284  2116 ?        S    01:02   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    1756  0.0  0.4   9284  2116 ?        S    01:02   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     nobody    1758  0.0  0.4   9284  2116 ?        S    01:02   0:00  \_ /usr/local/apache/bin/httpd -k start -DSSL
     root     11313  0.0  0.2   6468  1484 ?        Ss   Nov19   0:00 pure-ftpd (SERVER)                                                                                                                                                                                                                                      
     root     11316  0.0  0.2   6196  1224 ?        S    Nov19   0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth
     root     11328  0.0  0.2   4496  1120 ?        Ss   Nov19   0:00 crond
     root     26029  0.0  0.2   5056  1500 ?        S    01:00   0:00  \_ crond
     root     26419  0.0  0.1   2492  1040 ?        Ss   01:00   0:00      \_ /bin/bash /usr/bin/run-parts /etc/cron.daily
     root     30566  0.0  0.1   2492   960 ?        S    01:01   0:00          \_ /bin/sh /etc/cron.daily/rpm
     root     30604  0.0  0.5   9592  2952 ?        D    01:01   0:00          |   \_ /usr/lib/rpm/rpmq -q --all --qf %{name}-%{version}-%{release}.%{arch}.rpm\n
     root     30606  0.0  0.0  27388   524 ?        S    01:01   0:00          |   \_ /bin/sort
     root     30567  0.0  0.1   2240   620 ?        S    01:01   0:00          \_ awk -v progname=/etc/cron.daily/rpm progname {?????   print progname ":\n"?????   progname="";????       }????       { print; }
     root     11957  0.0  0.7   5696  3828 ?        S    Nov19   0:04 queueprocd - wait to process a task
     root     11977  0.0  0.4   4916  2592 ?        S    Nov19   0:00 tailwatchd
     root     12076  0.0  0.2   3916  1544 ?        SN   Nov19   0:00 cpanellogd - sleeping for logs
     root     12101  0.0  0.1   5672   704 ?        Ss   Nov19   0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
     root     12138  0.0  0.0   5672   436 ?        S    Nov19   0:00  \_ /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 2
     named    15580  0.0  0.8 194276  4688 ?        Ssl  Nov19   0:01 /usr/sbin/named -u named
     root     17922  0.0  1.4  14800  7768 ?        S    Nov19   0:00 cpsrvd - waiting for connections
     root      5490  0.0  2.7  18052 14608 ?        Ss   00:00   0:00 lfd - sleeping
     root      3887  0.0  2.6  18052 13824 ?        S    01:02   0:00  \_ lfd - (child) checking load...
     root      3888  0.0  0.1   2528   840 ?        R    01:02   0:00      \_ /bin/ps axuf
    
    
     
  2. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    Usually when you get that its an possible attack but you dont have enough connections for that but I seen that just before this there is a poplogin so it could be possible that the user was sending emails out in to bigger values.

    I have had this several time but I then limited the domains that can send emails out per hour which stopped this, You can set limits in the tweek settings.

    Now I'm not saying this could be the cause of it but it may be a possability, You should wait abit longer for more suggestions from other users.
     
  3. pascalfringe

    pascalfringe Member

    Joined:
    Dec 6, 2010
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Delhi, India
    15 min load avg is low, means it was probably an instant resource utilization
     
  4. kunnusingh

    kunnusingh Member

    Joined:
    Mar 23, 2010
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Front of PC
    cPanel Access Level:
    Root Administrator
    Hello,

    If you're getting this alert on every few minute or hours then first try to detect high user account.

    Some time you will get a continually alert for High Resource uses from "ExampleUser" then suspend and unsuspend "ExampleUser" (Its my trick, Lots of time its work because of I think when I suspend user and unsuspend then also his Process is killed...)
     
  5. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    I wouldn't trust ANYTHING the 'firewall' OR cPanel says about 'high load usage'. These scripts don't take into account the fact that sometimes, load is actually HIGH for a reason (ie: the server's working).
     
Loading...

Share This Page