[ntp:questions] Monitoring Number of Clients
Johannes Weber
johannes at webernetz.net
Wed May 17 08:42:12 UTC 2017
Hi list,
some months ago I asked about NTP monitoring. Thanks for your answers!
I tried Brian's version which sets some mru parameters. But it's not
working as I expected. Does anyone see my mistake?
I set the following parameter: "mru mindepth 30 maxage 1200" in order to
delete all addresses that are older than 1200 seconds in case the list
is longer than 30.
However, this is not the case. I hit my NTP server with 50 probes (via
RIPE Atlas) yesterday, but they are still stored, as you can see from the
"78" addresses:
pi@ntp2:~ $ ntpq -c mon
enabled: 0x1
addresses: 78
peak addresses: 78
maximum addresses: 14563
reclaim above count: 30
reclaim older than: 1200
kilobytes: 5
maximum kilobytes: 1024
They are all still in the list:
pi@ntp2:~ $ ntpq -c mru
Ctrl-C will stop MRU retrieval and display partial results.
Retrieved 78 unique MRU entries and 0 updates.
lstint avgint rstr r m v count rport remote address
==============================================================================
[...]
69885 0 1d0 . 3 4 3 55430 2001:67c:10ec:3548:8000::1337
69885 0 1d0 . 3 4 3 38038 2a02:a40:300::12
69885 0 1d0 . 3 4 3 36528 2a01:360:1:18:c24a:ff:fecc:59ac
69885 0 1d0 . 3 4 3 45882 2a02:29b0:1004:0:c66e:1fff:fe5b:cc64
69885 0 1d0 . 3 4 3 39951 2a00:ca60:11:6000:f6f2:6dff:fe5d:971a
69885 0 1d0 . 3 4 3 48751 2a02:f48:1:200:16cc:20ff:fe48:d0e2
69885 0 1d0 . 3 4 3 43509 2a06:eac0:3000::4
69885 0 1d0 . 3 4 3 37525 2a03:1ae0:0:270:185:65:96:253
69885 0 1d0 . 3 4 3 40210 2a06:6bc0:0:2:ea94:f6ff:fee3:6d5a
69885 0 1d0 . 3 4 3 58714 2001:638:80a:2:6666:b3ff:feb0:e194
69885 0 1d0 . 3 4 3 42365 2a00:4ae0:4000:0:6666:b3ff:feb0:d85c
69885 0 1d0 . 3 4 3 43873 2a0b:2f00:29:0:fa1a:67ff:fe4d:847f
Any ideas?
Thanks again,
Johannes
---
Johannes Weber
Webernetz.net - Network Security Consulting
mail: johannes at webernetz.net
mobile: +49 174 1880211
blog: https://blog.webernetz.net
twitter: @webernetz [1]
On 14.02.2017 23:31, Brian Inglis wrote:
> On 2017-02-06 13:10, Johannes Weber wrote:
>
>> I have one question concerning the monstats and mrulist commands. I am
>> monitoring my NTP servers and I want to graph the current clients. I am
>> using the "addresses" line from the monstats output.
>> However, it seems that every client that has been gone for many days (!)
>> is still listed within the "addresses" section and not only in the "peak
>> addresses". The same is true of the mrulist output, which lists addresses
>> that have an lstint of many days ago.
>>
>> So my question is: How can I get a number of the "most recent" clients,
>> i.e., clients that have a lstint < 2000 or the like. (One bad approach
>> might be to use the mrulist output and to grep all lines that have an
>> lstint < 2000. But I am searching for a better way to do it.)
>
> You can tweak the monitor stats collection with the mru conf statement:
>
> mru [maxdepth count | maxmem kilobytes | mindepth count | maxage seconds
> | initalloc count | initmem kilobytes | incalloc count
> | incmem kilobytes]
>
> https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#mru
>
> e.g. you may want to increase maxage to e.g. 86400s from default 64s
> and reduce mindepth to your max peak addresses count from default 600,
> so when you hit your peak addresses count, anything older than a day
> is evicted and replaced by a newer entry.
>
> I'd use awk for simple filtering of values like this e.g.
>
> $ ntpq -c mrulist 2> /dev/null | awk '$8 == "123" && $1 <= 86400'
>
> which you can easily expand on to do stats, or pass to a plot package.
Links:
------
[1] https://twitter.com/webernetz
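
An added example, not part of the thread and not code from the NTP project: a shell function that counts clients by lstint from `ntpq -c mrulist` text, which gives a "current clients" figure even when the list still holds entries such as the lstint 69885 rows above with maxage set to 1200. The function name `recent_clients` and the sample rows (documentation-range addresses) are constructed for illustration; it also splits the count by address family and tolerates a row whose address has wrapped onto the next line.

```sh
#!/bin/sh
# Added example (not from the thread): count clients whose lstint is within
# MAX_AGE seconds, reading `ntpq -c mrulist` text on stdin.
recent_clients() {
    awk -v max_age="$1" '
        function tally(addr) { if (addr ~ /:/) v6++; else v4++ }
        # A row whose address wrapped onto the next line (seen in pasted output).
        pending && NF == 1 { tally($1); pending = 0; next }
        { pending = 0 }
        # Data rows start with an integer lstint; headers and status lines do not.
        $1 ~ /^[0-9]+$/ && NF >= 8 {
            total++
            if ($1 + 0 > max_age + 0) next   # stale entry still held in the list
            recent++
            if (NF >= 9) tally($9); else pending = 1
        }
        END { printf "recent=%d v4=%d v6=%d total=%d\n", recent, v4, v6, total }
    '
}

# Constructed sample in the mrulist layout; addresses are documentation ranges.
sample_mrulist() {
    cat <<'EOF'
Retrieved 6 unique MRU entries and 0 updates.
lstint avgint rstr r m v  count rport remote address
==============================================================================
     3     64  1d0 . 3 4     12   123 192.0.2.10
    41     16  1d0 . 3 4    250 51234 2001:db8:1::25
   950   1024  1d0 . 3 4      7 40110
2001:db8:ffff:0:c66e:1fff:fe5b:cc64
  1900      0  1d0 . 3 4      3 38038 198.51.100.7
 69885      0  1d0 . 3 4      3 55430 2001:db8:10ec::1337
 69885      0  1d0 . 3 4      3 45882
2001:db8:29b0:0:c66e:1fff:fe5b:cc64
EOF
}

# On a live server: ntpq -n -c mrulist 2>/dev/null | recent_clients 1200
sample_mrulist | recent_clients 1200
```

The `total` field corresponds to the "addresses" value that `ntpq -c mon` reports, so graphing `recent` next to it shows how much of the list is stale.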