System Monitoring With sar And ksar


sar is one of the old and famous commandline utilities, which is often overlooked. It provides a wealth of information when you have kind of performance bottlenecks. By itself it only provides lengthy columns of numerical data, kind of hard to interpret. sar exists on most Linux distributions, for example Ubuntu, Debian, CentOS, Gentoo, and is also available on Solaris, AIX, and other commercial Unices.

ksar, on the other hand, is a Java based front end for sar's numerical data. It produces friendly graphs which could be exported to .pdf and some other formats.


Preliminary Note + Disclaimer

For using this tutorial you should be familiar using a shell, at least some basic knowledge is advantageous.

The following tutorial is a kind of cooking receipe using sar and ksar. It should easily be adoptable to nearly any kind of Linux or Unix, where the prerequisites are available. I can not issue any guarantee that this recipe works also for you.


1. sar

As already mentioned above sar is commandline driven. It is in a package named like sysstat (Ubuntu, Debian, CentOS, Gentoo, to name some). You should install it using your favourite package manager (apt-get, yum, synaptic, yumex, emerge, ..). Favourably sar could and should be used in conjunction with cron, so you may have a look into /etc/cron.d/sysstat or a similar named file. It should look like (CentOS in this case):

# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib/sa/sa2 -A

Not to forget, sar should be installed on the system you like to monitor.

sar is run with the help of cron every 10 minutes, produces a kind of binary snapshot what is going on on the system, and at 23:53 a daily summary is produced. The "human friendly" daily summary and the binary database are stored in /var/log/sa (CentOS) or in /var/log/sysstat (Debian, Ubuntu). sar produces a file per day, and holds old databases for a month (default). But we want more, and this is where ksar comes into the game.


2. ksar

ksar is not in the repositories of the common systems, you have to download it from SourceForge.

ksar could be installed on your PC/workstation, it's not necessary to install it on the system to be monitored (often a server). Main prerequisite is Java, so you should take care that a recent Java is installed on the system you wish to run ksar. In this case the SUN-Java-6-jre was used.

ksar comes in a .zip archive, you should unpack it using unzip to a destination you like to have it, maybe /opt or /usr/local/bin.

It is unpacked into a directory of it's own, for instance like


Changing into this directory you should find a file named

-rwxr-xr-x 1 root root     276 2008-11-25 19:19*

I have changed it's permission to be executable. You can run ksar by issueing a

/usr/local/bin/kSar-5.0.6/ &

Then the really userfriendly GUI should start. It looks like


So far not very interesting ..

ksar has a builtin functionality to contact remote systems with the help of SSH. As chances are high that you already use SSH to administrate your systems with the help of SSH, this is quite handy. This functionality is under "Data/Launch SSH command".


Another easy possibilty to do offline examinations of sar's performance data is, to simply copy the ASCII reports produced by sar on the monitored system onto your workstation using scp, and examine them offline. First you get an overview about the data stored in the dataset you have loaded:


This is CPU load over a day:


Or Memory Usage over a day:


It's also possible to stretch the X-axis, to zoom into a smaller timerange:


It's up to you to further explore the possibilities of sar/ksar. In my opinion they are a dignified source of info regarding system performance and identification of bottlenecks, that could easily be made accessible.


3. URL's

Share this page:

3 Comment(s)

Add comment

Please register in our forum first to comment.


By: SamTzu

Thx. This appears to be one of the simplest historical monitoring system I have seen so far. I like simple. Keep it simple.


By: Charles Stepp

In the crontab entry, you should not be limiting the interval to 1 second. Sar uses the same system resources no matter how long the interval is. It reads kernel values, sleeps, reads the values again and records/prints the difference value. 1 second, 10 seconds, 1200 seconds are the same as far as sar’s resource usage. 99.99% of sar’s usage is sleep, which is what the kernel does anyway when it’s not doing anything. Note below that the first sar sample of only a second showed an average cpu of 3%. The longer samples, averaging over a longer period, show that 6% is probably more of an accurate average, at this time. The web pages I’ve seen so far feed each other with this 1 second sample thing, almost like someone is afraid sar might bog the system down. It won’t. The same two sets of kernel reads happens no matter what the interval is:<br><br>

time sar 1 1; time sar 10 1; time sar 100 1<br>
Linux 2.6.18-194.el5 (blahblah) 10/07/14<br>

12:04:51 CPU %user %nice %system %iowait %steal %idle<br>
12:04:52 all 3.00 0.00 0.75 0.00 0.00 96.25<br>
Average: all 3.00 0.00 0.75 0.00 0.00 96.25<br>
sar 1 1 0.00s user 0.00s system 0% cpu 1.005 total<br>
Linux 2.6.18-194.el5 (blahblah) 10/07/14<br>

12:04:52 CPU %user %nice %system %iowait %steal %idle<br>
12:05:02 all 6.21 0.00 0.93 0.20 0.00 92.67<br>
Average: all 6.21 0.00 0.93 0.20 0.00 92.67<br>
sar 10 1 0.00s user 0.00s system 0% cpu 10.005 total<br>
Linux 2.6.18-194.el5 (blahblah) 10/07/14<br>

12:05:02 CPU %user %nice %system %iowait %steal %idle<br>
12:06:42 all 6.32 0.00 0.97 0.24 0.00 92.47<br>
Average: all 6.32 0.00 0.97 0.24 0.00 92.47<br>
sar 100 1 0.00s user 0.00s system 0% cpu 1:40.01 total<br><br>

From the man page example it shows each hour having 3 20 minute samples. This provides accurate averaging and small sa## files. A 1 second interval each 10 minutes is 1/600th of the information available.<br>

To create a daily record of sar activities, place the following entry
in your root or adm crontab file:<br>

0 8-18 * * 1-5 /usr/lib/sa/sa1 1200 3 &<br>

By: Kansai

Can you run this command sar remotely? using SSH for example? How?