from Pogo, Walt Kelly

Pig was hired to watch the logs.

2. Monitoring Commands and Options

4. Naming Conventions

The ntpd daemon includes a comprehensive monitoring facility which collects statistical data of various types and writes the data to files associated with each type at defined events or intervals. The files associated with a particular type are collectively called the generation file set for that type. The files in the file set are the members of that set.

File sets have names specific to the type and generation epoch. The names are constructed from three concatenated elements prefix, filename and suffix:

prefix

The directory path specified in the statsdir command.

name

The name specified by the file option of the filegen command.

suffix

A string of elements beginning with . (dot) followed by a number of elements depending on the file set type.

There is a visualization tool, ntpviz, which assists in making sense of statistics files.

5. Monitoring Commands and Options

Unless noted otherwise, further information about these commands is on the Event Messages and Status Codes page.

statistics name…​

Enables writing of statistics records. Currently, ten kinds of name statistics are supported.

clockstats

Enables recording of clock driver statistics information. Each update received from a clock driver appends a line of the following form to the file generation set named clockstats:

49213 525.624 SPECTRACOM(1) 93 226 00:08:29.606

| Item | Units | Description |
|---|---|---|
| 49213 | MJD | modified Julian day number |
| 525.624 | s | time of day (s) past midnight UTC |
| SPECTRACOM(1) | | receiver identifier (Spectracom unit 1) |
| 93 226 00:08:29.606 | | timecode (format varies by refclock) |

The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next normally shows clock type and unit (but if you are running in strict Classic compatibility mode it will show the magic clock address in dotted-quad notation). The final field is the last timecode received from the clock in decoded ASCII format, where meaningful. For some clock drivers, a good deal of additional information can be gathered and displayed as well. See information specific to each clock for further details.

loopstats

Enables recording of loop filter statistics information. Each update of the local clock outputs a line of the following form to the file generation set named loopstats:

50935 75440.031 0.000006019 13.778190 0.000351733 0.013380 6

| Item | Units | Description |
|---|---|---|
| 50935 | MJD | date |
| 75440.031 | s | time past midnight |
| 0.000006019 | s | clock offset |
| 13.778 | PPM | drift (frequency offset) |
| 0.000351733 | s | RMS jitter |
| 0.013380 | PPM | RMS frequency jitter (aka wander) |
| 6 | log2 s | clock discipline loop time constant |

The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next five fields show time offset (seconds), frequency offset (parts per million - PPM), RMS jitter (seconds), Allan deviation (PPM) and clock discipline time constant.

ntsstats

Enables recording of NTS statistics counters on a periodic basis. Each hour a line of the following form is appended to the file generation set named ntsstats:

60209 77147.187 3600 1320 1239 0 2895 2895 11 4104 0 2897 2885 10 0 0 2 0

| Item | Units | Description |
|---|---|---|
| 60209 | MJD | date |
| 77147.187 | s | time past midnight |
| 3600 | s | time since reset |
| 1320 | packets | client requests sent |
| 1239 | packets | client responses received good |
| 0 | packets | client responses received bad |
| 2895 | packets | server responses sent |
| 2895 | packets | server requests received good |
| 11 | packets | server requests received bad |
| 4104 | packets | cookies made |
| 0 | packets | cookie decodes not server |
| 2897 | packets | cookie decodes total |
| 2885 | packets | cookie decodes current |
| 10 | packets | cookie decodes 1-2 days |
| 0 | packets | cookie decodes 2-3 days |
| 0 | packets | cookie decodes 3-10 days |
| 2 | packets | cookie decodes too old |
| 0 | packets | cookie decodes error |

These counters are also available via ntpq's nts command.

ntskestats

Enables recording of NTS-KE statistics counters on a periodic basis. Each hour a line of the following form is appended to the file generation set named ntskestats:

60209 77147.187 3600 10 2.914 0.026 2 3.218 0.004 0 0.000 0.000 0 0

| Item | Units | Description |
|---|---|---|
| 60209 | MJD | date |
| 77147.187 | s | time past midnight |
| 3600 | s | time since reset |
| 10 | requests | server requests good |
| 2.914 | seconds | server good wall clock time |
| 0.026 | seconds | server good CPU time |
| 2 | requests | server requests no-TLS |
| 3.218 | seconds | server no-TLS wall clock time |
| 0.004 | seconds | server no-TLS CPU time |
| 0 | requests | server requests bad |
| 0.000 | seconds | server bad wall clock time |
| 0.000 | seconds | server bad CPU time |
| 0 | requests | client requests good |
| 0 | requests | client requests bad |

These counters are also available via ntpq's nts command.

There are two types of failures for NTS-KE server processing. The no-TLS slots are for the path when the TLS connection doesn’t get set up. The bad slots are for the path when the TLS connection does get set up but there is an error during the NTS-KE exchange.

Both are typically caused by bad guys probing for servers to abuse. A no-TLS event would be caused by a bad guy using unencrypted SMTP while a bad event would be caused by SMTP over TLS.

protostats

Record significant peer and system events. Each significant event appends one line to the protostats file set:

49213 525.624 128.4.1.1 963a 8a message

| Item | Units | Description |
|---|---|---|
| 49213 | MJD | date |
| 525.624 | s | time past midnight |
| 128.4.1.1 | IP | source address (0.0.0.0 for system) |
| 963a | code | status word |
| 8a | code | event message code |
| message | text | event message |

The event message code and message field are described on the "Event Messages and Status Words" page.

peerstats

Enables recording of peer statistics information. This includes statistics records of all peers of an NTP server and of special signals, where present and configured. Each valid update appends a line of the following form to the current element of a file generation set named peerstats:

48773 10847.650 SPECTRACOM(4) 9714 -0.001605376 0.000000000 0.001424877 0.000958674

| Item | Units | Description |
|---|---|---|
| 48773 | MJD | date |
| 10847.650 | s | time past midnight |
| SPECTRACOM(4) | | clock name (unit) or source address |
| 9714 | hex | status word |
| -0.001605376 | s | clock offset |
| 0.000000000 | s | roundtrip delay |
| 0.001424877 | s | dispersion |
| 0.000958674 | s | RMS jitter |

The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The third field shows the reference clock type and unit number (but if you are running in the peer address in dotted-quad notation instead). The fourth field is a status word, encoded in hex in the format described in Appendix A of the NTP specification RFC 1305. The final four fields show the offset, delay, dispersion and RMS jitter, all in seconds.

rawstats

Enables recording of raw-timestamp statistics information. This includes statistics records of all peers of an NTP server and of special signals, where present and configured. Each NTP message received from a peer or clock driver appends a line of the following form to the file generation set named rawstats:

59786 36302.768 2610:20:6f15:15::27 2604:a880:1:20::17:5001 3867818701.119346355 3867818701.152009264 3867818701.152010426 3867818702.768490825 0 3 4 1 13 -29 0.000244 0.000488 .NIST. 0 1 2000

| Item | Units | Description |
|---|---|---|
| 59786 | MJD | date |
| 36302.768 | s | time past midnight |
| 2610:20:6f15:15::27 | IP | source address |
| 2604:a880:1:20::17:5001 | IP | destination address |
| 3867818701.119346355 | NTP s | origin timestamp |
| 3867818701.152009264 | NTP s | receive timestamp |
| 3867818701.152010426 | NTP s | transmit timestamp |
| 3867818702.768490825 | NTP s | destination timestamp |
| 0 | 0: OK, 1: insert pending, 2: delete pending, 3: not synced | leap warning indicator |
| 3 | 4 was current in 2012 | NTP version |
| 4 | 3: client, 4: server, 6: ntpq | mode |
| 1 | 1-15, 16: not synced | stratum |
| 13 | log2 seconds | poll |
| -29 | log2 seconds | precision |
| 0.000244 | seconds | total roundtrip delay from the remote server to the primary reference clock |
| 0.000488 | seconds | total dispersion from the remote server to the primary reference clock |
| .NIST. | IP or text | refid, association ID |
| 0 | integer | lost packets since last response |
| 1 | integer | dropped packets since last request |
| 2000 | hex integer | 0 if packet accepted, BOGON flag if packet is discarded |

The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The next two fields show the remote IP Address followed by the local address. The next four fields show the originate, receive, transmit and final NTP timestamps in order. The timestamp values are as received and before processing by the various data smoothing and mitigation algorithms.

A packet that is accepted is logged. At most the first dropped packet per request is logged. That avoids DDoSing the log file.

The BOGON flags are decoded here.

sysstats

Enables recording of ntpd statistics counters on a periodic basis. Each hour a line of the following form is appended to the file generation set named sysstats:

59935 82782.547 3600 36082754 31287166 26510580 4779042 113 19698 1997 428 4773352 0 366120

| Item | Units | Description |
|---|---|---|
| 59935 | MJD | date |
| 82782.547 | s | time past midnight |
| 3600 | s | time since reset |
| 36082754 | # | packets received |
| 31287166 | # | packets processed |
| 26510580 | # | current version |
| 4779042 | # | old version(s) |
| 113 | # | access denied |
| 19698 | # | bad length or format |
| 1997 | # | bad authentication |
| 428 | # | declined |
| 4773352 | # | rate exceeded |
| 0 | # | kiss-o'-death packets sent |
| 366120 | # | NTPv1 packets received |

The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The remaining ten fields show the statistics counter values accumulated since the last generated line.
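The hourly counter files lend themselves to simple alerting. The following added example (not part of the NTPsec documentation or code) parses the sysstats and ntskestats sample lines shown on this page, converts the MJD and seconds-past-midnight fields to a UTC timestamp, and reports which rejection counters exceed a share of received packets and what share of NTS-KE server requests ended in the no-TLS or bad path. The counter labels and the limits are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

MJD_EPOCH = datetime(1858, 11, 17, tzinfo=timezone.utc)  # MJD 0 at 00:00 UTC

# Counter labels (assumed names) in the column order of the tables on this page.
SYSSTATS = ("reset_s received processed current_version old_version "
            "access_denied bad_format bad_auth declined rate_exceeded "
            "kod_sent ntpv1").split()
NTSKESTATS = ("reset_s srv_good srv_good_wall srv_good_cpu srv_notls "
              "srv_notls_wall srv_notls_cpu srv_bad srv_bad_wall srv_bad_cpu "
              "cli_good cli_bad").split()

def parse_record(line, names):
    """Return (UTC datetime, {label: value}) for one statistics line."""
    fields = line.split()
    if len(fields) != len(names) + 2:
        raise ValueError(f"expected {len(names) + 2} fields, got {len(fields)}")
    when = MJD_EPOCH + timedelta(days=int(fields[0]), seconds=float(fields[1]))
    values = {n: float(v) if "." in v else int(v)
              for n, v in zip(names, fields[2:])}
    return when, values

def sysstats_flags(values, limits):
    """Rejection counters whose share of received packets exceeds its limit."""
    received = values["received"] or 1  # avoid dividing by zero on an idle hour
    return sorted(n for n, lim in limits.items() if values[n] / received > lim)

def ntske_failure_share(values):
    """Share of NTS-KE server requests that took the no-TLS or bad path."""
    failed = values["srv_notls"] + values["srv_bad"]
    total = failed + values["srv_good"]
    return failed / total if total else 0.0

# Sample lines copied from this page; the limits are assumed, tune per server.
SYS_LINE = ("59935 82782.547 3600 36082754 31287166 26510580 4779042 113 "
            "19698 1997 428 4773352 0 366120")
KE_LINE = "60209 77147.187 3600 10 2.914 0.026 2 3.218 0.004 0 0.000 0.000 0 0"
LIMITS = {"rate_exceeded": 0.05, "bad_auth": 0.001, "bad_format": 0.001}

if __name__ == "__main__":
    when, sysv = parse_record(SYS_LINE, SYSSTATS)
    print(when.isoformat(), sysstats_flags(sysv, LIMITS))
    when, kev = parse_record(KE_LINE, NTSKESTATS)
    print(when.isoformat(), round(ntske_failure_share(kev), 3))
```
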

usestats

Enables recording of ntpd resource usage statistics. Each hour a line of the following form is appended to the file generation set named usestats:

57570 83399.541 3600 0.902 1.451 164 0 0 0 2328 64226 1 0 4308

| Item | Units | Description |
|---|---|---|
| 57570 | MJD | date |
| 83399.541 | s | time past midnight |
| 3600 | s | time since reset |
| 0.902 | s | ru_utime: CPU seconds - user mode |
| 1.451 | s | ru_stime: CPU seconds - system |
| 164 | # | ru_minflt: page faults - reclaim/soft (no I/O) |
| 0 | # | ru_majflt: page faults - I/O |
| 0 | # | ru_nswap: process swapped out |
| 0 | # | ru_inblock: file blocks in |
| 2328 | # | ru_oublock: file blocks out |
| 64226 | # | ru_nvcsw: context switches, wait |
| 1 | # | ru_nivcsw: context switches, preempts |
| 0 | # | ru_nsignals: signals |
| 4308 | # | ru_maxrss: resident set size, kilobytes |

The first two fields show the date (Modified Julian Day) and time (seconds and fraction past UTC midnight). The ru_ tags are the names from the rusage struct. See man getrusage for details. (The NetBSD and FreeBSD man pages have more details.) The maxrss column is the high water mark since the process was started. The remaining fields show the values used since the last report.

statsdir directory_path

Indicates the full path of a directory where statistics files should be created (see below). This keyword allows the (otherwise constant) filegen filename prefix to be modified for file generation sets, which is useful for handling statistics logs.

filegen name [file filename] [type typename] [link | nolink] [enable | disable]

Configures setting of the generation file set name. Generation file sets provide a means for handling files that are continuously growing during the lifetime of a server. Server statistics are a typical example for such files. Generation file sets provide access to a set of files used to store the actual data. At any time at most one element of the set is being written to. The type given specifies when and how data will be directed to a new element of the set. This way, information stored in elements of a file set that are currently unused are available for administrative operations without the risk of disturbing the operation of ntpd. (Most important: they can be removed to free space for new data produced.)

Note that this command can be sent from the ntpq(1) program running at a remote location.

name

This is the type of the statistics records, as shown in the statistics command.

file filename

This is the file name for the statistics records. Filenames of set members are built from three concatenated elements prefix, filename and suffix:

Attribute Description

prefix

This is a constant filename path. It is not subject to modifications via the filegen option. It is defined by the server, usually specified as a compile-time constant. It may, however, be configurable for individual file generation sets via other commands. For example, the prefix used with loopstats and peerstats generation can be configured using the statsdir option explained above.

filename

This string is directly concatenated to the prefix mentioned above (no intervening ‘/’). This can be modified using the file argument to the filegen statement. No .. elements are allowed in this component to prevent filenames referring to parts outside the filesystem hierarchy denoted by prefix.

suffix

This part reflects individual elements of a file set. It is generated according to the type of a file set.

type typename

A file generation set is characterized by its type. The following types are supported:

Attribute Description

none

The file set is actually a single plain file.

pid

One element of file set is used per incarnation of a ntpd server. This type does not perform any changes to file set members during runtime, however it provides an easy way of separating files belonging to different ntpd(8) server incarnations. The set member filename is built by appending a ‘.’ to concatenated prefix and filename strings, and appending the decimal representation of the process ID of the ntpd(8) server process.

day

One file generation set element is created per day. A day is defined as the period between 00:00 and 24:00 UTC. The file set member suffix consists of a ‘.’ and a day specification in the form YYYYMMdd. YYYY is a 4-digit year number (e.g., 1992). MM is a two digit month number. dd is a two digit day number. Thus, all information written at 10 December 1992 would end up in a file named prefix filename.19921210.

week

Any file set member contains data related to a certain week of a year. The term week is defined by computing day-of-year modulo 7. Elements of such a file generation set are distinguished by appending the following suffix to the file set filename base: A dot, a 4-digit year number, the letter W, and a 2-digit week number. For example, information from January, 10th 1992 would end up in a file with suffix 1992W1.

month

One generation file set element is generated per month. The file name suffix consists of a dot, a 4-digit year number, and a 2-digit month.

year

One generation file element is generated per year. The filename suffix consists of a dot and a 4 digit year number.

age

This type of file generation sets changes to a new element of the file set every 24 hours of server operation. The filename suffix consists of a dot, the letter a, and an 8-digit number. This number is taken to be the number of seconds the server is running at the start of the corresponding 24-hour period.

link | nolink

It is convenient to be able to access the current element of a file generation set by a fixed name. This feature is enabled by specifying link and disabled using nolink. If link is specified, a hard link from the current file set element to a file without suffix is created. When there is already a file with this name and the number of links of this file is one, it is renamed appending a dot, the letter C, and the pid of the ntpd server process. When the number of links is greater than one, the file is unlinked. This allows the current file to be accessed by a constant name.

enable | disable

Enables or disables the recording function. Information is only written to a file generation by specifying enable; output is prevented by specifying disable.
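The naming rules for the file and type options can be exercised with a short script. This added example (not ntpd's own code) builds member names for the none, pid, day, month, year and age types as described above, rejects a filename containing a .. element, and lists day-type members old enough to archive or remove; the week type is left out. The directory /var/log/ntpstats/ and the function names are assumptions.

```python
import re
from datetime import date, datetime, timedelta, timezone

def member_name(prefix, filename, typename, now, pid=0, uptime_s=0):
    """Build a file set member name from prefix, filename and type suffix."""
    if ".." in filename.split("/"):
        raise ValueError("'..' elements are not allowed in filename")
    suffix = {
        "none": "",
        "pid": f".{pid}",
        "day": now.strftime(".%Y%m%d"),      # UTC day, YYYYMMdd
        "month": now.strftime(".%Y%m"),
        "year": now.strftime(".%Y"),
        # seconds of uptime at the start of the current 24-hour period
        "age": f".a{uptime_s // 86400 * 86400:08d}",
    }.get(typename)
    if suffix is None:
        raise ValueError(f"unsupported type: {typename}")
    return prefix + filename + suffix        # joined with no intervening '/'

DAY_SUFFIX = re.compile(r"\.(\d{4})(\d{2})(\d{2})$")

def expired_day_members(names, filename, today, keep_days):
    """Day-type members of one file set dated more than keep_days before today."""
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for name in names:
        m = DAY_SUFFIX.search(name)
        if not m or name[:m.start()] != filename:
            continue                         # other set, or the linked fixed name
        try:
            stamp = date(*map(int, m.groups()))
        except ValueError:
            continue                         # digits that are not a real date
        if stamp < cutoff:
            expired.append(name)
    return sorted(expired)

if __name__ == "__main__":
    now = datetime(1992, 12, 10, 8, 0, tzinfo=timezone.utc)
    print(member_name("/var/log/ntpstats/", "loopstats", "day", now))
    listing = ["loopstats", "loopstats.19921201", "loopstats.19921209",
               "loopstats.19921340", "peerstats.19921201"]  # constructed listing
    print(expired_day_members(listing, "loopstats", now.date(), keep_days=7))
```
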

