Excessive resource usage: ntp (7326)

How do I fix the message below

lfd on server.example.com: Excessive resource usage: ntp (7326)

Time:         Thu Feb 24 11:02:04 2011 -0500
Account:      ntp
Resource:     Process Time
Exceeded:     83882 > 1800 (seconds)
Executable:   /usr/sbin/ntpd
Command Line: ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
PID:          7326
Killed:       No
sobeservices2Asked:
Who is Participating?
 
arnoldCommented:
stop ntp, confirm the timezone. run ntpdate to get the clock synchronized.
I might be misreading the error message, but it might be an issue that the time is off.
Does this error show up first thing when the system is booted?

hwclock --show to see whether your hardware clock is running behind.

You may need to run hwclock --systohc after you synchronize the system time using ntpdate. You may want to setup a cron job, or add to /etc/rc.local which will run after all other services loaded including ntpd sync the hwclock --systohc to get the hardware clock to the current time.
0
 
sobeservices2Author Commented:
stop ntp did not work?
stop command not found

hwclock shows
Thu 24 Feb 2011 12:34:46 PM EST  -0.316614 seconds
0
 
mooodiecrCommented:
I think the command you are looking for is

service ntpd stop
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
sobeservices2Author Commented:
ok then what should I do?
0
 
mooodiecrCommented:
you will want to watch your time on the server for a while and see if time is getting off by anything that you can actually measure.  -0.xxxxxxx seconds to me is acceptable.  you can run the hwclock command to see how far off the internal clock is running.  You will notice the more work the system sees that this can spike to -1.xxxx or even -2.xxxxx seconds.  This is visible if you run the hwclock command back to back as quick as the system can respond to you.  The -0.xxxxxx will grow.  if you stop for 4-5 seconds and run the command again you will see it back to the -0.0xxxxxx range.  Again to me this is acceptable.

Unless you have a reason to require that time is exact I would leave the NTP service off if it is negatively effecting your system.  But be sure to watch and see if time falls behind as there could be a completely different reason why the NTP service was using so many resources.  

0
 
sobeservices2Author Commented:
This is what I am getting
Time:    Thu Feb 24 14:02:32 2011 -0500
PID:     7326
Account: ntp
Uptime:  94710 seconds


Executable:

/usr/sbin/ntpd


Command Line (often faked in exploits):

ntpd -u ntp:ntp -p /var/run/ntpd.pid -g


Network connections by the process (if any):

udp: 0.0.0.0:123 -> 0.0.0.0:0
udp6: 0.0.0.0:123 -> 0.0.0.0:0
udp6: 254.227.31.117:123 -> 0.0.0.0:0
udp: 127.0.0.1:123 -> 0.0.0.0:0
udp: 000.13.222.000:123 -> 0.0.0.0:0



Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

00110000-00263000 r-xp 00000000 08:06 4587525    /lib/libc-2.5.so
00263000-00265000 r-xp 00152000 08:06 4587525    /lib/libc-2.5.so
00265000-00266000 rwxp 00154000 08:06 4587525    /lib/libc-2.5.so
00266000-00269000 rwxp 00266000 00:00 0
00269000-00279000 r-xp 00000000 08:06 4587767    /lib/libresolv-2.5.so
00279000-0027a000 r-xp 0000f000 08:06 4587767    /lib/libresolv-2.5.so
0027a000-0027b000 rwxp 00010000 08:06 4587767    /lib/libresolv-2.5.so
0027b000-0027d000 rwxp 0027b000 00:00 0
002a7000-002c2000 r-xp 00000000 08:06 4587522    /lib/ld-2.5.so
002c2000-002c3000 r-xp 0001a000 08:06 4587522    /lib/ld-2.5.so
002c3000-002c4000 rwxp 0001b000 08:06 4587522    /lib/ld-2.5.so
003c5000-003c8000 r-xp 00000000 08:06 4587654    /lib/libcap.so.1.10
003c8000-003c9000 rwxp 00002000 08:06 4587654    /lib/libcap.so.1.10
004b5000-00528000 r-xp 00000000 08:03 1428117    /usr/sbin/ntpd
00528000-0052e000 rwxp 00073000 08:03 1428117    /usr/sbin/ntpd
0052e000-005be000 rwxp 0052e000 00:00 0
005c7000-005ee000 r-xp 00000000 08:06 4587763    /lib/libm-2.5.so
005ee000-005ef000 r-xp 00026000 08:06 4587763    /lib/libm-2.5.so
005ef000-005f0000 rwxp 00027000 08:06 4587763    /lib/libm-2.5.so
006e8000-006ec000 r-xp 00000000 08:06 6947020    /lib/libnss_dns-2.5.so
006ec000-006ed000 r-xp 00003000 08:06 6947020    /lib/libnss_dns-2.5.so
006ed000-006ee000 rwxp 00004000 08:06 6947020    /lib/libnss_dns-2.5.so
0076a000-0076b000 r-xp 0076a000 00:00 0          [vdso]
00a5d000-00a67000 r-xp 00000000 08:06 6947022    /lib/libnss_files-2.5.so
00a67000-00a68000 r-xp 00009000 08:06 6947022    /lib/libnss_files-2.5.so
00a68000-00a69000 rwxp 0000a000 08:06 6947022    /lib/libnss_files-2.5.so
00ab4000-00bde000 r-xp 00000000 08:06 4590755    /lib/libcrypto.so.0.9.8e
00bde000-00bf1000 rwxp 00129000 08:06 4590755    /lib/libcrypto.so.0.9.8e
00bf1000-00bf5000 rwxp 00bf1000 00:00 0
00f1b000-00f2d000 r-xp 00000000 08:03 1270947    /usr/lib/libz.so.1.2.3
00f2d000-00f2e000 rwxp 00011000 08:03 1270947    /usr/lib/libz.so.1.2.3
00f7b000-00f7e000 r-xp 00000000 08:06 4587773    /lib/libdl-2.5.so
00f7e000-00f7f000 r-xp 00002000 08:06 4587773    /lib/libdl-2.5.so
00f7f000-00f80000 rwxp 00003000 08:06 4587773    /lib/libdl-2.5.so
08820000-08841000 rw-p 08820000 00:00 0          [heap]
b7f0a000-b7f0d000 rw-p b7f0a000 00:00 0
bfad9000-bfaef000 rw-p bffe8000 00:00 0          [stack]
0
 
sobeservices2Author Commented:
Time:         Thu Feb 24 14:02:32 2011 -0500
Account:      ntp
Resource:     Process Time
Exceeded:     94710 > 1800 (seconds)
Executable:   /usr/sbin/ntpd
Command Line: ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
PID:          7326
Killed:       No
0
 
arnoldCommented:
I do not see external servers referenced with which ntp will synchronize.

add to /etc/ntp/ntp.conf
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org

and restart NTP
servce ntpd restart

See if this issue returns.
0
 
sobeservices2Author Commented:
I got this again

Time:    Thu Feb 24 14:35:37 2011 -0500
PID:     3006
Account: ntp
Uptime:  106 seconds


Executable:

/usr/sbin/ntpd


Command Line (often faked in exploits):

ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
0
 
sobeservices2Author Commented:
Like my CSF firewall

is t rigging the error
0
 
arnoldCommented:
you can try to use ntpq to see if it can reach the configured SNTP servers.
0
 
sobeservices2Author Commented:
how?
0
 
arnoldCommented:
/usr/sbin/ntpq lpeers
/usr/sbin/ntpq -p
http://support.ntp.org/bin/view/Support/TroubleshootingNTP

What/where is this error displayed?
0
 
woolmilkporcCommented:
This message just results of ntpd being a never-ending process, so it's process time will accumulate beyond the lfd default limit of 1800 seconds.

Add /usr/sbin/ntpd to the csf.pignore file and this message will not appear again

wmp
0
 
sobeservices2Author Commented:
A little lost now what should I do continuing to get it

Time:    Fri Feb 25 16:03:00 2011 -0500
PID:     3006
Account: ntp
Uptime:  91749 seconds


Executable:

/usr/sbin/ntpd


Command Line (often faked in exploits):

ntpd -u ntp:ntp -p /var/run/ntpd.pid -g


Network connections by the process (if any):
0
 
sobeservices2Author Commented:
arnold here is results of your post


root@server [~]# /usr/sbin/ntpq lpeers
Name or service not known
ntpq>


root@server [~]# /usr/sbin/ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+211.229.223.67. 72.26.217.210    3 u  776 1024  377   44.152   -9.862   0.119
*68.68.18.78.cus 192.43.244.18    2 u  232 1024  377   39.296   -9.311   0.175
+triangle.kansas 128.252.19.1     2 u  875 1024  377   19.077    3.481   7.149
 LOCAL(0)        .LOCL.          10 l   45   64  377    0.000    0.000   0.001
root@server [~]#
0
 
woolmilkporcCommented:
Did you try my "csf.pignore" suggestion? Don't forget to recycle csf!

wmp
0
 
sobeservices2Author Commented:
What didn't do anything when I typed in csf.pignore
How do I recycle csf? what does that mean
0
 
woolmilkporcCommented:
csf.pignore is a configuration file, not a command!
Recycle csf means stop then start csf.
0
 
arnoldCommented:
NTP seems to be configured and connecting, I do not know what generates the events you posted nor it is unclear to me what it is trying to alert.
0
 
sobeservices2Author Commented:
Overall ok
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.