Solved

Excessive resource usage: ntp (7326)

Posted on 2011-02-24
21
869 Views
Last Modified: 2012-05-11
How do I fix the message below

lfd on server.example.com: Excessive resource usage: ntp (7326)

Time:         Thu Feb 24 11:02:04 2011 -0500
Account:      ntp
Resource:     Process Time
Exceeded:     83882 > 1800 (seconds)
Executable:   /usr/sbin/ntpd
Command Line: ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
PID:          7326
Killed:       No
0
Comment
Question by:sobeservices2
  • 11
  • 5
  • 3
  • +1
21 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 334 total points
Comment Utility
stop ntp, confirm the timezone. run ntpdate to get the clock synchronized.
I might be misreading the error message, but it might be an issue that the time is off.
Does this error show up first thing when the system is booted?

hwclock --show to see whether your hardware clock is running behind.

You may need to run hwclock --systohc after you synchronize the system time using ntpdate. You may want to setup a cron job, or add to /etc/rc.local which will run after all other services loaded including ntpd sync the hwclock --systohc to get the hardware clock to the current time.
0
 

Author Comment

by:sobeservices2
Comment Utility
stop ntp did not work?
stop command not found

hwclock shows
Thu 24 Feb 2011 12:34:46 PM EST  -0.316614 seconds
0
 
LVL 5

Expert Comment

by:mooodiecr
Comment Utility
I think the command you are looking for is

service ntpd stop
0
 

Author Comment

by:sobeservices2
Comment Utility
ok then what should I do?
0
 
LVL 5

Assisted Solution

by:mooodiecr
mooodiecr earned 83 total points
Comment Utility
you will want to watch your time on the server for a while and see if time is getting off by anything that you can actually measure.  -0.xxxxxxx seconds to me is acceptable.  you can run the hwclock command to see how far off the internal clock is running.  You will notice the more work the system sees that this can spike to -1.xxxx or even -2.xxxxx seconds.  This is visible if you run the hwclock command back to back as quick as the system can respond to you.  The -0.xxxxxx will grow.  if you stop for 4-5 seconds and run the command again you will see it back to the -0.0xxxxxx range.  Again to me this is acceptable.

Unless you have a reason to require that time is exact I would leave the NTP service off if it is negatively effecting your system.  But be sure to watch and see if time falls behind as there could be a completely different reason why the NTP service was using so many resources.  

0
 

Author Comment

by:sobeservices2
Comment Utility
This is what I am getting
Time:    Thu Feb 24 14:02:32 2011 -0500
PID:     7326
Account: ntp
Uptime:  94710 seconds


Executable:

/usr/sbin/ntpd


Command Line (often faked in exploits):

ntpd -u ntp:ntp -p /var/run/ntpd.pid -g


Network connections by the process (if any):

udp: 0.0.0.0:123 -> 0.0.0.0:0
udp6: 0.0.0.0:123 -> 0.0.0.0:0
udp6: 254.227.31.117:123 -> 0.0.0.0:0
udp: 127.0.0.1:123 -> 0.0.0.0:0
udp: 000.13.222.000:123 -> 0.0.0.0:0



Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

00110000-00263000 r-xp 00000000 08:06 4587525    /lib/libc-2.5.so
00263000-00265000 r-xp 00152000 08:06 4587525    /lib/libc-2.5.so
00265000-00266000 rwxp 00154000 08:06 4587525    /lib/libc-2.5.so
00266000-00269000 rwxp 00266000 00:00 0
00269000-00279000 r-xp 00000000 08:06 4587767    /lib/libresolv-2.5.so
00279000-0027a000 r-xp 0000f000 08:06 4587767    /lib/libresolv-2.5.so
0027a000-0027b000 rwxp 00010000 08:06 4587767    /lib/libresolv-2.5.so
0027b000-0027d000 rwxp 0027b000 00:00 0
002a7000-002c2000 r-xp 00000000 08:06 4587522    /lib/ld-2.5.so
002c2000-002c3000 r-xp 0001a000 08:06 4587522    /lib/ld-2.5.so
002c3000-002c4000 rwxp 0001b000 08:06 4587522    /lib/ld-2.5.so
003c5000-003c8000 r-xp 00000000 08:06 4587654    /lib/libcap.so.1.10
003c8000-003c9000 rwxp 00002000 08:06 4587654    /lib/libcap.so.1.10
004b5000-00528000 r-xp 00000000 08:03 1428117    /usr/sbin/ntpd
00528000-0052e000 rwxp 00073000 08:03 1428117    /usr/sbin/ntpd
0052e000-005be000 rwxp 0052e000 00:00 0
005c7000-005ee000 r-xp 00000000 08:06 4587763    /lib/libm-2.5.so
005ee000-005ef000 r-xp 00026000 08:06 4587763    /lib/libm-2.5.so
005ef000-005f0000 rwxp 00027000 08:06 4587763    /lib/libm-2.5.so
006e8000-006ec000 r-xp 00000000 08:06 6947020    /lib/libnss_dns-2.5.so
006ec000-006ed000 r-xp 00003000 08:06 6947020    /lib/libnss_dns-2.5.so
006ed000-006ee000 rwxp 00004000 08:06 6947020    /lib/libnss_dns-2.5.so
0076a000-0076b000 r-xp 0076a000 00:00 0          [vdso]
00a5d000-00a67000 r-xp 00000000 08:06 6947022    /lib/libnss_files-2.5.so
00a67000-00a68000 r-xp 00009000 08:06 6947022    /lib/libnss_files-2.5.so
00a68000-00a69000 rwxp 0000a000 08:06 6947022    /lib/libnss_files-2.5.so
00ab4000-00bde000 r-xp 00000000 08:06 4590755    /lib/libcrypto.so.0.9.8e
00bde000-00bf1000 rwxp 00129000 08:06 4590755    /lib/libcrypto.so.0.9.8e
00bf1000-00bf5000 rwxp 00bf1000 00:00 0
00f1b000-00f2d000 r-xp 00000000 08:03 1270947    /usr/lib/libz.so.1.2.3
00f2d000-00f2e000 rwxp 00011000 08:03 1270947    /usr/lib/libz.so.1.2.3
00f7b000-00f7e000 r-xp 00000000 08:06 4587773    /lib/libdl-2.5.so
00f7e000-00f7f000 r-xp 00002000 08:06 4587773    /lib/libdl-2.5.so
00f7f000-00f80000 rwxp 00003000 08:06 4587773    /lib/libdl-2.5.so
08820000-08841000 rw-p 08820000 00:00 0          [heap]
b7f0a000-b7f0d000 rw-p b7f0a000 00:00 0
bfad9000-bfaef000 rw-p bffe8000 00:00 0          [stack]
0
 

Author Comment

by:sobeservices2
Comment Utility
Time:         Thu Feb 24 14:02:32 2011 -0500
Account:      ntp
Resource:     Process Time
Exceeded:     94710 > 1800 (seconds)
Executable:   /usr/sbin/ntpd
Command Line: ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
PID:          7326
Killed:       No
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 334 total points
Comment Utility
I do not see external servers referenced with which ntp will synchronize.

add to /etc/ntp/ntp.conf
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org

and restart NTP
servce ntpd restart

See if this issue returns.
0
 

Author Comment

by:sobeservices2
Comment Utility
I got this again

Time:    Thu Feb 24 14:35:37 2011 -0500
PID:     3006
Account: ntp
Uptime:  106 seconds


Executable:

/usr/sbin/ntpd


Command Line (often faked in exploits):

ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
0
 

Author Comment

by:sobeservices2
Comment Utility
Like my CSF firewall

is t rigging the error
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 76

Expert Comment

by:arnold
Comment Utility
you can try to use ntpq to see if it can reach the configured SNTP servers.
0
 

Author Comment

by:sobeservices2
Comment Utility
how?
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 334 total points
Comment Utility
/usr/sbin/ntpq lpeers
/usr/sbin/ntpq -p
http://support.ntp.org/bin/view/Support/TroubleshootingNTP

What/where is this error displayed?
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 83 total points
Comment Utility
This message just results of ntpd being a never-ending process, so it's process time will accumulate beyond the lfd default limit of 1800 seconds.

Add /usr/sbin/ntpd to the csf.pignore file and this message will not appear again

wmp
0
 

Author Comment

by:sobeservices2
Comment Utility
A little lost now what should I do continuing to get it

Time:    Fri Feb 25 16:03:00 2011 -0500
PID:     3006
Account: ntp
Uptime:  91749 seconds


Executable:

/usr/sbin/ntpd


Command Line (often faked in exploits):

ntpd -u ntp:ntp -p /var/run/ntpd.pid -g


Network connections by the process (if any):
0
 

Author Comment

by:sobeservices2
Comment Utility
arnold here is results of your post


root@server [~]# /usr/sbin/ntpq lpeers
Name or service not known
ntpq>


root@server [~]# /usr/sbin/ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+211.229.223.67. 72.26.217.210    3 u  776 1024  377   44.152   -9.862   0.119
*68.68.18.78.cus 192.43.244.18    2 u  232 1024  377   39.296   -9.311   0.175
+triangle.kansas 128.252.19.1     2 u  875 1024  377   19.077    3.481   7.149
 LOCAL(0)        .LOCL.          10 l   45   64  377    0.000    0.000   0.001
root@server [~]#
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
Did you try my "csf.pignore" suggestion? Don't forget to recycle csf!

wmp
0
 

Author Comment

by:sobeservices2
Comment Utility
What didn't do anything when I typed in csf.pignore
How do I recycle csf? what does that mean
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
csf.pignore is a configuration file, not a command!
Recycle csf means stop then start csf.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 334 total points
Comment Utility
NTP seems to be configured and connecting, I do not know what generates the events you posted nor it is unclear to me what it is trying to alert.
0
 

Author Closing Comment

by:sobeservices2
Comment Utility
Overall ok
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now