How to find what processes were running at a time in the past?

I am asked to investigate a high CPU usage alert which occurred this morning. I used sar -p and saw the high CPU usage showing up at that time

Next I used ps -eo pcpu,pid,user,args | sort -r -k1 | less to list the top 10 memory hogs at this hour

Now how do I find out what processes caused the bottleneck at that specific time in the morning. I am a java developer and not a Linux expert.

Is it even possible?


Solution 1:

There are several options:

  1. use a script which writes needed data on a regular basis to a logfile. You could use cron to write the output of ps (and other commands) every x minutes into a logfile.
  2. Better it would be to use a specialized program, which does this for you. atop is very good at this, at it takes care of logfile retention.

atop is available via the EPEL repo for CentOS/RHEL/Fedora and via the default repos of Debian/Ubuntu.

You can use atop like a normal real-time top utility, with slightly different behaviour (check out the manpage for keystrokes).

The more interesting part is: Once installed a daemon starts logging data into /var/log/atop and you can read these files with atop again:

atop -r /var/log/atop/atop_20160128

You have then access to all 'top' like functions (sorting/looking at memory/CPU/IO usage, etc.) and you can jump 10 minutes forward in time via 't' and 10 minutes back with 'T' or jump at a specific time via 'b'.

Check out the atop manpage and google has lots of howtos about it.

There might be other solutions, but atop is easy to understand and use and a good start before doing some more bespoke setups.