Netdata penetrates the apache log

ozzWANTED

So, netdata says CPU is 100%, and maybe it is due to some user with a WP plugin.

But anyway, it is hard to inspect that, as if I go to Logs -> Apache logs, I see:

"127.0.0.1 - - [22/Jun/2020:16:04:30 +0300] "GET /server-status?auto HTTP/1.1" 200 1821"
that is every second.
And no way to see anything else.

I enter "auto" in the grep line and I select "invert" but it still shows these lines. So the apache log is useless.
 
The grep search does not work. server-status page does not exist. Or how to know what is domain. Namehost is srv.<AAA>.lt but srv.<AAA>.lt/server-status - does not exist.
GREP Search does not work, I cannot exclude "server-status" from results. There is an input box in the search page of logs in DAAdmin for GREP. But it does not work.
 
Do it from the command line. You can do anything from the command line.
 
> server-status page does not exist.

It's normally disabled, as said, you have to enable this in the httpd info file.
/etc/httpd/conf/extra/httpd-info.conf
Set extended status to on and allow your IP to connect. This is for Apache. I don't know about nginx and OLS.

Logfiles mentioned can be read, like Floyd said. Use the command line, or otherwise said, log in via SSH.
 
> It's normally disabled, as said, you have to enable this in the httpd info file.
> /etc/httpd/conf/extra/httpd-info.conf
> Set extended status to on and allow your IP to connect. This is for Apache. I don't know about nginx and OLS.
>
> Logfiles mentioned can be read, like Floyd said. Use the command line, or otherwise said, log in via SSH.

Hi, I don't want to log in via other apps to server, then putty, run commands etc. All this is a cumbersome process for server-gurus and time-wasters. In the log viewer of DirectAdmin, there is a GREP line THAT SHOULD WORK, but it does not work. It is a bug in DirectAdmin.

Also how to set, that it would not ping the server every second, but do this every 5 seconds.

Also, we use separate MariaDB Ubuntu VPS for databases, linked to Ubuntu DirectAdmin VPS. 2nd server protects from direct DDOS to Database server. Now, how can I see netdata from the DB server as well, as DirectAdmin DOES SUPPORT the 2ndary MariaDB server and it all works there with database management. Also, why the DA 1.6.1 on heavy queries does not give that information from the database server, only it would work from 1 DaServer. But DA has full support for dual-vps (DA Ubuntu Server and MariaDB Ubuntu server).
 
> Hi, I don't want to log in via other apps to server, then putty, run commands etc. All this is a cumbersome process for server-gurus and time-wasters.

Using the command line is the way real server admins do things. A control panel is generally for end users. I have never used a control panel for server administration because it's a lot slower.

You said Netdata is saying the CPU is at 100%. Then you started looking at Apache logs. Why?? One may not have anything to do with the other. First find out what process is causing the CPU to be at 100%. You can only really do that from the command line.
 
> Hi, I don't want to log in via other apps to server, then putty, run commands etc. All this is a cumbersome process for server-gurus and time-wasters. In the log viewer of DirectAdmin, there is a GREP line THAT SHOULD WORK, but it does not work. It is a bug in DirectAdmin.

LoL, okay, you're just a user then, not a sysadmin.
It's not another app, if enabled you can just visit via the browser, it's plain and very basic admin knowledge, nothing guru about it.
Grep works, but then you have to grep the correct log files anyway, which you did not.
 
I told you, GREP does not work. I enter in that 'correct' log, the 'status' and select INVERT checkbox, and it does work, I can enter anything in grep field nothing works, nor with commas, nor with -v, nor with GREP word. That field is just a bug.

And yes, I'm a user. More likely PHP Developer, and definitely not a sysadmin. That's why we believe Ubuntu Server is the best OS, much better than any other paid OS or enterprise OS.
 
A user with admin rights in DA..... Hmm..... If you have admin rights, then you should have a bit of sysadmin knowledge? Or was everything set up for you?

This sounds like one of my VPS clients, asked me to set everything up, then expects me to continue to maintain the VPS......
Doesn't work like that.
 
> A user with admin rights in DA..... Hmm..... If you have admin rights, then you should have a bit of sysadmin knowledge? Or was everything set up for you?
>
> This sounds like one of my VPS clients, asked me to set everything up, then expects me to continue to maintain the VPS......
> Doesn't work like that.

How does your reply answer my question about the bug report that GREP does not work?
 
> Then you don't have access to the proper logs anyway. You have to be an administrator to really find out the problem.

I do have access: Direct Admin -> Logs. All list of log files. You have 20 there of them. I select apache access log, but grep field does not work.
 
Pick log

Type word or part of word in box then hit load log. You must be doing something wrong or something is missing on your server.

 

> I enter in that 'correct' log,

And I told you that you're not in the correct log. You have to be in the domains log, not the apache error log. You can't reach these from within the panel, you have to log in via SSH or log in via DA to the domain user and check domain logs from there.

And grep works. I tested and Brent also showed you. So it's not a bug, it's an issue on your side.
Seems something is wrong with your system if it doesn't work. You can always send in a ticket, unless you're on a personal license.
However, if you have a personal license and want help, I would suggest to be less clever and a bit more friendly.
 
> I do have access: Direct Admin -> Logs. All list of log files. You have 20 there of them. I select apache access log, but grep field does not work.

Well, just GREP'ing stuff doesn't fix anything...... You need to delve deeper, via shell.....

I was just stipulating, as you have admin access to DA, you'd know a bit about sysadmin, that's all.
 
> I do have access: Direct Admin -> Logs. All list of log files. You have 20 there of them. I select apache access log, but grep field does not work.

Just to add to Peter's thought DirectAdmin does not give you access to all of the logs. AND WHY are you looking at the apache logs as if that is the only thing that could cause high CPU????????? You don't even know that it has anything to do with apache. This is why you need to access the shell. Look at how we have been using DirectAdmin. Look at the experience we have as actual system administrators. LISTEN to us.
 
> And I told you that you're not in the correct log. You have to be in the domains log, not the apache error log. You can't reach these from within the panel, you have to log in via SSH or log in via DA to the domain user and check domain logs from there.
>
> And grep works. I tested and Brent also showed you. So it's not a bug, it's an issue on your side.
> Seems something is wrong with your system if it doesn't work. You can always send in a ticket, unless you're on a personal license.
> However, if you have a personal license and want help, I would suggest to be less clever and a bit more friendly.

So how does this answer the question. With netdata I see that one user <THE_USER> with test.<THE_DOMAIN>.com loads CPU by 192 percents average. I see the Apache access_log, and I see the checkbox 'Invert' which should find opposite to what is entered in GREP, right? What do you type in GREP fields in DA Admin -> Logs to exclude lines with "server-status".

Now regarding servers status, It had gone somewhy (maybe datacenter admins removed it from my logs), but now I see this:
Code:
::1 - - [30/Jun/2020:13:29:14 +0300] "OPTIONS * HTTP/1.0" 200 112
::1 - - [30/Jun/2020:13:29:15 +0300] "OPTIONS * HTTP/1.0" 200 112
::1 - - [30/Jun/2020:13:29:16 +0300] "OPTIONS * HTTP/1.0" 200 112
::1 - - [30/Jun/2020:13:29:46 +0300] "OPTIONS * HTTP/1.0" 200 112
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
186.101.230.155 - - [30/Jun/2020:13:30:05 +0300] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 400 394 "-" "XTC"
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0

On which domain and why /lookup/503 is called so often?

But if I go to DA Admin -> Process Monitor I see a strange file, that keeps the server's CPU loaded to 176 percents for over 2 weeks now:
Code:
30217    <THE_USER>   20    0    2938476    2.289g    3832    S    176.5    23.4    1173:14    /home/<THE_USER>/domains/test.<THE_DOMAIN>.com/private_html/wp-admin/wp-update -B -l /dev/null

And if I open that file, it is a binary file, does not look like WordPress update.
So is that a virus, or is it due to netdata? As I asked server admin to reduce refresh rate to 5 seconds, maybe it is related to that?

Also if I go to http://checkfiletype.com/upload-and-check , and upload that file, I get:
Code:
File Type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x8d292bfaf2b7358c244b6a11ae8bc9b42bb11607, stripped

MIME Type: application/x-executable
Suggested file extension(s): so

File Meta Data
File Size    2.6 MB
File Type    ELF executable
File Type Extension    
MIME Type    application/octet-stream
CPU Architecture    64 bit
CPU Byte Order    Little endian
Object File Type    Executable file
CPU Type    AMD x86-64
~~~~~~~~~~~~~~~~~
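
The inverted match asked about above, done from the shell as the replies suggest. This is an added example, not part of the original posts; the function names and the sample lines (with a documentation address, 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: read an Apache access log without the server's own noise.

# Drop requests the server makes to itself from loopback: status polls
# by a monitoring agent such as Netdata, and Apache's internal
# "OPTIONS *" dummy connections.
# grep -v inverts the match: it prints the lines that do NOT match.
filter_noise() {
    grep -Ev '^(127\.0\.0\.1|::1) .*"(GET /server-status|OPTIONS \*)' "$1"
}

# Count what is left per client address and request line, busiest first.
summarise() {
    filter_noise "$1" |
        awk -F'"' '{ split($1, a, " "); n[a[1] " " $2]++ }
                   END { for (k in n) print n[k], k }' |
        sort -rn
}

# Constructed sample in the log format quoted in the thread.
sample_log() {
    cat <<'EOF'
127.0.0.1 - - [22/Jun/2020:16:04:30 +0300] "GET /server-status?auto HTTP/1.1" 200 1821
127.0.0.1 - - [22/Jun/2020:16:04:31 +0300] "GET /server-status?auto HTTP/1.1" 200 1821
::1 - - [30/Jun/2020:13:29:14 +0300] "OPTIONS * HTTP/1.0" 200 112
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
192.0.2.10 - - [30/Jun/2020:13:30:05 +0300] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 400 394 "-" "XTC"
EOF
}

# Usage: sh logtriage.sh /path/to/access_log
if [ $# -gt 0 ]; then summarise "$1"; fi
```

The loopback `/lookup/503` requests are deliberately left in the output, since they are one of the things being asked about.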
 
On the WordPress forum it says it is a hack. ( https://wordpress.org/support/topic/wp-admin-wp-update-a-virus/#post-13053934 )
But how can this executable file be damaging if this is only a user, not root? Did it come via one of the plugins? As we keep all up to date, and buy premium plugins only. The file causes high CPU load, and is fully writable. It appears it is a .so file, but regular WP users cannot execute server files, so is that a server hack? And if this is a server hack, why then is it only on this test domain website, not in server root?
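
One way to look for this kind of file and process from the shell, as an added example that is not part of the original posts: it flags files under a web root that start with the ELF magic bytes, whatever they are named, and lists running processes whose binary lives under a given directory. The function names and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find native executables where only web content belongs.

# True when the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Print every ELF file below a directory, whatever its name or extension.
find_elf() {
    find "$1" -type f | while IFS= read -r f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print "PID path" for running processes whose binary is under a directory.
# Reads Linux /proc; run as root to see processes of other users.
procs_under() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$1"/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Constructed sample tree: one PHP file and a fake "wp-update" that only
# carries an ELF header (it is not a working binary).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin"
    printf '<?php // placeholder\n' > "$d/wp-admin/index.php"
    printf '\177ELF\002\001\001' > "$d/wp-admin/wp-update"
    printf '%s\n' "$d"
}

# Usage: sh elfscan.sh /home   (scans files, then running processes)
if [ $# -gt 0 ]; then
    find_elf "$1"
    procs_under "$1"
fi
```

A process running as an ordinary account, like the one in the Process Monitor line above, needs no root access to start: any user who can write a file and run it can keep it running under their own UID.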
 