Netdata penetrates the apache log

ozzWANTED

Verified User
Joined
Mar 10, 2015
Messages
24
So, netdata says CPU is 100%, and maybe it is due to some user with a WP plugin.

But anyway, it is hard to inspect that, as if I go to Logs -> Apache logs, I see:

"127.0.0.1 - - [22/Jun/2020:16:04:30 +0300] "GET /server-status?auto HTTP/1.1" 200 1821"
that is every second.
And no way to see anything else.

I enter "auto" in the grep line and I select "invert", but it still shows these lines. So the Apache log is useless.
 

ozzWANTED

The grep search does not work. The server-status page does not exist. Or how do I know what the domain is? Namehost is srv.<AAA>.lt but srv.<AAA>.lt/server-status does not exist.
GREP search does not work, I cannot exclude "server-status" from the results. There is an input box on the search page of logs in DA Admin for GREP. But it does not work.
 

floyd

Verified User
Joined
Mar 29, 2005
Messages
5,482
Do it from the command line. You can do anything from the command line.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
5,254
Location
Maastricht
> server-status page does not exist.

It's normally disabled, as said, you have to enable this in the httpd info file.
/etc/httpd/conf/extra/httpd-info.conf
Set extended status to on and allow your IP to connect. This is for Apache. I don't know about nginx and OLS.

Logfiles mentioned can be read, like Floyd said. Use the command line, or otherwise said, log in via SSH.
 

ozzWANTED

> It's normally disabled, as said, you have to enable this in the httpd info file.
> /etc/httpd/conf/extra/httpd-info.conf
> Set extended status to on and allow your IP to connect. This is for Apache. I don't know about nginx and OLS.
>
> Logfiles mentioned can be read, like Floyd said. Use the command line, or otherwise said, log in via SSH.

Hi, I don't want to log in via other apps to the server, then PuTTY, run commands etc. All this is a cumbersome process for server gurus and time-wasters. In the log viewer of DirectAdmin, there is a GREP line THAT SHOULD WORK, but it does not work. It is a bug in DirectAdmin.

Also, how do I set it so that it does not ping the server every second, but does this every 5 seconds?

Also, we use a separate MariaDB Ubuntu VPS for databases, linked to the Ubuntu DirectAdmin VPS. The 2nd server protects from direct DDoS to the database server. Now, how can I see netdata from the DB server as well, as DirectAdmin DOES SUPPORT the secondary MariaDB server and it all works there with database management? Also, why does DA 1.6.1 on heavy queries not give that information from the database server, only it would work from 1 DaServer? But DA has full support for dual-VPS (DA Ubuntu server and MariaDB Ubuntu server).
 

floyd

> Hi, I don't want to log in via other apps to the server, then PuTTY, run commands etc. All this is a cumbersome process for server gurus and time-wasters.

Using the command line is the way real server admins do things. A control panel is generally for end users. I have never used a control panel for server administration because it's a lot slower.

You said Netdata is saying the CPU is at 100%. Then you started looking at Apache logs. Why?? One may not have anything to do with the other. First find out what process is causing the CPU to be at 100%. You can only really do that from the command line.
 

Richard G

> Hi, I don't want to log in via other apps to the server, then PuTTY, run commands etc. All this is a cumbersome process for server gurus and time-wasters. In the log viewer of DirectAdmin, there is a GREP line THAT SHOULD WORK, but it does not work. It is a bug in DirectAdmin.

LoL, okay, you're just a user then, not a sysadmin.
It's not another app, if enabled you can just visit via the browser, it's plain and very basic admin knowledge, nothing guru about it.
Grep works, but then you have to grep the correct log files anyway which you did not.
 

ozzWANTED

I told you, GREP does not work. I enter 'status' in that 'correct' log and select the INVERT checkbox, and it does work, I can enter anything in the grep field, nothing works, neither with commas, nor with -v, nor with the GREP word. That field is just a bug.

And yes, I'm a user. More likely a PHP developer, and definitely not a sysadmin. That's why we believe Ubuntu Server is the best OS, much better than any other paid OS or enterprise OS.
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
1,826
Location
London UK
A user with admin rights in DA..... Hmm..... If you have admin rights, then you should have a bit of sysadmin knowledge? Or was everything set up for you?

This sounds like one of my VPS clients, asked me to set everything up, then expects me to continue to maintain the VPS......
Doesn't work like that.
 

ozzWANTED

> A user with admin rights in DA..... Hmm..... If you have admin rights, then you should have a bit of sysadmin knowledge? Or was everything set up for you?
>
> This sounds like one of my VPS clients, asked me to set everything up, then expects me to continue to maintain the VPS......
> Doesn't work like that.

How does your reply answer my question about the bug report that GREP does not work?
 

ozzWANTED

> Then you don't have access to the proper logs anyway. You have to be an administrator to really find out the problem.

I do have access: Direct Admin -> Logs. The whole list of log files. You have 20 of them there. I select the Apache access log, but the grep field does not work.
 

Richard G

> I enter in that 'correct' log,

And I told you that you're not in the correct log. You have to be in the domains log, not the Apache error log. You can't reach these from within the panel, you have to log in via SSH or log in via DA to the domain user and check domain logs from there.

And grep works. I tested and Brent also showed you. So it's not a bug, it's an issue on your side.
Seems something is wrong with your system if it doesn't work. You can always send in a ticket, unless you're on a personal license.
However, if you have a personal license and want help, I would suggest to be less clever and a bit more friendly.
 

Peter Laws

> I do have access: Direct Admin -> Logs. The whole list of log files. You have 20 of them there. I select the Apache access log, but the grep field does not work.

Well, just GREP'ing stuff doesn't fix anything...... You need to delve deeper, via shell.....

I was just stipulating, as you have admin access to DA, you'd know a bit about sysadmin, that's all.
 

floyd

> I do have access: Direct Admin -> Logs. The whole list of log files. You have 20 of them there. I select the Apache access log, but the grep field does not work.

Just to add to Peter's thought, DirectAdmin does not give you access to all of the logs. AND WHY are you looking at the Apache logs as if that is the only thing that could cause high CPU????????? You don't even know that it has anything to do with Apache. This is why you need to access the shell. Look at how we have been using DirectAdmin. Look at the experience we have as actual system administrators. LISTEN to us.
 

ozzWANTED

> And I told you that you're not in the correct log. You have to be in the domains log, not the Apache error log. You can't reach these from within the panel, you have to log in via SSH or log in via DA to the domain user and check domain logs from there.
>
> And grep works. I tested and Brent also showed you. So it's not a bug, it's an issue on your side.
> Seems something is wrong with your system if it doesn't work. You can always send in a ticket, unless you're on a personal license.
> However, if you have a personal license and want help, I would suggest to be less clever and a bit more friendly.

So how does this answer the question? With netdata I see that one user <THE_USER> with test.<THE_DOMAIN>.com loads the CPU by 192 percent on average. I see the Apache access_log, and I see the checkbox 'Invert' which should find the opposite of what is entered in GREP, right? What do you type in the GREP field in DA Admin -> Logs to exclude lines with "server-status"?

Now regarding server status, it has gone for some reason (maybe datacenter admins removed it from my logs), but now I see this:
Code:
::1 - - [30/Jun/2020:13:29:14 +0300] "OPTIONS * HTTP/1.0" 200 112
::1 - - [30/Jun/2020:13:29:15 +0300] "OPTIONS * HTTP/1.0" 200 112
::1 - - [30/Jun/2020:13:29:16 +0300] "OPTIONS * HTTP/1.0" 200 112
::1 - - [30/Jun/2020:13:29:46 +0300] "OPTIONS * HTTP/1.0" 200 112
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
186.101.230.155 - - [30/Jun/2020:13:30:05 +0300] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 400 394 "-" "XTC"
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:32 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
127.0.0.1 - - [30/Jun/2020:13:30:33 +0300] "GET /lookup/503 Over" 400 0
On which domain, and why is /lookup/503 called so often?

But if I go to DA Admin -> Process Monitor I see a strange file that keeps the server's CPU loaded at 176 percent for over 2 weeks now:
Code:
30217    <THE_USER>   20    0    2938476    2.289g    3832    S    176.5    23.4    1173:14    /home/<THE_USER>/domains/test.<THE_DOMAIN>.com/private_html/wp-admin/wp-update -B -l /dev/null
And if I open that file, it is a binary file, it does not look like a WordPress update.
So is that a virus, or is it due to netdata? As I asked the server admin to reduce the refresh rate to 5 seconds, maybe it is related to that?

Also if I go to http://checkfiletype.com/upload-and-check , and upload that file, I get:
Code:
File Type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x8d292bfaf2b7358c244b6a11ae8bc9b42bb11607, stripped

MIME Type: application/x-executable
Suggested file extension(s): so

File Meta Data
File Size    2.6 MB
File Type    ELF executable
File Type Extension    
MIME Type    application/octet-stream
CPU Architecture    64 bit
CPU Byte Order    Little endian
Object File Type    Executable file
CPU Type    AMD x86-64
~~~~~~~~~~~~~~~~~
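
Added example (not part of any post in this thread, and not DirectAdmin's own code): one way to do the access-log filtering discussed above from the command line. It drops only the loopback `/server-status` polls and Apache's internal `OPTIONS *` dummy connections, keeps everything else (including the `/lookup/503` lines), and counts what remains per client and path. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache common/combined log format.

# Drop only the loopback monitoring noise quoted in the thread: the
# /server-status polls and Apache's internal "OPTIONS *" dummy connections.
# Other loopback requests (such as /lookup/503) are kept.
drop_monitor_noise() {
    awk '!($1 ~ /^(127\.0\.0\.1|::1)$/ &&
           ($0 ~ /"GET \/server-status/ || $0 ~ /"OPTIONS \* /))' "$1"
}

# Count what is left per "client method path", busiest first.
top_requests() {
    drop_monitor_noise "$1" |
        awk '{ gsub(/"/, "", $6); print $1, $6, $7 }' |
        sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Constructed sample log (203.0.113.7 is a documentation address).
write_sample_log() {
    cat > "$1" <<'EOF'
127.0.0.1 - - [22/Jun/2020:16:04:30 +0300] "GET /server-status?auto HTTP/1.1" 200 1821
127.0.0.1 - - [22/Jun/2020:16:04:31 +0300] "GET /server-status?auto HTTP/1.1" 200 1821
::1 - - [30/Jun/2020:13:29:14 +0300] "OPTIONS * HTTP/1.0" 200 112
127.0.0.1 - - [30/Jun/2020:13:29:55 +0300] "GET /lookup/503 Over" 400 0
203.0.113.7 - - [30/Jun/2020:13:30:01 +0300] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [30/Jun/2020:13:30:02 +0300] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [30/Jun/2020:13:30:03 +0300] "GET /index.php HTTP/1.1" 200 512
EOF
}

# Usage: sh triage.sh /path/to/access_log   (no argument: run on the sample)
log="${1:-}"
if [ -z "$log" ]; then
    log="$(mktemp)"
    write_sample_log "$log"
fi
top_requests "$log"
```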
 

ozzWANTED

On the WordPress forum it says it is a hack. ( https://wordpress.org/support/topic/wp-admin-wp-update-a-virus/#post-13053934 )
But how can this executable file be damaging if this is only a user, not root? Did it come via one of the plugins? As we keep all up to date, and buy premium plugins only. The file causes high CPU load, and is fully writable. It appears it is a .so file, but regular WP users cannot execute server files, so is that a server hack? And if this is a server hack, why then is it only on this test domain website, not in the server root?
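
Added example (not part of any post in this thread): a shell check for the situation described above, where a file inside `wp-admin` turns out to be an ELF binary and a process is running from it. It lists ELF files under a web root by their magic bytes, regardless of file name, and lists running processes whose executable lives under that root. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The web root is supplied by the caller.

# True if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# List regular files under a web root that are ELF binaries, whatever their name.
find_elf_under() {
    find "$1" -type f | while IFS= read -r f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print "pid exe" for running processes whose binary lives under the prefix.
# Linux /proc only; run as root to see other users' processes. A binary that
# was deleted after launch shows up with a " (deleted)" suffix.
procs_running_from() {
    for exe in /proc/[0-9]*/exe; do
        target="$(readlink "$exe" 2>/dev/null)" || continue
        case "$target" in
            "$1"/*) pid="${exe#/proc/}"
                    printf '%s %s\n' "${pid%/exe}" "$target" ;;
        esac
    done
}

# Usage: sh elfscan.sh /home/USER/domains   (no argument: constructed demo tree)
root="${1:-}"
if [ -z "$root" ]; then
    root="$(mktemp -d)"
    mkdir -p "$root/wp-admin"
    printf '\177ELF\002\001\001' > "$root/wp-admin/wp-update"  # constructed stub: header bytes only
    printf '<?php // constructed\n' > "$root/wp-admin/index.php"
fi
find_elf_under "$root"
procs_running_from "$root"
```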
 