sar System Activity

sar cheatsheet — collect and report system activity. sar -u (CPU), sar -r (memory), sar -b (disk I/O), sar -n DEV (network). Historical performance data with sysstat.

6 min read

What it is

sar is a system monitoring tool that collects, reports, and saves system activity information, making it useful for performance analysis and troubleshooting over time.

Installation

Linux (Debian/Ubuntu):

sudo apt update
sudo apt install sysstat

Linux (RHEL/CentOS/Fedora):

sudo yum install sysstat
# or
sudo dnf install sysstat

macOS: sar is not typically installed by default on macOS. You can install it via Homebrew:

brew install osx-cpu-diagnostics
# Note: This package provides a GUI and command-line tools,
# including a version of sar. The exact command might vary.
# For a more direct sar equivalent, consider using tools like `atop` or `htop`.

Windows: sar is not a native Windows tool. For similar functionality, consider using:

  • Performance Monitor (perfmon): Built-in GUI tool.
  • Resource Monitor: Built-in GUI tool.
  • Third-party tools: e.g., Sysinternals suite (like Procmon).

Core Concepts

  • Data Collection: sar relies on the sadc (System Activity Data Collector) utility, which runs in the background (often via cron) to collect system statistics at regular intervals.
  • Data Storage: Collected data is typically stored in binary files under /var/log/sa/ (or similar paths depending on distribution). These files are named saDD, where DD is the day of the month.
  • Reporting: sar reads these binary files to generate human-readable reports for specified time periods and metrics.

Commands / Usage

Reporting System Activity for Today

CPU Utilization:

sar -u 1 5

Report CPU utilization every 1 second for 5 samples.

sar -u

Report CPU utilization for the entire day using the default interval (usually 10 minutes).

Memory Utilization:

sar -r 1 5

Report memory utilization every 1 second for 5 samples.

sar -r

Report memory utilization for the entire day.

Swap Activity:

sar -S 1 5

Report swap activity every 1 second for 5 samples.

sar -S

Report swap activity for the entire day.

I/O and Transfer Statistics:

sar -b 1 5

Report I/O and transfer statistics (blocks read/written, transfers made) every 1 second for 5 samples.

sar -b

Report I/O and transfer statistics for the entire day.

Network Statistics (Ethernet):

sar -n DEV 1 5

Report network interface statistics (packets, bytes) every 1 second for 5 samples.

sar -n DEV

Report network interface statistics for the entire day.

Network Statistics (TCP/IP):

sar -n TCP 1 5

Report TCP/IP statistics (segments retransmitted) every 1 second for 5 samples.

sar -n TCP

Report TCP/IP statistics for the entire day.

Load Average and CPU Utilization:

sar -q 1 5

Report load average (run queue length and 1, 5, 15 minute averages) and CPU utilization every 1 second for 5 samples.

sar -q

Report load average and CPU utilization for the entire day.

Process Creation:

sar -w 1 5

Report process creation statistics (new processes created per second) every 1 second for 5 samples.

sar -w

Report process creation statistics for the entire day.

Disk Activity (per device):

sar -d 1 5

Report disk activity (reads/writes per second, average queue length) every 1 second for 5 samples.

sar -d

Report disk activity for the entire day.

Interrupts:

sar -I SUM 1 5

Report summary of interrupts every 1 second for 5 samples.

sar -I SUM

Report summary of interrupts for the entire day.

All-in-one report (CPU, Memory, I/O, Network):

sar -A 1 5

Report all available statistics every 1 second for 5 samples.

sar -A

Report all available statistics for the entire day.

Reporting Activity for a Specific Day

Using a specific date:

sar -u -f /var/log/sa/sa23

Report CPU utilization from the data file for the 23rd day of the month.

sar -r -f /var/log/sa/sa23

Report memory utilization from the data file for the 23rd day of the month.

Using a date range (requires sadf or manual processing): sar itself doesn’t have a direct flag for date ranges across multiple files. You often combine sar with other tools or use sadf for more advanced extraction.

Example using sadf to extract CSV for a specific day:

sadf -d /var/log/sa/sa23 -- -u

Extracts CPU data in CSV format from the sa23 file.

Configuring Data Collection (/etc/cron.d/sysstat or /etc/cron.d/sysstat-collect)

The interval and retention of sar data are configured via cron jobs.

  • Debian/Ubuntu: Look in /etc/cron.d/sysstat.
  • RHEL/CentOS/Fedora: Look in /etc/cron.d/sysstat-collect.

You can edit these files to change the collection interval (e.g., from 10 minutes to 1 minute) or the number of days data is kept.

Changing the Interval and Count

sar -u -i 60

Report CPU utilization every 60 seconds (default count is 1).

sar -u 10 5

Report CPU utilization every 10 seconds for 5 samples.

Common Patterns

Analyzing CPU usage over the past hour:

sar -u -f /var/log/sa/sa$(date +%d)

This command will display CPU usage from the log file for the current day. To analyze a specific hour, you’d typically run sar with a short interval and then visually inspect the output or pipe it to grep and awk.

Finding the busiest time for disk I/O yesterday:

sar -d -f /var/log/sa/sa$(printf "%02d" $(($(date +%d)-1)))

This command reports disk activity for yesterday. You would then look for the highest values in the %util or await columns.

Checking network traffic spikes:

sar -n DEV -i 300 -f /var/log/sa/sa$(date +%d) | grep -A 5 "eth0"

Report network stats for eth0 every 5 minutes (-i 300) from today’s log file, showing 5 lines after a match.

Comparing CPU usage between two time points:

sar -u -s 10:00:00 -e 11:00:00

Report CPU utilization between 10:00 AM and 11:00 AM today.

Exporting data for plotting (e.g., to a CSV):

sar -u -f /var/log/sa/sa$(date +%d) > cpu_today.txt
# Then process cpu_today.txt with awk or other tools
awk '/Average:/ {next} {print $1 "," $3}' cpu_today.txt > cpu_usage.csv

This extracts timestamp and %user CPU usage into a CSV file.

Gotchas

  • Data Collection Must Be Enabled: sar only reports on data that sadc has collected. If sysstat is not installed, or sadc is not running (check cron jobs), sar will report "No data collected".
  • Log File Rotation: sar log files (saDD) are typically rotated daily. If you need data from previous days, ensure your sysstat configuration keeps enough historical data.
  • Default Interval: When no interval is specified (e.g., sar -u), sar reports based on the interval defined in the sysstat cron configuration (often 10 minutes).
  • Timezones: sar reports timestamps based on the system’s timezone. Be mindful of this when analyzing data from different servers or across DST changes.
  • -f Flag Usage: The -f flag expects the full path to the data file (e.g., /var/log/sa/sa23), not just the filename.
  • Specific Metrics: Some metrics are only available when sadc is configured to collect them. For example, detailed disk I/O (-d) might require specific options enabled during sadc setup.
  • Non-Standard Log Locations: On some systems, log files might be in /var/log/sysstat/ or other locations. Check your sysstat configuration.