20

I have logwatch enabled for my machine. Suddenly I see this line in my logwatch

/usr/lib64/sa/sa1 1 1 : 4297 times
/usr/lib64/sa/sa2 -A : 29 times
run-part /etc/cron.hourly : 716

I tried crontab -e but I dont see any entries?

biz14
  • 381
  • 1
  • 3
  • 10

1 Answers1

13

It is configured in /etc/cron.d/sysstat.

And what it is (quote man sa1):

sa1  -  Collect and store binary data in the system activity daily data file.

And (man sa2):

sa2 - Write a daily report in the /var/log/sa directory.
faker
  • 17,496
  • 2
  • 60
  • 70
  • 1
    How is it enabled by default is it? I have other machines same but dont have this cron in them ? – biz14 Sep 02 '13 at 15:45
  • 1
    @biz14 it is part of the `sysstat` package, hosts which have this package installed have this cronjob (See: `rpm -qf /etc/cron.d/sysstat`) – faker Sep 02 '13 at 15:51
  • @What surprise me I install all 3 machines with same centos 6.4 machine only this one having it I know that I did not installed it by myself else I am sure I am aware of it ? Could be any hacking into the machine ? – biz14 Sep 02 '13 at 15:56
  • 1
    @biz14 well, everything is possible I suppose. But I'd check `/var/log/yum.log` first to see if it was installed as a dependency. – faker Sep 02 '13 at 16:05
  • @Yes I am looking through my yum.log what to look for what is the name of this dependency? – biz14 Sep 02 '13 at 16:13
  • I saw this in the log May 09 02:07:21 Installed: 1:dmidecode-2.11-2.el6.x86_64 May 12 12:06:43 Installed: sysstat-9.0.4-20.el6.x86_64 but why is this installed ? – biz14 Sep 02 '13 at 16:22
  • I'd add here that `sa1` makes "snapshots" (usually) every 10 mins, and `sa2` transforms them into 1 daily report. It took me some time to figure it out. And generally, the connection between `sa1`, `sa2`, `sar`, `sadc`. What is front end to what. And what do the names even mean?.. I guess "r" means "report." :) – x-yuri Jan 14 '22 at 00:18