To keep the server running smoothly, it is important to monitor CPU load and identify which processes are using the most resources.
For this purpose, utilities like vmstat, top, and htop are used.
A summary indicator of server load is LA (load average). In top, it is represented by three numbers—metrics for the last 5, 10, and 15 minutes. These values are relative and depend on the number of cores in your server. For example, if your server has one core and the LA is 1, it means the server is fully loaded and some processes are using all available resources. This, in turn, means that other processes are lacking resources and the server as a whole is operating unstably. The same value of 1 on a quad-core processor would indicate that the server is only a quarter loaded and all functions are working normally.
In all these tools, the following characteristics are tracked:
total: total RAM;
free: truly free RAM, i.e., the amount of memory not being used. Linux always tries to minimize it;
used: shows how much RAM is currently being used;
shared: memory shared by processes. It is often used for inter-process communication to avoid unnecessary system calls to the kernel;
cached: cached RAM (e.g., data that is frequently accessed by a program can be cached from the hard disk to RAM for quicker access);
buffered: buffered RAM (e.g., intermediate storage of data before processing or moving it to disk). Often buffered/cached are seen together, logically showing the area of memory that can be freed if necessary.
available: the amount of memory that can be used without needing to access swap (i.e., memory that will be free if everything is cleared from caches, etc.);
active: memory actively used by processes;
inactive: memory that was allocated to a process but is currently not being used by it;
swapped: in swap (on the hard disk—in a partition or file);
You don’t need to keep all these parameters in mind constantly. They are required only when server issues arise, as they help in understanding where to investigate to find the root cause of the load.
All these commands show the top processes currently running on the server. The top process is using the most resources. If it's mysql or apache, this is normal. In case these processes exceed resource limits, you should check for the possibility of a DDoS attack.
If you see processes like:
./annizod -B
./milemined -B
./cnrig -a cryptonight
it is worth checking the server for viruses. These processes are typical of miners—special malicious programs that mine cryptocurrency using your machine's resources. In such cases, we recommend stopping the web server service and scanning the server with the ai-bolit antivirus or another similar tool.