Monitoring System Processes

Download this manual as a PDF file

This section describes how to view system processes for devices in SL1 using SNMP or the SL1 Agent. It also describes creating monitoring policies to monitor system processes and using system process reports.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all of the menu options, click the Advanced menu icon ().

What is a Process?

A process is a program that is currently running or has been run in the past and is currently idle. Sometimes a process is called a task.

There are two methods for monitoring processes:

  • For devices monitored using SNMP, SL1 automatically collects a list of all processes running every two hours.
  • For devices monitored using the SL1 Agent, SL1 automatically collects a list of all processes running every five minutes.

SL1 allows you to create policies that monitor system processes every five minutes:

  • If a device is not monitored using the SL1 Agent, the policy collection is performed using SNMP.
  • If a device is monitored using the SL1 Agent, the policy collection is performed by the agent.

For each monitored process, you can create a policy that specifies:

  • Whether or not to generate an event if the process is running.
  • How much memory each instance of a process can use.
  • How many instances of a process can run simultaneously.
  • If policy collection is performed by the agent, how much memory all instances of a process can use in total.
  • If policy collection is performed by the agent, how much CPU all instances of a process can use in total.

Viewing the List of System Processes on All Devices

The Device Processes page displays a list of all processes discovered by SL1 on all devices.

To view the list of all processes running on all discovered devices:

  1. Go to the Device Processes page (Devices > Processes).
  2. The Device Processes page displays the following about each process:

To sort the list of processes, click on a column heading. The list will be sorted by the column value, in ascending order. To sort the list by descending order, click the column-heading again.

  • Device Name. Name of the device where the process resides. For devices running SNMP or with DNS entries, the name is discovered automatically. For devices without SNMP or DNS entries, the device's IP address will appear in this field.
  • Organization. Organization associated with the device where the process resides.
  • IP Address. IP address of the device where the process resides.
  • Device Classification / Sub-Class. The manufacturer (device class) and type of device (sub-class). The Device-Class/Sub-Class is automatically assigned during auto-discovery.
  • Process. The name of the process. A single process name can have multiple entries.
  • PID. A unique ID for the process. The device's operating system assigns this value.
  • Memory. The amount of memory currently used/reserved for the process.

  • Run State. The current state of the process:
  • Runnable. Process is ready to run as needed.

  • Running. Process is currently running.
  • Not Running. Process is in a "waiting" state.
  • Invalid. Process is part of an operation that failed. Process was not ended gracefully.

NOTE: Run states are defined by a device's operating system and/or installed agents. Run states may differ between devices.

  • Monitored. Specifies whether or not SL1 monitors the process:
  • Yes. SL1 currently monitors this process.
  • No. SL1 does not currently monitor this process.

Filtering the List of System Processes

You can filter the list on the Device Processes page by one or more parameters. Only processes that meet all the filter criteria will be displayed in the Device Processes page.

To filter by parameter, enter text into the desired filter-while-you-type field. The Device Processes page searches for processes that match the text, including partial matches. By default, the cursor is placed in the left-most filter-while-you-type field. You can use the <Tab> key or your mouse to move your cursor through the fields. The list is dynamically updated as you type. Text matches are not case-sensitive.

You can also use special characters to filter each parameter.

Filter by one or more of the following parameters:

  • Device Name. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching device name.
  • Organization. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching organization.
  • IP Address. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching IP address.
  • Device Class. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching device class.
  • Process. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching process name
  • PID. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching process ID.
  • Memory. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching amount of memory currently used/reserved for the process.
  • Run State. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching run state.
  • Monitored. You can enter text to match, including special characters (comma, ampersand, and exclamation mark), and the Device Processes page will display only processes that have a matching monitoring status.

Viewing a List of System Processes on a Single Device

On the Processes tab of the Device Investigator, you can view information about the processes running on the device. The Processes tab displays a combined list of processes collected via SNMP and the agent, where applicable.

The Processes tab of the Device Investigator page

For each process, the System Processes page displays the following information:

You can filter the items on this inventory page by typing filter text or selecting filter options in one or more of the filters found above the columns on the page. For more information, see Filtering Inventory Pages.

You can adjust the size of the rows and the size of the row text on this inventory page. For more information, see the section on Adjusting the Row Density.

  • Process. The name of the process. A single process name can have multiple entries.
  • Argument(s). The arguments with which the process was invoked.
  • Path/User. The path where the process executable resides. The value in this field varies, depending on the device's operating system and installed agents.
  • PID. A unique ID for the process. The device's operating system assigns this value.
  • Memory. The amount of memory currently being used/reserved for the process.
  • Run State. The current state of the process. This can be one of the following:
  • Runnable. Process is ready to run as needed.
  • Running. Process is currently running.
  • Not Running. Process is in a "waiting" state.
  • Invalid. Process is part of an operation that failed. Process was not ended gracefully.

NOTE: Run states are defined by a device's operating system and/or installed agents. Run states may differ between devices.

  • Monitored. Specifies whether or not SL1 is monitoring this process.

Viewing a List of System Processes on a Single Device in the Classic SL1 User Interface

The System Processes page displays a list of all of the processes that are running on a single device. The System Processes page displays a combined list of processes collected via SNMP and the agent, where applicable.

To view the list of processes on a single device:

  1. Go to the Device Manager page (Devices > Device Manager).
  2. Find the device where you want to view the list of processes. Select the bar graph icon () for that device.
  3. In the Device Reports panel, select the Processes tab. The System Processes page appears.
  4. For each process, the System Processes page displays the following information:

To sort the list of processes, click on a column heading. The list will be sorted by the column value, in ascending order. To sort the list by descending order, click the column heading again.

  • Process. The name of the process. A single process name can have multiple entries.
  • Argument(s). The arguments with which the process was invoked.
  • Path/User. The path where the process executable resides. The value in this field varies, depending on the device's operating system and installed agents.
  • PID. A unique ID for the process. The device's operating system assigns this value.
  • Memory. The amount of memory currently being used/reserved for the process.
  • Run State. The current state of the process. This can be one of the following:
  • Runnable. Process is ready to run as needed.
  • Running. Process is currently running.
  • Not Running. Process is in a "waiting" state.
  • Invalid. Process is part of an operation that failed. Process was not ended gracefully.

NOTE: Run states are defined by a device's operating system and/or installed agents. Run states may differ between devices.

  • Monitored. Specifies whether or not SL1 is monitoring this process.

Viewing the System Process Monitoring Policies

You can view a list of system process monitoring policies from the System Process Monitoring page (Registry > Monitors > System Processes).

The System Process Monitoring page displays the following information about each system process:

  • Process Name. Name of the policy.
  • Memory Limit. The maximum amount of memory that can be used or reserved by a single instance of the process, as specified in the process policy.
  • Policy ID. Unique, numeric ID, assigned to the policy automatically by SL1.
  • State. Whether the policy is enabled or disabled.
  • Device Name. Name of the device associated with the policy.
  • IP Address. IP address of the device associated with the policy. This is the IP address SL1 uses to communicate with the device.
  • Device Category. Device category of the device associated with the policy.
  • Organization. Organization for the device associated with the policy.

From the list of policies, you can select the checkbox for one or more policies and choose one of the following bulk actions from the Select Action drop-down at the bottom right of the page:

  • Delete Monitors. Deletes the selected policies from SL1. The associated reports (from the Device Reports > Performance tab) are also deleted.
  • Enable Monitors. Enables the selected policies so that SL1 can collect the data for these policies.
  • Disable Monitors. Disables the selected policies. SL1 will not collect the data specified in these policies.

Filtering the List of System Process Monitoring Policies

You can filter the list on the System Process Monitoring page by one or more parameters. Only policies that meet all the filter criteria will be displayed in the System Process Monitoring page.

To filter by parameter, enter text into the desired filter-while-you-type field. The System Process Monitoring page searches for policies that match the text, including partial matches. By default, the cursor is placed in the left-most filter-while-you-type field. You can use the <Tab> key or your mouse to move your cursor through the fields. The list is dynamically updated as you type. Text matches are not case-sensitive.

You can also use special characters to filter each parameter.

Filter by one or more of the following parameters:

  • Process Name. You can enter text to match, including special characters, and the System Process Monitoring page will display only policies that monitor a process that has a matching process name.
  • Memory Limit. You can enter text to match, including special characters, and the System Process Monitoring page will display only policies that contain a matching per-process memory limit.
  • Policy ID. You can enter text to match, including special characters, and the System Process Monitoring page will display only policies that have a matching policy ID.
  • Device Name. You can enter text to match, including special characters, and the System Process Monitoring page will display only policies aligned with a device with a matching device name.
  • IP Address. You can enter text to match, including special characters, and the System Process Monitoring page will display only policies aligned with a device with a matching IP address.
  • Device Category. You can enter text to match, including special characters, and the System Process Monitoring page will display only policies aligned with a device with a matching device category.
  • Organization. You can enter text to match, including special characters, and the System Process Monitoring page will display only policies that have a matching organization.

Defining a System Process Monitoring Policy

You can define a system process monitoring policy for a device on the Monitors tab of the Device Investigator.

To define a system process monitoring policy:

  1. Go to the Devices page and click the Device Name of the device for which you want to define a system process monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Click Create, and then select Create System Process Policy. The System Process Policy modal appears,
  4. In the System Process Policy modal, supply a value in each of the following fields:
  • Process Name. The name of the process. You can either:
  • Select from a list of all processes running on this device.
  • Click on the "+" icon and manually enter the name of a process.
  • Ignore Case. Select this option if you want SL1 to ignore case-sensitivity in this process name when determining whether to run the system process policy.
  • Process Argument (regular expression). The arguments with which the process is invoked. This field includes a drop-down list of all arguments currently in use by the current device for the specified process (specified in the Process Name field). If you don't want to use an argument from the drop-down, you can manually enter a valid regular expression in this field. If you want to include special characters in this regular expression, be sure to escape those special characters. The Create System Process Policy modal will display an error message if the regular expression is not valid. SL1 will match the policy to a process if the value in this field appears anywhere in the argument string for that process. For example "win" would match arguments for "windows" and "win2k".
  • Process User. Search for the following process user or process owner when the process is running. This field is helpful for finding processes running as root that should not be.

NOTE: Some hardware includes information about a process user or owner for each process in the SNMP data; some does not. Do not specify a value in the Process User field if the device does not include process user or process owner information in its SNMP data. If you specify a process user, and a device does not include process user in its SNMP data, SL1 will not generate an alert, even if it finds this process running

  • Alert if Restarted. You can use this field to generate an alert in the Device Log if a system process restarts. Your choices are:
  • Yes. Use this setting to check for system processes that have restarted. SL1 checks every 5 minutes to determine if a system process has restarted. If SL1 finds a restarted system process, it will generate an alert in the Device Log.
  • No. Use this setting if you do not want SL1 to check for system processes that have restarted.

NOTE: When a system process has been restarted, it receives a new process ID number. It might take up to 2 hours for this new ID to appear on the Process Manager page (System > Settings > Processes).

NOTE: In some cases, this alert might appear if a device is restarted.

  • Alert if Found. You can use this field in one of two ways: generate an event when a required system process is not running or generate an event when an illicit system process is running. Your choices are:
  • Yes. Use this setting to look for illicit processes.
  • If SL1 finds the illicit process (specified in the Process Name field), SL1 will generate an event.
  • If SL1 does not find the illicit process running, SL1 will not generate an event.
  • No. Use this setting to ensure that a required process is running.
  • If SL1 finds the required (specified in the Process Name field) running, SL1 does not generate an event.
  • If SL1 does not find the required process running, SL1 generates an event.
  • Memory Limit (Kilobytes per instance). The amount of memory, in kilobytes, you will allow each instance of the process to use. This is an optional field.
  • Total Memory Limit (Kilobytes). This setting is modifiable only if the SL1 Agent is running on the selected device. The amount of memory, in kilobytes, you will all instances of the process to use in total. This is an optional field.
  • Min Instances. The minimum number of instances of the process that should be running. If the minimum instances are not running, SL1 generates an event. The event will be of severity "major" and will say "too few processes running."
  • Max Instances. The maximum number of instances of the process you will allow to run. If the maximum number of instances is exceeded, SL1 generates an event. The event will be of severity "major" and will say "too many processes process running."
  • Total CPU Utilization Limit (%). This setting is modifiable only if the SL1 Agent is running on the selected device. The amount of overall CPU you will allow all instances of the process to use in total. This is an optional field.
  • State. Specifies whether SL1 should start collecting data specified in this policy from the device. Choices are:
  • Enabled. SL1 will collect the data specified in this policy, from the device, at the frequency specified in the Process Manager page (System > Settings > Admin Processes) for the Data Collection: OS Process Check process.
  • Disabled. SL1 will not collect the data specified in this policy, from the device, until the State field is set to Enabled.
  1. Click Save.

Defining a Monitoring Policy for a System Process in the Classic SL1 User Interface

You can define a process monitoring policy in the System Process Policy modal. You can access the System Process Policy page either from the Device Manager page (Devices > Device Manager) or from the System Process Monitoring page (Registry > Monitors > System Processes).

To access the System Process Policy modal from the Device Manager page:

  1. Go to the Device Manager page (Devices > Device Manager)

  1. In the Device Manager page, find the device that you want to associate with the monitoring policy. Select wrench icon () for the device.
  2. In the Device Administration panel for the device, select the Monitors tab.
  3. From the Create menu in the upper right, select Create System Process Policy.
  4. The System Process Policy modal appears.

To access the System Process Policy modal from the System Process Monitoring page:

  1. Go to the System Process Monitoring page (Registry > Monitors > System Processes).
  2. Select the Create button.
  3. Click the device icon () for the device you want to align to policy with.
  4. The System Process Policy modal appears.

For information about completing the fields in the System Process Policy modal, see the section on Defining a Monitoring Policy for a System Process.

Editing a System Process Monitoring Policy

To edit a system process monitoring policy:

  1. Go to the Devices page and click the name of the device for which you want to edit a monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Find the policy you want to edit and click its wrench icon (). The System Process Policy modal appears.
  4. In the System Process Policy modal, you can change the values in one or more of the fields described in the section on Defining a Monitoring Policy for System Processes.
  5. Click Save.

Editing a Monitoring Policy for a System Process in the Classic SL1 User Interface

There are two places in SL1 from which you can edit a monitoring policy for a system process:

  1. From the Device Manager page (Devices > Device Manager):
  • In the Device Manager page, find the device that you want to associate with the monitoring policy. Click the wrench icon () for the device.

  • In the Device Administration panel, click the Monitors tab.
  • In the Monitoring Policies page, find the policy you want to edit and click its wrench icon ().

Or:

  1. From the System Process Monitoring page (Registry > Monitors > System Processes):
  • In the System Process Monitoring page, find the policy you want to edit and click its wrench icon ().
  1. The System Process Policy modal appears.
  2. In the System Process Policy modal, you can change the values in one or more of the fields described in the section on Defining a Monitoring Policy for System Processes.
  3. Click Save.

Executing a System Process Monitoring Policy

After creating or editing a system process monitoring policy, you can manually execute the policy and view detailed logs of each step during the execution.

NOTE: After you define a system process monitoring policy and enable the policy, SL1 will automatically execute the policy every five minutes. However, you can use the steps in this section to execute the policy immediately and see debug information about the execution of the policy.

To execute a system process monitoring policy:

  1. Go to the Devices page and click the name of the device for which you want to execute the monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Find the policy you want to run manually and click its lightning bolt icon ().
  4. The Session Logs modal opens while the policy is executing. The Session Logs page provides detailed descriptions of each step during the execution. This is very helpful for diagnosing possible problems with a policy.

Executing a System Process Monitoring Policy in the Classic SL1 User Interface

To execute a system process monitoring policy in the classic SL1 user interface:

  1. In the System Process Monitoring page (Registry > Monitors > System Processes), find the policy you want to run manually.

  1. Click the lightning bolt icon () to manually execute the policy.
  2. While the policy is executing, SL1 spawns a modal page called Session Logs. The Session Logs page provides detailed descriptions of each step during the execution. This is very helpful for diagnosing possible problems with a policy.

Deleting a System Process Monitoring Policy

You can delete a system process monitoring policy from the Monitors tab of the Device Investigator. When you delete a monitoring policy, SL1 no longer uses the policy to collect data from the aligned device. Deleting a monitoring policy will also remove all data that was previously collected by the policy.

To delete a system process policy:

  1. Go to the Devices page and click the name of the device for which you want to delete the monitoring policy. The Device Investigator displays.
  2. Click the Monitors tab.
  3. Find the policy you want to delete and click its bomb icon (). A confirmation prompt appears.
  4. Click OK.

Deleting a System Process Monitoring Policy in the Classic SL1 User Interface

You can delete one or more system process policies from the System Process Monitoring page. When you delete a monitoring policy, SL1 no longer uses the policy to collect data from the aligned device. Deleting a monitoring policy will also remove all data that was previously collected by the policy.

To delete a system process policy in the classic SL1 user interface:

  1. Go to the System Process Monitoring page (Registry > Monitors > System Processes).
  2. In the System Process Monitoring page, select the checkbox(es) for each system process policy you want to delete. Click the checkmark icon () to select all of the system process policies.
  3. In the Select Action menu in the bottom right of the page, select Delete Monitors.
  4. Click Go.
  5. The policy is deleted from SL1. The associated reports (from the Device Reports > Performance tab) are also deleted.

Generating a Report on Multiple System Processes

From the Device Processes page (Devices > Processes) you can generate a report on all, multiple, or a single process in SL1.

The report will contain all the columns displayed in the Device Processes page.

To generate a report on all or multiple device processes in SL1:

  1. Go to the Device Processes page (Devices > Processes).

  2. On the Device Processes page, click the Report button. The Export current view as a report modal appears.

    If you want to include only certain processes in the report, use the "search as you type" fields at the top of each column. You can filter the list by one or more column headings. You can then select the Report button, and only the processes displayed in the Device Processes page will appear in the report.

  3. In the Export current view as a report modal, select the format in which SL1 will generate the report. Your choices are:

  • Comma-separated values (.csv)
  • Web page (.html)
  • OpenDocument Spreadsheet (.ods)
  • Excel spreadsheet (.xlsx)
  • Acrobat document (.pdf)
  1. Click Generate. The report will contain all the information displayed in the Device Processes page. You can immediately view the report or save it to a file for later viewing.

Generating an Exclusion Report for a Single System Process

From the Device Processes page (Devices > Processes), you can generate an exclusion report for a process. SL1 will generate the report in MS Word format. An exclusion report specifies all devices where the selected process is running and all devices where the selected process is not running. SL1 lists only appropriate servers in this report. For example, Linux servers would not appear in a report for Windows-based processes.

A Process Exclusion Report displays the following:

  • Name of the process.
  • List of all devices in SL1 where the process is running.
  • List of all devices in SL1 where the process is not running. SL1 includes only appropriate servers in this report. For example, Solaris servers would not appear in a report for a Windows 2000 patch.
  • The last row in the report displays:
  • Total number of devices in report.
  • Total number of device categories included in the report.
  • Total number of device classes included in the report.
  • Total number of devices where process is running
  • Total number of devices where process is not running.

To generate an exclusion report about a process:

  1. On the Device Processes page (Devices > Processes), find an instance of the process you want to generate an exclusion report for.
  2. Click its printer icon (). You will be prompted to save or view the generated report.

Viewing Reports for a System Process Policy

See the section on Viewing Performance Graphs for information and examples of reports for system processes.