000031540 - How to use ProcDump to monitor memory/CPU usage for RSA ECAT 4.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number000031540
Applies ToRSA Product Set: ECAT
RSA Product/Service Type: ECAT Agent
RSA Version/Condition: 4.x
TasksThis article describes how to use Sysinternals ProcDump to capture full memory dumps of the ECAT agent service (EcatService) when its memory or CPU usage stays above a threshold, so that RSA Support can analyze the cause.
ResolutionFollow the instructions below to monitor the ECAT agent's CPU/memory usage.
First, download Sysinternals ProcDump from the link below and extract it onto the monitored system. ProcDump is a standalone executable and needs no installation.
https://technet.microsoft.com/en-au/sysinternals/dd996900.aspx
Create the output folder (c:\temp\procdump\ in the examples below) and, after the ECAT service has started, attach ProcDump to it with the following two commands:
procdump EcatService -accepteula -ma -n 5 -m 300 -s 20 c:\temp\procdump\
procdump EcatService -accepteula -ma -n 5 -c 90 -s 5 c:\temp\procdump\

The first command monitors memory, the second monitors CPU. Run each command from its own command prompt started with administrative rights, and leave both running until the problem has been reproduced or the requested number of dumps has been written.
Because the dumps are full copies of the agent's memory, they can contain anything the agent held at the time (server credentials, scan results, file paths). Restrict access to the output folder to administrators and transfer the dumps to RSA Support over a secure channel.
Explanation of the arguments used for memory monitoring:
EcatService: Replace this with the name of the ECAT service process in your environment. A process ID may be given instead of the name.
-accepteula: Automatically accept the Sysinternals license agreement, so the run is not blocked by a prompt.
-ma: Write a full memory dump of the process (mandatory; a minidump does not contain the heap that the analysts need).
-n 5: Write up to 5 dumps, then exit. One dump is often not enough; 5 dumps taken over time let the analysts see what changes and what remains the same.
-m 300: Write a dump when the process's committed memory exceeds 300 MB. This is above what is expected from normal ECAT behavior, even during scans.
-s 20: Only write a dump if the threshold is exceeded continuously for more than 20 seconds (the ProcDump default is 10 seconds), so short spikes are ignored.
c:\temp\procdump\: The folder in which to write the dumps. It must exist before ProcDump is started.
 
Explanation of the arguments used for CPU monitoring:
EcatService: Replace this with the name of the ECAT service process in your environment. A process ID may be given instead of the name.
-accepteula: Automatically accept the Sysinternals license agreement, so the run is not blocked by a prompt.
-ma: Write a full memory dump of the process (mandatory; a minidump does not contain the heap that the analysts need).
-n 5: Write up to 5 dumps, then exit. One dump is often not enough; 5 dumps taken over time let the analysts see what changes and what remains the same.
-c 90: Write a dump when the process's CPU usage exceeds 90%. This is above what is expected from normal ECAT behavior, even during scans. Note that ProcDump measures this percentage against the whole machine unless -u is also given; on a multi-core host a single busy thread cannot reach 90%, so lower the threshold or add -u to measure relative to one core.
-s 5: Only write a dump if the threshold is exceeded continuously for more than 5 seconds, so short spikes are ignored.
c:\temp\procdump\: The folder in which to write the dumps. It must exist before ProcDump is started.
 
NOTE: This article is a guideline; the thresholds, durations and dump counts above may need to be changed to match the circumstances on the affected system.
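The procedure above, as an added example that is not part of the original article: one elevated PowerShell script that prepares a restricted dump folder, resolves the ECAT service to its process ID, launches both ProcDump monitors in their own windows and lists SHA-256 hashes of the dumps captured so far. The ProcDump path (C:\Tools\procdump.exe), the service name EcatService and the dump folder are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the RSA article: start the two ProcDump monitors
# described above from a single elevated PowerShell session.
# Assumptions (adjust to your environment): procdump.exe is in C:\Tools,
# the service is registered as "EcatService", and dumps go to C:\temp\procdump.
$ProcDump    = 'C:\Tools\procdump.exe'
$ServiceName = 'EcatService'
$DumpDir     = 'C:\temp\procdump'

# A full dump (-ma) of a security agent holds everything the agent had in
# memory (server credentials, scan results, file paths). Create the folder
# and restrict it to SYSTEM and Administrators before any dump lands in it.
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
icacls $DumpDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# Resolve the service to its PID. ProcDump also accepts a process name, but
# a PID cannot match a different process with a similar image name, and a
# stopped service has no PID, which is the failure the article warns about.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
if ($svc.State -ne 'Running') { throw "Service '$ServiceName' is $($svc.State); start it before monitoring" }
$targetPid = $svc.ProcessId

# -c compares against total machine CPU unless -u is given, so on an N-core
# host one busy thread tops out near 100/N percent and never trips -c 90.
# Print the core count so the threshold (or adding -u) is a conscious choice.
$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
Write-Host "Monitoring $ServiceName (PID $targetPid) on a host with $cores logical CPUs"

# Memory monitor: full dump when commit charge stays above 300 MB for 20 s,
# up to 5 dumps. ProcDump syntax is: options, then target, then output path.
$memArgs = @('-accepteula', '-ma', '-n', '5', '-m', '300', '-s', '20', "$targetPid", "$DumpDir\")
$mem = Start-Process -FilePath $ProcDump -ArgumentList $memArgs -PassThru

# CPU monitor in its own window, as the article runs it from a second prompt.
$cpuArgs = @('-accepteula', '-ma', '-n', '5', '-c', '90', '-s', '5', "$targetPid", "$DumpDir\")
$cpu = Start-Process -FilePath $ProcDump -ArgumentList $cpuArgs -PassThru

Write-Host "ProcDump PIDs: memory=$($mem.Id) cpu=$($cpu.Id). Dumps will appear in $DumpDir"

# List a SHA-256 hash of every dump captured so far, so support can confirm
# the files they receive are the ones written here. Re-run this part after
# the monitors exit (or after stopping them with Ctrl+C in their windows).
Get-ChildItem -Path $DumpDir -Filter '*.dmp' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File';e={Split-Path $_.Path -Leaf}}, Hash |
    Format-Table -AutoSize
```

Run the script from a PowerShell prompt started with administrative rights. Using the PID rather than the service name also means the script fails early, with a clear message, when the service is stopped, instead of ProcDump reporting that no matching process exists.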
 
Example results -
[Screenshot of the ProcDump console output for the memory monitor; the numbered points below refer to it.]
1. ProcDump is started. Note that EcatService must already be running at this moment; otherwise ProcDump reports that it cannot find the process and exits.
2. The parameters in effect are displayed. An error is shown here if the usage is wrong.
3. A first monitoring sequence starts at 11:29:34; when the memory usage is still above the threshold 20 seconds later, a dump is written.
4. A second sequence starts automatically, because the condition is still present, and this repeats until 5 dumps have been written.
