- Clustered Data ONTAP: McAfee
- Clustered Data ONTAP: Sophos
- Clustered Data ONTAP: Symantec
- Clustered Data ONTAP: Trend Micro
- Clustered Data ONTAP 8
- Clustered Data ONTAP 9
For information regarding statistics collected under normal circumstances, see section 9.2, "Monitoring Status and Performance Activities," of the following individual Technical Reports:
- TR-4286: Antivirus Solution Guide for Clustered Data ONTAP: McAfee
- TR-4309: Antivirus Solution Guide for Clustered Data ONTAP: Sophos
- TR-4304: Antivirus Solution Guide for Clustered Data ONTAP: Symantec
- TR-4312: Antivirus Solution Guide for Clustered Data ONTAP: Trend Micro
What are Data ONTAP Vscan counters?
Vscan-relevant counters are categorized as follows:
- offbox_scan_status: Collected in dblade on a per-node basis. Available in diag mode.
- offbox_vscan: Collected in nblade on a per-Vserver basis. Available in admin mode.
- offbox_vscan_server: Collected in nblade on a per-[Vserver, server, node] basis. Available in diag mode. Contains basic stats collected from the Vscan server.
offbox_scan_status counters on a per-node basis are used to monitor the rate of Vscan server requests that are dispatched and received per second, and the server latencies specific to that physical node.
offbox_vscan counters on a per-SVM basis are used to monitor the rate of Vscan server requests that are dispatched and received per second, and the server latencies across all Vscan servers.
offbox_vscan_server counters are Vscan server-side utilization statistics. These statistics are tracked on a per SVM, per off-box Vscan server, and per-node basis. They include CPU utilization on the Vscan server; queue depth for operations to be scanned on the Vscan server, both current and maximum; memory used; and network used.
These statistics are forwarded by Antivirus Connector to the statistics counters within Data ONTAP. They are based on data that is polled every 20 seconds and must be collected multiple times for accuracy; otherwise, the values seen in the statistics reflect only the last polling. CPU utilization and queues are particularly important to monitor and analyze. A high value for an average queue can indicate that the Vscan server has a bottleneck.
How do Data ONTAP Vscan counters look from a high-level perspective?
- Antivirus Software:
The antivirus software is installed and configured on the Vscan server to scan files for viruses or other malicious data. The antivirus software must be compliant with clustered Data ONTAP. Specify the remedial actions to be taken on infected files in the configuration of the antivirus software.
- Antivirus Connector:
Antivirus Connector is installed on the Vscan server to process scan requests and provide communication between the antivirus software and the server virtual machines (SVMs; formerly called Vservers) in the storage system running clustered Data ONTAP.
This is where the SVM (Vserver) resides. It holds the Vscan configuration specific to each Vserver and spans the whole cluster.
Where are Data ONTAP offbox_vscan overall and server counters?
They are usually collected in a perfstat, or they can be collected manually:
cifs_tbs2::*> statistics start -object offbox_scan_status -sample-id vscan1
Statistics collection is being started for Sample-id: vscan1
cifs_tbs2::*> statistics start -object offbox_vscan -sample-id vscan2
Statistics collection is being started for Sample-id: vscan2
cifs_tbs2::*> statistics start -object offbox_vscan_server -sample-id vscan3
Statistics collection is being started for Sample-id: vscan3
Where can I get descriptions of what these counters mean?
Run the following commands:
::*> statistics catalog counter show -object offbox_scan_status
::*> statistics catalog counter show -object offbox_vscan
::*> statistics catalog counter show -object offbox_vscan_server
For more information, see the following examples in the Attachment section below:
- statistics catalog counter show -object offbox_scan_status.txt
- statistics catalog counter show -object offbox_vscan_server.txt
- statistics catalog counter show -object offbox_vscan.txt
How can I gauge the health of the Vscan server and Vscan Engine using these counters?
scanner_stats_* counters are gathered from the Vscan server through the AVSHIM. They give a general idea of the overall health of the Vscan server. These counters are provided to the AVSHIM and are usually a good representation of the previous 30 seconds.
Each of these counters measures the following:
- Represents the current state of
  If the value is 1, there are currently 2000 pending requests in the queue.
- CPU utilization on the Vscan server. In case of multiple CPUs, the cumulative average should be provided.
- Percentage of received scan requests that are dropped by the scanner.
- An average queue of scan requests on the Vscan server.
  It is the average of the last reported and the current calculated value of the pending request queue length in AVSHIM. So, if the last reported value was 50% and the current value is 60%, then the average is 55%. The percentage is calculated by using the base of
- Percentage of total memory consumed on the Vscan server.
Note: AVSHIM has a global queue limit of 2000 requests, shared by all connections/Vservers. Because AVSHIM works on a pull-based mechanism, it stops pulling requests from Data ONTAP until slots are freed. After receiving confirmation of completion from the scan engine, AVSHIM pulls more requests. If there are more scanners connected to that node, the scan requests are pulled by other Vscan servers.
Data ONTAP does not trigger the secondary scanner pool until the connection between AVSHIM and Data ONTAP is healthy.
What other counters are available to check for the health of the Vscan server and Vscan Engine?
Statistics are gathered on the AVSHIM and sent to the storage system through ZAPI, which can give you an indication of the health of the Vscan server. They provide per-connection statistics for each Vserver-to-Vscanner connection.
cifs_tbs2::*> vscan connection-status show-extended-stats
(vserver vscan connection-status show-extended-stats)Connection
Vserver Node Server Status Extended Stats
----------- ----------------- --------------- -------------- -----------------
fpol1 cifs_tbs2-01 10.251.198.221 connected ts=1:22:10 PM Jun 08,2015
mempage/s=91, procs=60, threads=821, %cpu=3.53, procqlen=1,
ifmac=00:50:56:AF:16:05 [VMware], tcpstat=retrans:14930,connfail:2734,connreset:8524,inerr:0 **
OS Name:Microsoft Windows Server 2008 R2 Enterprise
OS Version:6.1.7601 Service Pack 1 Build 7601
System Boot Time:5/25/2015, 1:02:47 PM
System Manufacturer:VMware, Inc.
System Model:VMware Virtual Platform
System Type:x64-based PC
Processor(s):2 Processor(s) Installed.
:Intel64 Family 6 Model 15 Stepping 1 GenuineIntel ~2600 Mhz
Note: Large values for TCP retransmits and connection failures can indicate an issue in the network between the storage system and the Vscanner.
- Memory pages per second of the Vscan server. (It is the rate at which pages are read from or written to a disk to resolve the hard page faults. This counter is a primary indicator of the kinds of faults that cause system-wide delays.)
- Number of threads running in the Vscan server. (It is the number of threads in the computer at the time of data collection. This is an instantaneous count, not an average over the time interval.)
- Percentage of CPU utilization in the Vscan server. (It is the percentage of elapsed time that the processor spends to execute a non-idle thread.)
- Processor queue length of the Vscan server. (This indicates the number of threads in the processor queue.)
- Disk input/output per second of the Vscan server. (This is the rate of read and write operations on the disk.)
- SMB byte transfers per second of the Vscan server. (The rate at which the redirector is processing data bytes. This includes all application and file data in addition to protocol information, such as packet headers.)
- MAC address of the Vscan server.
- TCP statistics of the Vscan server.
- System information of the Vscan server.
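The following added example (not NetApp code and not part of the original article) parses one connection record from the show-extended-stats output shown above into named fields and flags the values the note on TCP retransmits and connection failures points at. The function names and every threshold in LIMITS are assumptions made for illustration; the sample text is the record from the output above.

```python
import re

# Connection record copied from the show-extended-stats output above.
SAMPLE = """\
fpol1 cifs_tbs2-01 10.251.198.221 connected ts=1:22:10 PM Jun 08,2015
mempage/s=91, procs=60, threads=821, %cpu=3.53, procqlen=1,
ifmac=00:50:56:AF:16:05 [VMware], tcpstat=retrans:14930,connfail:2734,connreset:8524,inerr:0 **
"""

# Assumed alert thresholds (illustration only); derive real ones from a baseline.
LIMITS = {"%cpu": 80.0, "procqlen": 10, "retrans": 1000, "connfail": 100}

HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+ts=(.+)$")
KV = re.compile(r"([%\w/]+)=([\d.]+)(?=,|\s|$)")   # numeric key=value pairs only
TCP = re.compile(r"(\w+):(\d+)")                   # name:count pairs in tcpstat

def parse_record(text):
    """Split one connection record into header fields, stats, and tcpstat."""
    lines = [line.strip() for line in text.strip().splitlines()]
    m = HEADER.match(lines[0])
    if not m:
        raise ValueError("unrecognised connection header: %r" % lines[0])
    rec = dict(zip(("vserver", "node", "server", "status", "ts"), m.groups()))
    body, tcp_part = " ".join(lines[1:]), ""
    if "tcpstat=" in body:
        body, tcp_part = body.split("tcpstat=", 1)
    rec["stats"] = {k: float(v) for k, v in KV.findall(body)}
    rec["tcpstat"] = {k: int(v) for k, v in TCP.findall(tcp_part)}
    mac = re.search(r"ifmac=([0-9A-Fa-f:]{17})", body)
    rec["ifmac"] = mac.group(1) if mac else None
    return rec

def findings(rec, limits=LIMITS):
    """Return a list of human-readable findings for one parsed record."""
    out = []
    if rec["status"] != "connected":
        out.append("status=%s" % rec["status"])
    merged = {**rec["stats"], **rec["tcpstat"]}
    for name, limit in limits.items():
        if merged.get(name, 0) > limit:
            out.append("%s=%s exceeds %s" % (name, merged[name], limit))
    return out

if __name__ == "__main__":
    for finding in findings(parse_record(SAMPLE)):
        print(finding)
```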