Skip to main content
NetApp Knowledge Base

Understanding ONTAP Offbox Vscan Server Extended Metrics

Views:
4,146
Visibility:
Public
Votes:
6
Category:
clustered-data-ontap-8
Specialty:
nas
Last Updated:

 

Applies to

  • ONTAP 9
  • VSCAN
  • ONTAP AV Connector
  • Clustered Data ONTAP 8
  • Clustered Data ONTAP: McAfee
  • Clustered Data ONTAP: Sophos
  • Clustered Data ONTAP: Symantec
  • Clustered Data ONTAP: Trend Micro

Answer

For information regarding statistics collected under normal circumstances, see section 9.2. Monitoring Status and Performance Activities of the following individual Technical Reports.

  • TR-4286: Antivirus Solution Guide for Clustered Data ONTAP: McAfee
  • TR-4309: Antivirus Solution Guide for Clustered Data ONTAP: Sophos
  • TR-4304: Antivirus Solution Guide for Clustered Data ONTAP: Symantec
  • TR-4312: Antivirus Solution Guide for Clustered Data ONTAP: Trend Micro
What ONTAP VSCAN counters are available?

Vscan relevant counters are categorized as follows:

  • offbox_scan_status: Collected in dblade per-node basis.
    • Available in the diag mode.
    • ONTAP offbox_scan_status counters on a per-node basis are used to monitor the rate of Vscan server requests that are dispatched and received per second, and the server latencies specific to that physical node.
  • offbox_vscan: Collected in nblade per Vserver basis.
    • Available in the admin mode.
    • ONTAP offbox_vscan counters on a per SVM basis are used to monitor the rate of Vscan.
    • Server requests are dispatched and received per second, and the server latencies are across all Vscan servers.
  • offbox_vscan_server: Collected in nblade per [Vserver, server, node] basis.
    • Available in the diag mode.
    • This contains basic stats collected from the Vscan server.
    • ONTAP offbox_vscan_server counters are Vscan server-side utilization statistics.
      • These statistics are tracked on a per SVM, per off-box Vscan server, and per-node basis.
      • They include CPU utilization on the Vscan server; queue depth for operations to be scanned on the Vscan server, both current and maximum; memory used; and network used.
  • These statistics are forwarded by the ONTAP AV Connector to the statistics counters within ONTAP.
  • They are based on data that is polled every 20 seconds and must be collected multiple times for accuracy; otherwise, the values seen in the statistics reflect only the last polling. CPU utilization and queues are particularly important to monitor and analyze.
  • A high value for an average queue can indicate that the Vscan server has a bottleneck.
How do ONTAP Vscan counters look from a high-level perspective?

1001315-1.jpg

  • Antivirus Software: The antivirus software is installed and configured on the Vscan server to scan files for viruses or other malicious data. The antivirus software must be compliant with clustered Data ONTAP. Specify the remedial actions to be taken on infected files in the configuration of the antivirus software.
  • Antivirus Connector: Antivirus Connector is installed on the Vscan server to process scan requests and provide communication between the antivirus software and the server virtual machines (SVMs; formerly called Vservers) in the storage system running clustered Data ONTAP.
  • SVMVserver: This is where the SVMVserver resides. This holds the specific Vscan configuration for each specific SVM. This spans the whole cluster.
Where are ONTAP offbox_vscan overall and server counters?

They will usually be collected in a perfstat.

1001315-2.jpg

Or collected manually:

Example 1: offbox_scan_status
::*> statistics start -object offbox_scan_status -sample-id vscan1
Statistics collection is being started for Sample-id: vscan1



Example 2: offbox_vscan
::*> statistics start -object offbox_vscan -sample-id vscan2
Statistics collection is being started for Sample-id: vscan2

Example 3: offbox_vscan_server
::*> statistics start -object offbox_vscan_server -sample-id vscan3
Statistics collection is being started for Sample-id: vscan3

Where can I get descriptions of what these counters mean?

Run the following commands:

::*> statistics catalog counter show -object offbox_scan_status
::*> statistics catalog counter show -object offbox_vscan
::*> statistics catalog counter show -object offbox_vscan_server

For more information, see the following examples in the Additional Information section below:

  • statistics catalog counter show -object offbox_scan_status.txt
  • statistics catalog counter show -object offbox_vscan_server.txt
  • statistics catalog counter show -object offbox_vscan.txt
How can I gauge the health of the Vscan server and Vscan Engine using these counters?

The scanner_stats_* counters are gathered from the Vscan server through the AVSHIM. These can give us a general idea of the overall health of the Vscan server. These counters are provided to the AVSHIM and are usually a good representation of the previous 30 secs.

Each of those counters measures as follows:

Counter Information Displayed
scanner_stats_is_queue_full

Represents the current state of scan-request-queue on scanner, increments if the pending request queue** is FULL on AVSHIM. (value is either FULL’1’ or NOT FULL ‘0’)

If the value is 1, there are currently 2000 pending requests in the queue.

scanner_stats_pct_cpu_used CPU utilization on the Vscan server. In case of multiple CPUs, the cumulative average should be provided.
scanner_stats_pct_dropped_requests Percentage of received scan requests that are dropped by the scanner
scanner_stats_pct_input_queue_avg

An average queue of scan requests on the Vscan server.

It is the average of the last reported and the current calculated value of the pending request queue length in AVSHIM. So, if the last reported value was 50% and the current value is 60%, then the avg is 55%. The percentage is calculated by using the base of max_queue_length of pending requests in AVSHIM, which is 2000**.

scanner_stats_pct_input_queue_hiwatermark

Maximum scan-request-queue length on the scanner (as a percentage of queue length) (% is calculated from a base of the last 2000 requests), that is, the value of 50 means 50% of base 2000 is a high watermark. (scan-request-queue maxed at 1000 requests)

scanner_stats_pct_mem_used Percentage of total memory consumed on the Vscan server
scanner_stats_pct_network_

Percentage of total-input-queue-length currently being used on the Vscan server.
Note: In case the scanner is multi-homed, this is the utilization of the network interface that is the busiest.

Note: AVSHIM has a global queue limit of 2000 requests, shared by all connections/Vservers. Since AVSHIM works on the pull-based mechanism, it will stop pulling requests from ONTAP, until slots are freed (after receiving confirmation of completion from the scan engine, AVSHIM will pull more requests. If there are more scanners connected to that node, then the scan-requests will be pulled by other Vscan servers.)
ONTAP does not trigger secondary scanner-pool, until the connection between AVSHIM and ONTAP is healthy.

What other counters are available to check for the health of the Vscan server and Vscan Engine?

Statistics are gathered on the AVSHIM and send to the storage system through ZAPI, which can give you an indication of the health of the Vscan server. These provide a per connection statistic for each Vserver to the Vscanner.
 cifs_tbs2::*> vscan connection-status show-extended-stats
(vserver vscan connection-status show-extended-stats)Connection

Vserver    Node                   Server                  Status                Extended Stats
----------- -----------------     ---------------          --------------     -----------------
fpol1          cifs_tbs2-01       10.251.198.221   connected        ts=1:22:10 PM Jun 08,2015
                                          scans=sent:18,compok:18,comperr:0,compnotfnd:0,ms/comp:1253
                                          mempage/s=91, procs=60, threads=821, %cpu=3.53, procqlen=1,

diskio/s=15, smbbytes/s=208,
                                          ifmac=00:50:56:AF:16:05 [VMware], tcpstat=retrans:14930,connfail:2734,connreset:8524,inerr:0 **
                                          cfg=Host Name:CIFS-TBS-WIN
                                          OS Name:Microsoft Windows Server 2008 R2 Enterprise
                                          OS Version:6.1.7601 Service Pack 1 Build 7601
                                          System Boot Time:5/25/2015, 1:02:47 PM
                                          System Manufacturer:VMware, Inc.
                                          System Model:VMware Virtual Platform
                                          System Type:x64-based PC
                                          Processor(s):2 Processor(s) Installed.
                                          [01]:Intel64 Family 6 Model 15 Stepping 1 GenuineIntel ~2600 Mhz

 Note: A large value of the TCP retransmits and connection failures can indicate an issue between the networks of the storage system and the Vscanner.

Counter Information Displayed
mempage/s Memory pages per second of the Vscan server.
(It is the rate at which pages are read from or written to a disk to resolve the hard page faults. This counter is a primary indicator of the kinds of faults that cause system-wide delays.)
procs Number of threads running in the Vscan server.
(It is the number of threads in the computer at the time of data collection. This is an instantaneous count, not an average over-the-time interval.)
%cpu Percentage of CPU utilization in the Vscan server.
(It is the percentage of elapsed time that the processor spends to execute a non-idle thread.)
procqlen Processor queue length of the Vscan server.
(This indicates the number of threads in the processor queue.)
diskio/s Disk input/output per second of the Vscan server.
(This is the rate of read and write operations on the disk)
smbbytes/s SMB byte transfers per second of the Vscan server.
(The rate at which the redirector is processing data bytes. This includes all application and file data in addition to protocol information, such as packet headers.)
ifmac MAC address of the Vscan server.
tcpstat TCP statistics of the Vscan server.
Cfg System information of the Vscan server.

Additional Information

Statistics examples:

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.