Article Number
000031540
Applies To
RSA Product Set: ECAT
RSA Product/Service Type: ECAT Agent
RSA Version/Condition: 4.x
RSA Product/Service Type: ECAT Agent
RSA Version/Condition: 4.x
Task
This article describes using Sysinternals ProcDump to monitor Memory/CPU usage for ECAT agent (EcatService).
Resolution
Follow the instructions below to monitor ECAT agent's CPU/Memory usage.
First, download Sysinternals ProcDump from the following link and install on the monitored system.
https://technet.microsoft.com/en-au/sysinternals/dd996900.aspx
After the ECAT service has started, attach to it by using:
The 1st command will monitor RAM, the 2nd command will monitor CPU.
Run the 2 commands from 2 different command prompts started with Administrative rights.
Explanation on arguments/usage for RAM:
EcatService: Replace this by the name of the ECAT service in your environment
-accepteula: To automatically accept the Sysinternals license agreement.
-ma: Do a full memory dump of the process (mandatory)
-n 5: Take 5 dumps. One dump often is not enough, 5 dumps will give the analysts a chance to detect what changes and what remains the same over time
-m 300: Create a dump if the memory goes above a threshold of 300 MB. This number is above what is expected from a normal ECAT behavior, even during scans.
-s 20: The dumps will be created if the problematic situation lasts for more that 20 seconds.
c:\temp\procdump\: Set the destination of the dumps.
Explanation on arguments/usage for CPU:
EcatService: Replace this by the name of the ECAT service in your environment
-accepteula: To automatically accept the Sysinternals license agreement.
-ma: Do a full memory dump of the process (mandatory)
-n 5: Take 5 dumps. One dump often is not enough, 5 dumps will give the analysts a chance to detect what changes and what remains the same over time
-c 90: Create a dump if the CPU goes above a threshold of 90%. This number is above what is expected from a normal ECAT behavior, even during scans.
-s 5: The dumps will be created if the problematic situation lasts for more that 5 seconds.
c:\temp\procdump\: Set the destination of the dumps.
NOTE: This article is a guideline; all those parameters can change depending on circumstances.
Example results -
Image description
1. The call to procdump is made. Note that EcatService must already be running at this moment.
2. The parameters are being displayed. An error will appear if the usage is wrong.
3. You can see a 1st sequence starting at 11:29:34, and when the situation remains after 20 seconds, a dump is created.
4. A second sequence automatically starts, as the situation is still present.
First, download Sysinternals ProcDump from the following link and install on the monitored system.
https://technet.microsoft.com/en-au/sysinternals/dd996900.aspx
After the ECAT service has started, attach to it by using:
procdump EcatService -accepteula -ma -n 5 -m 300 -s 20 c:\temp\procdump\
procdump EcatService -accepteula -ma -n 5 -c 90 -s 5 c:\temp\procdump\The 1st command will monitor RAM, the 2nd command will monitor CPU.
Run the 2 commands from 2 different command prompts started with Administrative rights.
Explanation on arguments/usage for RAM:
EcatService: Replace this by the name of the ECAT service in your environment
-accepteula: To automatically accept the Sysinternals license agreement.
-ma: Do a full memory dump of the process (mandatory)
-n 5: Take 5 dumps. One dump often is not enough, 5 dumps will give the analysts a chance to detect what changes and what remains the same over time
-m 300: Create a dump if the memory goes above a threshold of 300 MB. This number is above what is expected from a normal ECAT behavior, even during scans.
-s 20: The dumps will be created if the problematic situation lasts for more that 20 seconds.
c:\temp\procdump\: Set the destination of the dumps.
Explanation on arguments/usage for CPU:
EcatService: Replace this by the name of the ECAT service in your environment
-accepteula: To automatically accept the Sysinternals license agreement.
-ma: Do a full memory dump of the process (mandatory)
-n 5: Take 5 dumps. One dump often is not enough, 5 dumps will give the analysts a chance to detect what changes and what remains the same over time
-c 90: Create a dump if the CPU goes above a threshold of 90%. This number is above what is expected from a normal ECAT behavior, even during scans.
-s 5: The dumps will be created if the problematic situation lasts for more that 5 seconds.
c:\temp\procdump\: Set the destination of the dumps.
NOTE: This article is a guideline; all those parameters can change depending on circumstances.
Example results -
Image description1. The call to procdump is made. Note that EcatService must already be running at this moment.
2. The parameters are being displayed. An error will appear if the usage is wrong.
3. You can see a 1st sequence starting at 11:29:34, and when the situation remains after 20 seconds, a dump is created.
4. A second sequence automatically starts, as the situation is still present.
In this article
