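#!/bin/bash

set -e

# Requirements:
# - ripgrep
# - gnuplot
#
# Environment:
# - OSQUERYD_PID (optional): PID to chart. When unset or empty, the PID is
#   looked up in the process table instead.

# Get PID of the osquery worker process.
if [ -n "${OSQUERYD_PID:-}" ]; then
  osquery_pid=$OSQUERYD_PID
else
  # Select processes whose `ps aux` line ends in "osqueryd". If nothing
  # matches, the pipeline still succeeds (its status is awk's), so `set -e`
  # does not stop the script and osquery_pid is simply left empty.
  osquery_pid=$(ps aux | grep -E "osqueryd\s*$" | awk '{print $2}')
fi

# The PID is spliced unescaped into a regular expression further down, so
# accept nothing but a single decimal number. This rejects an empty lookup,
# several matching processes (newline-separated PIDs) and an OSQUERYD_PID
# value carrying regex metacharacters.
if ! [[ "$osquery_pid" =~ ^[0-9]+$ ]]; then
  printf 'Expected exactly one numeric osqueryd PID, got: "%s"\n' "$osquery_pid" >&2
  printf 'Set OSQUERYD_PID to the PID of the osquery worker process.\n' >&2
  exit 1
fi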
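# Extract CPU and memory data points from logs.
#
# Each matching log line is reduced to "<HH:MM:SS> <cpu ms> <memory>" through
# the three capture groups, so only digits, colons and dots are written to the
# data file that gnuplot reads later.
# $osquery_pid is inserted into the pattern unescaped; it must be a plain
# decimal PID.
#
# NOTE(review): /tmp/osqueryd.dat is a fixed name in a directory that is
# typically world-writable, and `>` follows an existing symlink. On a shared
# host, write to a private directory (e.g. one created with `mktemp -d`)
# instead. The path is kept here because the plot commands read this file.
if ! rg " (\d\d:\d\d:\d\d).* pid: $osquery_pid, cpu: (\d+)ms/\d+ms, memory: ([\d.]+)" \
  -or '$1 $2 $3' /tmp/osqueryd.log > /tmp/osqueryd.dat; then
  # rg exits non-zero both when nothing matches and on a read error; without
  # this message `set -e` would end the script silently.
  printf 'No CPU/memory data points extracted for pid %s from /tmp/osqueryd.log\n' \
    "$osquery_pid" >&2
  exit 1
fi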
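# Render CPU and memory data points with gnuplot.
#
# The commands are fed to gnuplot on stdin straight from the here-document, so
# no gnuplot_commands.txt is created in the working directory and nothing is
# left behind when gnuplot fails under `set -e`. The delimiter is quoted: the
# text contains no shell expansions and is passed to gnuplot literally.
#
# Output: osquery_worker_memory.jpg and osquery_worker_cpu.jpg in the current
# directory, both plotted from /tmp/osqueryd.dat (column 1 = time,
# column 2 = CPU, column 3 = memory).
gnuplot <<'EOF'
set xdata time
set timefmt "%H:%M:%S"
set format x "%H:%M"
set key off
set xtics rotate by -45
set terminal jpeg

set title 'Memory (MB)'
set output 'osquery_worker_memory.jpg'
plot '/tmp/osqueryd.dat' using 1:3 with linespoints linetype -1 linewidth 1 title 'Memory (MB)'

set title 'CPU'
set output 'osquery_worker_cpu.jpg'
set yrange [0:24000]
#
# The calculation used by osquery for CPU limit is:
# check_interval * number_of_physical_cores * (percent_cpu_limit / 100)
# where default values are: check_interval=3000ms, percent_cpu_limit=10%.
# On my Macbook with 4 physical cores this gives 1200ms.
# The constant 1200 in the plot below draws that limit as a horizontal line;
# adjust it for a host with a different core count or non-default limits.
#
plot '/tmp/osqueryd.dat' using 1:2 with linespoints linetype -1 linewidth 1 title 'CPU', 1200 linecolor 1
EOF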
# Show both rendered charts. `open` is the macOS file launcher; presumably
# this script targets macOS (the CPU-limit note mentions a Macbook).
charts=(osquery_worker_cpu.jpg osquery_worker_memory.jpg)
open "${charts[@]}"