Using ntpsec in the poll

Hal Murray hmurray at
Sat Jan 16 06:54:41 UTC 2016

>> Have you been logging it?  If so, we on the NTPsec team would like to see
>> it's logs, to see if there are any warnings or anything unexpected.

> Can you please give me the stanza I should add?

This is what I use:

logfile /var/log/ntp/ntpd.log
logconfig =syncall +clockall +peerall +sysall

statsdir /var/log/ntp/
filegen loopstats  type day link
filegen peerstats  type day link
filegen protostats type day link
filegen rawstats   type day link
filegen sysstats   type day link

The first two lines will put lots of syslog style messages into 
/var/log/ntp/ntpd.log  You can setup logrotate/newsyslog to rotate it, but 
ntpd won't switch to the new file until you restart it.  (So you don't want 
to compress it.)

There should be a batch of messages at startup and another batch at exit and 
not much in between.  If you find something that isn't reasonably obvious, 
ask me.

The second clump will put info into various files and rotate to new ones 
daily.  You probably want to add clockstats and turn on flag4 for the SHM 

Details on the stats files are in monopt.html
The clockstats info is different for each driver.  Look in the individual 
driverNN.html files.

You have to get the permissions on the directories right so ntpd can make new 
files after it has switched to a non-root user.


All that doesn't tell you much about what your clients are doing.

There is an hourly summary in sysstats.

You can collect client info per-IPaddress by making the mrulist much bigger.

I'm using:
  mru initmem 32000 maxmem 64000 maxage 86400000
That will use up to 64 megabytes of memory and drop slots after 1000 days.

I set the age to super-long so it wouldn't automatically discard info that I 
might want.  It will also drop the oldest if it needs room for a new slot.  I 
haven't seen that with 64 megabytes.

I'll probably drop the age to 2 days now that I have a nightly cron job to 
capture the data.

Then "ntpq -c mru" will print the list for you.  Details are in the ntpq man 
page.  There is a mincount option to skip the light users.

I print everything from a cron job at midnight.  For a system in the pool 
with the default bandwidth, the file from the cron job grows about 2 
megabytes per day.

The mrulist only records time requests, both requests and responses.  It 
doesn't count ntpq/ntpdc packets so it won't show bad guys probing for DoS 

I haven't seen any really nasty bad clients.

These are my opinions.  I hate spam.

These are my opinions.  I hate spam.

More information about the devel mailing list