You are probably already familiar with the system monitoring tool top or similar programs such as htop, iotop or mytop.

Atop is another related command line monitoring tool that provides extended functionality. It displays more information than top and can for example report the resource usage of completed processes.

The most useful feature of atop is that it runs in the background and saves system metrics in its log files. This is extremely helpful when investigating the cause of a system problem for example.

Linux servers can sometimes crash without any apparent cause and no relevant entries are found in the system logs. In such a case, investigating atop’s logs can help a system administrator identify and fix the issue.

Installing atop

Installing atop is very easy on any major distribution. On CentOS 6/7, you first have to install and enable the EPEL repository:

yum install epel-release

You can now install the package directly:

yum install atop

We will use systemd in order for the service to start and be active when the system boots up:

systemctl start atop
systemctl enable atop

If you want atop to also monitor network traffic, the netatop kernel module must be installed separately. Install its dependencies first:

yum install kernel-devel zlib-devel

The module must be built from source, so download and unpack the tarball, and then build it:

tar -xvf netatop-2.0.tar.gz
cd netatop-2.0
make install

Netatop has to be started and enabled separately:

service netatop start
chkconfig --add netatop

Configure the service

By default, atop saves system information at an interval of 10 minutes (600 seconds), but this is not very useful after a server crash.

Edit the file /etc/sysconfig/atop and change the INTERVAL value to 60 seconds or less, then restart the atop service:

systemctl restart atop

Using atop as a monitoring tool

If you simply execute the atop command, you will see a screen similar to the one displayed by top, with a lot of information such as CPU use, RAM use, disk activity and so on. By default, the data is updated every 10 seconds.

Since so much information is quite difficult to read, you can use one of the available command line options (most also function as interactive keys) to filter it. The most useful options are:

-C – displays CPU usage
-M – shows RAM usage
-d – shows disk activity
-u – shows active users, as well as the total resources used by their processes (which helps detect hacked accounts, for example)
-p – this option also cumulates resource use, based on the program that started the process
-1 – use this option if you want information to refresh every second, instead of the 10 seconds default
-a – only show active processes
-c – show the entire command line of each process
-D – sort processes in order of disk activity
-N – sort processes in order of network activity
-j – show cumulated process-info per container
-v – display more detailed process information (such as ppid, user/group, date/time)
-h – shows the help menu; see the program’s man page for the full documentation

Using atop to troubleshoot system events

The most useful feature of atop is that past logs are saved on the disk (the default duration is 28 days) and can be investigated later in order to find the cause of a crash or other issues.

These log files are found in the /var/log/atop/ folder and are named atop_date. Since they are written in a binary format and compressed, you can’t read them with a text editor and have to use the atop command:

atop -r /var/log/atop/atop_file

Once a file is opened, press t to go to the next log file or T to read the previous one. All the filter keys are active in this mode (such as C, M, d and so on).

You can also read the logs starting at a specified time. For example, this command will display the logs after 10:00:

atop -r -b 10:00 -l 1

The atopsar command is even more powerful and allows you to filter the data and generate reports based on various parameters. Run the command with the -A flag for a long list of all reports available on your server.

Mastering the syntax takes a bit of practice but a typical command will look similar to this one:

atopsar -C -b 13:00 -e 14:00

In this example, it will generate a CPU usage report starting at 13:00 and ending at 14:00 server time. You can filter by any of the system parameters recorded by atop.
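When investigating a crash or a suspicious event, you usually know an approximate time and want the report for a window around it, read from the right daily file. The helper below is an added example, not part of the original article or of atop itself; it assumes the date suffix in atop_date is YYYYMMDD, and the function names and the ATOP_LOG_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example: build the atopsar command for a window around an incident.
# ATOP_LOG_DIR is this example's own variable; it defaults to the page's path.
ATOP_LOG_DIR="${ATOP_LOG_DIR:-/var/log/atop}"

# Convert HH:MM to minutes since midnight; fail on malformed input.
to_minutes() {
    case "$1" in
        [0-1][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    h=${1%:*}; m=${1#*:}
    # Strip one leading zero so "08" and "09" are not parsed as octal.
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# Convert minutes since midnight back to HH:MM.
to_hhmm() {
    printf '%02d:%02d' $(( $1 / 60 )) $(( $1 % 60 ))
}

# atop_window_cmd YYYYMMDD HH:MM MINUTES
# Prints the atopsar command covering MINUTES before and after HH:MM.
# Returns 1 on bad input, 2 when the day's log file is not readable.
atop_window_cmd() {
    day=$1; margin=$3
    case "$day" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad date: $day" >&2; return 1 ;;
    esac
    case "$margin" in
        ''|*[!0-9]*|0?*) echo "bad margin: $margin" >&2; return 1 ;;
    esac
    center=$(to_minutes "$2") || { echo "bad time: $2" >&2; return 1; }
    log="$ATOP_LOG_DIR/atop_$day"
    # Old logs are deleted after the retention period (28 days by default).
    [ -r "$log" ] || { echo "no readable log: $log" >&2; return 2; }
    start=$(( center - margin )); end=$(( center + margin ))
    # One file holds one day, so clamp the window to 00:00-23:59.
    if [ "$start" -lt 0 ]; then start=0; fi
    if [ "$end" -gt 1439 ]; then end=1439; fi
    # -r selects the log file; -C -b -e are the flags used in the article.
    echo "atopsar -r $log -C -b $(to_hhmm "$start") -e $(to_hhmm "$end")"
}
```

For an event near midnight the window is cut at the day boundary, so run the helper again with the neighbouring date to see the other side.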



As you can see, atop is a very versatile tool in the arsenal of a modern system administrator. It saves information about system processes without causing load on the server and provides powerful command line utilities that allow very quick access to data from the logs, filtered based on a number of key metrics.