Using sar

sar (System Activity Reporter) is the best tool for analyzing historical server performance. While top and vmstat show current state, sar lets you look back in time: "what was CPU utilization yesterday at 2pm?" or "when did memory pressure start last week?" This makes it invaluable for post-incident analysis, capacity planning, and finding the time correlation between a performance event and a deployment or cron job.

What sar does

sar data collection:
  sysstat package installs:
    /etc/cron.d/sysstat     ← runs sa1 every 10 minutes
    sa1 collects:           CPU, memory, I/O, network, load average
    Data saved to:          /var/log/sysstat/sa{DD}  (one file per day)

  sar reads these files on demand:
    sar -u      → CPU history
    sar -r      → memory history
    sar -d      → disk I/O history
    sar -n DEV  → network interface history

Real-time monitoring

sudo apt install -y sysstat
sudo systemctl enable --now sysstat

# Real-time sar (like vmstat/iostat):
sar -u 1 5     # CPU utilization, 1-second intervals, 5 samples
sar -r 1 5     # Memory utilization
sar -d 1 5     # Disk I/O

sar -u output

14:30:00    CPU  %user  %system  %iowait  %idle
14:30:01    all   34.5     8.2      2.1   55.2
14:30:02    all   45.1    10.4      1.5   43.0
14:30:03    all   22.3     7.8      8.4   61.5

Querying historical data

# Today's CPU history (all recorded intervals):
sar -u

# Specific time range from today:
sar -u -s 14:00:00 -e 16:00:00

# Yesterday's data:
sar -u -1    # -1 = yesterday

# Data from a specific date (uses /var/log/sysstat/sa09 for day 9):
sar -u -f /var/log/sysstat/sa09

# Memory at 10-minute intervals today:
sar -r

# Disk I/O history:
sar -d -p    # -p = device names instead of numbers

sar -r output (memory history)

14:00:00  kbmemfree  kbmemused  %memused  kbbuffers  kbcached  kbavail
14:10:00    412000    3250000     79.2%      98000   4100000   4200000
14:20:00    380000    3282000     80.0%      98000   4090000   4170000
14:30:00    156000    3506000     85.5%      98000   3980000   3940000
14:40:00     82000    3580000     87.3%      98000   3820000   3780000
→ Memory usage rising steadily — investigate what's growing

sar for capacity planning

# Find peak CPU usage over the past month:
for f in /var/log/sysstat/sa*; do
    echo "$(basename $f): $(sar -u -f $f 2>/dev/null | awk 'NF>5 && $1!="Average:" {print $5}' | sort -n | tail -1)% peak %usr"
done 2>/dev/null

# Average CPU by hour over the last week:
sar -u 2>/dev/null | awk 'NF>5 && $1!="Average:" {split($1,t,":"); print t[1], $5}' |     awk '{sum[$1]+=$2; count[$1]++} END {for(h in sum) print h, sum[h]/count[h]}' | sort -n

Conclusion

sar is the tool to install immediately on every server — it runs silently in the background and gives you historical data you cannot reconstruct after the fact. When an incident occurs at 2am and you investigate at 8am, sar shows exactly what CPU, memory, and I/O looked like at 2am. The default 10-minute collection interval from sysstat is sufficient for most post-incident analysis and capacity planning.

FAQ

Is Using sar important for Ubuntu administrators?+

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?+

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?+

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.

Hire Me for Support