Access Control Options

From: Harlan Stenn Date: Tue, 12 May 2009 01:43:27 +0000 (-0400) Subject: [Bug 1182] Documentation typos and missing bits X-Git-Tag: NTP_4_2_5P175~4^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=213070c13b1fbc99ed5da9becaa806b4f9cf28a2;p=thirdparty%2Fntp.git [Bug 1182] Documentation typos and missing bits bk: 4a08d43f3DAXL1bc3qO5euWpvGUAFQ --- diff --git a/ChangeLog b/ChangeLog index 533eeee8a..1f778600e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,4 @@ +* [Bug 1182] Documentation typos and missing bits. (4.2.5p174) 2009/05/09 Released by Harlan Stenn * Stale leapsecond file fixes from Dave Mills. (4.2.5p173) 2009/05/08 Released by Harlan Stenn diff --git a/html/accopt.html b/html/accopt.html index 99fdb0acc..73b4943a0 100644 --- a/html/accopt.html +++ b/html/accopt.html @@ -1,81 +1,134 @@ + + + +Access Control Options + + - - - - Access Control Options - - - - -

Access Control Options

from Pogo, Walt Kelly -

The skunk watches for intruders and sprays.

Last update: 18:08 UTC Sunday, May 04, 2008

-
-

Access Control Support

- The ntpd daemon implements a general purpose access control list (ACL) containing address/match entries sorted first by increasing address values and and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list. The list is searched in order with the last match found defining the restriction flags associated with the entry. -

An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS deparements and 128.175 for the rest of campus. Subnet 128.4.1 homes critical services like class rosters and spread sheets. A suitable ACL might be

+ + +

Access Control Options

+ +

from Pogo, Walt Kelly + +

The skunk watches for intruders and sprays.

Last update: +09-May-2009 20:23 + UTC

+
+ +

Access Control Support

+ +

The ntpd daemon implements a general purpose access control list (ACL) containing address/match entries sorted first by increasing address values and and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list. The list is searched in order with the last match found defining the restriction flags associated with the entry.

+ +

An example may clarify how it works. Our campus has two class-B networks, +128.4 for the ECE and CIS departments and 128.175 for the rest of campus. +Subnet 128.4.1 homes critical services like class rosters and spread sheets. +A suitable ACL might be

-restrict default nopeer # deny new association
+restrict default nopeer # deny new associations
 restrict 128.175.0.0 255.255.0.0 # allow campus access
 restrict 128.4.0.0 255.255.0.0 none # allow ECE and CIS access
 restrict 128.4.1.0 255.255.255.0 notrust # require auth
 restrict time.nist.gov # allow access

While this facility may be useful for keeping unwanted, broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.

Access Control Commands

discard [ average avg ][ minimum min ] [ monitor prob ] -

Set the parameters of the rate control facility which protects the server from client abuse. If the limited flag is present in the ACL, packets that violate these limits are discarded. If in addition the kod restriction is present, a kiss-o'-death packet is returned. -

average avg -: Sspecify the minimum average interpacket spacing (minimum average headway time) in log₂ s with default 3.
minimum min -: Specify the minimum interpacket spacing (guard time) in log₂ s with default 1.
monitor -: Specify the probability of discard for packets that overflow the rate-control window. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.

+ +

Access Control Commands

+ +

discard [ average avg ][ minimum min ] [ monitor prob ]

average avg: Specify the minimum average interpacket spacing (minimum average headway +time) in log₂ s with default 3.
minimum min: Specify the minimum interpacket spacing (guard time) in log₂ s with default 1.
monitor: Specify the probability of discard for packets that overflow the rate-control window. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.

restrict address [mask mask] [flag][...] -

The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note that the text string default, with no mask option, may be used to indicate the default entry. -

In the current implementation, flag always restricts access, i.e., an entry with no flags indicates no restrictions. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two catagories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:

frac -: Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's flakeway, which once did a similar thing for early Internet testing.
ignore -: Deny packets of all kinds, including ntpq and ntpdc queries. -
kod -: Send a kiss-o'-death (KoD) packet if the limited flag is present and a packet violates the rate limits established by the discard command. KoD packets are themselves rate limited for each source address separately. Packets that violate the rate limit are discarded.
limited -: Deny time service if the packet violates the rate limits established by the discard command. This does not apply to ntpq and ntpdc queries.
lowpriotrap -: Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. -
nomodify -: Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted. -
noquery -: Deny ntpq and ntpq queries. Time service is not affected.
nopeer -: Deny packets which would result in mobilizing a new association. This includes broadcast, symmetric-active and manycast client packets when a configured association does not exist. -
noserve -: Deny all packets except ntpq and ntpdc queries. -
notrap -: Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdq control message protocol which is intended for use by remote event logging programs. -
notrust -: Deny packets that are not cryptographically authenticated.
ntpport -
non-ntpport -: This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both ntpport and non-ntpport may be specified. The ntpport is considered more specific and is sorted later in the list. -
version -: Deny packets that do not match the current NTP version. -

Default restriction list entries with the flags ignore, interface, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted). -

- - +

restrict address [mask mask] [flag][...]

The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note that the text string default, with no mask option, may be used to indicate the default entry.

In the current implementation, flag always restricts access, i.e., an entry with no flags indicates no restrictions. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two categories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:

flake: Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's flakeway, which once did a similar thing for early Internet testing.
ignore: Deny packets of all kinds, including ntpq and ntpdc queries.
kod: Send a kiss-o'-death (KoD) packet if the limited flag is present and a packet violates the rate limits established by the discard command. KoD packets are themselves rate limited for each source address separately. Packets that violate the rate limit are discarded.
limited: Deny time service if the packet violates the rate limits established by the discard command. This does not apply to ntpq and ntpdc queries.
lowpriotrap: Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.
nomodify: Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.
noquery: Deny ntpq and ntpq queries. Time service is not affected.
nopeer: Deny packets which would result in mobilizing a new association. This includes broadcast, symmetric-active and manycast client packets when a configured association does not exist.
noserve: Deny all packets except ntpq and ntpdc queries.
notrap: Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdc control message protocol which is intended for use by remote event logging programs.
notrust: Deny packets that are not cryptographically authenticated.
ntpport
non-ntpport: This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both ntpport and non-ntpport may be specified. The ntpport is considered more specific and is sorted later in the list.
version: Deny packets that do not match the current NTP version.

Default restriction list entries with the flags ignore, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).

+ +

+ + + \ No newline at end of file diff --git a/html/decode.html b/html/decode.html index 6fe34becf..e39df6789 100644 --- a/html/decode.html +++ b/html/decode.html @@ -13,7 +13,7 @@

Caterpillar knows all the error codes, which is more than most of us do.

Last update: -03-May-2009 3:28 +09-May-2009 3:31 UTC

@@ -37,11 +37,11 @@ UTC

Introduction

This page lists the status and event messages and error codes used for status reporting and monitoring. Status words are used to display the current status of the running program. There is one system status word and a peer status word for each association. There is a clock status word for each association that supports a reference clock driver. There is a flash code for each association which shows errors found in the last packet received (pkt) and during protocol processing (peer). These are commonly viewed using the ntpq program.

This page lists the status words, event messages and error codes used for ntpd reporting and monitoring. Status words are used to display the current status of the running program. There is one system status word and a peer status word for each association. There is a clock status word for each association that supports a reference clock. There is a flash code for each association which shows errors found in the last packet received (pkt) and during protocol processing (peer). These are commonly viewed using the ntpq program.

Significant changes in program state are reported as events. There is one set of system events and a set of peer events for each association. In adition, there is a set of clock events for each association that supports a reference clock driver. Events are normally reported to the protostats file and optionally to the system log. In addition, if the trap facility is configured, traps can be reported to a remote program that can page an administrator.

Significant changes in program state are reported as events. There is one set of system events and a set of peer events for each association. In adition, there is a set of clock events for each association that supports a reference clock. Events are normally reported to the protostats monitoring file and optionally to the system log. In addition, if the trap facility is configured, events can be reported to a remote program that can page an administrator.

This page also includes a description of the error messages produced by the Autokey protocol. These messages are normally sent to the cryptostats file.

This page also includes a description of the error messages produced by the Autokey protocol. These messages are normally sent to the cryptostats monitoring file.

In the following tables the Code Field is the status or event code assigned and the Message Field a short string used for display and event reporting. The Description field contains a longer explanation of the status or event. Some messages include additional information useful for error diagnosis and performance assessment.

@@ -107,7 +107,7 @@ UTC

0 +0 sync_unspec not yet synchronized @@ -179,89 +179,101 @@ UTC

-0 +00 unspecified unspecified -1 +01 freq_not_set frequency file not available -2 +02 freq_set frequency set from frequency file -3 +03 spike_detect spike detected -4 +04 freq_mode initial frequency training mode -5 +05 clock_sync clock synchronized -6 +06 restart program restart -7 +07 panic_stop clock error more than 600 s -8 -

no_system_peer +08 +no_system_peer no system peer -9 +09 leap_armed leap second armed from file or Autokey -10 +0a leap_disarmed leap second disarmed -11 +0b leap_event leap event -12 +0c clock_step clock stepped -13 +0d kern kernel information message + +0e +TAI... +leapsecond values update from file + + + +0f +stale leapsecond values +new NIST leapseconds file needed + +

Peer Status Word

@@ -299,7 +311,7 @@ UTC

10 reach host reachable -/tr> + 20 @@ -354,7 +366,7 @@ UTC

3 +3 sel_outlyer - discarded by the cluster algorithm @@ -474,7 +486,7 @@ UTC

0d -[popcorn/tt> +popcorn popcorn spike suppressor @@ -487,7 +499,7 @@ UTC 0f interleave_error -interleave error (recoverable) +interleave error (recovered) @@ -512,7 +524,7 @@ vvv -

The Count Field displays the number of events since the last lockvar command, while the Event Field displays the most recent event message coded as follows:

The Count Field displays the number of events since the last lockvar command, while the Event Field displays the most recent event message coded as follows:

diff --git a/html/monopt.html b/html/monopt.html index 4736c2ac9..cd9f3c656 100644 --- a/html/monopt.html +++ b/html/monopt.html @@ -1,465 +1,519 @@ - - - - - - Monitoring Options - - - - -

Monitoring Options

from Pogo, Walt Kelly -

Pig was hired to watch the logs.

Last update: - 08-Apr-2009 2:46 - UTC

+ + + +Monitoring Options + + + +

Monitoring Options

from Pogo, +Walt Kelly +

Pig was hired to watch the logs.

Last update: + 10-May-2009 16:19 + UTC

Introduction

The ntpd includes a comprehensive monitoring facility which collects statistical data of various types and writes the data to files associated with each type at defined events or intervals. The files associated with a particular type are collectively called the generation file set for that type. The files in the file set are the members of that set.

File sets have names specific to the type and generation epoch. The names are constructed from three concatenated elements prefix, filename and suffix:

Introduction

The ntpd includes a comprehensive monitoring facility which collects + statistical data of various types and writes the data to files associated with + each type at defined events or intervals. The files associated with a particular + type are collectively called the generation file set for that type. The files + in the file set are the members of that set.

File sets have names specific to the type and generation epoch. The names + are constructed from three concatenated elements prefix, filename and suffix:

prefix: The directory path specified in the statsdir command.
name: The name specified by the file option of the filegen command.
suffix: A string of elements bdginning with . (dot) followed by a number of elements + depending on the file set type.

Statistics files can be managed using scripts, examples of which are in the ./scripts directory. + Using these or similar scripts and Unix cron jobs, the files can be + automatically summarized and archived for retrospective analysis.

Monitoring Commands

filegen name file filename [type type] + [link | nolink] [enable | disable]

prefix -: The directory path specified in the statsdir command. - -
name -: The name specified by the file option of the filegen command. - -
suffix -: A string of elements bdginning with . (dot) followed by a number of elements depending on the file set type. -

Statistics files can be managed using scripts, examples of which are in the ./scripts directory. Using these or similar scripts and Unix cron jobs, the files can be automatically summarized and archived for retrospective analysis.

Monitoring Commands

filegen name file filename [type type] [link | nolink] [enable | disable] +

name

Specifies the file set type from the list in the next section.

file filename

Specfies the file set name.

type typename

Specifies the file set interval. The following intervals are supported + with default day:

name -

Specifies the file set type from the list in the next section. - -

file filename -

Specfies the file set name. - -

type typename -

Specifies the file set interval. The following intervals are supported with default day: -

none -: The file set is actually a single plain file. - -
pid -: One file set member is created for every incarnation of ntpd. The file name suffix is the string .n, where n is the process ID of the ntpd server process. - -
day -: One file set member is created per day. A day is defined as the period between 00:00 and 23:59 UTC. The file name suffix is the string .yyyymmdd, where yyyy is the year, mm the month of the year and dd the day of the month. Thus, member created on 10 December 1992 would have suffix .19921210. - -
week -: One file set member is created per week. The week is defined as the day of year modulo 7. The file name suffix is the string .yyyyWww, where yyyy is the year, W stands for itself and ww the week number starting from 0. For example, The member created on 10 January 1992 would have suffix .1992W1. - -
month -: One file set member is created per month. The file name suffix is the string .yyyymm, where yyyy is the year and mm the month of the year starting from 1. For example, The member created on 10 January 1992 would have suffix .199201. - -
year -: One file set member is generated per year. The file name suffix is the string .yyyy, where yyyy is the year. For example, The member created on 1 January 1992 would have suffix .1992. - -
age -: One file set member is generated every 24 hours of ntpd operation. The filename suffix is the string .adddddddd, where a stands for itself and dddddddd is the ntpd running time in seconds at the start of the corresponding 24-hour period. - -

link | nolink -

It is convenient to be able to access the current file set members by file name, but without the suffix. This feature is enabled by link and disabled by nolink. If enabled, which is the default, a hard link from the current file set member to a file without suffix is created. When there is already a file with this name and the number of links to this file is one, it is renamed by appending a dot, the letter C, and the pid of the ntpd server process. When the number of links is greater than one, the file is unlinked. This allows the current file to be accessed by a constant name. - -

enable | disable -

Enable or disable the recording function, with default enable. These options are intended for remote configutation commands. - +

none

The file set is actually a single plain file.

pid

One file set member is created for every incarnation of ntpd. + The file name suffix is the string .n, where n is the + process ID of the ntpd server process.

day

One file set member is created per day. A day is defined as the period + between 00:00 and 23:59 UTC. The file name suffix is the string .yyyymmdd, + where yyyy is the year, mm the month of the year and dd the + day of the month. Thus, member created on 10 December 1992 would have suffix .19921210.

week

One file set member is created per week. The week is defined as the + day of year modulo 7. The file name suffix is the string .yyyyWww, + where yyyy is the year, W stands for itself and ww the + week number starting from 0. For example, The member created on 10 January + 1992 would have suffix .1992W1.

month

One file set member is created per month. The file name suffix is the + string .yyyymm, where yyyy is the year and mm the + month of the year starting from 1. For example, The member created on 10 + January 1992 would have suffix .199201.

year

One file set member is generated per year. The file name suffix is the + string .yyyy, where yyyy is the year. For example, The + member created on 1 January 1992 would have suffix .1992.

age

One file set member is generated every 24 hours of ntpd operation. + The filename suffix is the string .adddddddd, where a stands + for itself and dddddddd is the ntpd running time in seconds + at the start of the corresponding 24-hour period.

statsdir directory_path -

Specify the directory path prefix for statistics file names. - -

File Set Types

clockstats -: Record reference clock statistics. Each update received from a reference clock driver appends one line to the clockstats file set: - -; 49213 525.624 127.127.4.1 93 226 00:08:29.606 D -; -

- - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`49213`	MJD	date
`525.624`	s	time past midnight
`127.127.4.1`	IP	reference clock address
`message`	text	log message

The message field includes the last timecode received in decoded ASCII format, where meaningful. In some cases a good deal of additional information is displayed. See information specific to each reference clock for further details. - -

cryptostats -

Record significant events in the Autokey protocol. This option requires the OpenSSL cryptographic software library. Each event appends one line to the cryptostats file set: -

49213 525.624 128.4.1.1 message -

- - - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`49213`	MJD	date
`525.624`	s	time past midnight
`128.4.1.1`	IP	source address (`0.0.0.0` for system)
`message`	text	log message

The message field includes the message type and certain ancillary information. See the Authentication Options page for further information. - -

loopstats -

Record clock discipline loop statistics. Each system clock update appends one line to the loopstats oopstats file set: -

50935 75440.031 0.000006019 13.778 0.000351733 0.013380 6 -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`50935`	MJD	date
`75440.031`	s	time past midnight
`0.000006019`	s	clock offset
`13.778`	PPM	frequency offset
`0.000351733`	s	RMS jitter
`0.013380`	PPM	RMS wander
`6`	log₂ s	clock discipline loop time constant

peerstats -

Record peer statistics. Each NTP packet or reference clock update received appends one line to the peerstats file set: -

48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 0.000958674 -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`48773`	MJD	date
`10847.650`	s	time past midnight
`127.127.4.1`	IP	source address
`9714`	hex	status word
`-0.001605376`	s	clock offset
`0.000000000`	s	roundtrip delay
`0.001424877`	s	dispersion
`0.000958674`	s	RMS jitter

The status field is encoded in hex format as described in Appendix B of the NTP specification RFC 1305. - -

protostats -

Record significant peer, system and [rptpcp; events. Each significant event appends one line to the protostats file set: -

49213 525.624 128.4.1.1 message -

- - - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`49213`	MJD	date
`525.624`	s	time past midnight
`128.4.1.1`	IP	source address (`0.0.0.0` for system)
`message`	text	log message

The message field includes the message type and certain ancillary information. -

rawstats -

Record timestamp statistics. Each NTP packet received appends one line to the rawstats file set: - -

50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 02453332.540806000 3102453332.541458000 -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`50928`	MJD	date
`2132.543`	s	time past midnight
`128.4.1.1`	IP	source address
`128.4.1.20`	IP	destination address
`3102453281.584327000`	NTP s	originate timestamp
`3102453281.586228000`	NTP s	receive timestamp
`3102453332.540806000`	NTP s	transmit timestamp
`3102453332.541458000`	NTP s	destination timestamp

sysstats -

Record system statistics. Each hour one line is appended to the sysstats file set in the following format: -

50928 2132.543 3600 81965 0 9546 56 512 540 10 4 147 1 -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`50928`	MJD	date
`2132.543`	s	time past midnight
`3600`	s	time since reset
`81965`	#	packets received
`0`	#	packets for this host
`9546`	#	current versions
`56`	#	old version
`512`	#	access denied
`540`	#	bad length or format
`10`	#	bad authentication
`4`	#	declined
`147`	#	rate exceeded
`1`	#	kiss-o'-death packets sent

timingstats -

(Only available when the deamon is compiled with process time debugging support (--enable-debug-timing - costs performance). Record processing time statistics for various selected code paths. -

53876 36.920 10.0.3.5 1 0.000014592 input processing delay -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Item	Units	Description
`53876`	MJD	date
`36.920`	s	time past midnight
`10.0.3.5`	IP	server address
`1`	#	event count
`0.000014592`	s	total time
`message`	text	code path description (see source)

link | nolink

It is convenient to be able to access the current file set members by + file name, but without the suffix. This feature is enabled by link and + disabled by nolink. If enabled, which is the default, a hard link + from the current file set member to a file without suffix is created. When + there is already a file with this name and the number of links to this file + is one, it is renamed by appending a dot, the letter C, and the + pid of the ntpd server process. When the number of links is greater + than one, the file is unlinked. This allows the current file to be accessed + by a constant name.

enable | disable

Enable or disable the recording function, with default enable. + These options are intended for remote configutation commands.

- - - - \ No newline at end of file + +

statsdir directory_path

Specify the directory path prefix for statistics file names.

+ +

File Set Types

clockstats

Record reference clock statistics. Each update received from a reference + clock driver appends one line to the clockstats file set:

49213 525.624 127.127.4.1 93 226 00:08:29.606 D

+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`49213`	MJD	date
`525.624`	s	time past midnight
`127.127.4.1`	IP	reference clock address
`message`	text	log message

The message field includes the last timecode received in + decoded ASCII format, where meaningful. In some cases a good deal of additional + information is displayed. See information specific to each reference clock + for further details.

cryptostats

Record significant events in the Autokey protocol. This option requires + the OpenSSL cryptographic software library. Each event appends one line to + the cryptostats file set:

49213 525.624 128.4.1.1 message

+ + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`49213`	MJD	date
`525.624`	s	time past midnight
`128.4.1.1`	IP	source address (`0.0.0.0` for system)
`message`	text	log message

The message field includes the message type and certain + ancillary information. See the Authentication Options page + for further information.

loopstats

Record clock discipline loop statistics. Each system clock update appends + one line to the loopstats file set:

50935 75440.031 0.000006019 13.778 0.000351733 0.013380 6

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`50935`	MJD	date
`75440.031`	s	time past midnight
`0.000006019`	s	clock offset
`13.778`	PPM	frequency offset
`0.000351733`	s	RMS jitter
`0.013380`	PPM	RMS frequency jitter (aka wander)
`6`	log₂ s	clock discipline loop time constant

peerstats

Record peer statistics. Each NTP packet or reference clock update received + appends one line to the peerstats file set:

48773 10847.650 127.127.4.1 9714 -0.001605376 0.000000000 0.001424877 + 0.000958674

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`48773`	MJD	date
`10847.650`	s	time past midnight
`127.127.4.1`	IP	source address
`9714`	hex	status word
`-0.001605376`	s	clock offset
`0.000000000`	s	roundtrip delay
`0.001424877`	s	dispersion
`0.000958674`	s	RMS jitter

The status field is encoded in hex format as described in Appendix B of + the NTP specification RFC 1305.

protostats

Record significant peer, system and [rptpcp; events. Each significant event + appends one line to the protostats file set:

49213 525.624 128.4.1.1 963a 8a message

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`49213`	MJD	date
`525.624`	s	time past midnight
`128.4.1.1`	IP	source address (`0.0.0.0` for system)
`963a`	code	status word
`8a`	code	event message code
`message`	text	event message

The event message code and message field are described on + the Event Messages and Status Words page.

rawstats

Record timestamp statistics. Each NTP packet received appends one line to + the rawstats file set:

50928 2132.543 128.4.1.1 128.4.1.20 3102453281.584327000 3102453281.58622800031 + 02453332.540806000 3102453332.541458000

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`50928`	MJD	date
`2132.543`	s	time past midnight
`128.4.1.1`	IP	source address
`128.4.1.20`	IP	destination address
`3102453281.584327000`	NTP s	origin timestamp
`3102453281.586228000`	NTP s	receive timestamp
`3102453332.540806000`	NTP s	transmit timestamp
`3102453332.541458000`	NTP s	destination timestamp

sysstats

Record system statistics. Each hour one line is appended to the sysstats file + set in the following format:

50928 2132.543 3600 81965 0 9546 56 512 540 10 4 147 1

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`50928`	MJD	date
`2132.543`	s	time past midnight
`3600`	s	time since reset
`81965`	#	packets received
`0`	#	packets for this host
`9546`	#	current versions
`56`	#	old version
`512`	#	access denied
`540`	#	bad length or format
`10`	#	bad authentication
`4`	#	declined
`147`	#	rate exceeded
`1`	#	kiss-o'-death packets sent

timingstats

(Only available when the deamon is compiled with process time debugging + support (--enable-debug-timing - costs performance). Record processing time + statistics for various selected code paths.

53876 36.920 10.0.3.5 1 0.000014592 input processing delay

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Item	Units	Description
`53876`	MJD	date
`36.920`	s	time past midnight
`10.0.3.5`	IP	server address
`1`	#	event count
`0.000014592`	s	total time
`message`	text	code path description (see source)

+ + +

Access Control Options

Related Links

Table of Contents

Access Control Support

Access Control Options

Related Links

Table of Contents

Access Control Support

Access Control Commands

Access Control Commands

Introduction

Peer Status Word

Monitoring Options

Monitoring Options

Related Links

Table of Contents

Introduction

Related Links

Table of Contents

Introduction

Monitoring Commands

Monitoring Commands

File Set Types

File Set Types