LightYear
/Docs
DocsTroubleshootingDiagnose High CPU Usage

Diagnose High CPU Usage

Identify processes causing high CPU usage and resolve performance issues on Linux servers.

intermediate
8 min read
LightYear Docs Team
Updated April 24, 2026
cpuperformancetophtoptroubleshooting
Ready to get started?

High CPU usage can cause slow response times, timeouts, and server instability. This guide shows how to identify the cause and resolve it.

Step 1 — Check Overall CPU Usage

>_BASH
$top
OUTPUT
top - 10:00:00 up 5 days,  2:30,  1 user,  load average: 3.45, 2.89, 2.12
Tasks: 145 total,   3 running, 142 sleeping
%Cpu(s): 89.3 us,  5.2 sy,  0.0 ni,  4.1 id,  0.5 wa,  0.0 hi,  0.9 si
MiB Mem :   3840.0 total,    234.5 free,   2890.3 used,    715.2 buff/cache

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
12345 www-data  20   0  456789  123456   8901 R  85.3   3.1  12:34.56 php-fpm
 6789 mysql     20   0 1234567  456789  12345 S  12.1  11.9   5:23.45 mysqld

Press P to sort by CPU usage. Press q to quit.

Step 2 — Use htop for Better Visibility

>_BASH
$apt install -y htop
$htop

htop provides a colour-coded, interactive view of all processes with per-core CPU usage bars.

Step 3 — Identify the Problematic Process

>_BASH
$ps aux --sort=-%cpu | head -10
OUTPUT
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data 12345 85.3  3.1 456789 123456 ?        R    10:00  12:34 php-fpm: pool www
mysql     6789 12.1 11.9 1234567 456789 ?       Sl   09:00   5:23 /usr/sbin/mysqld

Step 4 — Investigate the Process

Check what the high-CPU process is doing:

>_BASH
$strace -p 12345 -c

For PHP-FPM, check the slow log:

>_BASH
$tail -f /var/log/php8.1-fpm.log

For Nginx, check the access log for unusual traffic:

>_BASH
$awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

Step 5 — Check for Cryptomining Malware

Unexpected high CPU usage can indicate a compromised server running cryptomining software:

>_BASH
$# Check for suspicious processes
$ps aux | grep -E "xmrig|minerd|cryptonight|stratum"
$
$# Check for unusual network connections
$ss -tulnp | grep -v "sshd|nginx|mysql"
$
$# Check recently modified files
$find /tmp /var/tmp -newer /etc/passwd -type f

[!WARNING] If you find cryptomining malware, the server may be fully compromised. Consider taking a snapshot for forensic analysis, then rebuilding from a clean image.

Step 6 — Limit CPU Usage with cgroups

If a specific process is consuming too much CPU, limit it:

>_BASH
$# Limit a process to 50% CPU
$cpulimit -p 12345 -l 50

Or use nice to lower a process's priority:

>_BASH
$renice +10 -p 12345

Was this article helpful?

Your cookie choices for this website

This site uses cookies and related technologies, as described in our privacy policy, for purposes that may include site operation, analytics, and enhanced user experience. You may choose to consent to our use of these technologies, or manage your own preferences. Cookie policy