Performance Logs and Alerts expands the monitoring capabilities of System Monitor to include features for logging counter and trace data and for generating performance alerts. Logged counter data can be exported to spreadsheets or databases for analysis and report generation. The data can be stored as a text file (comma- or tab-delimited), a binary file, a binary circular file where the log file is a set size and new data overwrites old data, or a SQL database.
Performance logging runs as a service. As a result, a user doesn’t have to be logged on to the monitored computer for data collection to occur. You can manage multiple logging sessions from a single console window and view data as it is collected as well as after collection has stopped. Automatic log generation enables the defining of parameters such as filename, file size, and start and stop times. An alert can be set on a counter to cause a specific action to occur, such as starting a specified program, sending a notification message, or starting a log when the value of a selected counter falls below or exceeds a specified setting.
A counter log collects data at a predefined interval. Counter logs are helpful for recording data about system services activities and hardware usage from the local machine or a remote machine. You can log data manually on demand or schedule logging to start and stop automatically. The system can also perform continuous logging, depending on the file size and duration limits you set. The logged data can be viewed through the System Monitor display or exported to spreadsheets or databases.
You can view the counters configured in the counter log dynamically through System Monitor by saving log settings such as counters as an HTML page. The resulting page hosts the System Monitor control through an ActiveX control that provides the interface for the monitoring user.
Rather than measure samples at a predefined interval, as counter logs do, a trace log monitors data continuously and waits for specific events such as page faults to occur. That data is then recorded into a binary trace log file. Developers can use the tools in the Microsoft Platform SDK to translate binary trace logs into human-readable form.
To create a counter log or a trace log, complete the following steps:
1. Launch Performance from the Administrative Tools menu, and in the console tree, expand Performance Logs And Alerts.
2. In the console tree, select Counter Logs to create a counter log, or select Trace Logs to create a trace log. Existing logs are listed in the details pane. A red icon indicates a log that is not running or has been stopped; a green icon indicates a log that is running.
3. Right-click in a blank area of the details pane and choose New Log Settings (Figure 20-8).
Figure 20-8: Creating new log settings.
4. In the Name text box, type the name of the counter or trace log you are creating and click OK. A Properties dialog box for configuring the counter or trace log you are creating is displayed.
5. Configure the counter or trace log to monitor your local or remote machine by choosing the proper counters for the resources to be monitored, selecting log file properties, and choosing the desired scheduling options. The sample data interval for counter logs is set on the General tab of the Properties dialog box for the log.
More Info
For guidelines about setting time intervals, see the “Determining How Often to Monitor” section earlier in this chapter.
Counters are added on the General tab of a log’s Properties dialog box (Figure 20-9). When you create a counter log file, the Properties dialog box is displayed automatically. If you need to add counters later, you can display the Properties dialog box by right-clicking the name of the log file, choosing Properties from the shortcut menu, clicking Add on the General tab, and then choosing the desired counters. The procedure for selecting counters is identical to that described earlier in this chapter in the section titled “Selecting Counters.”
Figure 20-9: The General tab of a log’s Properties dialog box.
To save the settings for a log or an alert file, right-click the name of the log or alert file in the details pane, and then choose Save Settings As from the shortcut menu. Type the name you want to give to the log or alert file, and save it as an .HTM file. You can use the saved settings for a new log or alert by right-clicking in the details pane, choosing New Log Settings From, and then selecting the .HTM file containing the settings you want to reuse.
Events in trace logs are monitored not by counters but by providers. You can choose to log events by system or nonsystem providers. The default system provider, the Windows Kernel Trace Provider, monitors threads, processes, disk input/output, network TCP/IP, page faults, and file details. The default system provider uses the most overhead to monitor events. Only one trace log at a time can be run using the system provider. If you attempt to run more than one, you receive an error message.
To choose providers, right-click the name of the trace log file and choose Properties from the shortcut menu. On the General tab (Figure 20-10), select the Events Logged By System Provider option and then choose the events you want to monitor, or select the Nonsystem Providers option and then add the nonsystem providers of your choice (for example, Active Directory) by clicking Add.
Figure 20-10: Specifying events logged by the system provider.
Remember that trace logging of page fault and file details generates a huge amount of data. Microsoft recommends that you limit trace logging using these fault options to a maximum of two hours; otherwise, you might run out of disk space on your machine.
Choosing nonsystem providers to monitor the system incurs less overhead. With nonsystem providers, you can select the data providers of your choice. You cannot run concurrent multiple trace logs using the same nonsystem provider, but you can do so using different nonsystem providers. Some nonsystem providers available in Microsoft Windows Server 2003 are ACPI Driver Trace Provider; Active Directory: Kerberos; Active Directory: NetLogon; Active Directory: SAM; DNS Trace; Local System Authority (LSA); NTLM Security Protocol; and Exchange Information Store.
To set file parameters for counter and trace logs, complete the following steps:
1. Open Performance and expand Performance Logs And Alerts.
2. In the console tree, select Counter Logs to set file parameters for counter logs, or select Trace Logs to set file parameters for trace logs.
3. Double-click the name of the log for which you want to set the file parameters. A dialog box displaying the properties of the log appears.
4. Click the Log Files tab, and set the desired parameters for the log file. (The available parameters are described in the next section.)
The Log Files tab of the Properties dialog box for a counter or trace log (Figure 20-11) allows the setting of a number of file parameters, such as the file type and whether to end the filename with a set of sequential numbers or a date to keep track of multiple log files. To specify a folder other than the default chosen by Windows (the PerfLogs folder at the root directory), click Configure.
Figure 20-11: The Log Files tab of a trace log’s Properties dialog box.
The Configure Log Files dialog box also has a log file size option that either lets the log file grow as large as disk quotas or the operating system permits or limits it to a specific size. Limit the size of a log file if you want to use one of the circular logging options. In conjunction with limiting the size of a log file, you can use the When The Log File Is Full option on the Schedule tab to run a command if you want a particular action to occur when the log file reaches its limit.
You can choose from among five file types for a counter log:
Text File - Comma Delimited: Used to export data to a spreadsheet program. The data is stored as a comma-delimited log file with the file extension .CSV.
Text File - Tab Delimited: Can also be used to export data to a spreadsheet program. The data is stored as a tab-delimited log file with the file extension .TSV.
Binary File: Used for intermittent instances (instances that stop and start after the log has been started). The data is stored as a sequential, binary-format log file with the file extension .BLG.
Binary Circular File: Records data continuously to the same log file where the new records overwrite the previous ones. The data is stored in binary format as a circular file with the file extension .BLG.
SQL Database: Records data into an existing SQL database.
Trace logs can be either of two file types:
Circular Trace File: Records data continuously to the same log file where the new records overwrite the previous ones. The data is stored in a circular file with the file extension .ETL.
Sequential Trace File: Collects data until a user-defined limit is reached. When the limit is reached, the current file is closed and a new one is started. The data is stored as a sequential file using the file extension .ETL.
The default file type for counter logs is Binary File (with the extension .BLG), and the default file type for trace logs is Sequential Trace File (with the extension .ETL).
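The following is an added example, not part of the original chapter: it reads a comma-delimited counter log and applies the over/under threshold test that an alert performs on a counter. The file layout (a PDH-CSV header row with the sample time in the first column), the server name SRV01, the thresholds, and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample. Assumed layout: column 0 holds the sample time,
# every other column is one counter path taken from the header row.
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\SRV01\Processor(_Total)\% Processor Time","\\SRV01\Memory\Available MBytes"
"03/12/2004 10:00:00.000"," ","512"
"03/12/2004 10:00:15.000","42.5","498"
"03/12/2004 10:00:30.000","97.1","120"
"03/12/2004 10:00:45.000","93.8","88"
'''

def read_counter_log(text):
    """Return {counter_path: [(timestamp, value), ...]}, skipping blank samples."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    series = {path: [] for path in header[1:]}
    for row in rows:
        if not row:
            continue
        when = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        for path, cell in zip(header[1:], row[1:]):
            cell = cell.strip()
            if cell:  # a rate counter has no value on its first sample
                series[path].append((when, float(cell)))
    return series

def evaluate_alert(samples, limit, over=True):
    """Samples that exceed (over=True) or fall below (over=False) the limit."""
    return [(t, v) for t, v in samples if (v > limit if over else v < limit)]

def find_counter(series, suffix):
    """Look up a counter by the end of its path, ignoring the machine name."""
    matches = [p for p in series if p.lower().endswith(suffix.lower())]
    if len(matches) != 1:
        raise KeyError(f"{suffix!r} matched {len(matches)} counters")
    return matches[0]

if __name__ == "__main__":
    log = read_counter_log(SAMPLE_CSV)
    cpu = find_counter(log, r"\Processor(_Total)\% Processor Time")
    mem = find_counter(log, r"\Memory\Available MBytes")
    for t, v in evaluate_alert(log[cpu], 90.0, over=True):
        print(f"{t:%H:%M:%S} CPU over 90%: {v}")
    for t, v in evaluate_alert(log[mem], 100.0, over=False):
        print(f"{t:%H:%M:%S} memory under 100 MB: {v}")
```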