
Chapter 3 - Monitoring Processes, Services, and Events

Updated: June 29, 2001

As an administrator, it's your job to keep an eye on the network systems. The status of system resources and usage can change dramatically over time. Services may stop running. File systems may run out of space. Applications may throw exceptions, which in turn can cause system problems. Unauthorized users may try to break into the system. The techniques discussed in this chapter will help you find and resolve these and other system problems.

On This Page

Managing Applications, Processes, and Performance
Managing System Services
Event Logging and Viewing
Monitoring Server Performance and Activity

Managing Applications, Processes, and Performance

Anytime you start an application or type a command on the command line, Microsoft Windows 2000 starts one or more processes to handle the related program. Generally, processes that you start in this manner are called interactive processes. That is, the processes are started interactively with the keyboard or mouse. If the application or program is active and selected, the related interactive process has control over the keyboard and mouse until you switch control by terminating the program or selecting a different one. When a process has control, it's said to be running in the foreground.

Processes can also run in the background. With processes started by users, this means that programs that aren't currently active can continue to operate—only they generally aren't given the same priority as the active process. You can also configure background processes to run independently of the user logon session; such processes are usually started by the operating system. An example of this type of background process is a batch file started with an AT command. The AT command tells the system to run the file at a specified time, and (if permissions are configured correctly) the AT command can do so regardless of whether a user is logged on to the system.

Task Manager

The key tool you'll use to manage system processes and applications is Task Manager. You can access Task Manager using any of the following techniques:

  • Press Ctrl+Shift+Esc.

  • Press Ctrl+Alt+Del, and then select the Task Manager button.

  • Type taskmgr into the Run utility or a command prompt.

  • Right-click the taskbar and select Task Manager from the pop-up menu.

Techniques you'll use to work with Task Manager are covered in the following sections.

Administering Applications

Task Manager's Applications tab is shown in Figure 3-1. This tab shows the status of the programs that are currently running on the system. You can use the buttons on the bottom of this tab as follows:

  • Stop an application by selecting the application and then clicking End Task.

  • Switch to an application and make it active by selecting the application and then clicking Switch To.

    Figure 3-1: The Applications tab of the Windows Task Manager shows the status of programs currently running on the system.

  • Start a new program by selecting New Task and then entering a command to run the application. New Task functions like the Start menu's Run utility.

Tip: The Status column tells you if the application is running normally or if the application has gone off into the ozone. A status of Not Responding is an indicator that an application may be frozen, and you may want to end its related task. However, some applications may not respond to the operating system during certain process-intensive tasks. Because of this, you should be certain the application is really frozen before you end its related task.

Right-Clicking a Listing

Right-clicking an application's listing displays a pop-up menu that allows you to

  • Switch to the application and make it active

  • Bring the application to the front of the display

  • Minimize and maximize the application

  • Tile or end the application

  • Go to the related process in the Processes tab

Note: The Go To Process option is very helpful when you're trying to find the primary process for a particular application. Selecting this option highlights the related process in the Processes tab.

Administering Processes

The Task Manager Processes tab is shown in Figure 3-2. This tab provides detailed information on the processes that are running. As you examine processes, note that although applications have a main process, a single application may start multiple processes. Generally, these processes are dependent on the main application process and are stopped when you terminate the main application process or use End Task. Because of this, you'll usually want to terminate the main application process or the application itself rather than dependent processes.

The fields of the Processes tab provide lots of information about running processes. You can use this information to determine which processes are hogging system resources, such as CPU time and memory. Additional uses for the tab include

  • Stopping a process by selecting it and then choosing End Process

  • Stopping a process and its subprocesses by right-clicking it and then choosing End Process Tree

  • Setting a process's priority by right-clicking it and then choosing Set Priority from the pop-up menu

Figure 3-2: The Processes tab provides detailed information on running processes.


Note: If you examine processes running in Task Manager, you'll note a process called System Idle Process. You can't set the priority of this process. Unlike other processes that track resource usage, System Idle Process tracks the amount of system resources that aren't used. Thus, a 99 in the CPU column for the process means 99 percent of the system resources currently aren't being used.

Priority determines how much of the system resources are allocated to a process. Most processes have a normal priority by default. To increase priority, set the priority to high. To decrease priority, set the priority to low. The highest priority is given to real-time processes.

Viewing System Performance

The Task Manager Performance tab provides an overview of CPU and memory usage. As shown in Figure 3-3, the tab displays graphs as well as statistics. This information gives you a quick check on system resource usage. For more detailed information, use Performance Monitor, as explained later in this chapter.

Figure 3-3: The Performance tab provides a quick check on system resource usage.


Graphs on the Performance Tab

The graphs on the Performance tab provide the following information:

  • CPU Usage: The percentage of processor resources being used

  • CPU Usage History: A history graph of CPU usage plotted over time

  • MEM Usage: The amount of memory currently being used on the system

  • Memory Usage History: A history graph of memory usage plotted over time

Tip: To view a close-up of the CPU graphs, double-click within the Performance tab. Double-clicking again returns you to normal viewing mode.

Customizing and Updating the Graph Display

To customize or update the graph display, use the following options on the View menu:

  • Update Speed: Allows you to change the speed of graph updating as well as to pause the graph.

  • CPU History: On multiprocessor systems, allows you to specify how CPU graphs are displayed.

  • Show Kernel Times: Allows you to display the amount of CPU time used by the operating system kernel.

Beneath the graphs you'll find several lists of statistics. These statistics provide the following information:

  • Commit Charge: Provides information on the total memory used by the operating system. Total lists all physical and virtual memory currently in use. Limit lists the total physical and virtual memory available. Peak lists the maximum memory used by the system since bootup.

  • Kernel Memory: Provides information on the memory used by the operating system kernel. Critical portions of kernel memory must operate in RAM and can't be paged to virtual memory. This type of kernel memory is listed as Nonpaged. The rest of kernel memory can be paged to virtual memory and is listed as Paged. The total amount of memory used by the kernel is listed under Total.

  • Physical Memory: Provides information on the total RAM on the system. Total shows the amount of physical RAM. Available shows the RAM not currently being used and available for use. System Cache shows the amount of memory used for system caching.

  • Totals: Provides information on CPU usage. Handles shows the number of I/O handles in use. Threads shows the number of threads in use. Processes shows the number of processes in use.

Managing System Services

Services provide key functions to Windows 2000 workstations and servers. To manage system services, you'll use the Services entry in the Computer Management console, which you start by completing the following steps:

  1. Choose Start, Programs, then Administrative Tools, and finally Computer Management. Or select Computer Management in the Administrative Tools folder.

  2. Right-click the Computer Management entry in the console tree and select Connect To Another Computer on the shortcut menu. You can now choose the system whose services you want to manage.

  3. Expand the Services And Applications node by clicking the plus sign (+) next to it, and then choose Services.

Note: Windows 2000 provides several other ways to access services. For example, you can also use the Services entry in the Component Services utility.

Figure 3-4 shows the Services view in the Computer Management console. The key fields of this dialog box are used as follows:

  • Name: The name of the service. Only services installed on the system are listed here. Double-click an entry to configure its startup options. If a service you need isn't listed, you can install it by using the Network Connection Properties dialog box or the Windows Optional Networking Components Wizard. See Chapter 15 for details.

  • Description: A short description of the service and its purpose.

  • Status: Whether the status of the service is started, paused, or stopped. (Stopped is indicated by a blank entry.)

  • Startup Type: The startup setting for the service. Automatic services are started at bootup. Manual services are started by users or other services. Disabled services are turned off and can't be started while they remain disabled.

  • Log On As: The account the service logs on as. The default in most cases is the local system account.

Note: Both the operating system and users can disable services. Generally, Windows 2000 disables services if there is a possible conflict with another service.

Figure 3-4: Use the Services view to manage services on Windows 2000 workstations and servers.


Common Windows 2000 Services

Table 3-1 provides a summary of common services that you'll see on Windows 2000 systems. Keep in mind that the type and number of services running on a Windows 2000 system depend on its configuration. To install or remove services, you use the Configure Your Server administration tool.

Table 3-1 Common Services That May Be Installed on Windows 2000 Systems

| Service Name | Description |
| --- | --- |
| Alerter | Sends administrative alert messages |
| Application Management | Provides software installation services |
| ClipBook | Enables remote viewers to see local pages with ClipBook Viewer |
| COM+ Event System | Provides automatic distribution of events to subscribing COM components |
| Computer Browser | Enables computer browsing; maintains a list of resources used for network browsing |
| Dynamic Host Configuration Protocol (DHCP) Client | Manages network configuration by registering and updating Internet Protocol (IP) addresses and Domain Name System (DNS) names |
| DHCP Server | Provides dynamic IP address assignment and network configuration for DHCP clients |
| Distributed Transaction Coordinator | Coordinates distributed transactions for resource managers |
| DNS Client | Resolves and caches DNS names |
| DNS Server | Manages DNS names and queries |
| Event Log | Logs event messages issued by applications and the operating system |
| File Server for Macintosh | Enables Macintosh users to store and access files on the server system |
| Gateway Service for NetWare | Provides access to file and print resources on NetWare networks |
| Intersite Messaging | Allows sending and receiving of messages between Active Directory sites |
| License Logging Service | Tracks license usage and compliance |
| Messenger | Sends and receives messages transmitted by administrators or by the Alerter service |
| Net Logon | Authenticates user logons |
| Network dynamic data exchange (DDE) | Supports DDE between applications |
| Network DDE DSDM | Manages shared dynamic data exchange and is used by Network DDE |
| NT LM Security Support Provider | Provides security to Remote Procedure Call (RPC) programs that don't use named pipes |
| Performance Logs and Alerts | Configures performance logs and alerts |
| Plug and Play | Manages device installation and configuration and notifies programs of device changes |
| Print Server for Macintosh | Enables Macintosh users to send print jobs to Windows |
| Print Spooler | Spools printer files |
| Protected Storage | Provides protected storage for sensitive data, such as private keys |
| RPC | Provides RPC services for distributed applications |
| RPC Locator | Manages the RPC name service database |
| Routing and Remote Access | Provides routing and remote access services |
| Secondary Logon Service | Enables Run As, where you can run processes as another user |
| Security Accounts Manager | Stores security information for local user accounts |
| Server | Provides RPC server services, including file sharing, printer spooling, and named pipes |
| Simple Transmission Control Protocol/Internet Protocol (TCP/IP) Services | Supports the TCP/IP services Character Generator, Daytime, Discard, Echo, and Quote of the Day |
| System Event Notification | Tracks system events and notifies COM+ Event System subscribers of these events |
| Task Scheduler | Enables job scheduling |
| TCP/IP NetBIOS Helper Service | Enables support for NetBIOS over TCP/IP and NetBIOS name resolution |
| Telnet | Allows a remote user to log on to the system and run console programs using the command line |
| Windows Internet Name Service (WINS) | Provides a NetBIOS name service for TCP/IP clients |
| Workstation | Provides services for network connections and communications |

Starting, Stopping, and Pausing Services

As an administrator, you'll often have to start, stop, or pause Windows 2000 services. To start, stop, or pause, complete the following steps:

  1. Start the Computer Management console.

  2. Right-click the Computer Management entry in the console tree and select Connect To Another Computer on the shortcut menu. You can now choose the system whose services you want to manage.

  3. Expand the Services And Applications node by clicking the plus sign (+) next to it, and then choose Services.

  4. Right-click the service you want to manipulate, and then select Start, Stop, or Pause, as appropriate. You can also choose Restart to have Windows stop and then start the service after a brief pause. Additionally, if you pause a service, you can use the Resume option to resume normal operation.

Note: When services that are set to start automatically fail, the status is listed as blank and you'll usually receive notification in a pop-up dialog box. Service failures can also be logged to the system's event logs. In Windows 2000, you can configure actions to handle service failure automatically. For example, you could have Windows 2000 attempt to restart the service for you. See the section of this chapter entitled "Configuring Service Recovery" for details.

Configuring Service Startup

You can set Windows 2000 services to start manually or automatically. You can also turn them off permanently by disabling them. You configure service startup by completing the following steps:

  1. In the Computer Management console, connect to the computer whose services you want to manage.

  2. Expand the Services And Applications node by clicking the plus sign (+) next to it, and then choose Services.

  3. Right-click the service you want to configure and then choose Properties.

  4. In the General tab, use the Startup Type drop-down list box to choose a startup option, as shown in Figure 3-5. Select Automatic to start services at bootup. Select Manual to allow the services to be started manually. Select Disabled to turn off the service.

  5. Click OK.

    Figure 3-5: Use the General tab's Startup drop-down list box to configure service startup options.


Configuring Service Logon

You can configure Windows 2000 services to log on as a system account or as a specific user. To do either of these, complete the following steps:

  1. In the Computer Management console, connect to the computer whose services you want to manage.

  2. Expand the Services And Applications node by clicking the plus sign (+) next to it, and then choose Services.

  3. Right-click the service you want to configure and then choose Properties.

  4. Select the Log On tab, shown in Figure 3-6.

  5. Select Local System Account if the service should log on using the system account (which is the default for most services).

  6. Select This Account if the service should log on using a specific user account. Be sure to type an account name and password in the fields provided. Use the Browse button to search for a user account, if necessary.

  7. Click OK.

    Figure 3-6: Use the Log On tab to configure the service logon account.


Configuring Service Recovery

You can configure Windows 2000 services to take specific actions when a service fails. For example, you could attempt to restart the service or run an application. To configure recovery options for a service, complete the following steps:

  1. In the Computer Management console, connect to the computer whose services you want to manage.

  2. Expand the Services And Applications node by clicking the plus sign (+) next to it, and then choose Services.

  3. Right-click the service you want to configure and then choose Properties.

  4. Select the Recovery tab, shown in Figure 3-7.

    Note: Windows 2000 automatically configures recovery for some critical system services during installation. In Figure 3-7, you see that the IIS (Internet Information Server) Admin Service is set to run a file if the service fails. This file is an application that corrects service problems and safely manages dependent IIS services while working to restart the service.

    Figure 3-7: Use the Recovery tab to specify actions that should be taken in case of service failure.


    You can now configure recovery options for the first, second, and subsequent recovery failures. The available options are

    • Take No Action

    • Restart the Service

    • Run a File

    • Reboot the Computer

    Best Practice: When you configure recovery options for critical services, you may want to try to restart the service on the first and second attempts and then reboot the server on the third attempt.

  5. Configure other options based on your previously selected recovery options. If you elected to run a file as a recovery option, you'll need to set options in the Run File panel. If you elected to restart the service, you'll need to specify the restart delay. After stopping the service, Windows 2000 waits for the specified delay before trying to start the service. In most cases a delay of 1–2 minutes should be sufficient.

  6. Click OK.

Event Logging and Viewing

Event logs provide historical information that can help you track down system and security problems. The event-logging service controls whether events are tracked on Windows 2000 systems. When this service is started, you can track user actions and system resource usage events with the following event logs:

  • Application Log: Records events logged by applications, such as the failure of MS SQL to access a database.

  • Directory Service: Records events logged by Active Directory and its related services.

  • DNS Server: Records DNS queries, responses, and other DNS activities.

  • File Replication Service: Records file replication activities on the system.

  • Security Log: Records events you've set for auditing with local or global group policies.

    Note: Any user who needs access to the security log must be granted the user right to Manage Auditing and the Security Log. By default, members of the Administrators group have this user right. To learn how to assign user rights, see Chapter 7.

  • System Log: Records events logged by the operating system or its components, such as the failure of a service to start at bootup.

Accessing and Using the Event Logs

You access the event logs by completing the following steps:

  1. In the Computer Management console, connect to the computer whose event logs you want to view or manage.

  2. Expand the System Tools node by clicking the plus sign (+) next to it and then double-click Event Viewer. You should now see a list of logs, as shown in Figure 3-8.

  3. Select the log you want to view.

Entries in the main panel of Event Viewer provide a quick overview of when, where, and how an event occurred. To obtain detailed information on an event, double-click its entry. The event type precedes the date and time of the event. Event types include

  • Information: An informational event that is generally related to a successful action.

  • Success Audit: An event related to the successful execution of an action.

  • Failure Audit: An event related to the failed execution of an action.

    Figure 3-8: Event Viewer displays events for the selected log.

  • Warning: A warning. Details for warnings are often useful in preventing future system problems.

  • Error: An error, such as the failure of a service to start.

    Note: Warnings and errors are the two types of events that you'll want to examine closely. Whenever these types of events occur and you're unsure of the cause, double-click the entry to view the detailed event description.

In addition to type, date, and time, the summary and detailed event entries provide the following information:

  • Source: The application, service, or component that logged the event.

  • Category: The category of the event, which is sometimes used to further describe the related action.

  • Event: An identifier for the specific event.

  • User: The user account that was logged on when the event occurred.

  • Computer: The name of the computer where the event occurred.

  • Description: In the detailed entries, a text description of the event.

  • Data: In the detailed entries, any data or error code output by the event.

Setting Event Log Options

Log options allow you to control the size of the event logs as well as how logging is handled. By default, event logs are set with a maximum file size of 512 KB. Then, when a log reaches this limit, events older than seven days are overwritten to prevent the log from exceeding the maximum file size.

To set the log options, complete the following steps:

  1. In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs.

  2. Right-click the event log whose properties you want to set and select Properties from the shortcut menu. This opens the dialog box shown in Figure 3-9.

  3. Enter a maximum size in the Maximum Log Size field. Make sure that the drive containing the operating system has enough free space for the maximum log size you select. Log files are stored in the %SystemRoot%\system32\config directory by default.

    Note: Throughout this book you'll see references to %SystemRoot%. This is an environment variable used by Windows 2000 to designate the base directory for the Windows 2000 operating system, such as C:\WIN2000. For more information on environment variables, see Chapter 9.

    Determine what happens when the maximum log size is reached. The options available are

    • Overwrite Events As Needed: Events in the log are overwritten when the maximum file size is reached. Generally, this is the best option on a low priority system.

    • Overwrite Events Older Than . . . Days: When the maximum file size is reached, events in the log are overwritten only if they are older than the setting you select. If the maximum size is reached and the events can't be overwritten, the system generates error messages telling you the event log is full.

    • Do Not Overwrite Events (Clear Log Manually): When the maximum file size is reached, the system generates error messages telling you the event log is full.

  4. Click OK when you're finished.

    Note: On critical systems where security and event logging is very important, you may want to use Overwrite Events Older Than . . . Days or Do Not Overwrite Events (Clear Log Manually). When you use these methods, you may want to archive and clear the log file periodically to prevent the system from generating error messages.

    Figure 3-9: You should configure log settings according to the level of auditing on the system.


Clearing the Event Logs

When an event log is full, you need to clear it. To do that, complete the following steps:

  1. In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs.

  2. Right-click the event log you want to clear and select Clear All Events from the shortcut menu.

  3. Choose Yes to save the log before clearing it. Choose No to continue without saving the log file.

Archiving the Event Logs

On key systems such as domain controllers and application servers, you'll want to keep several months' worth of logs. However, it usually isn't practical to set the maximum log size to accommodate this. Instead, you should periodically archive the event logs.

Archive Log Formats

Logs can be archived in three formats:

  • Event log format for access in Event Viewer

  • Tab-delimited text format, for access in text editors or word processors or import into spreadsheets and databases

  • Comma-delimited text format, for import into spreadsheets or databases

When you export log files to a comma-delimited file, each field in the event entry is separated by a comma. The event entries look like this:

9/7/99,9:43:24 PM,DNS,Information,None,2,N/A,ZETA,The DNS Server has started.
9/7/99,9:40:04 PM,DNS,Error,None,4015,N/A,ZETA,The DNS server has encountered a critical error from the Directory Service (DS). The data is the error code.

The format for the entries is as follows:

Date, Time, Source, Type, Category, Event, User, Computer, Description. 
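
The comma-delimited archive format above can be parsed for triage, as in this added example (not part of the original chapter). It assumes US-style dates as in the sample rows and that only the Description field may contain commas or wrap onto a following line; the function names are illustrative, and the third and fourth sample rows are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Field order as given in the chapter for comma-delimited archives.
FIELDS = ("date", "time", "source", "type", "category",
          "event", "user", "computer", "description")

# Assumption: a record starts with a US-style date and 12-hour time, as in
# the chapter's sample; any other line continues the previous Description.
RECORD_START = re.compile(
    r"^\d{1,2}/\d{1,2}/(\d{2}|\d{4}),\d{1,2}:\d{2}:\d{2} [AP]M,")

# Rows 1-2 are the chapter's sample (row 2 wrapped across two lines).
# Rows 3-4 are constructed for this example.
SAMPLE = """\
9/7/99,9:43:24 PM,DNS,Information,None,2,N/A,ZETA,The DNS Server has started.
9/7/99,9:40:04 PM,DNS,Error,None,4015,N/A,ZETA,The DNS server has encountered a critical
error from the Directory Service (DS). The data is the error code.
9/7/99,9:38:51 PM,Service Control Manager,Error,None,7000,N/A,ZETA,The Example service failed to start, and no recovery action is configured.
9/7/99,9:37:10 PM,Security,Failure Audit,Logon/Logoff,529,SYSTEM,ZETA,Logon Failure: Reason: Unknown user name or bad password
"""


def parse_export(text):
    """Parse a comma-delimited event log archive into a list of dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = RECORD_START.match(line)
        if match:
            # Split on the first eight commas only: Description is the last
            # field and may itself contain unquoted commas.
            parts = line.split(",", len(FIELDS) - 1)
            if len(parts) != len(FIELDS):
                raise ValueError(f"short record: {line!r}")
            rec = dict(zip(FIELDS, parts))
            year_fmt = "%Y" if len(match.group(1)) == 4 else "%y"
            rec["when"] = datetime.strptime(
                f"{rec['date']} {rec['time']}",
                f"%m/%d/{year_fmt} %I:%M:%S %p")
            rec["event"] = int(rec["event"])
            records.append(rec)
        elif records:
            # Wrapped Description text: append to the record it belongs to.
            records[-1]["description"] += " " + line
        else:
            raise ValueError(f"continuation before first record: {line!r}")
    return records


def needs_attention(records, types=("Warning", "Error")):
    """Return records of the given event types, oldest first."""
    return sorted((r for r in records if r["type"] in types),
                  key=lambda r: r["when"])


def count_by_source_and_event(records):
    """Count occurrences per (source, event ID) to expose repeating events."""
    return Counter((r["source"], r["event"]) for r in records)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE)
    # Failure Audit is included here as well so failed logons surface
    # alongside the warnings and errors.
    for r in needs_attention(parsed, ("Warning", "Error", "Failure Audit")):
        print(f"{r['when']:%Y-%m-%d %H:%M:%S} {r['computer']} "
              f"{r['source']} {r['type']} {r['event']}: {r['description']}")
```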

Creating Log Archives in the Event Viewer Format

To create a log archive in the Event Viewer file format, complete the following steps:

  1. In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs.

  2. Right-click the event log you want to archive and select Save Log File As from the shortcut menu.

  3. In the Save As dialog box, select a directory and a log filename.

  4. In the Save As Type dialog box, Event Log (*.evt) will be the default file type.

  5. Choose Save.

    Note: If you plan to archive logs regularly, you may want to create an archive directory. This way you can easily locate the log archives. You should also name the log file so that you can easily determine the log file type and the period of the archive. For example, if you're archiving the system log file for January 2000, you may want to use the filename System Log Jan. 2000.

Creating Log Archives In Other Formats

To create a tab- or comma-delimited log archive, follow these steps:

  1. In the Computer Management console, double-click on the Event Viewer entry. You should now see a list of event logs.

  2. Right-click on the event log you want to archive and select Save Log File As from the shortcut menu.

  3. In the Save As dialog box, select a directory and a log filename.

  4. Using the Save As Type drop-down list box, select the Text or CSV log file format.

  5. Choose Save.

Viewing Log Archives

You can view log archives in text format in any text editor or word processor. You should view log archives in the event log format in Event Viewer. You can view log archives in Event Viewer by completing the following steps:

  1. In the Computer Management console, right-click the Event Viewer entry. On the shortcut menu, select Open Log File. You should now see the Open dialog box shown in Figure 3-10.

  2. Select a directory and a log filename.

  3. Choose the log file type and then enter a display name for the log.

  4. Enter a display name for the log file.

  5. Click Open. The archived log is displayed as a separate view in Event Viewer. Select this view to display the saved events in the log.

Monitoring Server Performance and Activity

Monitoring a server isn't something you should do haphazardly. You need to have a clear plan—a set of goals that you hope to achieve. Let's take a look at the reasons you may want to monitor a server and at the tools you can use to do this.

Figure 3-10: Use the Open dialog box to open the saved event log in a new view.


Why Monitor Your Server?

Troubleshooting server performance problems is a key reason for monitoring. For example, users may be having problems connecting to the server and you may want to monitor the server to troubleshoot these problems. Here, your goal would be to track down the problem using the available monitoring resources and then to resolve it.

Another common reason for wanting to monitor a server is to improve server performance. You do this by improving disk I/O, reducing CPU usage, and cutting down on the network traffic load on the server. Unfortunately, there are often trade-offs to be made when it comes to resource usage. For example, as the number of users accessing a server grows, you may not be able to reduce the network traffic load, but you may be able to improve server performance through load balancing or by distributing key data files on separate drives.

Getting Ready to Monitor

Before you start monitoring a server, you may want to establish baseline performance metrics for your server. To do this, you measure server performance at various times and under different load conditions. You can then compare the baseline performance with subsequent performance to determine how the server is performing. Performance metrics that are well above the baseline measurements may indicate areas where the server needs to be optimized or reconfigured.

After you establish the baseline metrics, you should formulate a monitoring plan. A comprehensive monitoring plan includes the following steps:

  1. Determining which server events should be monitored in order to help you accomplish your goal.

  2. Setting filters to reduce the amount of information collected.

  3. Configuring monitors and alerts to watch the events.

  4. Logging the event data so that it can be analyzed.

  5. Analyzing the event data in Performance Monitor.

These procedures are examined later in the chapter. While you should develop a monitoring plan in most cases, there are times when you may not want to go through all these steps to monitor your server. For example, you may want to monitor and analyze activity as it happens rather than logging and analyzing the data later.

Using Performance Monitor

Performance Monitor graphically displays statistics for the set of performance parameters you've selected for display. These performance parameters are referred to as counters. You can also update the available counters when you install services and add-ons on the server. For example, when you configure DNS on a server, Performance Monitor is updated with a set of objects and counters for tracking DNS performance.

Performance Monitor creates a graph depicting the various counters you're tracking. The update interval for this graph is completely configurable but by default is set to one second. As you'll see when you work with Performance Monitor, the tracking information is most valuable when you record the information in a log file and when you configure alerts to send messages when certain events occur or when certain thresholds are reached, such as when the CPU processor time reaches 99 percent. The sections that follow examine key techniques you'll use to work with Performance Monitor.

Choosing Counters to Monitor

The Performance Monitor only displays information for counters you're tracking. Dozens of counters are available—and as you add services, you'll find there are even more. These counters are organized into groupings called performance objects. For example, all CPU-related counters are associated with the Processor object.

To select which counters you want to monitor, complete the following steps:

  1. Select the Performance option on the Administrative Tools menu. This displays the Performance console.

  2. Select the System Monitor entry in the left pane, shown in Figure 3-11.

    Figure 3-11: Counters are listed in the lower portion of the Performance Monitor window.

  3. Performance Monitor has several different viewing modes. Make sure you're in View Chart display mode by selecting the View Chart button on the Performance Monitor toolbar.

    To add counters, select the Add button on the Performance Monitor toolbar. This displays the Add Counters dialog box shown in Figure 3-12. The key fields are

    • Use Local Computer Counters: Configure performance options for the local computer.

    • Select Counters From Computer: Enter the Universal Naming Convention (UNC) name of the server you want to work with, such as \\ZETA. Or use the selection list to select the server from a list of computers you have access to over the network.

    • Performance Object: Select the type of object you want to work with, such as Processor.

      Note: The easiest way to learn what you can track is to explore the objects and counters available in the Add Counters dialog box. Select an object in the Performance Object field, click the Explain button, and then scroll through the list of counters for this object.

    • All Counters: Select all counters for the current object.

    • Select Counters From List: Select one or more counters for the current object. For example, you could select % Processor Time and % User Time.

    • All Instances: Select all counter instances for monitoring.

    • Select Instances From List: Select one or more counter instances to monitor.

    Figure 3-12: Select counters you want to monitor.

    Tip: Don't try to chart too many counters or counter instances at once. You'll make the display difficult to read and you'll use system resources, namely CPU time and memory, that may affect server responsiveness.

  4. When you've selected all the necessary options, click Add to add the counters to the chart. Then repeat this process, as necessary, to add other performance parameters.

  5. Click Done when you're finished adding counters.

  6. You can delete counters later by clicking on their entry in the lower portion of the Performance window and then clicking Delete.

Using Performance Logs

You can use performance logs to track the performance of a server and you can replay them later. As you set out to work with logs, keep in mind that parameters that you track in log files are recorded separately from parameters that you chart in the Performance window. You can configure log files to update counter data automatically or manually. With automatic logging, a snapshot of key parameters is recorded at specific time intervals, such as every 10 seconds. With manual logging, you determine when snapshots are made. Two types of performance logs are available:

  • Counter Logs: These logs record performance data on the selected counters when a predetermined update interval has elapsed.

  • Trace Logs: These logs record performance data whenever their related events occur.

Creating and Managing Performance Logging

To create and manage performance logging, complete the following steps:

  1. Access the Performance console by selecting the Performance option on the Administrative Tools menu.

  2. Expand the Performance Logs And Alerts node by clicking the plus sign (+) next to it. If you want to configure a counter log, select Counter Logs. Otherwise, select Trace Logs.

  3. As shown in Figure 3-13, you should see a list of current logs in the right pane (if any). A green log symbol next to the log name indicates logging is active. A red log symbol indicates logging is stopped.

  4. You can create a new log by right-clicking in the right pane and selecting New Log Settings from the shortcut menu. A New Log Settings box appears, asking you to give a name to the new log settings. Type a descriptive name here before continuing.

    Figure 3-13: Current performance logs are listed with summary information.

    To manage an existing log, right-click its entry in the right pane and then select one of the following options:

    • Start: To activate logging.

    • Stop: To halt logging.

    • Delete: To delete the log.

    • Properties: To display the log properties dialog box.

Creating Counter Logs

Counter logs record performance data on the selected counters at a specific sample interval. For example, you could sample performance data for the CPU every 15 minutes. To create a counter log, complete the following steps:

  1. Select Counter Logs in the left pane of the Performance console and then right-click in the right pane to display the shortcut menu. Choose New Log Settings.

  2. In the New Log Settings dialog box, type a name for the log, such as System Performance Monitor or Processor Status Monitor. Then click OK.

  3. In the General tab, click Add to display the Select Counters dialog box. This dialog box is identical to the Add Counters dialog box shown previously in Figure 3-12.

  4. Use the Select Counters dialog box to add counters for logging. Click Close when you're finished.

  5. In the Sample Data Every ... field, type in a sample interval and select a time unit in seconds, minutes, hours, or days. The sample interval specifies when new data is collected. For example, if you sample every 15 minutes, the log is updated every 15 minutes.

    Click the Log Files tab, shown in Figure 3-14, and then specify how the log file should be created using the following fields:

    • Location: Sets the folder location for the log file.

    • File Name: Sets the name of the log file.

    • End File Names With: Sets an automatic suffix for each new file created when you run the counter log. Logs can have a numeric suffix or a suffix in a specific date format.

    • Start Numbering At: Sets the first serial number for a log that uses an automatic numeric suffix.

    • Log File Type: Sets the type of log file to create. Use Text File – CSV for a log file with comma-separated entries. Use Text File – TSV for a log file with tab-separated entries. Use Binary File to create a binary file that can be read by Performance Monitor. Use Binary Circular File to create a binary file that overwrites old data with new data when the file reaches a specified size limit.

    Figure 3-14: Configure the log file format and usage.

    Tip: If you plan to use Performance Monitor to analyze or view the log, use one of the binary file formats.

    • Comment: Sets an optional description of the log, which is displayed in the Comment column.

    • Maximum Limit: Sets no predefined limit on the size of the log file.

    • Limit Of: Sets a specific limit in KB on the size of the log file.

  6. Click the Schedule tab, shown in Figure 3-15, and then specify when logging should start and stop.

  7. You can configure the logging to start manually or automatically at a specific date. Select the appropriate option and then specify a start date if necessary.

    Tip: Log files can grow in size very quickly. If you plan to log data for an extended period, be sure to place the log file on a drive with lots of free space. Remember, the more frequently you update the log file, the higher the drive space and CPU resource usage on the system.

    Figure 3-15: Specify when logging starts and stops.

    The log file can be configured to stop

    • Manually

    • After a specified period of time, such as seven days

    • At a specific date and time

    • When the log file is full (if you've set a specific file size limit)

  8. Click OK when you've finished setting the logging schedule. The log is then created, and you can manage it as explained in the "Creating and Managing Performance Logging" section of this chapter.

Creating Trace Logs

Trace logs record performance data whenever events for their source providers occur. A source provider is an application or operating system service that has traceable events. On domain controllers you'll find two source providers: the operating system itself and Active Directory:NetLogon. On other servers, the operating system will probably be the only provider available.

To create a trace log, complete the following steps:

  1. Select Trace Logs in the left pane of the Performance console and then right-click in the right pane to display the shortcut menu. Choose New, and then select New Log Settings.

  2. In the New Log Settings dialog box, type a name for the log, such as Logon Trace or Disk I/O Trace. Then click OK. This opens the dialog box shown in Figure 3-16.

  3. If you want to trace operating system events, select the Events Logged By System Provider option button. As shown in Figure 3-16, you can now select system events to trace.

    Caution: Collecting page faults and file detail events puts a heavy load on the server and causes the log file to grow rapidly. Because of this, you should collect page faults and file details only for a limited amount of time.

  4. If you want to trace another provider, select the Nonsystem Providers option button and then click Add. This displays the Add Nonsystem Providers dialog box, which you'll use to select the provider to trace.

    When you're finished selecting providers and events to trace, click the Log Files tab. You can now configure the trace file as detailed in step 6 of the section of this chapter entitled "Creating Counter Logs." The only change is that the log file types are different. With trace logs, you have two log types:

    • Sequential Trace File: Writes events to the trace log sequentially up to the maximum file size (if any).

    • Circular Trace File: Overwrites old data with new data when the file reaches a specified size limit.

    Figure 3-16: Use the General tab to select the provider to use in the trace.

  5. Choose the Schedule tab and then specify when tracing starts and stops.

  6. You can configure the logging to start manually or automatically at a specific date. Select the appropriate option and then specify a start date, if necessary.

  7. You can configure the log file to stop manually, after a specified period of time (such as seven days), at a specific date and time, or when the log file is full (if you've set a specific file size limit).

  8. When you've finished setting the logging schedule, click OK. The log is then created and can be managed as explained in the section of this chapter entitled "Creating and Managing Performance Logging."

Replaying Performance Logs

When you're troubleshooting problems, you'll often want to log performance data over an extended period of time and analyze the data later. To do this, complete the following steps:

  1. Configure automatic logging as described in the "Using Performance Logs" section of this chapter.

  2. Load the log file in Performance Monitor when you're ready to analyze the data. To do this, select the View Log File Data button on the Performance Monitor toolbar. This displays the Select Log File dialog box.

  3. Use the Look In selection list to access the log directory, and then select the log you want to view. Click Open.

  4. Counters you've logged are available for charting. Click the Add button on the toolbar and then select the counters you want to display.

Configuring Alerts for Performance Counters

You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.

To add alerts in Performance Monitor, complete the following steps:

  1. Select Alerts in the left pane of the Performance console, and then right-click in the right pane to display the shortcut menu. Choose New Alert Settings.

  2. In the New Alert Settings dialog box, type a name for the alert, such as Processor Alert or Disk I/O Alert. Then click OK. This opens the dialog box shown in Figure 3-17.

  3. In the General tab, type an optional description of the alert. Then click Add to display the Select Counters To Log dialog box. This dialog box is identical to the Add Counters dialog box shown previously in Figure 3-12.

    Figure 3-17: Use the Alert dialog box to configure counters that trigger alerts.

  4. Use the Select Counters To Log dialog box to add counters that trigger the alert. Click Close when you're finished.

  5. In the Counters panel, select the first counter and then use the Alert When The Value Is ... field to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is over or under a specific value. Select Over or Under, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter(s). For example, to alert if processor time is over 98 percent, you would select Over and then type 98 as the limit. Repeat this process to configure other counters you've selected.

  6. In the Sample Data Every ... field, type in a sample interval and select a time unit in seconds, minutes, hours, or days. The sample interval specifies when new data is collected. For example, if you sample every 10 minutes, the log is updated every 10 minutes.

    Caution: Don't sample too frequently. You'll use system resources and may cause the server to seem unresponsive to user requests.

    Select the Action tab, shown in Figure 3-18. You can now specify any of the following actions to happen when an alert is triggered:

    • Log An Entry In The Application Event Log: Creates log entries for alerts.

    • Send A Network Message To: Sends a network message to the computer specified.

    • Run This Program: Sets the complete file path of a program or script to run when the alert occurs.

    • Start Performance Data Log: Sets a counter log to start when an alert occurs.

    Tip: You can run any type of executable file, including batch scripts with the .BAT or .CMD extension and Windows scripts with the .VB, .JS, .PL, or .WSC extension. To pass arguments to a script or application, use the options of the Command Line Arguments panel. Normally, arguments are passed as individual strings. However, if you select Single Argument String, the arguments are passed in a comma-separated list within a single string. The Example Command Line Arguments list at the bottom of the tab shows how the arguments would be passed.

  7. Choose the Schedule tab and then specify when alerting starts and stops. For example, you could configure the alerts to start on a Friday evening and stop on Monday morning. Then each time an alert occurs during this period, the specified action(s) are executed.

    Figure 3-18: Set actions that are executed when the alert occurs.

  8. You can configure alerts to start manually or automatically at a specific date. Select the appropriate option and then specify a start date, if necessary.

  9. You can configure alerts to stop manually, after a specified period of time, such as seven days, or at a specific date and time.

  10. When you've finished setting the alert schedule, click OK. The alert is then created, and you can manage it in much the same way that you manage counter and trace logs.
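The baseline comparison described in "Getting Ready to Monitor" and the Over/Under alert test described above can also be run offline against a counter log saved as Text File – CSV. The following Python script is an added example, not part of the original chapter. The CSV layout, the sample values, the Memory\Available Bytes counter, and the rule of flagging a mean more than three standard deviations above the baseline are assumptions.

```python
import csv
import io
import statistics

CPU = r"\\ZETA\Processor(_Total)\% Processor Time"
MEM = r"\\ZETA\Memory\Available Bytes"  # assumed second counter for the example

# Constructed sample logs, not real measurements. Assumed layout: a header row
# of counter paths, then one row per sample with the timestamp in column one.
BASELINE_LOG = f'''"Time","{CPU}","{MEM}"
"06/29/2001 09:00:00","20","400000000"
"06/29/2001 09:15:00","25","410000000"
"06/29/2001 09:30:00","22","390000000"
"06/29/2001 09:45:00","21","400000000"
'''
LATER_LOG = f'''"Time","{CPU}","{MEM}"
"07/06/2001 09:00:00","61","395000000"
"07/06/2001 09:15:00","99","120000000"
"07/06/2001 09:30:00","99.5","110000000"
"07/06/2001 09:45:00"," ","400000000"
'''

def read_counter_log(text):
    """Return {counter path: [(timestamp, value), ...]} from CSV log text."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    names = rows[0][1:]
    series = {name: [] for name in names}
    for row in rows[1:]:
        for name, cell in zip(names, row[1:]):
            try:
                series[name].append((row[0], float(cell)))
            except ValueError:
                continue  # blank cell: no sample was collected at this interval
    return series

def baseline(series):
    """Mean and population standard deviation for each counter."""
    vals = {n: [v for _, v in s] for n, s in series.items() if s}
    return {n: (statistics.mean(v), statistics.pstdev(v)) for n, v in vals.items()}

def above_baseline(base, later, k=3.0):
    """Counters whose later mean is more than k deviations above baseline."""
    flagged = {}
    for name, samples in later.items():
        if name in base and samples:
            mean, dev = base[name]
            now = statistics.mean([v for _, v in samples])
            if now > mean + k * dev:
                flagged[name] = (mean, now)
    return flagged

def alert_hits(series, counter, direction, limit):
    """Samples that satisfy an 'Alert When The Value Is' Over/Under rule."""
    if direction not in ("Over", "Under"):
        raise ValueError("direction must be 'Over' or 'Under'")
    over = direction == "Over"
    return [(ts, v) for ts, v in series.get(counter, [])
            if (v > limit if over else v < limit)]
```

With the constructed logs, above_baseline flags only the processor counter, because the memory shortage appears as a drop in the counter; the Under rule in alert_hits is what catches it.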
