Logman

Manages and schedules performance counter and event trace log collections on local and remote systems.

Syntax Verbs

Logman [create {counter | trace} collection_name ] [start collection_name] [stop collection_name] [delete collection_name] [query {collection_name|providers}] [update collection_name]

Parameters

create { counter | trace } collection_name   : Creates collection queries for either counter or trace collections. You can use command line options to specify settings.

start   collection_name   : Starts the data collection query collection_name. Use this option to change from scheduled collections to manual ones. Use the update parameter in the command line with begin-time (-b), end-time (-e), or repeat-time (-rt) to reschedule collections.

stop   collection_name   : Stops the data collection query collection_name. Use this option to change from scheduled collections to manual ones. Use the update parameter in the command line with begin-time (-b), end-time (-e), or repeat-time (-rt) to reschedule collections.

delete   collection_name   : Deletes the data collection query collection_name. If the collection_name does not exist, you will receive an error.

query { collection_name | providers } : If no collection_name or providers are given, the status of all existing collection queries is displayed. Use collection_name to display the properties of a specific collection. To display the properties on remote computers, use the -s remote computer option in the command line. Use providers as your keyword in place of collection_name to display the registered providers installed on your local system. To list registered providers installed on the remote system, use the -s option in the command line.

update   collection_name   : Updates collection queries for counter and trace collections. For counter collections, modifications to the query will stop, and then restart the collections. For trace collections, use the following parameters in the command line to query without stopping the collection: -p provider [(flags[,flags ...])] Level, -max n, -o PathName, -ft mm:ss, or -fd.

Syntax Options

[-s computer_name] [-config FileName] [-b M/d/yyyy h:mm:ss[AM | PM]] [-e M/d/yyyy h:mm:ss[AM | PM]] [-m [start] [stop]] [-[-]r] [-o {Path | DSN!counter_log}] [-f {bin | bincirc | csv | tsv | SQL}] [-[-]a] [-[-]v [{nnnnn | mmddhhmm}]] [-[-]rc [FileName]] [-[-]max {value}] [-[-]cnf [[hh:]mm:]ss] [-c {Path [path ...] | -cf FileName}] [-si [[hh:]mm:]ss] [-ln logger_name] [-ets] [-[-]rt] [-p {GUID | provider [(flags[,flags ...])] Level | -pf FileName}] [-[-]ul] [-bs value] [-ft [[hh:]mm:]ss] [-nb min max] [-fd logger_name] [-[-]u user password] [-rf [[hh:]mm:]ss] [-y] [-mode {trace_mode [trace_mode ...]}]

Parameters

-s   computer_name   : Specifies that create, start, stop, delete, query, or update commands will be performed on the remote system. By default, the local system is used for commands.

-config   FileName   : Specifies the pathname of the settings file that contains command line parameters.

-b   M/d/yyyy h:mm:ss [ AM | PM ] : Specifies begin-time for collections in a 24-hour format. You can also specify begin-time for collections in a 12-hour format by adding AM or PM in the command line. By default, the current day and time is used unless otherwise specified. Use the manual start option to start the collection immediately.

-e   M/d/yyyy h:mm:ss [ AM | PM ] : Specifies end-time for collections in a 24-hour format. You can also specify end-time for collections in a 12-hour format by adding AM or PM in the command line. By default, the current day and time is used unless otherwise specified. Use the manual stop and then the repeat option to specify a stop time before the actual current time, or you will receive an error message.

-m   start   stop   : Specifies that collections start and stop manually by using the start and stop parameters in the command line. You cannot use the -m start and -b, or the -m stop and -e, or -rf parameters together in your command line for the same query.

-r   : Repeats the collection every day at the time periods specified by the -b and -rf options, or the -b and -e options. This command is only valid for begin- and end-times specified on the same day, month, and year.

--r   : Turns off the repeat option.

-o { Path | DSN!counter_log } : Specifies the pathname of the output file that collects performance counter and trace data, or the location of the SQL database and dataset. To specify SQL using the DSN!counter_log format, use the -f option in the command line. By default, the collection log file name is the collection query name suffixed by either .blg for performance counters, or .etl for trace data.

-f { bin | bincirc | csv | tsv | SQL } : Specifies the file format used for collecting performance counter and trace data. You can use binary, circular binary, comma and tab separated, or SQL database formats when collecting performance counters. You must use the -o option in the command line with the DSN!counter_log option. For SQL database formats, the Database System Name (DSN) must be predefined, and privileges granted to write to the database. The dataset counter_log is created in the database, and is specified by the DSN. Defaults to binary.

-a   : Use this option to append the file.

--a   : Turns off the append command option, and reverts to the overwrite mode.

-v { nnnnn | mmddhhmm } : Attaches the version control information to the end of the output file and path name. Use numeric nnnnn format, or date format mmddhhmm (month, day, 24-hour, minute) for version control.

--v   : Turns off the version option.

-rc   FileName   : Specifies to run this command after the file is closed either at the end, or during the collection period. Use the -rf option in conjunction with -cnf to close the files during the collection periods. Using the -stop option will not turn off this command. Commands always run in the foreground.

--rc   : Turns off the run this command option.

-max   value   : Specifies the maximum size of the collected log file in megabytes. If the log file exceeds the maximum size, the collection will stop. For a SQL database, the maximum size is the number of records to be written.

--max   : Turns off the maximum size limit option. This is the default option.

-cnf   [[hh:]mm:]ss   : Creates a new file when output files exceed a maximum size, or when the time specified elapses. You must include the -v option when executing this command. By default, only one log file is created during each collection.

--cnf   : Turns off the create-new-file option.

-c { Path [ path ... ] | -cf   FileName } : Specifies the performance counter path to log, or specifies the pathname of the log file that lists these counters. To list multiple counter paths, separate the command line by a space, or use the -cf option to list counter paths in an input file, one per line.

The general format for counter paths is as follows: [\\Computer]\object[parent/instance#index]\counter] where:

The parent, instance, index, and counter components of the format may contain either a valid name or a wildcard character. The computer, parent, instance, and index components are not necessary for all counters.

You determine the counter paths to use based on the counter itself. For example, the LogicalDisk object has an instance index, so you must provide the #index or a wildcard. Therefore, you could use the following format:

\LogicalDisk(*/*#*)\*

In comparison, the Process object does not require an instance index. Therefore, you could use the following format:

\Process(*)\ID Process

The following is a list of the possible formats:

  • \\machine\object(parent/instance#index)\counter

  • \\machine\object(parent/instance)\counter

  • \\machine\object(instance#index)\counter

  • \\machine\object(instance)\counter

  • \\machine\object\counter

  • \object(parent/instance#index)\counter

  • \object(parent/instance)\counter

  • \object(instance#index)\counter

  • \object(instance)\counter

  • \object\counter

If a wildcard character is specified in the parent name, all instances of the specified object that match the specified instance and counter fields will be returned.

If a wildcard character is specified in the instance name, all instances of the specified object and parent object will be returned if all instance names corresponding to the specified index match the wildcard character.

If a wildcard character is specified in the counter name, all counters of the specified object are returned.

Partial counter path string matches (for example, pro*) are not supported.
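The counter path formats and wildcard rules above can be checked before a path is passed to -c or written to a -cf input file. The following parser is an added example, not part of the original reference or of Logman itself; the names parse_counter_path and CounterPath are hypothetical.

```python
import re
from typing import NamedTuple, Optional


class CounterPath(NamedTuple):
    machine: Optional[str]
    obj: str
    parent: Optional[str]
    instance: Optional[str]
    index: Optional[str]
    counter: str


_PATH = re.compile(
    r"^(?:\\\\(?P<machine>[^\\]+))?"   # optional \\machine
    r"\\(?P<obj>[^\\(]+)"              # \object
    r"(?:\((?P<inst>[^)]+)\))?"        # optional (parent/instance#index)
    r"\\(?P<counter>[^\\]+)$"          # \counter
)


def parse_counter_path(path: str) -> CounterPath:
    """Split a counter path into its components and apply the wildcard rules."""
    m = _PATH.match(path)
    if m is None:
        raise ValueError(f"not a counter path: {path!r}")
    parent = instance = index = None
    if m["inst"] is not None:
        # (parent/instance#index): parent and index are both optional.
        head, sep, tail = m["inst"].partition("/")
        parent, rest = (head, tail) if sep else (None, head)
        instance, sep, idx = rest.partition("#")
        index = idx if sep else None
    cp = CounterPath(m["machine"], m["obj"], parent, instance, index, m["counter"])
    # Only parent, instance, index and counter are listed as accepting a wildcard.
    if "*" in cp.obj or (cp.machine and "*" in cp.machine):
        raise ValueError("wildcard not accepted in computer or object")
    for name in ("parent", "instance", "index", "counter"):
        value = getattr(cp, name)
        # Partial matches such as pro* are not supported.
        if value is not None and "*" in value and value != "*":
            raise ValueError(f"partial wildcard in {name}: {value!r}")
    return cp
```
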

-si   [[hh:]mm:]ss   : Specifies sample intervals for performance counter collection in hours, minutes, and seconds. The default is 15 seconds.

-ln   logger_name   : Specifies a user-defined name for the event trace logging session. By default, the collection name is used as the logger name.

-ets   : Creates and starts an event trace session with the options specified on the command line. You can use this optional parameter with the create trace, update, query, and delete parameters.

-rt   : Specifies that the event trace session run in real-time mode, and not log to a file. By default, the data logs to a file.

--rt   : Turns off the real-time logging option.

-p { GUID | provider [(flags[,flags ...])] Level | -pf FileName } : Specifies the providers (trace data collectors) to use for trace data collection. Use logman query providers to find the pname (named providers) from the registered provider list. Use the -pf option to list multiple providers. The -pf option identifies the input file containing the provider names. The provider names are enclosed by quotation marks (""), or with GUIDs enclosed by braces, flag masks, and integers (enable level). The flags are either in hexadecimal (0xFFFF) or (flag, flag) format.

-ul   : Specifies that the event trace session is run in user mode. If you use the -ul option, only one provider can be enabled for the event trace session.

--ul   : Specifies that the user mode is turned off, and the event trace session is run in kernel mode.

-bs   value   : Specifies the buffer size in n kilobytes for trace data collections.

-ft   [[hh:]mm:]ss   : Specifies the flush timer interval in minutes and seconds for trace data collections.

-nb   min max   : Specifies the minimum and maximum number of buffers for trace data collection. The minimum default is the number of processors on the system plus two. The maximum default is 25.

-fd   logger_name   : Flushes all the active buffers of an existing event trace session to a disk. Use this command in conjunction with the -ln option.

-u   user password   : Specifies the account name and password the collection query uses on local or remote systems. To start collecting data for collection queries, log Performance Logs and Alerts to the remote system. You can use * as your password in the command line to produce a prompt for the password.

--u   : Resets the account name to the Performance Logs and Alerts service account.

-rf   [[hh:]mm:]ss   : Specifies that collections run for a set period of time.

-y   : Overwrites the settings for collection name, and then applies new ones without querying the end user.

-mode { trace_mode [ trace_mode ... ]} : Specifies advanced options for trace sessions only where trace_mode can be either globalsequence, localsequence or pagedmemory. Globalsequence specifies that the event tracer add a sequence number to every event it receives irrespective of which trace session received the event. Localsequence specifies that the event tracer add sequence numbers for events received at a specific trace session. When the localsequence option is used, duplicate sequence numbers can exist across all sessions but will be unique within each trace session. Pagedmemory specifies that the event tracer use paged memory rather than the default non-paged memory pool for its internal buffer allocations.

/?   : Displays help at the command prompt.

Remarks

  • Valid options for the command-line verbs create, update, start, stop, delete, and query are:

    -s remote machine name

    -[-]u Domain/username password

  • Valid options for create and update, and common options for counter and trace are:

    -y

    -b M/d/yyyy h:mm:ss [AM|PM]

    -e M/d/yyyy h:mm:ss [AM|PM]

    -rf hh:mm:ss

    -m start stop

    -f bin|bincirc

    -[-]r

    -o PathName

    -[-]a

    -[-]v nnnnn|mmddhhmm

    -[-]rc command pathname

    -[-]max n

    -[-]cnf hh:mm:ss

  • Common options for counters only are:

    -f bin|bincirc|csv|tsv|SQL

    -o PathName | DSN!counter_log

  • Common options for create counter are:

    -c counterpath | -cf input file

    -si [[hh:]mm:]ss

    These options update the counter, and will stop and start collections.

  • Options for update for trace collection are:

    -max n

    -o PathName

    -ft mm:ss

    -fd

    These options will query trace collections without stopping the collections.

  • Valid options with counters only are:

    -f bin|bincirc|csv|tsv|SQL

    -o PathName | DSN!counter_log

  • Valid options with create counter commands are:

    -c counterpath | -cf input file

    -si hh:mm:ss

  • Valid options for create trace commands are:

    -ln logger name

    -[-]rt

    -p Guid | provider (flags[,flags ...]) level | -pf FileName

    -[-]ul

    -bs n

    -ft mm:ss

    -nb min max

    -fd logger name

    -ets

  • Using the -config option

    The contents of the setting file used with the -config option should have the following format:

    [command_option]

    value

    where command_option is a command line option and value specifies its value. For example:

    [create]

    counter logx

    [-s]

    mysystem

    [-u]

    mypassword

  • Using the -mode option

    You should only use this option if you are an advanced user.

  • Managing Performance monitor

    You can only use Logman to manage systems running Windows 2000 or Windows XP.

  • For more information about incorporating Logman into your Windows Management Instrumentation (WMI) scripts, see Scripting Logs and Monitoring at the Microsoft Windows Resource Kits Web site.
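The -config settings-file format described in the remarks above can be reviewed before the file is used, because it may carry the -u password, an -rc command, and an -s remote target. The following check is an added example, not part of the original reference; parse_settings and review_settings are hypothetical names, and joining several value lines under one option with a space is an assumption.

```python
import re
from typing import Dict, List

_HEADER = re.compile(r"^\[(?P<opt>[^\]]+)\]$")


def parse_settings(text: str) -> Dict[str, str]:
    """Map each [command_option] header to the value lines that follow it."""
    settings: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = m["opt"].lower()
            settings[current] = []
        elif current is None:
            raise ValueError(f"value before any [command_option]: {line!r}")
        else:
            settings[current].append(line)
    # Assumption: multiple value lines under one option are joined with a space.
    return {opt: " ".join(vals) for opt, vals in settings.items()}


def review_settings(settings: Dict[str, str]) -> List[str]:
    """Report the options a reviewer should look at before running the file."""
    findings = []
    cred = settings.get("-u", "").split()
    # Conservative: any -u value that does not end in * is reported.
    if cred and cred[-1] != "*":
        findings.append("-u: password stored in the file; use * to be prompted")
    if settings.get("-rc"):
        findings.append(f"-rc: runs {settings['-rc']!r} when the log file closes")
    if settings.get("-s"):
        findings.append(f"-s: acts on remote system {settings['-s']!r}")
    return findings


# Sample input: the settings-file example shown on this page.
PAGE_EXAMPLE = """
[create]
counter logx
[-s]
mysystem
[-u]
mypassword
"""
```
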

Examples

Date formats in the following examples are for US local time only.

To create daily counter collection queries with begin and end times, repeat collections, version control numbers, counter paths and sample intervals, type:

Logman create counter daily_perf_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -c "\Processor(_Total)\% Processor Time" "\Memory\Available bytes" -si 00:15 -o "c:\perflogs\daily_log"

To create daily collection queries with begin and end times, repeat collections, output file collections, version control numbers, counter paths and sample intervals, type:

Logman create counter daily_perf_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -o "c:\perflogs\daily_log" -v mmddhhmm -c "\Processor(_Total)\% Processor Time" "\Memory\Available bytes" -si 00:15

To create daily collection queries using the config file, instead of the command line file, type:

Logman -config daily_perf.txt

To create daily trace collection queries with begin and end times, repeat collections, version control numbers, provider names, input and output file collections, type:

Logman create trace daily_kernel_trace_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -p "Windows Kernel Trace" 0xFFFFFFFF -rf 100 -o "c:\perflogs\daily_nt_trace"

To create daily trace collection queries with begin and end times, repeat collections, version control numbers, Guid and logger names, input and output file collections, type:

Logman create trace daily_lsass_trace_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -p "Local Security Authority(LSA)" 0x00000001 -rf 30:00 -o "c:\perflogs\daily_lsass_trace"

To create daily counter collection queries with begin and end times, repeat collections, version control numbers, counter paths, sample intervals, SQL formats and output file collections, type:

Logman create counter daily_perf_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -c "\Processor(_Total)\% Processor Time" "\Memory\Available bytes" -si 00:15 -f sql -o perfdb!daily_log

To start daily collections with sample intervals, account names and passwords, type:

Logman start daily_perf_log -s \\%computer_name% -u admin "adminpassword"

To start manual data collections, type:

Logman start daily_perf_log

To stop data collections, type:

Logman stop daily_perf_log

To delete data collections, type:

Logman delete daily_perf_log

To display the status of collection queries, type the following commands:

Logman query

Logman query daily_perf_log

Formatting legend

Format : Meaning

Italic : Information that the user must supply

Bold : Elements that the user must type exactly as shown

Ellipsis (...) : Parameter that can be repeated several times in a command line

Between brackets ([]) : Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd} : Set of choices from which the user must choose only one

Courier font : Code or program output
