Logman

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Manages and schedules performance counter and event trace log collections on local and remote systems.

Syntax Verbs

Logman [create {counter | trace} [CollectionName]] [start CollectionName] [stop CollectionName] [delete CollectionName] [query {CollectionName | providers [providerName]}] [update CollectionName]

Parameters
  • create {counter | trace} CollectionName
    Creates collection queries for either counter or trace collections. You can use command line options to specify settings.
  • start CollectionName
    Starts the data collection query CollectionName. Use this option to change from scheduled collections to manual ones. Use the update parameter in the command line with begin-time (-b), end-time (-e), or repeat-time (-rt) to reschedule collections.
  • stop CollectionName
    Stops the data collection query CollectionName. Use this option to change from scheduled collections to manual ones. Use the update parameter in the command line with begin-time (-b), end-time (-e), or repeat-time (-rt) to reschedule collections.
  • delete CollectionName
    Deletes the data collection query CollectionName. If the CollectionName does not exist, you will receive an error.
  • query {CollectionName | providers [providerName]}
    If no CollectionName or providers are given, the status of all existing collection queries is displayed. Use CollectionName to display the properties of a specific collection. To display the properties on remote computers, use the -s RemoteComputer option in the command line. Use providers as your keyword in place of CollectionName to display the registered providers installed on your local system. To list registered providers installed on the remote system, use the -s option in the command line. Use query providers providerName to display a list of parameters that can be set for the specified provider, including their values and descriptions of what they enable. Note that this information is provider dependent.
  • update CollectionName
    Updates collection queries for counter and trace collections. For counter collections, modifications to the query will stop, and then restart the collections. For trace collections, use the following parameters in the command line to query without stopping the collection: -p provider [(Flags[,Flags ...])] Level, -max N, -o PathName, -ft MM:SS, or -fd.

Syntax Options

[-s ComputerName]

[-config FileName]

[-b M/D/YYYY H:MM:SS [{AM | PM}]]

[-e M/D/YYYY H:MM:SS [{AM | PM}]]

[-m [start] [stop]]

[-[-]r]

[-o {Path | DSN!CounterLog}]

[-f {bin | bincirc | csv | tsv | SQL}]

[-[-]a]

[-[-]v [{NNNNNN | MMDDHHMM}]]

[-[-]rc [FileName]]

[-[-]max [Value]]

[-[-]cnf [[HH:]MM:]SS]

[-c {Path [Path ...] | -cf FileName}]

[-si [[HH:]MM:]SS]

[-ln LoggerName]

[-ets]

[-[-]rt]

[-p {GUID | provider [(Flags [,Flags...])] Level | -pf [FileName]}]

[-[-]ul]

[-bs Value]

[-ft [[HH:]MM:]SS]

[-nb Min Max]

[-fd LoggerName]

[-[-]u UserName Password]

[-rf [[HH:]MM:]SS]

[-y]

[-mode [TraceMode [TraceMode ...]]]

[-ct {system | perf | cycle}]

Parameters
  • -s ComputerName
    Specifies that create, start, stop, delete, query, or update commands will be performed on the remote system. By default, the local system is used for commands.
  • -config FileName
    Specifies the pathname of the settings file that contains command line parameters.
  • -b M/D/YYYY H:MM:SS [{AM | PM}]
    Specifies begin-time for collections in a 24-hour format. You can also specify begin-time for collections in a 12-hour format by adding AM or PM in the command line. By default, the current day and time is used unless otherwise specified. Use the manual start option to start the collection immediately.
  • -e M/D/YYYY H:MM:SS [{AM | PM}]
    Specifies end-time for collections in a 24-hour format. You can also specify end-time for collections in a 12-hour format by adding AM or PM in the command line. By default, the current day and time is used unless otherwise specified. Use the manual stop and then the repeat option to specify a stop time before the actual current time, or you will receive an error message.
  • -m [start] [stop]
    Specifies that collections start and stop manually by using the start and stop parameters in the command line. You cannot use the -m start and -b, or the -m stop and -e, or -rf parameters together in your command line for the same query.
  • -r
    Repeats the collection every day at the time periods specified by the -b and -rf options, or the -b and -e options. This command is only valid for begin- and end-times specified on the same day, month, and year.
  • --r
    Turns off the repeat option.
  • -o {Path | DSN!CounterLog}
    Specifies the pathname of the output file that collects performance counter and trace data, or the location of the SQL database and dataset. To specify SQL using the DSN!CounterLog format, use the -f option in the command line. By default, the collection log file name is the collection query name suffixed by either .blg for performance counters, or .etl for trace data.
  • -f {bin | bincirc | csv | tsv | SQL}
    Specifies the file format used for collecting performance counter and trace data. You can use binary, circular binary, comma and tab separated, or SQL database formats when collecting performance counters. You must use the -o option in the command line with the DSN!CounterLog option. For SQL database formats, the Database System Name (DSN) must be predefined, and administrative credentials granted to write to the database. The dataset CounterLog is created in the database, and is specified by the DSN. Defaults to binary.
  • -a
    Use this option to append the file.
  • --a
    Turns off the append command option, and reverts to the overwrite mode.
  • -v {NNNNNN | MMDDHHMM}
    Attaches the version control information to the end of the output file and path name. Use numeric NNNNNN format, or date format MMDDHHMM (month, day, 24-hour, minute) for version control.
  • --v
    Turns off the version option.
  • -rc FileName
    Specifies to run this command after the file is closed either at the end, or during the collection period. Use the -rf option in conjunction with -cnf to close the files during the collection periods. Using the -stop option will not turn off this command. Commands always run in the foreground.
  • --rc
    Turns off the run this command option.
  • -max Value
    Specifies the maximum size of the collected log file in megabytes. If the log file exceeds the maximum size, the collection will stop. For a SQL database, the maximum size is the number of records to be written.
  • --max
    Turns off the maximum size limit option. This is the default option.
  • -cnf [[HH:]MM:]SS
    Creates a new file when output files exceed a maximum size, or when the time specified elapses. You must include the -v option when executing this command. By default, only one log file is created during each collection.
  • --cnf
    Turns off the create-new-file option.
  • -c {Path [Path ...] | -cf FileName}
    Specifies the performance counter path to log, or specifies the pathname of the log file that lists these counters. To list multiple counter paths, separate the command line by a space, or use the -cf option to list counter paths in an input file, one per line.
The general format for counter paths is as follows: [\\Computer]\Object[Parent/Instance#Index]\Counter where the parent, instance, index, and counter components of the format can contain either a valid name or a wildcard character. The computer, parent, instance, and index components are not necessary for all counters.

You determine the counter paths to use based on the counter itself. For example, the LogicalDisk object has an instance Index, so you must provide the #Index or a wildcard. Therefore, you could use the following format:

\LogicalDisk(*/*#*)\*

In comparison, the process object does not require an instance Index. Therefore, you could use the following format:

\process(*)\ID process

The following is a list of the possible formats:

  - \\computer\object(parent/instance#index)\counter
  - \\computer\object(parent/instance)\counter
  - \\computer\object(instance#index)\counter
  - \\computer\object(instance)\counter
  - \\computer\object\counter
  - \object(parent/instance#index)\counter
  - \object(parent/instance)\counter
  - \object(instance#index)\counter
  - \object(instance)\counter
  - \object\counter

If a wildcard character is specified in the parent name, all instances of the specified object that match the specified instance and counter fields will be returned.

If a wildcard character is specified in the instance name, all instances of the specified object and parent object will be returned if all instance names corresponding to the specified index match the wildcard character.

If a wildcard character is specified in the counter name, all counters of the specified object are returned.

Partial counter path string matches (for example, pro*) are not supported.
  • -si [[HH:]MM:]SS
    Specifies sample intervals for performance counter collection in hours, minutes, and seconds. Default is 15 seconds.
  • -ln LoggerName
    Specifies a user-defined name for the event trace logging session. By default, the collection name is used as the logger name.
  • -ets
    Creates and starts an event trace session with the options specified on the command line. You can use this optional parameter with the create trace, update, query, and delete parameters. To display the parameters and levels that have been set for currently running event trace sessions, type:
    logman query LoggerName -ets
  • -rt
    Specifies that the event trace session run in real-time mode, and not log to a file. By default, the data logs to a file.
  • --rt
    Turns off the real-time logging option.
  • -p {GUID | provider [(Flags[,Flags ...])] Level | -pf [FileName]}
    Specifies the providers (trace data collectors) to use for trace data collection. Use logman query providers to find the PName (named providers) from the registered provider list. Use the -pf option to list multiple providers. The -pf option identifies the input file containing the provider names. The provider names are enclosed by quotation marks (""), or with GUIDs enclosed by braces, flag masks, and integers (enable level). The flags are either in hexadecimal (0xFFFF) or (flag, flag) format.
  • -ul
    Specifies that the event trace session is run in user mode. If you use the -ul option, only one provider can be enabled for the event trace session.
  • --ul
    Specifies that the user mode is turned off, and the event trace session is run in kernel mode.
  • -bs Value
    Specifies the buffer size in N kilobytes for trace data collections.
  • -ft [[HH:]MM:]SS
    Specifies the flush timer interval in minutes and seconds for trace data collections.
  • -nb Min Max
    Specifies the minimum and maximum number of buffers for trace data collection. Minimum default is the number of processors on the system plus two. Maximum default is at 25.
  • -fd LoggerName
    Flushes all the active buffers of an existing event trace session to a disk. Use this command in conjunction with the -ln option.
  • -u UserName Password
    Specifies the account name and password the collection query uses on local or remote systems. To start collecting data for collection queries, log Performance Logs and Alerts to the remote system. You need to use this option or the Run As command when you set up a configuration on a local computer that saves the performance data to a remote SQL server. You can use * as your password in the command line to produce a prompt for the password. The password does not appear when you type it at the password prompt.
  • --u
    Resets the account name to the Performance Logs and Alerts service account.
  • -rf [[HH:]MM:]SS
    Specifies that collections run for a set period of time.
  • -y
    Overwrites the settings for collection name, and then applies new ones without querying the end user.
  • -mode [TraceMode [TraceMode ...]]
    Specifies advanced options for trace sessions only where TraceMode can be either globalsequence, localsequence or pagedmemory. Globalsequence specifies that the event tracer add a sequence number to every event it receives irrespective of which trace session received the event. Localsequence specifies that the event tracer add sequence numbers for events received at a specific trace session. When the localsequence option is used, duplicate sequence numbers can exist across all sessions but will be unique within each trace session. Pagedmemory specifies that the event tracer use paged memory rather than the default non-paged memory pool for its internal buffer allocations.
  • -ct {system | perf | cycle}
    Specifies the clock resolution used when the timestamp for each event is logged. Use the default clock type, -ct system, to provide a timestamp resolution of 10 ms. Use -ct perf for a resolution of 100 ns. Alternatively, use -ct cycle if you want to consume fewer system resources. It collects data at the processor clock cycle and then normalizes it to 100 ns. If you choose the cycle option but your hardware platform does not support this clock type, the operating system will change it to perf.
  • /?
    Displays help at the command prompt.
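
The counter path rules given under -c above (the ten accepted formats, wildcards only as whole components, no partial matches such as pro*) can be checked before a list is handed to -cf. The following Python code is an added example, not part of the original reference or of Logman; CounterPath, parse_counter_path and split_counter_list are hypothetical names, and the numeric-index check is an assumption the page does not state.

```python
import re
from collections import namedtuple
from typing import List, Tuple

CounterPath = namedtuple("CounterPath", "computer obj parent instance index counter")

_PATH_RE = re.compile(
    r"""^(?:\\\\(?P<computer>[^\\]+))?   # optional \\computer
        \\(?P<obj>[^\\(]+)               # \object
        (?:\((?P<inst>[^)]*)\))?         # optional (parent/instance#index)
        \\(?P<counter>[^\\]+)$           # \counter
    """, re.VERBOSE)

def parse_counter_path(path: str) -> CounterPath:
    """Split one counter path into its components; raise ValueError if invalid."""
    m = _PATH_RE.match(path.strip())
    if m is None:
        raise ValueError(f"not a counter path: {path!r}")
    parent = instance = index = None
    inst = m.group("inst")
    if inst is not None:
        if "/" in inst:
            parent, inst = inst.split("/", 1)
        if "#" in inst:
            inst, index = inst.rsplit("#", 1)
        instance = inst
    cp = CounterPath(m.group("computer"), m.group("obj"), parent, instance,
                     index, m.group("counter"))
    # The page allows wildcards only in parent, instance, index and counter.
    if "*" in (cp.computer or "") or "*" in cp.obj:
        raise ValueError(f"wildcard in computer or object: {path!r}")
    for name in ("parent", "instance", "index", "counter"):
        value = getattr(cp, name)
        # A wildcard must be the whole component: "pro*" is not supported.
        if value is not None and (value == "" or ("*" in value and value != "*")):
            raise ValueError(f"empty or partial-wildcard {name}: {path!r}")
    # Assumption (not stated on the page): an instance index is numeric.
    if cp.index not in (None, "*") and not cp.index.isdigit():
        raise ValueError(f"index must be a number or *: {path!r}")
    return cp

def split_counter_list(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected) paths for a -cf input file, one per line."""
    accepted, rejected = [], []
    for line in (raw.strip() for raw in lines if raw.strip()):
        try:
            parse_counter_path(line)
            accepted.append(line)
        except ValueError:
            rejected.append(line)
    return accepted, rejected

# Constructed sample input, not taken from a real system.
SAMPLE = [
    r"\processor(_Total)\% processor Time",
    r"\\srv01\LogicalDisk(*/*#*)\*",
    r"\process(pro*)\ID process",  # partial wildcard: rejected
    r"\Memory",                    # no counter component: rejected
]
```

Writing only the accepted list to the -cf input file keeps a malformed path from failing the whole collection query.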
Remarks
  • You can use a subset of Logman commands to manage computers running Windows 2000 from a computer running Windows XP Professional. Windows 2000 does not support the following options:

    -r

    -o when specifying a Database System Name (DSN)

    -f sql

    -cnf

    -ln

    -ft

    -fd

    -ets

    -mode

    You can use the -u option to connect to the target computers; however, you cannot use it to set the credentials for the remote collection. The collection will run under whatever account you have configured the Performance Logs and Alerts service. By default, this is the Local System account.

  • Valid options for the command-line verbs create, update, start, stop, delete, and query are:

    -s RemoteComputer

    -[-]u Domain/UserName Password

  • Valid options for create and update, and common options for counter and trace are:

    -y

    -b M/D/YYYY HH:MM:SS [{AM | PM}]

    -e M/D/YYYY HH:MM:SS [{AM | PM}]

    -rf HH:MM:SS

    -m [start] [stop]

    -f {bin | bincirc}

    -[-]r

    -o PathName

    -[-]a

    -[-]v {NNNNN | MMDDHHMM}

    -[-]rc Command PathName

    -[-]max N

    -[-]cnf HH:MM:SS

  • Common options for counters only are:

    -f {bin | bincirc | csv | tsv | SQL}

    -o {PathName | DSN!CounterLog }

  • Common options for create counter are:

    -c {CounterPath | -cf InputFile}

    -si [[HH:]MM:]SS

    These options update the counter, and will stop and start collections.

  • Options for update for trace collection are:

    -max N

    -o PathName

    -ft MM:SS

    -fd

    These options will query trace collections without stopping the collections.

  • Valid options with counters only are:

    -f {bin | bincirc | csv | tsv | SQL}

    -o {PathName | DSN!CounterLog }

  • Valid options with create counter commands are:

    -c {CounterPath | -cf InputFile}

    -si [[HH:]MM:]SS

  • Valid options for create trace commands are:

    -ln LoggerName

    -[-]rt

    -p {GUID | provider (Flags[,Flags ...]) Level | -pf FileName}

    -[-]ul

    -bs N

    -ft MM:SS

    -nb Min Max

    -fd LoggerName

    -ets

  • Using the -config option

    The contents of the setting file used with the -config option should have the following format:

    [CommandOption]

    Value

    where CommandOption is a command line option and Value specifies its value. For example:

    [counter]

    logx

    [-s]

    mysystem

    [-u]

    UserName Password

  • Using the -mode option

    You should only use this option if you are an advanced user.

  • Using the -ct option

    The default system clock type is sufficient for most providers that generate events. However, if a provider is capable of generating events at a rate greater than 1 per 10 ms, use a perf clock type.

  • Managing Performance monitor

    You can only use Logman to manage systems running Windows 2000, Windows XP, or the Windows Server 2003 family of operating systems.

  • For more information about incorporating Logman into your Windows Management Instrumentation (WMI) scripts, see "Scripting WMI" at the Microsoft Windows Resource Kits Web site.
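
The settings file format described under "Using the -config option" stores the -u account and password as plain text. The following Python code is an added example, not part of the original reference or of Logman: it parses [CommandOption]/Value pairs and reports accounts whose password is stored in the file. parse_settings and embedded_credentials are hypothetical names, and the layout (each value on the line after its header, blank lines ignored) is an assumption.

```python
from typing import List, Tuple

Entry = Tuple[str, str]

def parse_settings(text: str) -> List[Entry]:
    """Parse '[CommandOption]' / 'Value' pairs; an option may have no value."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines between items are ignored
        if line.startswith("[") and line.endswith("]"):
            entries.append((line[1:-1].strip(), ""))
        elif entries and entries[-1][1] == "":
            entries[-1] = (entries[-1][0], line)
        else:
            raise ValueError(f"value line without its own [CommandOption]: {line!r}")
    return entries

def embedded_credentials(entries: List[Entry]) -> List[str]:
    """Return account names whose [-u] value carries a literal password."""
    accounts = []
    for option, value in entries:
        parts = value.split(None, 1)
        # On the command line "-u UserName *" prompts for the password;
        # a "*" here is treated as "no password stored in the file".
        if option.lower() == "-u" and len(parts) == 2 and parts[1] != "*":
            accounts.append(parts[0])
    return accounts

# The page's own example values, laid out one item per line (assumed layout).
SAMPLE = """\
[counter]
logx
[-s]
mysystem
[-u]
UserName Password
"""

if __name__ == "__main__":
    for account in embedded_credentials(parse_settings(SAMPLE)):
        print(f"settings file stores a password for account {account}")
```

A settings file that this check flags needs the same access restrictions as any other stored credential.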

Examples

Date formats in the following examples are for US local time only.

To create daily counter collection queries with begin and end times, repeat collections, version control numbers, counter paths and sample intervals, type:

Logman create counter daily_perf_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -c "\processor(_Total)\% processor Time" "\Memory\Available bytes" -si 00:15 -o "c:\perflogs\daily_log"

To create daily collection queries with begin and end times, repeat collections, output file collections, version control numbers, counter paths and sample intervals, type:

Logman create counter daily_perf_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -o "c:\perflogs\daily_log" -v mmddhhmm -c "\processor(_Total)\% processor Time" "\Memory\Available bytes" -si 00:15

To create daily collection queries using a settings file instead of command-line options, type:

Logman -config daily_perf.txt

To create daily trace collection queries with begin and end times, repeat collections, version control numbers, provider names, input and output file collections, type:

Logman create trace daily_kernel_trace_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -p "Windows Kernel Trace" 0xFFFFFFFF -rf 100 -o "c:\perflogs\daily_nt_trace"

To create daily trace collection queries with begin and end times, repeat collections, version control numbers, GUID and logger names, input and output file collections, type:

Logman create trace daily_lsass_trace_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -p "Local Security Authority(LSA)" 0x00000001 -rf 30:00 -o "c:\perflogs\daily_lsass_trace"

To create daily counter collection queries with begin and end times, repeat collections, version control numbers, counter paths, sample intervals, SQL formats and output file collections, type:

Logman create counter daily_perf_log -b 7/27/2000 13:00:00 -e 7/27/2000 15:00:00 -r -v mmddhhmm -c "\processor(_Total)\% processor Time" "\Memory\Available bytes" -si 00:15 -f sql -o perfdb!daily_log

To start daily collections with sample intervals, account names and passwords, type:

Logman start daily_perf_log -s \\%computer_name% -u admin "adminpassword"

To start manual data collections, type:

Logman start daily_perf_log

To stop data collections, type:

Logman stop daily_perf_log

To delete data collections, type:

Logman delete daily_perf_log

To display the status of collection queries, type the following commands:

Logman query

Logman query daily_perf_log

Formatting legend

  • Italic
    Information that the user must supply
  • Bold
    Elements that the user must type exactly as shown
  • Ellipsis (...)
    Parameter that can be repeated several times in a command line
  • Between brackets ([])
    Optional items
  • Between braces ({}); choices separated by pipe (|). Example: {even|odd}
    Set of choices from which the user must choose only one
  • Courier font
    Code or program output

See Also

Concepts

Start or stop a counter log, trace log, or alert manually
Define start or stop parameters for a log or alert
Performance Logs and Alerts overview
Relog
Command-line reference A-Z
Command shell overview