Performance Logging

By using performance logs you can record performance information for replay in Performance Monitor at a later date. You can also export logging data to spreadsheets or databases for analysis and report generation. Performance logging is configured as a Windows service called Performance Logs and Alerts. Because this service runs under the special identity Network Service by default, a user needn't be logged on to the computer you are monitoring to collect performance information.

Note

The Performance Logs and Alerts service is configured to start manually and is stopped by default. You shouldn't start it yourself. It is started by the Performance Logs and Alerts snap-in as necessary.

Creating Performance Logs

You create performance logs by using Performance Monitor. In Performance Monitor, expand the Performance Logs And Alerts node, and then select the type of performance log you want to create. Two types of performance logs are available: counter logs and trace logs.

Counter logs record performance data at a specific interval by using the performance objects and counters discussed previously. You can save data in several formats, including comma-delimited and tab-delimited text and binary. When using a text file, you can export the data to a spreadsheet or database for further analysis. When using the binary format, logged data can be replayed in real time in System Monitor.

Trace logs monitor continuously for specific types of events from Windows system providers and subcomponents and record performance data whenever those events occur. Trace logs can also obtain information from nonsystem providers such as Active Directory, Netlogon, and the Security Accounts Manager (SAM). To interpret the trace log output, you need a parsing tool that can read the raw data and convert it into a usable format. One tool available in Windows Server 2003 is Tracerpt. Tracerpt is a command-line utility that processes trace logs and allows you to generate trace analysis reports and comma-delimited text files for the events generated.

For both trace and counter logs, parameters that you track in log files are recorded separately from parameters that you chart in Performance Monitor. You can configure performance logging to start manually or automatically. Logging can be manually started in Performance Monitor. Automatic monitoring can be scheduled to start at a specific date and time.

Using Counter Logs

After you select the Counter Logs node in the left pane of Performance Monitor, you should see a list of current logs (if any) in the right pane. A green log symbol next to the log name, as shown in the following screen, indicates logging is active. A red log symbol indicates logging is stopped.

You can manage an existing counter log by right-clicking its entry in the right pane, and then selecting one of the available shortcut options. Choose Delete to delete the log. Choose Properties to display the log's Properties dialog box. Choose Start to activate logging. Choose Stop to halt logging. Choose Save Settings As to save the log configuration as a Web page that can be viewed in a browser, such as Microsoft Internet Explorer, or imported into a new counter log using New Log Settings From.

Tip

View performance data from the Web

The Web page created by using the Save Settings As option has an embedded System Monitor that you can use to view the performance data you've configured. If you save the settings to a folder published under Microsoft Internet Information Services (IIS), you are able to view performance data remotely. All you must do is type the appropriate Uniform Resource Locator (URL) in the Web browser's Address box.

You can create a new counter log by right-clicking in the right pane and selecting New Log Settings from the shortcut menu. A New Log Settings dialog box is displayed asking you to name the new log settings. Type a descriptive name here before continuing, and then click OK. A Properties dialog box similar to the one in Figure 16-4 is displayed.

Figure 16-4. After you name the counter log, you can specify the performance objects and counters you want to track

You have two options for tracking performance data. To add all counters for specific performance objects, click Add Objects, and then use the Add Object dialog box to select the objects you want to add. All counters for these objects will be logged. To add specific counters for objects, click Add Counters, and then use the Select Counters dialog box to select the counters you want to add.

In the Properties dialog box, any counters you've selected are added to the Counters list in the General tab. By default, each counter is sampled once every 15 seconds. For most monitoring, this is too rapid because you'll want to collect data over a period of several hours and the data set grows too large with so much sampling going on. Lots of sampling also requires lots of processing power. So, to reduce overhead and get a more useful sample, set a longer sampling interval, such as once every 5 minutes or once every 15 minutes.

Next, select the Log Files tab, as shown in Figure 16-5. By default, counter logs are saved as sequentially numbered binary files in the %SystemDrive%\PerfLogs directory.

Figure 16-5. After you specify counters to track, configure the logging options

If desired, you can change the logging options. Use Log File Type to set the log type as one of the following formats:

  • Text File (Comma Delimited) creates a log file with comma-separated entries.

  • Text File (Tab Delimited) creates a log file with tab-separated entries.

  • Binary File creates a binary file that Performance Monitor can read.

  • Binary Circular File creates a binary file that overwrites old data with new data when the file reaches a specified size limit.

  • SQL Database writes the performance data to a Microsoft SQL database.

Tip

If you plan to use Performance Monitor to analyze or view the log, use one of the binary file formats.

If you want the counter logs to use a particular naming style, use End File Names With to set an automatic suffix for each new file created when you run the counter log. Logs can have a numeric suffix or a suffix in a specific date format. With a numeric suffix, use Start Numbering At to set the first serial number for a log that uses an automatic numeric suffix.

After you set the log file type, click Configure to configure the log file location. If you selected SQL Database as the file type, use the Configure SQL Logs dialog box to select a previously configured system Data Source Name (DSN). The DSN is used to establish a connection to a structured query language (SQL)–compliant database. If you selected another file type, you'll be able to set the log file name and folder location. By choosing either selection, you have the option of limiting the log file size to a specific value, such as 1 MB, as shown in the following screen:

When you've set all of the log file options, click the Schedule tab, shown in Figure 16-6, and then specify when logging should start and stop. You can configure the logging to start manually or automatically at a specific date. Select the appropriate option, and then specify a start date if necessary.

Figure 16-6. Specify when logging should start and stop

Once logging is started, it will continue until you manually shut it off. You can configure the log file to stop manually, after a specified period of time (such as seven days), at a specific date and time, or when the log file is full (if you've set a specific file size limit). When a log file closes, you can start a new log file or run a command automatically as well.

Click OK when you've finished setting the logging schedule and the new log will be added to the Counter Logs list. The log's icon will be red until logging starts.

Monitoring Performance from the Command Line

Windows Server 2003 includes a command-line utility called Typeperf for writing performance data to the command line. You can use it to monitor the performance of both local and remote computers. The available parameters for Typeperf are summarized in Table 16-2.

Table 16-2. Parameters for Typeperf

Parameter              Description
-cf <filename>         Specifies a file containing a list of performance counters to monitor.
-config <filename>     Specifies the settings file containing command options.
-f <CSV|TSV|BIN|SQL>   Sets the output file format. The default is .csv for comma separated values.
-o <filename>          Sets the path of an output file or SQL database.
-q [object]            Lists installed counters for the specified object.
-qx [object]           Lists installed counters with instances.
-s <ComputerName>      Sets the server to monitor if no server is specified in the counter path.
-sc <samples>          Sets the number of samples to collect.
-si <[[hh:]mm:]ss>     Sets the time between samples. The default is 1 second.
-y                     Answers Yes to all questions without prompting.

Looks complicated, I know, but Typeperf is fairly easy to use once you get started. In fact, all you really need to provide to get basic monitoring information is the pathname to the performance counter you want to track. The performance counter path has the following syntax:

\\ComputerName\ObjectName\ObjectCounter

Here, the path starts with the UNC computer name or IP address of the local or remote computer you are working with and includes the object name and the object counter to use. If you wanted to track System\Processor Queue Length on CORPSVR02, you'd type:

typeperf "\\corpsvr02\System\Processor Queue Length"

Note

You might have noticed that I enclosed the counter path in double quotation marks. Although this is good form for all counter paths, it is required in this example because the counter path includes spaces.

You can also easily track all counters for an object by using an asterisk (*) as the counter name, such as in the following:

typeperf "\\corpsvr02\Memory\*"

Here, you track all counters for the Memory object.

A slight problem is introduced for objects that have multiple instances. For these objects, such as the Processor object, you must specify the object instance you want to work with. The syntax for this is as follows:

\\ComputerName\ObjectName(ObjectInstance)\ObjectCounter

Here, you follow the object name with the object instance in parentheses. To work with all instances of an object that has multiple instances, you use _Total as the instance name. To work with a specific instance of an object, use its instance identifier. For example, if you want to examine the Processor\% Processor Time counter, you must use either this to work with all processor instances:

typeperf "\\corpsvr02\Processor(_Total)\% Processor Time"

or this to work with a specific processor instance:

typeperf "\\corpsvr02\Processor(0)\% Processor Time"

In this case, that is the first processor on the system.

By default, Typeperf writes its output to the command line in a comma-delimited list. You can redirect the output to a file using the –O parameter and set the output format using the –F parameter. The output format indicators are CSV for a comma-delimited text file, TSV for a tab-delimited text file, BIN for a binary file, and SQL for a SQL binary file. Consider the following example:

typeperf "\\corpsvr02\Memory\*" -o perf.bin -f bin

Here, you track all counters for the Memory object and write the output to a binary file called Perf.bin in the current directory.

If you need help determining the available counters, type typeperf -q followed by the object name whose counters you want to view, such as in the following:

typeperf -q Memory

If an object has multiple instances, you can list the installed counters with instances by using the –QX parameter, such as in the following:

typeperf -qx PhysicalDisk

You can use this counter information as input to Typeperf as well. Add the –O parameter and write the output to a text file, such as in the following:

typeperf -qx PhysicalDisk -o perf.txt

Then edit the text file so that only the counters you want to track are included. You can then use the file to determine which performance counters are tracked by specifying the –CF parameter followed by the file path to this counter file. Consider the following example:

typeperf -cf perf.txt -o c:\perflogs\perf.bin -f bin

Here, Typeperf reads the list of counters to track from Perf.txt and then writes the performance data in binary format to a file in the C:\PerfLogs directory.

The one problem with Typeperf is that it will sample data once every second until you tell it to stop by pressing Ctrl+C. This is fine when you are working at the command line and monitoring the output. It doesn't work so well, however, if you have other things to do—and most administrators do. To control the sampling interval and set how long to sample, you can use the –SI and –SC parameters, respectively. For example, if you wanted Typeperf to sample every 60 seconds and stop logging after 120 samples, you could type this:

typeperf -cf perf.txt -o C:\perflogs\perf.bin -f bin -si 60 -sc 120
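
When Typeperf output is written as comma-delimited text instead of binary, it can be analyzed outside Performance Monitor. The following Python script is an added example, not part of the original text: it parses that CSV layout (a header row of counter paths, then one timestamped row per sample), treats blank cells as missing samples, and reports runs of consecutive samples above a threshold. The sample data, the Available MBytes counter, the threshold of 5, and the three-sample run length are constructed assumptions.

```python
import csv
import io

# Constructed sample in the CSV layout typeperf writes with -f csv:
# header row = format marker + counter paths, then one row per sample.
SAMPLE = r'''"(PDH-CSV 4.0)","\\corpsvr02\System\Processor Queue Length","\\corpsvr02\Memory\Available MBytes"
"05/10/2004 09:00:00.000","1.000000","512.000000"
"05/10/2004 09:01:00.000","6.000000","498.000000"
"05/10/2004 09:02:00.000","7.000000"," "
"05/10/2004 09:03:00.000","9.000000","455.000000"
"05/10/2004 09:04:00.000","2.000000","470.000000"
"05/10/2004 09:05:00.000","8.000000","468.000000"
'''


def load_samples(text):
    """Return {counter_path: [(timestamp, value_or_None), ...]}."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or len(rows[0]) < 2:
        raise ValueError("missing header row with counter paths")
    paths = rows[0][1:]
    series = {p: [] for p in paths}
    for row in rows[1:]:
        if not row:
            continue
        stamp, cells = row[0], row[1:]
        for i, path in enumerate(paths):
            raw = cells[i].strip() if i < len(cells) else ""
            try:
                value = float(raw)
            except ValueError:
                value = None  # blank or unreadable sample
            series[path].append((stamp, value))
    return series


def sustained_breaches(samples, threshold, min_run):
    """Find runs of at least min_run consecutive samples above threshold.
    A missing sample (None) ends the current run."""
    runs, current = [], []
    for stamp, value in samples:
        if value is not None and value > threshold:
            current.append(stamp)
            continue
        if len(current) >= min_run:
            runs.append((current[0], current[-1], len(current)))
        current = []
    if len(current) >= min_run:
        runs.append((current[0], current[-1], len(current)))
    return runs


if __name__ == "__main__":
    data = load_samples(SAMPLE)
    queue = data[r"\\corpsvr02\System\Processor Queue Length"]
    # Threshold and run length are illustrative values, not recommendations.
    for first, last, n in sustained_breaches(queue, threshold=5, min_run=3):
        print(f"queue length > 5 for {n} samples: {first} to {last}")
```
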

Using Trace Logs

You use trace logs to monitor continuously for specific types of events generated by system providers and subcomponents of the operating system and to record performance data whenever those events occur. For Windows system providers, you can track the following general events:

  • Process creations/deletions: Records performance data related to the creation and deletion of processes.

  • Threads creations/deletions: Records performance data related to the creation and deletion of threads.

  • Disk I/O: Records disk I/O operations. You should select this data if you plan to monitor file details.

  • Network TCP/IP: Records Transmission Control Protocol/Internet Protocol (TCP/IP) send and receive requests.

  • Page faults: Records page faults.

  • File details: Records file I/O operations.

Trace logs can also obtain information from nonsystem providers, including these:

  • Active Directory: Core

  • Active Directory: Kerberos

  • Active Directory: Netlogon

  • Active Directory: SAM

  • DNS Trace

  • Local Security Authority (LSA)

  • NTLM Security Protocol

  • Processor Trace Information

  • Spooler Trace Control

After you select the Trace Logs node in the left pane of Performance Monitor, you should see a list of current logs (if any) in the right pane. A green log symbol next to the log name, as shown in the following screen, indicates logging is active. A red log symbol indicates logging is stopped.

You can manage an existing trace log by right-clicking its entry in the right pane, and then selecting one of the available shortcut options. Choose Delete to delete the log. Choose Properties to display the log's Properties dialog box. Choose Start to activate logging. Choose Stop to halt logging. Choose Save Settings As to save the log configuration as a Web page that can be viewed in a browser, such as Internet Explorer, or imported into a new counter log using the New Log Settings From option.

Tip

View performance data from the Web

The Web page created by using Save Settings As has an embedded System Monitor that you can use to view the performance data you've configured. If you save the settings to a folder published under IIS, you are able to view performance data remotely. All you must do is type the appropriate URL in the Web browser's Address box.

You can create a new trace log by right-clicking in the right pane and selecting New Log Settings from the shortcut menu. A New Log Settings dialog box is displayed asking you to name the new log settings. Type a descriptive name here before continuing, and then click OK. A Properties dialog box similar to the one in Figure 16-7 is displayed.

Figure 16-7. After you name the trace log, you can specify the provider to track

To trace operating system events, select the Events Logged By System Provider option, then select system events to trace. Collecting page faults and file details events puts a heavy load on the server and causes the log file to grow rapidly. Because of this, you should collect page faults and file details only for a limited amount of time.

To trace events from nonsystem providers, select the Nonsystem Providers option, and then click Add. This displays the Add Nonsystem Providers dialog box, which you use to select the provider to trace.

In the Run As box, type the name of the account under which the counter log will run, and then click Set Password. After you type the password for the account and then confirm the password, click OK to close the Set Password dialog box. To run the log under the default account, Network Service, type <Default>.

Next, select the Log Files tab, as shown in Figure 16-8. For trace logs, you have two log types: Sequential Trace File, which writes events to the trace log sequentially up to the maximum file size (if any), and Circular Trace File, which overwrites old data with new data when the file reaches a specified size limit. By default, counter logs are saved as sequentially numbered binary files in the %SystemDrive%\PerfLogs directory.

Figure 16-8. After you specify providers to use, configure the logging options

If you want the trace logs to use a particular naming style, use the End File Names With option to set an automatic suffix for each new file created when you run the trace log. Logs can have a numeric suffix or a suffix in a specific date format. For a numeric suffix, use the Start Numbering At option to set the first serial number for a log that uses an automatic numeric suffix.

After you set the log file type, click Configure to configure the log file location. You are able to set the log file name and folder location. You also have the option of limiting the log file size to a specific value, such as 1 MB, as shown in the following screen:

When you've set all of the log file options, click the Schedule tab, shown in Figure 16-9, and then specify when logging should start and stop. You can configure the logging to start manually or automatically at a specific date. Select the appropriate option, and then specify a start date if necessary.

Figure 16-9. Specify when logging should start and stop

Once logging is started, it will continue until you manually shut it off. You can configure the log file to stop manually, after a specified period of time (such as seven days), at a specific date and time, or when the log file is full (if you've set a specific file size limit). When a log file closes, you can start a new log file or run a command automatically.

Click OK when you've finished setting the logging schedule and the new log will be added to the Trace Logs list. The log's icon will be red until logging starts.
