The Performance Logs and Alerts Tool
System Monitor is useful if you just want to fire up a quick realtime session to show performance counters on local or remote machines. But if you want longer-term persistent logging of performance data, you need to use the Performance Logs and Alerts tool's logging features. The Performance Logs tool lets you store Performance Monitor counter data from multiple servers to a central log file that you can later use System Monitor to view or other tools to manipulate. If you expand the Performance Logs node in MMC, you'll see three categories: Counter Logs, Trace Logs, and Alerts. I focus mainly on Counter Logs. The Alerts tool simply lets you take an action (e.g., send an email or a Net Send message) based on a counter passing a specified threshold value. Alerts is sort of a poor man's system-monitoring tool.
To illustrate how you can use Counter Logs, we need to create a new log session. Right-click the Counter Logs node and select New Log Settings, then give the logging session a unique name. The dialog box that opens, which Figure 2 shows, lets you select the objects and counters that you want to monitor across one or more servers.
The first thing you'll notice when you create a new logging session is that System Monitor creates the performance log for data storage in a folder called C:\perflogs on the system running the logging session. You can use the Log Files tab to change this path, but you must first select the objects and counters to log. Click Add Objects to select all the counters for an object. If you want to log only individual counters, click Add Counters. For either option, you can select objects and counters from a local or remote machine.
You can set the frequency with which you'd like to collect data, as Figure 3 shows. If you're collecting long-term data, I recommend using a reasonable interval—especially if you're monitoring many counters on multiple machines. Log files can get large if the interval is too small. Start with every 15 minutes, assess your log file size after a few intervals to estimate how big your log files will grow, and adjust accordingly.
To change the default user ID, enter a new ID in the Run As text box. System Monitor uses the user ID to connect to the machines you're monitoring.
You need sufficient permission to collect Performance Monitor data. The permissions on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib registry subkey control access to Performance Monitor data. Performance Monitor data feeds through this registry subkey into tools such as System Monitor. By default, this subkey grants access to performance data to members of the local Administrators and Server Operators groups, as well as to any user logged on to the local machine. You can adjust permissions on this subkey to restrict which groups or users can access data.
After you set the options for which objects and counters on which servers you want to log, you can use the Log Files tab to adjust the format of the log file that generates. You can use the Schedule tab to change the schedule on which the logging session runs. If you set the session for a timed start or stop, logging starts as soon as you apply the changes to the session. If you set the start as manual, you must right-click the log session in the MMC window to explicitly start logging.
Under the Log Files tab, Performance Monitor logging supports storing log files in several formats in addition to the native binary .blg file format. You can store your data to text-based comma-separated value (CSV) files or even SQL Server tables—which is a new Windows Server 2003 and XP feature. If you choose SQL Server, you must specify a data source and table that you want to use to store the data—but the SQL Server option is useful if you need to collect a large amount of performance data over time.
When you start logging, you'll notice that a 65KB log file writes to the log directory. Each time you stop and start logging, a new log file generates with an incremented number in its name. An interesting new feature in XP and Win2K lets you continue logging performance data even if the Performance Monitor tool isn't running. In NT 4.0, you had to install the Microsoft Windows NT Server 4.0 Resource Kitbased Datalog service to get this unattended monitoring functionality. XP and Win2K include the Performance Logs and Alerts Windows service. This service automatically starts when a logging session starts (and stops when the session stops).
Another XP and Win2K performance-logging improvement is saving logging sessions. In NT 4.0, you can create logging workspaces that store to a binary file. If you want to reuse your selected performance objects and counters in a logging session for a different set of servers, you need to recreate the workspace file for each server or servers you want to monitor. This task is tedious if, for example, you want to distribute a set of logging settings to run locally on a set of servers. In XP and Win2K, all the settings files (i.e., logging and alerting) are implemented as HTML-based files. Thus, you can easily modify a settings file such as the one that Listing 1 shows. The code at callout A in Listing 1 shows the name of the log file to which performance data will be stored during this session. The code at callout B lists the command, script, or batch file that should run when the logging session stops. In this case, no command is specified. The code at callout C starts to list the performance objects and counters being tracked during this session. Listing 1 shows only a portion of a full session file. If you understand each entry, you can easily edit a session file manually. You can change the server name and even the counters you're monitoring, then distribute the settings file to any machine from which you want to perform logging. To create an HTML settings file for a logging session, right-click the session name in Performance Monitor and select Save Settings As.
Register
