To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Events are forwarded using Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS).
Criteria for filtering:
• Logged—The time and date range an event occurred in. You can select from a list of periods or specify a custom range.
• Event level—Select from these levels of event severity: Critical, Error, Warning, Information, and Verbose.
• Event sources—Select one or multiple sources of events (for example, the Task Scheduler service).
• Event IDs—You can enter a single ID or multiple IDs separated by commas. Placing a minus sign in front of an ID excludes it from the filter results.
• Task category—A list of categories becomes available only if you select an event source with corresponding tasks.
• Keywords—Select from a list of predefined keywords, such as Audit Failure or Audit Success.
• User—Use specific user accounts as filters. You can enter a single user or a list of users separated by commas.
• Computer—Use a specific computer or groups of computers as filters. For multiple computers, separate the list items with commas.
Creating Tasks from Events
Responding to events manually can be time consuming and inefficient because an administrator would have to review the logs constantly. However, you can create a task in Event Viewer that runs whenever a particular event is logged.
Steps to configure tasks
1. Right-click an event in a log and click Attach Task To This log to start the Create Basic Task Wizard.
2. You can enter a name for the task or use the name that’s assigned automatically. The assigned name begins with the log name followed by the source and event ID.
3. The next window shows details about the type of event that triggers the task: log name, source, and event ID. This information can’t be changed.
4. In the Action window, you select from these options: Start a program, Send an e-mail (deprecated), or Display a message (deprecated). To run a program or script, click the Start a program option button, if necessary, and then click Next.
Sending an e-mail and displaying a message are deprecated options. They’re still available, but they might be removed in later versions, so using them isn’t recommended.
5. In the Start a Program window, type the program or script name you want to run (or browse to and select the name) when the event is generated. You can also enter command-line arguments and a working directory.
6. In the Finish window, you can review the details.
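As an added example (not from the original notes), this PowerShell builds the same XPath the Filter tab produces from the criteria listed earlier, checks it with Get-WinEvent, and then attaches a scheduled task to that query, generalising the one-event Attach Task wizard to a full filter. The source, event IDs, script path and task name are assumptions.

```powershell
# Added example, not from the original notes. Values below are assumptions.
# Filter criteria: levels Critical (1) and Error (2), source Service Control
# Manager, event IDs 7000 and 7001 but not 7036, logged in the last 24 hours.
$levels   = @(1, 2)
$source   = 'Service Control Manager'
$eventIds = @(7000, 7001)
$excluded = @(7036)
$windowMs = 24 * 60 * 60 * 1000      # "Logged" range expressed as a timediff in ms

$levelExpr = ($levels   | ForEach-Object { "Level=$_" })    -join ' or '
$idExpr    = ($eventIds | ForEach-Object { "EventID=$_" })  -join ' or '
$exclExpr  = ($excluded | ForEach-Object { "EventID!=$_" }) -join ' and '

# Same shape Event Viewer writes on the XML tab of a custom view.
# The query lives inside XML, so "<=" has to be written as "&lt;=".
$xpath = "*[System[Provider[@Name='$source'] and ($levelExpr) and ($idExpr)" +
         " and ($exclExpr) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]"

$queryXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">$xpath</Select>
  </Query>
</QueryList>
"@

# 1. Check what the filter matches before automating anything on it.
Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

# 2. Attach a task to the same query. The wizard fixes one log, source and
#    ID; an event trigger's Subscription property accepts the whole QueryList.
$triggerClass = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler `
                             -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $queryXml

# Assumed responder script, i.e. the wizard's "Start a program" action.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -File C:\Scripts\On-ServiceFailure.ps1'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount `
                 -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew

# Task name follows the wizard's convention: log, source, event ID.
Register-ScheduledTask -TaskName 'System_Service Control Manager_7000-7001' `
    -Trigger $trigger -Action $action -Principal $principal -Settings $settings -Force
```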
Using Log Categories
Events are logged in two main categories:
- Windows logs, containing events that apply system wide and events from applications;
Windows logs contain these five log files:
• System—This log stores events generated by Windows system components, such as a device driver that fails to load. Windows determines the events and the information on each event a particular component logs.
• Application—This log stores events generated by applications. For example, a database-driven accounting system might generate an Application log entry when a write operation to the database fails. Application developers determine what events and information an application logs.
• Security—This log stores events related to security policies, such as logon attempts, file accesses, and file creation or deletion. Administrators can determine and set the security policies that create log entries.
• Setup—This log stores events occurring during Windows setup.
• Forwarded Events—This log stores events collected from other systems. An event subscription (discussed later in “Event Subscriptions”) must be created to collect events from other systems.
- Applications and Services logs, containing events from specific applications or system services.
In the Windows logs (except for the Security log) and the Applications and Services logs, there are four levels:
• Error—A problem that can affect how the application or component logging the event functions
• Critical—An unrecoverable failure in an application or a component
• Warning—An issue that doesn’t immediately affect operations but might cause future problems if not addressed
• Information—A change not related to any problems, such as an application finishing successfully
The Security log has these two levels: Audit Success (a file or object was accessed successfully) and Audit Failure (a file or object was accessed unsuccessfully).
There are four subtypes of these logs: Admin, Operational, Analytic, and Debug.
- The Admin subtype shows a problem and a solution with instructions on how to fix the problem. The detail and guidance it supplies make it a good source of troubleshooting information for users, administrators, and support staff.
- Operational logs aren’t as straightforward, and determining solutions might require more analysis; typically, users don’t have the knowledge or expertise to use an Operational log.
- Analytic logs record a series of events related to a problem. Because the volume of events logged can be quite high, sifting through information in Analytic logs requires more effort than with Admin or Operational logs.
- Debug logs contain events software developers can evaluate to troubleshoot programs.
By default, the Analytic and Debug logs are hidden and disabled. To make them visible, click View, Show Analytic and Debug Logs from the menu. To enable them after they have been made visible, right-click the one you want to enable and click Enable Log.
Event Viewer typically shows information from only one log at a time. So how can you mix a variety of data from different logs? You can create custom views to pull data from multiple logs based on the criteria listed previously in “Viewing Events.” Event logs are XML based, which enables you to construct XML queries, but the selections in the Filter tab allow you to create views that should answer most needs without requiring XML coding knowledge.
To configure event subscriptions, perform the following steps:
1. Configure the forwarding computer.
2. Configure the Collecting Computer.
3. Create an Event Subscription.
CONFIGURE THE FORWARDING COMPUTER
To configure a forwarding computer to forward events, perform the following steps:
1. Right-click Start and choose Command Prompt (Admin).
2. At the command prompt, execute the following command:
winrm quickconfig
3. To add the collecting computer name to the Administrators group, execute the following command:
net localgroup "Administrators" <collecting_computer_name>$@<domain_name> /add
4. If a message appears, indicating that changes must be made, type Y and then press Enter.
5. Close the Command Prompt window.
The winrm quickconfig command on the forwarding computer accomplishes the following:
- It sets the Windows Remote Management (WS-Management) service to Automatic (Delayed Start) and starts the service.
- It configures the Windows Remote Management HTTP listener.
- It creates a Windows Firewall exception.
CONFIGURE THE COLLECTING COMPUTER
To configure a collecting computer to receive forwarded events, perform the following steps:
1. Right-click Start and choose Command Prompt (Admin).
2. At the command prompt, execute the following command:
wecutil qc
3. Close the Command Prompt window.
By executing the wecutil qc command (Windows Event Collector utility), you configure the receiving computer to receive events. The last step is to specify the events you want to send to the receiving computer.
CREATE AN EVENT SUBSCRIPTION
Instead of going from system to system to check event logs, you can use the Forwarded Events log to view event information from remote computers in a single log. To create this log, you need an event subscription. An event subscription specifies what server to collect events from, what events to collect, and the local event log to write them to.
To create an event subscription on the collecting computer, perform the following steps:
1. Open Server Manager.
2. Click Tools > Event Viewer.
3. Right-click Subscriptions and choose Create Subscription. The Subscription Properties dialog box opens.
4. Enter a name. If necessary, type a description in the Description text box.
5. In the Subscription type and source computers section, choose one of the following two options:
• Collector initiated: The collecting computer polls the source computers to retrieve events. Then click the Select Computers button to select which computers to poll.
• Source computer initiated: The forwarding computer contacts the collection computer. Then click the Select Computer Groups button to specify the forwarding computers.
6. Click Select Events. The Query Filter dialog box opens.
7. Optionally, you can click the Advanced button to open the Advanced Subscription Settings dialog box and then configure the bandwidth used (Normal, Minimize Bandwidth, and Minimize Latency) and the protocol (HTTP or HTTPS). Click OK to close the Advanced Subscription Settings dialog box.
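The forwarding, collecting and subscription steps above as commands, added here as an example rather than the notes' own procedure: the subscription is created from an XML file with wecutil instead of the Subscription Properties dialog, and the collector's computer account is placed in Event Log Readers (the notes use Administrators; Event Log Readers is enough to read the logs). Computer names, the domain and the file path are placeholders.

```powershell
# Added example, not from the original notes. Names are placeholders.

# --- On each forwarding (source) computer, from an elevated prompt ---
winrm quickconfig -q             # WinRM service, HTTP listener, firewall exception
# Computer accounts are written as NAME$@DOMAIN; single quotes keep $@ literal.
net localgroup "Event Log Readers" 'COLLECTOR$@EXAMPLE.LOCAL' /add

# --- On the collecting computer, from an elevated prompt ---
wecutil qc /q                    # Windows Event Collector service, delayed auto start

# Constructed subscription file. ConfigurationMode maps to the Advanced
# Subscription Settings choices: Normal, MinBandwidth, MinLatency (or Custom).
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>Security-Failures</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Audit Failure events from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <!-- Keyword bit 0x10000000000000 = Audit Failure, as the Query Filter writes it -->
          <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>srv01.example.local</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$file = Join-Path $env:TEMP 'Security-Failures.xml'
$subscription | Set-Content -Path $file -Encoding UTF8
wecutil cs $file                 # create the subscription from the file
wecutil gr Security-Failures     # runtime status: per-source heartbeat and last error
```

`wecutil gr` is the quickest check that the collector can actually reach each source; a source that never shows a heartbeat usually means WinRM, the firewall exception or the group membership step was missed on that computer.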
Right-click the taskbar and click Task Manager, or press Ctrl+Alt+Delete and choose Task Manager.
Use the Set Priority feature with care. Setting a higher priority can sometimes have unexpected and undesirable results. In particular, never set priority to Realtime unless an application’s instructions specify it.
Basic Performance Monitoring
Although there are many specialized tools you can use for performance monitoring, you can do basic monitoring in the Performance tab of Task Manager on three important performance components: CPU, memory, and network adapters (Ethernet in the figure). These components are listed on the left with basic current information in the last 60-second period.
A thread is the smallest piece of program code that Windows can schedule for execution. For example, Microsoft Word is an application and is listed in Task Manager in the Processes tab, but several threads can be scheduled to run within this larger process, such as the spell checking and autocorrect features.
A handle is a reference to a resource on the computer. Handles are often associated with open files but can also be associated with a block of memory or other data structures an application is using. Handles help processes and the OS keep track of open and used resources.
You have to hover your mouse over parts of the Memory composition graph to see the In use, Modified, Standby, and Free labels.
• In use—Memory used by the OS, applications, and other processes
• Modified—Memory containing content that must be written to disk before being released for other purposes
• Standby—Memory containing cached information
• Free—Memory available for use
Below the graphs on the right is hardware information, including the memory’s speed, how many memory slots are being used, the form factor (indicating the type of memory), and how much memory is reserved for use by hardware. More data is available under the graphs, including the following:
• In use—Total amount of memory currently allocated by the OS and running processes.
• Available—The amount of physical memory that can be used by the system and running
• Committed—Measures the demand for virtual memory. As the amount of committed memory exceeds available physical memory, paging increases, and if it becomes excessive, it can have a serious effect on performance.
• Cached—The sum of modified and standby memory, described in the preceding list.
• Paged pool—The amount of memory currently required by the OS kernel and drivers that can be written to virtual memory.
• Non-paged pool—The amount of memory currently required by the OS kernel and drivers that must remain in physical memory.
Another tool for real-time monitoring is Resource Monitor, which shows CPU, memory, disk, and network use information for separate processes or the system as a whole in real time. You can go beyond the simple system resource monitoring Task Manager offers. With Resource Monitor, you can review processes that have stopped responding and close them if needed, check current file use by applications, and start, restart, pause, and end services.
Type resmon.exe at a command prompt or in the Run dialog box to start it.
The CPU tab is divided into four sections: Processes, Services, Associated Handles, and Associated Modules.
The Processes section displays the name of the program executable file, the process ID (PID), a short description of the process, its status, the number of threads in use, the percentage of the CPU it’s currently using, and an average of CPU use for the past 60 seconds.
The Services section displays a service’s name, PID, description, and status as well as the service group it belongs to, the current percentage of CPU being used, and the average CPU use. Right-click a service to start, stop, or restart it.
The Associated Handles section shows the file handles in use by selected processes.
The Associated Modules section shows files, such as dynamic link libraries (DLLs), used by selected processes as part of their operation. When you click a check box next to a process name in the Processes section, the results in the lower sections are filtered. Only the services, file handles, and module names associated with this process are shown.
In the Memory tab, the graphs on the right show overall memory use. The left side is divided into Processes and Physical Memory sections. In the Processes section, each process’s memory use is divided into these categories:
• Commit—How much physical memory plus pages from the paging file the OS reserves for the process
• Working Set—How much physical memory is currently in use
• Shareable—How much physical memory is in use and shared with other processes
• Private—How much physical memory is in use and not shared with other processes, which is a fairly close indication of the amount of memory this process requires to run
• Hard Faults/sec—The number of times the process must read memory written to the paging file.
The Physical Memory section has a color-coded bar graph of overall memory allocation divided into these sections:
• Hardware Reserved—Memory reserved by hardware components, such as buses, video cards, and sound cards, used to communicate with the OS
• In Use—Memory used by OS processes, drivers, and other processes
• Modified—Pages of modified memory that haven’t been accessed for some time
• Standby—Memory still linked to a process but available for reuse
• Free—Memory not in use by any processes or released when a process ended
In the Disk tab, graphs on the right show overall disk activity and the queue length for each disk. The left side is divided into three sections: Processes with Disk Activity, Disk Activity, and Storage. For each process, the Disk Activity section shows the files in use (one per line), read activity, write activity, total activity (read + write), priority, and response time. To filter the display, you can click the check box next to a process. The Storage section shows logical disks with their physical drive numbers.
Metrics in both sections can help you troubleshoot performance problems. For example, in the Storage section, a consistently high value in the Active Time column (showing the percentage of time a disk is actually servicing requests) can indicate a bottleneck, and adding disk storage and distributing the load could alleviate this problem. In the Disk Activity section, response times consistently higher than 20 milliseconds (ms) warrant attention, and consistent response times higher than 50 ms indicate a serious problem.
In the Network tab, graphs on the right show overall network bandwidth use over the past 60 seconds, the number of TCP connections, and the current utilization of Ethernet connections (one graph per NIC).
The left side is divided into these sections:
- Processes with Network Activity, which shows the processes currently accessing the network and how much data is being sent and received;
- Network Activity, which lists the amount of data processes are sending and receiving as well as their network addresses;
- TCP Connections, which lists local and remote addresses and ports associated with programs (executable images) accessing the network;
- Listening Ports, which lists all ports currently listening. To filter the display, you can click the check box next to a process.
Metrics in this tab that are especially useful for troubleshooting include Ethernet connection use graphs.
- Watch for consistent utilization higher than 40%, which can indicate a network bottleneck that might be improved with some changes to the network layout (such as adding subnets).
- Consistent utilization in the 60% to 70% range is a good indicator that you should reexamine the network layout.
- If you’re seeing utilization consistently higher than 90%, there’s definitely a problem that should be solved as soon as possible.
Using Performance Monitor
Although general data can point you in the right direction, more detailed metrics are helpful in identifying a specific problem. Performance Monitor can collect and combine data from three sources:
• Performance counters—Performance metrics from OS components and applications. Depending on what’s being reported, they can be counts (such as physical disk reads per second) or percentages (for example, CPU utilization).
• Configuration information—Changes to values of Windows Registry keys. A data collector set (covered later in this section) is used to determine which keys are monitored.
• Event trace data—Log files created by applications and device drivers that incorporate Event Tracing for Windows (ETW). This data is different from events shown in Event Viewer and is usually used only by software developers.
You can also trigger alerts and tasks based on user-defined thresholds and generate a variety of reports. Access to this tool is determined by what groups a user belongs to. Administrators can access all features, and other groups have access but with certain limits:
• Users—This group can view log files and modify display properties but can’t access real-time data and can’t create or modify data collector sets.
• Performance Monitor Users—This group can view log files and real-time data and modify display properties but can’t create or modify data collector sets.
• Performance Log Users—This group can use all features available to the other two groups. If this group is given the “Log on as a batch user” right, members can create and modify data collector sets; however, data collector sets must run under their own credentials. This group can’t use the Windows Kernel Trace provider in data collector sets.
To customize a view even more, you can open the Performance Monitor Properties dialog box by right-clicking the graph and clicking Properties. There are five tabs with options for customizing the display:
• General—Control display elements, such as the legend explaining graphs, the value bar (showing the last, average, minimum, and maximum values for a selected metric), and the length of time the graph covers. You can also decide whether to display the minimum, maximum, or average value for the graph’s duration and specify how often samples of data are taken and how long to display data.
• Source—Specify whether to display current activity on the system, which is good for troubleshooting an immediate problem, or activity from log files or a database, which is a good option when you’re looking for trends or a recurring problem. With log files and databases, you can also set a time range for viewing data.
• Data—Select which performance counters to display and configure line or bar color, scale, and style for each counter. With the scale setting, you can show both smaller and larger numbers on the same graph (for example, CPU and memory use).
• Graph—Select the type of view (Line Chart, Histogram, or Report) and do some customizing, if you like. For example, you can configure scrolling and wrapping for a line graph or add vertical and horizontal grids to a histogram.
• Appearance—Control colors for the graph background, control background (the area around the graph), text labels, and grid lines. You can also change the font for text labels and add a border.
One reason tracking causes of poor performance with real-time monitoring is difficult is that you have no point of reference for comparing data. This point of reference, called a “performance baseline” or simply a “baseline,” is a record of performance data gathered when a system is performing well under normal operating conditions. Generally, baseline data is collected shortly after a system is put into service and then again each time changes are made, such as installing or removing a server role or when many users are added. The baseline data collected during normal operation conditions can then be compared with data collected during peak resource demands to give you insight into your system’s capabilities and limitations.
To create a baseline of performance data, you create a data collector set that specifies the performance counters you want to collect, how often to collect them, and how long to collect them. You can create multiple data collector sets that capture different aspects of system performance and measure performance during different periods.
A data collector set can contain a variety of types of information collected and displayed as a graph or report. Information types in a data collector set include the following:
• Performance counters—These system performance indicators used to view real-time data are also used in data collector sets.
• Counter alerts—Events generated when a counter falls below or exceeds a specified threshold. For example, you can create an alert to log an entry in the Application log if the % Processor Time counter exceeds 90%.
• Event traces—Logs information based on system or application events.
• System configuration—Monitors and records changes to Registry keys.
The Reliability Monitor provides a stability index that ranges from 1 (the least stable) to 10 (the most stable). You can use the index to help evaluate the reliability of your computer. Any change you make to your computer or problem that occurs on your computer affects the stability index.
To open the reliability monitor, execute the following command at a command prompt:
At the bottom of the page, click View all problem reports to view only the problems that have occurred on your computer. This view doesn’t include the other computer events that show up in Reliability Monitor, such as events about software installation.
ENABLE RELIABILITY MONITOR
If Reliability Monitor is blank, perform the following steps to enable it:
1. Open Task Scheduler and enable and run the \Microsoft\Windows\RAC\RacTask in Task Scheduler.
2. Use the Registry Editor to change the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\WMI\WMIEnable value to 1.
3. Reboot the computer.
In the Details tab of Task Manager, to show more columns, right-click one of the column titles and choose Select columns:
• Working set (memory): Shows the amount of memory in the private working set plus the amount of memory the process is using that can be shared by other processes.
• Peak working set (memory): Shows the maximum amount of working set memory used by the process.
• Working set delta (memory): Shows the amount of change in working set memory used by the process.
Resource Monitor is a system tool that allows you to view information about the use of hardware (CPU, memory, disk, and network) and software resources (file handles and modules) in real time. You can filter the results according to specific processes or services that you want to monitor. In addition, you can use Resource Monitor to start, stop, suspend, and resume processes and services, and to troubleshoot when an application does not respond as expected.
If you want to find the program (process) that is hogging processor resources, you can use the Identify the highest current CPU usage exercise.
In the Processes section, click CPU to sort processes by current CPU resource consumption.
If a file is locked and you cannot delete it because it is in use, you can use the Identify the process that is using a file exercise to see which process has the file open.
Click the CPU tab and then click the title bar of Associated Handles to expand the table. Click in the Search Handles box, type the name of the file you want to search for, and then click Search.
IDENTIFY THE NETWORK ADDRESS TO WHICH A PROCESS IS CONNECTED
1. Open Server Manager.
2. Click Tools > Resource Monitor.
3. Click the Network tab and then click the title bar of TCP Connections to expand the table.
4. Locate the process whose network connection you want to identify. If there are a large number of entries in the table, you can click Image to sort by executable ﬁlename.
5. Review the Remote Address column and the Remote Port column to see which network address and port the process is connected to.
First, to view performance information, the user must be added to one of the following groups:
• Administrators can access all of the performance tools and data.
• Performance Monitor Users can view both real-time and historical data within the Performance Monitor console and can use the Reliability Monitor. However, they cannot create or modify Data Collector Sets or use the Resource View.
• Performance Log Users group can view both real-time data and historical data within the performance Monitor console. However, these users can create or modify Data Collector Sets if the user has Log on as a batch user rights on the server.
A computer is composed of four primary systems: a processor, memory, disk, and a network. For the processor, memory, and disk performance, you should always start with these counters:
• Processor:% Processor Time measures how busy the processor is. Although the processor might jump to 100% processor usage, the processor should not be working at 80% capacity most of the time.
• Memory:Pages/sec—A page fault occurs when a process attempts to access a virtual memory page that is not available in its working set in RAM. If the pages/sec is 1,000 or higher, you should increase the memory.
• Paging File:% Usage shows how much of the paging file is actually being used. If the paging file % usage is above 75%, you might need to increase memory or reduce the server’s memory usage.
• Physical Disk:% Disk Time indicates how busy a disk is as measured by the percentage of time that disk was busy. If a disk is consistently approaching 100%, the disk is being
• Physical Disk:Avg. Disk Queue Length is the average number of read requests or write requests queued for the disk in question. A sustained average higher than two times the number of spindles (physical hard drives) indicates that the disk is being over utilized.
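Added example (not from the original notes) covering both the baseline described under Performance Monitor and the starting counters above: it samples the five counters for a minute, applies the thresholds the notes give, and separates a sustained breach from a spike, then records the same counters as a baseline data collector set with logman. The spindle count, log path and collector set name are assumptions.

```powershell
# Added example, not from the original notes. Thresholds are the notes' own;
# the spindle count and paths are assumptions.
$spindles = 2    # physical drives behind the measured volume (assumed)

# Counter path => test that flags a breach of the notes' threshold.
$checks = [ordered]@{
    '\Processor(_Total)\% Processor Time'          = { param($v) $v -gt 80 }
    '\Memory\Pages/sec'                            = { param($v) $v -ge 1000 }
    '\Paging File(_Total)\% Usage'                 = { param($v) $v -gt 75 }
    '\PhysicalDisk(_Total)\% Disk Time'            = { param($v) $v -ge 95 }   # "approaching 100%"
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = { param($v) $v -gt 2 * $spindles }
}
$paths = [string[]]$checks.Keys

# 12 samples 5 s apart: one spike to 100% is not "most of the time".
$samples = Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 12

foreach ($path in $paths) {
    # CounterSamples paths are machine-qualified (\\HOST\processor(_total)\...).
    $values = @($samples | ForEach-Object {
        $_.CounterSamples | Where-Object { $_.Path -like "*$path" } |
            Select-Object -ExpandProperty CookedValue
    })
    $avg      = ($values | Measure-Object -Average).Average
    $breaches = @($values | Where-Object { & $checks[$path] $_ }).Count
    $state    = if ($breaches -gt $values.Count / 2) { 'SUSTAINED' }
                elseif ($breaches -gt 0)             { 'spikes' }
                else                                 { 'ok' }
    '{0,-46} avg {1,8:N1}  over threshold {2,2}/{3}  {4}' -f $path, $avg, $breaches, $values.Count, $state
}

# Baseline: the same counters every 15 s into a 250 MB circular binary log.
# Compare it later in Performance Monitor via Properties > Source > Log files.
$logDir = Join-Path $env:SystemDrive 'PerfLogs\Baseline'     # assumed location
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
logman create counter ServerBaseline -c $paths -si 00:00:15 -f bincirc -max 250 `
    -o (Join-Path $logDir 'ServerBaseline')
logman start ServerBaseline
```

Re-run the collector set after each change the notes list (a role added or removed, many users added) so each baseline reflects the configuration it was taken under.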
Performance Monitor uses performance counters, event trace data, and configuration information, which can be combined into Data Collector Sets as follows:
• Performance counters are measurements of system state or activity. They can be included in the operating system or can be part of individual applications. Windows Performance Monitor requests the current value of performance counters at specified time intervals.
• Event trace data is collected from trace providers, which are components of the operating system or of individual applications that report actions or events. Output from multiple trace providers can be combined into a trace session.
• Configuration information is collected from key values in the Windows registry.
Data collector set
A performance alert is a notification or task that is executed when a performance value is reached. Performance Monitor can also be used to start certain tasks when certain counters reach a particular value. For example, if the processor reaches 90%, you can have Performance Monitor run a command to stop a service or perform some other action in an effort to reduce burden on the processor.