Windows Server 2008 R2 Unleashed (268 page)

NOTE

You must be a member of the Backup Operators group at the minimum to archive an

event log.

Logs archived in the new log-file format (.evtx) can be reopened using the Windows

Server 2008 R2 Event Viewer utility. Logs saved in log-file format retain the XML data for

each event recorded. Event logs, by default, are stored on the server where the Event

Viewer utility is being run. Data can, however, be archived to a remote server by simply

providing a UNC path (such as \\servername\share\) when entering a filename.

Logs archived in comma-delimited (.csv) or text (.txt) format can be reopened in other

programs such as Microsoft Word or Excel. These two formats do not retain the XML data

or formatting.

1358

CHAPTER 33

Logging and Debugging

Customizing the Event Log

The properties of an event log can be configured. In Event Viewer, the properties of a log

are defined by general characteristics: log path, current size, date created, when last

modified or accessed, maximum size, and what should be done when the maximum log

size is reached.

To customize the event log, access the properties of the particular log by highlighting the

log and selecting Action and then Properties. Alternatively, you can right-click the log

and select Properties to display the General tab of the log’s property page, as shown in

Figure 33.5.

ptg

FIGURE 33.5

Selecting properties for the event log.

The Log Size section specifies the maximum size of the log and the subsequent actions to

take when the maximum log size limit is reached. The three options are as follows:

. Overwrite Events as Needed (Oldest Events First)

. Archive the Log When Full, Do Not Overwrite Events

. Do Not Overwrite Events (Clear Logs Manually)

If you select the Do Not Overwrite Events option, Windows Server 2008 R2 stops logging

events when the log is full. Although Windows Server 2008 R2 notifies you when the log

Performance and Reliability Monitoring

1359

is full, you need to monitor the log and manually clear the log periodically so new events

can be tracked and stored in the log file.

In addition, log file sizes must be specified in multiples of 64KB. If a value is not in multi-

ples of 64KB, Event Viewer automatically sets the log file size to a multiple of 64KB.

When you need to clear the event log, click the Clear Log button in the lower right of the

property page.

Understanding the Security Log

33

Effectively logging an accurate and wide range of security events in Event Viewer requires

an understanding of auditing in Windows Server 2008 R2. It is important to know events

are not audited by default. You can enable auditing in the local security policy for a local

server, the domain controller security policy for a domain controller machine, and the

Active Directory (AD) Group Policy Object (GPO) for a domain. Through auditing, you

can track Windows Server 2008 R2 security events. It is possible to request that an audit

entry be written to the security event log whenever certain actions are carried out or an

object such as a file or printer in AD is accessed. The audit entry shows the action carried

out, the user responsible for the action, and the date and time of the action.

ptg

Performance and Reliability Monitoring

Performance is a basis for measuring how fast application and system tasks are completed

on a computer and reliability is a basis for measuring system operation. How reliable a

system is will be based on whether it regularly operates at the level at which it was

designed to perform. Based on their descriptions, it should be easy to recognize that

performance and reliability monitoring are crucial aspects in the overall availability and

health of a Windows Server 2008 R2 infrastructure. To ensure maximum uptime, a well-

thought-through process needs to be put in place to monitor, identify, diagnose, and

analyze system performance. This process should invariably provide a means for quickly

comparing system performances at varying instances in time, detecting, and potentially

preventing a catastrophic incident before it causes system downtime.

Performance Monitor, which is a Microsoft Management Console (MMC) snap-in,

provides a myriad of tools for administrators so they can conduct real-time system moni-

toring, examine system resources, collect performance data, and create performance

reports from a single console. This tool is literally a combination of three legacy Windows

Server monitoring tools: System Monitor, Performance Monitor, and Server Performance

Advisor. However, new features and functionalities have been introduced to shake things

up, including Data Collector Sets, resource view, scheduling, diagnostic reporting, and

wizards and templates for creating logs. To launch the Performance Monitor MMC snap-in

tool, select Start, All Programs, Administrative Tools, Performance Monitor, or type

perfmon.msc at a command prompt.

1360

CHAPTER 33

Logging and Debugging

The Performance Monitor MMC snap-in is composed of the following elements:

. Overview Screen

. Performance Monitor

. Data Collector Sets

. Report Generation

The upcoming sections further explore these major elements found in the Performance

Monitoring tool.

Performance Monitor Overview

The first area of interest in the Performance Monitor snap-in is the Overview of

Performance Monitor screen, also known as the Performance icon. It is displayed as the

home page in the central details pane when the Performance Monitor tool is invoked.

The Overview of Performance Monitor screen presents holistic, real-time graphical illustra-

tions of a Windows Server 2008 R2 system’s CPU usage, disk usage, network usage, and

memory usage, as displayed in Figure 33.6.

ptg

FIGURE 33.6

Viewing the Overview of Performance Monitor screen.

Additional process-level details can be viewed to better understand your system’s current

resource usage by reviewing subsections beneath each metric being displayed. For

Performance and Reliability Monitoring

1361

example, the Memory section includes % Committed Bytes in Use, Available Mbytes, and

Cache Faults/sec.

The Overview of Performance Monitor screen is the first level of defense when there is a

need to get a quick overview of a system’s resources. If quick diagnosis of an issue cannot

be achieved, an administrator should leverage the additional tools within Performance

Monitor. These are covered in the upcoming sections.

Performance Monitor

33

Windows Server 2008 R2 comes with two tools for performance monitoring. The first tool

is called Performance Monitor and the second tool is known as Reliability Monitor. In the

previous release of Windows, the Reliability Monitor tool was included in the Reliability

and Performance snap-in. With Windows Server 2008 R2, the Reliability Monitor tool has

been removed from the Performance Monitor console. The improved Performance

Monitor tool provides performance analysis and information that can be used for bottle-

neck, performance, and troubleshooting analysis.

First, defining some terms used in performance monitoring will help clarify the function of

Performance Monitor and how it ties in to software and system functionality. The three

components noted in Performance Monitor, Data Collector Sets, and Reports are as follows:

ptg

.
Object—
Components contained in a system are grouped into objects. Objects are

grouped according to system functionality or by association within the system.

Objects can represent logical entities such as memory or a physical mechanism such

as a hard disk drive. The number of objects available in a system depends on the

configuration. For example, if Microsoft Exchange Server is installed on a server,

some objects pertaining to Exchange would be available.

.
Counter—
Counters are subsets of objects. Counters typically provide more detailed

information for an object such as queue length or throughput for an object. The

System Monitor can collect data through the counters and display it in either a

graphical format or a text log format.

.
Instances—
If a server has more than one similar object, each one is considered an

instance. For example, a server with multiple processors has individual counters for

each instance of the processor. Counters with multiple instances also have an

instance for the combined data collected for the instances.

Performance Monitor provides an interface that allows for the analysis of system data,

research performance, and bottlenecks. Performance Monitor displays performance

counter output in line graphs, histogram (bar chart), and report format.

The histogram and line graphs can be used to view multiple counters at the same time, as

shown in Figure 33.7. However, each data point displays only a single value that is inde-

pendent of its object. The report view is better for displaying multiple values.

1362

CHAPTER 33

Logging and Debugging

FIGURE 33.7

The graph view of Performance Monitor.

ptg

Launching Performance Monitor is accomplished by selecting Performance Monitor from

the Monitoring Tools folder in the Performance Monitor MMC snap-in. You can also open

it from a command line by typing Perfmon.msc. When a new Performance Monitor

session is started, it loads a blank system monitor graph into the console with % Processor

Time as the only counter defined.

Adding Counters with Performance Monitor

Before counters can be displayed, they have to be added. The counters can be added

simply by using the menu bar. The Counter button on the toolbar includes Add, Delete,

and Highlight. You can use the Add Counter button to display new counters. On the other

hand, use the Delete Counter button to remove unwanted counters from the display. The

Highlight Counter button is helpful for highlighting a particular counter of interest; a

counter can be highlighted with either a white or black color around the counter.

The following step-by-step procedures depict how to add counters to Performance Monitor:

1. In the navigation tree of Performance Monitor, first expand Performance,

Monitoring Tools, and then Performance Monitoring.

2. Either click the Add icon in the menu bar or right-click anywhere on the graph and

Other books

The Fire and the Fog by David Alloggia
Crysis: Escalation by Smith, Gavin G.
Get Well Soon by Julie Halpern
Infinity Blade: Awakening by Sanderson, Brandon
Chasing Gideon by Karen Houppert
The Perfect Murder by Brenda Novak
The Tigrens' Glory by Laura Jo Phillips