Performance Logs and Alerts: A guide to the Windows Server 2003 utility

Performance Logs and Alerts is one of the performance monitoring tools in Windows Server 2003. This tip discusses the tool's two types of logs: counter logs and trace logs.

Windows Server 2003 comes with two performance monitoring tools that give administrators the data they need to find bottlenecks and troubleshoot Windows.

I discussed System Monitor in a previous article. In this tip I'll discuss the second tool, Performance Logs and Alerts.

The Performance Logs and Alerts utility has two types of performance-related logs: counter logs and trace logs. These logs are used for advanced performance analysis and data logging over a period of time. The utility also has a mechanism to trigger alerts.

Some performance analysis improvements are new in Windows Server 2003. One is the ability to run log collections under different accounts. For example, if you need to log data from a remote server that requires administrator privileges, the system will allow you to specify an account with the necessary permissions using the Run As feature. Another improvement is the ability to support log files greater than 1GB. Performance data can also be appended to an existing log file because of the new log file format.

Note: Data collection occurs regardless of whether a user is logged on to the server being monitored because logging runs as a service.

The three components of Performance Logs and Alerts are trace logs, counter logs and alerts.

  • Trace logs collect event traces. They measure performance associated with events related to system and nonsystem providers. Data is sent to the logs immediately as an event occurs and is measured continuously in a stream from the beginning of an event to its end. This differs from System Monitor, which measures data by sampling.
  • Counter logs record sampled data about system services, threads, and hardware resources based on objects in System Monitor. This utility uses counters the same way System Monitor does.
  • Alerts provide a function used to define a counter value that will trigger an alert. When an alert is triggered, the alert function can be set up to perform some action, such as sending a network message, executing a program, or starting a log.

    Alerts are useful for notification purposes in times of emergency (unusual activity that does not occur often) such as bandwidth saturation to or from an NIC hosting a critical application. Alerts provide notification when a particular resource performance value exceeds or drops below a threshold, baseline or set value.

Configuring trace logs

Configuring and enabling trace logs to monitor the activities of an application or environment variable is simply a matter of creating a trace log filename and enabling logging. To create a trace log:

  1. Launch the Performance monitoring tool from Start -> Programs -> Administrative Tools -> Performance.
  2. Double-click Performance Logs and Alerts and click once on Trace Logs.
  3. Right-click a blank area of the details pane on the right of the window and click New Log Settings.
  4. In the Name field, type the name of the trace log you want to create. Click OK.

For a list of installed providers and their status (enabled or not), click Provider Status in the General tab. By default, the Nonsystem Providers option is selected to keep trace logging overhead to a minimum. Click Events Logged by System Provider and check the boxes as appropriate to define events for logging.

On the Log File tab, you can configure the log to be circular, so that when the log file reaches a predetermined size, it will be overwritten.
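The same trace log can also be created from a command prompt with logman, the command-line tool that manages Performance Logs and Alerts collections. The script below is an added example, not part of the original tip; the log name TipTrace, the C:\PerfLogs output path and the 50 MB size limit are assumptions chosen for illustration.

```bat
@echo off
rem Added example: command-line counterpart of the steps above.
rem TipTrace, C:\PerfLogs and the 50 MB cap are illustrative assumptions.
setlocal
set TRACE_NAME=TipTrace
set TRACE_PATH=C:\PerfLogs\TipTrace

rem Counterpart of the Provider Status button: list the registered providers.
logman query providers

rem Create the trace log. "Windows Kernel Trace" is the system provider;
rem (process,thread) selects which system events are logged.
rem -f bincirc with -max 50 makes the file circular: once it reaches
rem 50 MB, the oldest data is overwritten.
rem To use the Run As feature, append:  -u DOMAIN\account *
rem (the * makes logman prompt for the password instead of storing it
rem in the script).
logman create trace %TRACE_NAME% -p "Windows Kernel Trace" (process,thread) -o "%TRACE_PATH%" -f bincirc -max 50
if errorlevel 1 goto fail

rem Start collecting. Logging runs as a service, so it continues
rem after the administrator logs off.
logman start %TRACE_NAME%
if errorlevel 1 goto fail

rem Show the collection's status and settings.
logman query %TRACE_NAME%
goto done

:fail
echo logman reported an error; the trace log was not created or started.
endlocal
exit /b 1

:done
echo Trace log %TRACE_NAME% is running. Stop it with: logman stop %TRACE_NAME%
endlocal
```

When the Run As option is used, give the account only the permissions the collection needs on the monitored server.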

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and has experience deploying client/server applications in different Windows configurations.
