Chapter 17: Watching Your System BAI617. Chapter Topics Working With Event Viewer Performance Monitor Resource Monitor.

Chapter 17:Watching Your System

BAI617

Chapter Topics

• Working With Event Viewer• Performance Monitor• Resource Monitor

Monitoring Your System with Event Viewer

• The best time to know about a problem is before it happens

• Event Viewer in Windows Server 2008 R2 is one of the primary tools used to watch your system

Performance & Event Logs

• Logging is your eyes and ears when you are not present to monitor systems yourself

• Baselines help determine the “norm”• From the baseline you can determine

performance improvement or degradation.• Without logging there is no proving that any

tweaks you make are making a difference

Managing Event Logs

• Event logs will tell you the following crucial information about system events

• Date / Time• Source of Event (Subcomponent)• Event ID• Specifics of error• Possible causes

• Sometime they are completely unhelpful, but most times they are a great starting point.

Windows 2008 Event Logs

• Windows 2008 brings some new organization to the Computer Management window and many new categories for event logging

Getting to what you need

• There can be hundreds of events to sift through to try to find the one you are looking for. There are useful search and filter tools built into the Event Viewer console

Viewing an Event

Understanding Event Levels• Information events:

– These entries are used to indicate a change has occurred or to describe the successful completion of an operation. The icon used to represent Information events is an in a circle.

• Warning events: – Indicate events that may lead to a problem in the future. The event isn’t necessarily

significant. Sometimes you can trace back from critical or error events to identify a preceding warning. The icon used to represent Warning events is a black exclamation point in a yellow triangle.

• Error events: – Indicate a problem occurred external to the application or component that might impact

the functionality of the application or component. The icon used to represent error events is a white exclamation point in a red circle

• Critical events: – Critical event is one that an application or component cannot automatically recover

from. Critical events are the most serious. The icon used to represent Critical events is a white x in a red circle.

Understanding Windows Logs• Application

– The Application log is used to log events from applications. The application developer can choose to log events in this log or create an additional application log specifically for the application. As an example, SQL Server will log applications into this log.

• Security – The Security log will show all audited events. Audited events include logons,

files, and other object usage, as well as any other auditing events the administrator has enabled. Audited events can be specified to include both success and failure events. Windows Server 2008 R2 does enable auditing of specific events by default, so these logs will have events even if the administrator hasn’t modified auditing.

• System – The System log records events related to the operating system. It includes

information related to system drivers and system services.

Archiving Logs

• Many organizations have policies in place that require log files to be archived. Once archived, the original file is saved and can be viewed later, and new events won’t overwrite archived events

• Certain logs are going to need to be saved for future reference – Security and Auditing logs are an example.

• Other logs can be cleared after review.

Monitoring Multiple Machines

• Creating Custom Views in MMC

• Manage your server farm.

• Advanced topic: With SQL you can collect events to a database and configure subscribers.

Performance Monitor

• Performance Monitor has been around in the Windows operating systems for several versions, but it enjoys some significant improvements today

• This is one of the tools used to create a network and server performance baseline

• Performance Monitor measures specific counters from every part of the server – hardware, OS, application, networking, etc

Performance Monitor

• Performance Monitor uses objects and counters.• Objects – Performance Monitor objects are specific resources that

can be measured. Some commonly measured objects are Processor, Memory, Network Interface, and Physical Disk.

• Counters – Counters are the individual metrics within an object. For

example, the Processor object includes counters such as the % Processor Time, % User Time, and Interrupts/Sec counters.

Resource Monitor

• The Resource Monitor is constantly running and capturing counters on the core four resources of your system. – You can access it by right-clicking Monitoring Tools

and selecting Resource Monitor. – You can also access via Task Manager. Select the

Performance tab, and click the Resource Monitor button

Resource Monitor

• One of the primary benefits of the Resource Monitor is the ability to filter the results according to specific processes or services.

• For example, if you want to identify the load a specific application is placing on your system, you can select only that application’s processes.

Resource Monitor

Resource Monitor

• Overview Tab– Gives you a one screen

view of the main 4 subsystems

Resource Monitor

• Memory Tab

Resource Monitor

• Disk Tab

Review

• Working With Event Viewer• Performance Monitor• Resource Monitor

Questions?

Lab Environment