
FIGURE Selecting properties for the event log.


Academic year: 2021


Customizing the Event Log

The properties of an event log can be configured. In Event Viewer, the properties of a log are defined by general characteristics: log path, current size, date created, when last modified or accessed, maximum size, and what should be done when the maximum log size is reached.

To customize the event log, access the properties of the particular log by highlighting the log and selecting Action and then Properties. Alternatively, you can right-click the log and select Properties to display the General tab of the log’s property page, as shown in Figure 33.5.

The Log Size section specifies the maximum size of the log and the subsequent actions to take when the maximum log size limit is reached. The three options are as follows:

. Overwrite Events as Needed (Oldest Events First)

. Archive the Log When Full, Do Not Overwrite Events

. Do Not Overwrite Events (Clear Logs Manually)

If you select the Do Not Overwrite Events option, Windows Server 2008 R2 stops logging events when the log is full. Although Windows Server 2008 R2 notifies you when the log is full, you need to monitor the log and manually clear the log periodically so new events can be tracked and stored in the log file.

In addition, log file sizes must be specified in multiples of 64KB. If a value is not in multiples of 64KB, Event Viewer automatically sets the log file size to a multiple of 64KB. When you need to clear the event log, click the Clear Log button in the lower right of the property page.
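The same settings can be read and applied from PowerShell, which makes it practical to check many logs for the Do Not Overwrite case in which logging stops. This is an added example, not part of the original text; the function names and the 90 percent warning threshold are assumptions, and rounding up to the next 64KB multiple is a choice made here.

```powershell
# Added example. Function names and the 90% threshold are assumptions.
# EventLogMode values reported by Windows, mapped to the Event Viewer options.
$ModeToOption = @{
    'Circular'   = 'Overwrite Events as Needed (Oldest Events First)'
    'AutoBackup' = 'Archive the Log When Full, Do Not Overwrite Events'
    'Retain'     = 'Do Not Overwrite Events (Clear Logs Manually)'
}

function Get-LogRetentionReport {
    param([string[]]$LogName = @('Application', 'Security', 'System'),
          [int]$WarnPercent = 90)
    foreach ($name in $LogName) {
        $log  = Get-WinEvent -ListLog $name
        $used = 0
        if ($log.MaximumSizeInBytes -gt 0) {
            $used = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes)
        }
        # Only the Retain mode stops logging when the log fills up.
        $retain = "$($log.LogMode)" -eq 'Retain'
        New-Object PSObject -Property @{
            Log         = $log.LogName
            Option      = $ModeToOption["$($log.LogMode)"]
            MaxKB       = $log.MaximumSizeInBytes / 1KB
            UsedPercent = $used
            AtRisk      = $retain -and ($log.IsLogFull -or $used -ge $WarnPercent)
        }
    }
}

function Set-LogSize {
    param([Parameter(Mandatory = $true)][string]$LogName,
          [Parameter(Mandatory = $true)][long]$Bytes,
          [ValidateSet('Circular', 'AutoBackup', 'Retain')][string]$Mode = 'Circular')
    # Round up to the next 64KB multiple rather than leaving it to Event Viewer.
    $rounded = [long]([math]::Ceiling([double]$Bytes / 64KB) * 64KB)
    # wevtutil flags: /rt is retention, /ab is auto-backup (requires /rt:true).
    $rt = if ($Mode -eq 'Circular') { 'false' } else { 'true' }
    $ab = if ($Mode -eq 'AutoBackup') { 'true' } else { 'false' }
    wevtutil sl $LogName "/ms:$rounded" "/rt:$rt" "/ab:$ab"
    Get-WinEvent -ListLog $LogName | Select-Object LogName, MaximumSizeInBytes, LogMode
}

# List logs that are set to Do Not Overwrite and are full or nearly full.
Get-LogRetentionReport | Where-Object { $_.AtRisk }
# To apply a size and option (elevated prompt), for example:
# Set-LogSize -LogName Application -Bytes 100000000 -Mode AutoBackup
```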

Understanding the Security Log

Effectively logging an accurate and wide range of security events in Event Viewer requires an understanding of auditing in Windows Server 2008 R2. It is important to know events are not audited by default. You can enable auditing in the local security policy for a local server, the domain controller security policy for a domain controller machine, and the Active Directory (AD) Group Policy Object (GPO) for a domain. Through auditing, you can track Windows Server 2008 R2 security events. It is possible to request that an audit entry be written to the security event log whenever certain actions are carried out or an object such as a file or printer in AD is accessed. The audit entry shows the action carried out, the user responsible for the action, and the date and time of the action.
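To see which event categories are actually being audited on a server, the effective audit policy can be read from the command line. This is an added example, not part of the original text; the function names are assumptions, it uses the built-in `auditpol` tool from an elevated prompt, and the setting text assumes an English-language system.

```powershell
# Added example; run from an elevated prompt. Function names are assumptions,
# and the 'No Auditing' text assumes an English-language system.

function Get-AuditPolicy {
    # /r makes auditpol emit CSV, one row per audit subcategory.
    auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |      # drop blank lines before parsing
        ConvertFrom-Csv |
        Select-Object Subcategory, @{ n = 'Setting'; e = { $_.'Inclusion Setting' } }
}

function Get-UnauditedSubcategory {
    # Subcategories for which no audit entry will ever be written.
    Get-AuditPolicy | Where-Object { $_.Setting -eq 'No Auditing' }
}

function Enable-SubcategoryAudit {
    param([Parameter(Mandatory = $true)][string]$Subcategory)
    auditpol /set "/subcategory:$Subcategory" /success:enable /failure:enable | Out-Null
    # Read the policy back so the change is confirmed, not assumed.
    Get-AuditPolicy | Where-Object { $_.Subcategory -eq $Subcategory }
}

# Show what is not being recorded on this server.
Get-UnauditedSubcategory | Format-Table -AutoSize

# To turn on auditing of file access, for example:
# Enable-SubcategoryAudit -Subcategory 'File System'

# Recent audit entries: time, event ID and the first line of the message (the action).
Get-WinEvent -LogName Security -MaxEvents 5 |
    Select-Object TimeCreated, Id,
        @{ n = 'Action'; e = { ($_.Message -split "`r?`n")[0] } }
```

Enabling the File System subcategory only produces entries for files and folders that also have auditing entries configured on the object itself.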

Performance and Reliability Monitoring

Performance is a basis for measuring how fast application and system tasks are completed on a computer, and reliability is a basis for measuring system operation. How reliable a system is depends on whether it regularly operates at the level at which it was designed to perform. Based on these descriptions, it should be easy to recognize that performance and reliability monitoring are crucial to the overall availability and health of a Windows Server 2008 R2 infrastructure. To ensure maximum uptime, a well-thought-through process needs to be put in place to monitor, identify, diagnose, and analyze system performance. This process should provide a means for quickly comparing system performance at different points in time, and for detecting and potentially preventing a catastrophic incident before it causes system downtime.

Performance Monitor, which is a Microsoft Management Console (MMC) snap-in, provides a myriad of tools for administrators so they can conduct real-time system monitoring, examine system resources, collect performance data, and create performance reports from a single console. This tool is literally a combination of three legacy Windows Server monitoring tools: System Monitor, Performance Monitor, and Server Performance Advisor. However, new features and functionalities have been introduced to shake things up, including Data Collector Sets, resource view, scheduling, diagnostic reporting, and wizards and templates for creating logs. To launch the Performance Monitor MMC snap-in tool, select Start, All Programs, Administrative Tools, Performance Monitor, or type


The Performance Monitor MMC snap-in is composed of the following elements:

. Overview Screen

. Performance Monitor

. Data Collector Sets

. Report Generation

The upcoming sections further explore these major elements found in the Performance Monitoring tool.

Performance Monitor Overview

The first area of interest in the Performance Monitor snap-in is the Overview of Performance Monitor screen, also known as the Performance icon. It is displayed as the home page in the central details pane when the Performance Monitor tool is invoked. The Overview of Performance Monitor screen presents holistic, real-time graphical illustrations of a Windows Server 2008 R2 system’s CPU usage, disk usage, network usage, and memory usage, as displayed in Figure 33.6.

Additional process-level details can be viewed to better understand your system’s current


example, the Memory section includes % Committed Bytes in Use, Available Mbytes, and Cache Faults/sec.

The Overview of Performance Monitor screen is the first level of defense when there is a need to get a quick overview of a system’s resources. If quick diagnosis of an issue cannot be achieved, an administrator should leverage the additional tools within Performance Monitor. These are covered in the upcoming sections.

Performance Monitor

Windows Server 2008 R2 comes with two tools for performance monitoring. The first tool is called Performance Monitor and the second tool is known as Reliability Monitor. In the previous release of Windows, the Reliability Monitor tool was included in the Reliability and Performance snap-in. With Windows Server 2008 R2, the Reliability Monitor tool has been removed from the Performance Monitor console. The improved Performance Monitor tool provides performance analysis and information that can be used for bottleneck, performance, and troubleshooting analysis.

First, defining some terms used in performance monitoring will help clarify the function of Performance Monitor and how it ties in to software and system functionality. The three components noted in Performance Monitor, Data Collector Sets, and Reports are as follows:

. Object—Components contained in a system are grouped into objects. Objects are grouped according to system functionality or by association within the system. Objects can represent logical entities such as memory or a physical mechanism such as a hard disk drive. The number of objects available in a system depends on the configuration. For example, if Microsoft Exchange Server is installed on a server, some objects pertaining to Exchange would be available.

. Counter—Counters are subsets of objects. Counters typically provide more detailed information for an object such as queue length or throughput for an object. The System Monitor can collect data through the counters and display it in either a graphical format or a text log format.

. Instances—If a server has more than one similar object, each one is considered an instance. For example, a server with multiple processors has individual counters for each instance of the processor. Counters with multiple instances also have an instance for the combined data collected for the instances.

Performance Monitor provides an interface for analyzing system data and for researching performance and bottlenecks. Performance Monitor displays performance counter output in line graph, histogram (bar chart), and report formats.


Launching Performance Monitor is accomplished by selecting Performance Monitor from the Monitoring Tools folder in the Performance Monitor MMC snap-in. You can also open it from a command line by typing Perfmon.msc. When a new Performance Monitor session is started, it loads a blank system monitor graph into the console with % Processor Time as the only counter defined.

Adding Counters with Performance Monitor

Before counters can be displayed, they have to be added. The counters can be added simply by using the menu bar. The Counter button on the toolbar includes Add, Delete, and Highlight. You can use the Add Counter button to display new counters. On the other hand, use the Delete Counter button to remove unwanted counters from the display. The Highlight Counter button is helpful for highlighting a particular counter of interest; a counter can be highlighted with either a white or black color around the counter.

The following step-by-step procedures depict how to add counters to Performance Monitor:

1. In the navigation tree of Performance Monitor, first expand Performance, Monitoring Tools, and then Performance Monitoring.

2. Either click the Add icon in the menu bar or right-click anywhere on the graph and select Add Counters.

NOTE

Typical baseline counters consist of Memory - Pages/Sec, PhysicalDisk - Avg. Disk Queue Length, and Processor - % Processor Time.
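The object, counter, and instance terms defined earlier map directly onto the counter paths that PowerShell's `Get-Counter` accepts, so the baseline counters in the note can also be sampled from a script. This is an added example, not part of the original text; the function names, sample interval, and sample count are assumptions, and the counter names assume an English-language system.

```powershell
# Added example. Function names and the interval/sample defaults are assumptions.
# Baseline counters from the note, written as \Object(Instance)\Counter paths.
# Memory has a single instance, so its path has no (Instance) part.
$BaselineCounters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time'
)

function Split-CounterPath {
    param([string]$Path)
    # Optional \\machine prefix, then \Object or \Object(Instance), then \Counter.
    $pattern = '^(?:\\\\[^\\]+)?\\(?<object>[^\\(]+)(?:\((?<instance>.+)\))?\\(?<counter>.+)$'
    if ($Path -match $pattern) {
        New-Object PSObject -Property @{
            Object   = $Matches['object']
            Instance = $Matches['instance']
            Counter  = $Matches['counter']
        }
    }
}

function Get-Baseline {
    param([int]$IntervalSeconds = 5, [int]$Samples = 12)
    Get-Counter -Counter $BaselineCounters -SampleInterval $IntervalSeconds -MaxSamples $Samples |
        ForEach-Object { $_.CounterSamples } |
        Group-Object Path |
        ForEach-Object {
            $stats = $_.Group | Measure-Object CookedValue -Average -Maximum
            $parts = Split-CounterPath $_.Name
            New-Object PSObject -Property @{
                Object   = $parts.Object
                Instance = $parts.Instance
                Counter  = $parts.Counter
                Average  = [math]::Round($stats.Average, 2)
                Maximum  = [math]::Round($stats.Maximum, 2)
            }
        }
}

# One minute of samples, summarized per counter.
Get-Baseline | Format-Table Object, Instance, Counter, Average, Maximum -AutoSize

# Every instance of the Processor object, including the combined _Total instance.
(Get-Counter '\Processor(*)\% Processor Time').CounterSamples |
    Select-Object InstanceName, CookedValue
```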
