11 monitoring microsoft windows server 2003 chapter 3

11

MONITORING MICROSOFT WINDOWS SERVER 2003

Chapter 3

Chapter 3: MONITORING MICROSOFT WINDOWS SERVER 2003 2

CHAPTER OVERVIEW

Use Event Viewer to monitor system logs.

Configure Task Manager to display performance data.

Use System Monitor to display real-time performance data.

Create counter logs and alerts.


SERVER MONITORING PRACTICES

Real-time monitoring

Uses tools that display a continuous stream of statistics about what the system is doing right now

Logged monitoring

Enables administrators to observe trends that develop over longer periods of time than those observed in a typical real-time monitoring session


MONITORING SUBSYSTEMS

Processor

Disk

Memory

Network


WHAT IS A BASELINE?


USING EVENT VIEWER


EVENT VIEWER LOGS

Application

Information about specific programs running on the computer

System

Events generated by components such as services and device drivers

Security

Security-related events such as failed logons and attempts to access resources


UNDERSTANDING EVENT TYPES

EEvveenntt TTyyppee IIccoonn DDeessccrriippttiioonn

Error A significant problem, such as loss of dataor loss of functionality

Warning An event that might not be significant butmight indicate a future problem

Information An event that describes the successfuloperation of an application, driver, or

service

SuccessAudit

An audited security access attempt thatsucceeds

Failure Audit An audited security access attempt thatfails


VIEWING EVENTS


EVENT LOG RETENTION SETTINGS


USING FILTERS


FINDING SPECIFIC EVENTS


ACCESSING REMOTE EVENT LOGS

Allows you to view event logs on another system.

Select Connect To Another Computer from the Action menu.


ARCHIVING EVENT LOGS

Might be required in certain environments.

Reduces space used by log files.

Save as .evt files in order to view in Event Viewer.

Save as .txt or .csv files to import into other applications.


USING TASK MANAGER

Real-time monitoring tool

Displays information on: Processor and memory performance

Applications and processes

Network utilization

Users connected to the system


WORKING WITH APPLICATIONS


MONITORING PROCESSES


MONITORING PERFORMANCE LEVELS


MONITORING NETWORK ACTIVITY


MONITORING USERS


USING THE PERFORMANCE CONSOLE

System Monitor

Displays real-time performance data collected from performance counters

Performance Logs and Alerts

Records data from performance counters over a period of time and executes specific actions when counters reach a certain value


USING SYSTEM MONITOR


MODIFYING THE GRAPH VIEW


HISTOGRAM VIEW


REPORT VIEW


ADDING COUNTERS


CREATING AN EFFECTIVE DISPLAY

Limit the number of counters.

Modify the counter display properties.

Choose counters with comparable values.


SAVING A SYSTEM MONITOR CONSOLE

Allows you to access commonly used counters more easily

Reduces time needed to monitor critical components

Can allow you to develop an eye for issues


WHAT IS A BOT TLENECK?


MONITORING PROCESSOR PERFORMANCE

Processor: % Processor Time

Should be < 85%

System: Processor Queue Length

Should be < 10

Server Work Queues: Queue Length

Should be < 4

Processor: Interrupts/sec

Varies depending on configuration


MONITORING MEMORY PERFORMANCEMemory: Page Faults/Sec Should be < 5

Memory: Pages/Sec Should be < 20

Memory: Available Bytes Should not fall below 5 percent of the system’s total physical

memory

Memory: Committed Bytes Should always be less than the physical RAM in the computer

Memory: Pool Non-Paged Bytes Should be a stable number that does not grow without a

corresponding growth in server activity


MONITORING DISK PERFORMANCE

PhysicalDisk: Disk Bytes/sec Should be equivalent to the levels established in the original

baseline readings or higher

PhysicalDisk: Avg. Disk Bytes/Transfer Should be equivalent to the levels established in the original

baseline readings or higher

PhysicalDisk: Current Disk Queue Length Should be < 2

PhysicalDisk: % Disk Time Should be < 80%

LogicalDisk: % Free Space Should be > 20%


MONITORING NETWORK PERFORMANCE

Network Interface: Bytes Total/sec

Should be equal to baseline readings or higher

Network Interface: Output Queue Length

Preferably 0, < 2 acceptable

Server: Bytes Total/sec

Should be < 50 percent of the total bandwidth capacity


MONITORING SERVER ROLES

Different server roles place different demands on underlying hardware.

Different server roles require different components to be monitored.

Be aware of overmonitoring.

Table 3-3


USING PERFORMANCE LOGS AND ALERTS

Counter logs

Captures statistics for specific counters to a log file

Trace logs

Records information about system applications when certain events occur

Alerts

Performs an action when the counter reaches a specified value


CREATING A COUNTER LOG


CREATING A TRACE LOG


VIEWING A COUNTER LOG


CREATING ALERTS


CHAPTER SUMMARY

Event Viewer is an MMC snap-in that displays logs maintained by the computer.

Task Manager displays real-time performance data for the computer.

The Performance console consists of two snap-ins: System Monitor and Performance Logs and Alerts.

System Monitor shows real-time performance data for system hardware and software components using graph, histogram, and report views.

Performance Logs and Alerts records performance counter information to counter logs and operating system events to trace logs over scheduled periods of time, enabling you to capture large data samples for later examination.

11 monitoring microsoft windows server 2003 chapter 3

Documents

event viewer slide

system logs

remote event logs

archiving event logs

system monitor

computer system events

counter logs

understanding event