
12 Monitoring Microsoft Windows Server 2003


Uploaded by

Kumarecit

Revision no.: PPT/2K403/02

Monitoring Microsoft Windows Server 2003 (70-290)

Lesson 1: Using Event Viewer



Logs Available in Event Viewer

Configuring Event Viewer Logs

CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute


Logs Available in Event Viewer



Application

System

Security

Directory Service

File Replication Service

DNS Server


Configuring Event Viewer Logs



Overwrite Events As Needed (default)

Overwrite Events Older Than n Days

Do Not Overwrite Events (Clear Log Manually)


Practice: Event Monitor



Configuring the Security Log

Setting File and Object Auditing

Reading the Security Log


Lesson 2: Using the Performance Console



Configuring System Monitor

Decisions about Objects and Counters


Configuring System Monitor



Configurations for data to be collected


Type of Data
Source of Data
Sampling Intervals

Viewing Data
Histogram
Report
Graph

Adding Additional Counters


Object
Counter
Instance

Logging and Alerts



Collect data in a CSV or tab-separated format for exporting.

View Counter Log data during logging and post-collection.

Set Trace Logs (event-driven) based on available providers.

Define parameters for the log file including start and stop
times and maximum file size.

Set an alert on a counter, with options to send an administrative message, execute an application, or start a log when the configured threshold on the counter is breached.


Decisions about Objects and Counters



Memory Counters

Network Counters

Process Counters

Disk Counters


Memory Counters

Memory shortages
Memory\Available Bytes
Available Kbytes or Available MBytes
Process (All_processes)\Working Set
Memory\Pages/sec
Memory\Cache Bytes.

Frequent hard page faults
Memory\Pages/sec
Process (All_processes)\Working Set
Memory\Pages Input/sec
Memory\Pages Output/sec

Network Counters

Network Interface\Output Queue Length
Bytes Total/sec

Network Interface
Bytes Sent/sec
Current Bandwidth
Bytes Received/sec


Process Counters

Memory leaks:
Memory\Pool Nonpaged
Memory\Pool Nonpaged Bytes
Memory\Pool Paged Bytes
Process(process_name)\Pool Nonpaged Bytes
Process(process_name)\Handle Count
Process(process_name)\Pool Paged Bytes
Process(process_name)\Virtual Bytes
Process(process_name)\Private Bytes.


Disk Counters

LogicalDisk
% Free Space

PhysicalDisk
Avg. Disk Bytes/Transfer
Avg. Disk sec/Transfer
Avg. Disk Queue Length
% Disk Time.


Practice: Using the Performance Console



Recording the Performance Data

Importing Logged Data


Lesson 3: Using Task Manager



Task Manager Overview

Applications Tab

Processes Tab

Performance Tab

Networking Tab

Users Tab


Task Manager Overview



Displays information about:

Programs and processes running on your computer
Status of running programs
Your computer's performance (a dynamic overview)
Network status
Number of users connected to the computer and what they are working on; administrators can also send them a message


Applications Tab

The Applications tab shows the status of the user-level programs running on the computer.

Services and system applications running in a context different from that of the logged-on user are not displayed.

On the Applications tab you can also start a new program with New Task, end a program with End Task, or switch to another program using Switch To.

By right-clicking an application, you can also select Go To Process from the shortcut menu, which takes you to the corresponding process on the Processes tab.


Processes Tab

The Processes tab shows information about all processes running on your computer, including user-level applications, services, and other system processes.

By choosing Select Columns from the View menu, you can add or remove columns of data, including memory usage changes (deltas), process IDs, and processor use.

By right-clicking any process, you can change the priority of processor time that the process receives, set the processor affinity on multiple-processor computers, and end a process.

For processes that have child or related processes, you can end all related processes by choosing End Process Tree.

Performance Tab

The Performance tab displays a real-time view of key elements of your computer's performance.

Graphs are presented for each processor on the system and for memory usage.

Text displays show physical, kernel, and commit memory; the number of handles and threads in use by active processes is also displayed.


Networking Tab

The Networking tab shows all active network connections by name, their connection speed, bandwidth usage, and status.


Users Tab

The Users tab shows all users who are logged on, and allows for the logoff or forced disconnection of a user from the computer.

Logged-on users may be local at the console or remotely attached from the network.

Network messages can be sent to remote users (it certainly is polite to tell them before you disconnect them) by selecting the user's session and then clicking Send Message.


Practice: Task Manager



Using Task Manager


Lesson 4: Using the WMI Event Logging Provider

How WMI Works

Using WMIC Monitoring


How WMI Works



WMI sources of information output information about their components (devices, services, applications, and so on) to the WMI Object Manager, which enters the information into the WMI database.

Depending on what is accepted as input and returned as output by each provider, administrators can use methods to manipulate the components, set properties, and configure events that alert administrators to changes in the components.

The WMI Repository can be accessed by management tools supplied by a system, an application, or the Windows Management Interface Command-line (WMIC).

Windows Management Interface Command-line (WMIC)

WMIC provides a command-line interface to WMI, and can be used to manage, locally or remotely, any computer with WMI that can authenticate the user running WMIC.

For WMIC to manage a remote computer, only WMI needs to be on the local computer from which the monitoring activity will be accomplished.

WMIC does not have to be available on the remotely managed computer.

WMIC can be used for various types of tasks:

Local management of a computer
Remote management of a computer
Remote management of multiple computers
Administrative scripting

Using WMIC Monitoring



PRODUCT

/OUTPUT:c:\applog.htm NTEVENT WHERE "eventtype<3 AND logfile='Application'" GET Logfile, SourceName, Eventtype, Message, TimeGenerated /FORMAT:htable:"sortby=EventType"

/OUTPUT:c:\applog.csv /NODE:@"c:\serverlist.txt" NTEVENT WHERE "eventtype<3 AND logfile='Application'" GET Logfile, SourceName, Eventtype, Message, TimeGenerated /FORMAT:csv:"sortby=EventType"

OS ASSOC
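The multi-server CSV export above (c:\applog.csv) is only useful once someone reads it, so here is an added example, not part of the original slides, that triages such a file: it decodes the EventType codes selected by "eventtype<3", converts the CIM-format TimeGenerated values to UTC, and counts events per server and source. The sample rows and server names are constructed, and the handling of unquoted commas inside Message is an assumption about how the export looks.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Win32_NTLogEvent EventType values; the slide's filter "eventtype<3" keeps 1 and 2.
EVENT_TYPES = {1: "Error", 2: "Warning", 3: "Information",
               4: "Audit Success", 5: "Audit Failure"}

# Constructed sample of c:\applog.csv (server names and events are invented).
SAMPLE = """\
Node,EventType,Logfile,Message,SourceName,TimeGenerated

SRV01,1,Application,Faulting application app.exe, version 1.0.0.0,Application Error,20040312101500.000000+330
SRV01,2,Application,Profile unload delayed,Userenv,20040312101730.000000+330

SRV02,1,Application,Faulting application app.exe, version 1.0.0.0,Application Error,20040312044600.000000-000
"""

def parse_dmtf(stamp):
    """Convert a CIM datetime (yyyymmddHHMMSS.mmmmmm+UUU, offset in minutes) to UTC."""
    local = datetime.strptime(stamp[:21], "%Y%m%d%H%M%S.%f")
    offset = timedelta(minutes=int(stamp[21:]))
    return (local - offset).replace(tzinfo=timezone.utc)

def parse_events(text):
    """Yield one dict per event, folding stray commas back into Message."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]  # skip blank lines
    header, msg = rows[0], rows[0].index("Message")
    for row in rows[1:]:
        extra = len(row) - len(header)   # > 0 when Message contained commas (assumed unquoted)
        if extra < 0:
            continue                     # truncated row: skip rather than misalign columns
        fixed = row[:msg] + [",".join(row[msg:msg + extra + 1])] + row[msg + extra + 1:]
        event = dict(zip(header, fixed))
        event["EventType"] = EVENT_TYPES.get(int(event["EventType"]), "Unknown")
        event["TimeGenerated"] = parse_dmtf(event["TimeGenerated"])
        yield event

def summarize(text):
    """Count events per (server, source, severity) so recurring faults stand out."""
    return Counter((e["Node"], e["SourceName"], e["EventType"]) for e in parse_events(text))

if __name__ == "__main__":
    for (node, source, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"{node:8} {kind:8} {source:20} {n}")
```

Normalising every timestamp to UTC is what lets events from servers in different time zones be placed on one timeline.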


Practice: WMI Data from Event Viewer



Extract Data from Event Viewer


Design & Published by:


CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No.7,
MIDC, Marol, Andheri (E), Mumbai 400093, Tel: 91-22-28216511, 28329198
Email: [email protected]
www.cmsinstitute.co.in
