11.1. Performance Monitoring

Windows Reliability and Performance Monitor combines the functionality of the following tools, which were previously only available as stand-alone tools:

- Performance Logs and Alerts
- Server Performance Advisor
- System Monitor

The table below describes the components of Windows Reliability and Performance Monitor.

Component: Resource View
Description: The resource view shows you real-time statistics for the following categories:
  - CPU
  - Disk
  - Network
  - Memory
  To view details, expand each node. Resource View is a default view of important system information, but it cannot be customized and only shows current statistics (data is not saved).

Component: Reliability Monitor
Description: The Reliability Monitor shows you a historical record of system changes and events. Reliability Monitor tracks:
  - Application installs and uninstalls
  - Application and Windows failures
  - Hardware failures
  Information is reported for each day over a one-year period. Each day is assigned a System Stability Index number, which identifies how stable the system is: 1 is the least stable and 10 is the most stable. Daily indexes are shown on a chart, with additional detail available for each day.

Component: Performance Monitor
Description: Performance Monitor (formerly System Monitor) displays current system statistics. You track performance by using objects and counters:
  - An object is a statistic group, often corresponding to a specific type of hardware device or software process (such as physical disk or processor statistics).
  - A counter is a specific statistic you can monitor. For example, for the PhysicalDisk object, you can monitor counters such as % Disk Read Time or % Idle Time.
  Be aware of the following:
  - Performance Monitor shows real-time statistics.
  - You can customize the statistics you want to view.
  - You can save the current statistics, but you cannot use Performance Monitor to capture data over long periods of time.

Component: Data Collector Sets
Description: A Data Collector Set is a group of objects and counters that can be used to capture system performance statistics over a period of time. A Data Collector Set includes one or more data collectors, which identify the specific objects and counters you want to track. There are four types of data collectors:
  - Use a performance counter data collector to save system statistics over time in a log. Logs can be saved in different formats:
    o Use text files (comma- or tab-delimited) to import data into a spreadsheet program.
    o Use binary files to save data that is intermittent. Select a circular file to save all data into a single file, overwriting the contents when the log is full.
    o Use SQL database files to import statistics into SQL Server in order to perform data comparisons or data archival.
  - Use an event trace data collector to capture events logged by software processes.
  - Use a configuration data collector to monitor the state of, and changes to, registry keys.
  - Use a performance counter alert to configure triggers that take an action when a counter reaches a threshold value. When you configure an alert you specify:
    o The counter you want to watch.
    o A threshold limit (a counter value that you want to watch for).
    o An action to take when the threshold value is reached. For example, you can write an event to a log, send a message, or run a program.
  The system comes with four default collector sets, and you can also define your own custom collector sets.

Be aware of the following when using the Reliability and Performance Monitor:

- You can run the Reliability and Performance Monitor on one system and connect to a remote system to view statistics for the remote computer. The remote computer must be running the Remote Registry service.
- Run Perfmon to open Performance Monitor from the command prompt.
- Run Perfmon /sys to open Performance Monitor in stand-alone mode. When in stand-alone mode, you can compare multiple logs by overlaying each log onto a base log. This lets you compare statistics between logs (use the Compare option).
- You can view data in multiple logs in Performance Monitor by using the View Log Data option and selecting all logs you want to view.
- Use a Data Collector Set to capture and save statistics over time. Resource View and Performance Monitor only show recent statistics.
- Use Performance Monitor to customize the current statistics that you see.
- Using a collector set, you can start and stop multiple data collectors at a time.
- When configuring data collector sets:
  o The Data Collector Set schedule specifies how often to start a collection task. For example, you can configure the collector to start every day at a specific hour.
  o To collect data for a specified amount of time, configure the overall duration on the Stop Condition tab of the Data Collector Set. Once the collectors in the data collector set start, they will automatically stop when the duration period is reached. Note: By default, the stop duration of a Data Collector Set is 1 minute. To make the Data Collector Set run continuously, set the overall duration to 0 seconds or deselect the Overall duration option.
  o To control how frequently a counter is sampled, configure the sample interval on the Performance Counters tab of the Data Collector. For example, you can configure the collector to get information every 15 minutes.
  o The limit duration setting for the stop condition of a Data Collector Set controls when new log files are created. For example, configuring a limit duration of 5 minutes would create a new log file every 5 minutes.
  o Use the When a limit is reached, restart the data collector set option to break the log file into multiple files. When the duration or maximum size is reached, a new log file is created.
- Use the Relog command to combine multiple logs or to segment large logs.

Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+ E-mail: Mob: (+972)
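The Data Collector Set options above (sample interval, overall duration, limit, file format) and a performance counter alert, as an added PowerShell example that is not part of the original notes: it uses logman (the command-line counterpart of the Data Collector Set UI, not mentioned in the notes), Get-Counter for the alert, and relog to merge the segmented logs; the set name, output folder, counters and thresholds are assumptions.

```powershell
# Added example, not from the original notes. Assumed values: DCS name "DiskHealth",
# output folder C:\PerfLogs, the counters and thresholds below.
$dcsName  = 'DiskHealth'
$outPath  = 'C:\PerfLogs\DiskHealth'
$counters = @(
    '\PhysicalDisk(_Total)\% Idle Time',
    '\PhysicalDisk(_Total)\% Disk Read Time',
    '\Processor(_Total)\% Processor Time'
)

# Performance counter data collector: sample every 15 s (-si), binary log (-f bin),
# stop after 1 hour (-rf = the Stop Condition "overall duration"), and start a new
# file every 10 minutes or at 50 MB (-cnf / -max = the "limit ... restart" option).
logman create counter $dcsName -c $counters -si 00:00:15 -f bin -max 50 `
    -o $outPath -rf 01:00:00 -cnf 00:10:00
logman start $dcsName

# Performance counter alert: watch counters, compare against a threshold and
# return the breaches so an action can be taken on them.
function Test-CounterThreshold {
    param(
        [hashtable]$Thresholds,      # counter path -> maximum acceptable value
        [int]$SampleInterval = 15,
        [int]$MaxSamples = 4
    )
    $breaches = @()
    $samples = Get-Counter -Counter @($Thresholds.Keys) `
        -SampleInterval $SampleInterval -MaxSamples $MaxSamples
    foreach ($set in $samples) {
        foreach ($s in $set.CounterSamples) {
            # Get-Counter returns machine-qualified paths (\\host\...), so match by suffix
            $key = $Thresholds.Keys |
                Where-Object { $s.Path.EndsWith($_, 'OrdinalIgnoreCase') } |
                Select-Object -First 1
            if ($key -and $s.CookedValue -gt $Thresholds[$key]) {
                $breaches += [pscustomobject]@{
                    Time    = $set.Timestamp
                    Counter = $key
                    Value   = [math]::Round($s.CookedValue, 2)
                    Limit   = $Thresholds[$key]
                }
            }
        }
    }
    return $breaches
}

# Action for the alert: write an event to the Application log (assumed source name).
$limits = @{
    '\Processor(_Total)\% Processor Time'  = 90
    '\PhysicalDisk(_Total)\% Disk Read Time' = 80
}
$source = 'PerfAlert'
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
foreach ($b in (Test-CounterThreshold -Thresholds $limits)) {
    Write-EventLog -LogName Application -Source $source -EventId 1001 -EntryType Warning `
        -Message ('{0} was {1} (limit {2}) at {3}' -f $b.Counter, $b.Value, $b.Limit, $b.Time)
}

# Relog: combine the segmented binary logs written by the collector into one file.
$logs = Get-ChildItem "$outPath*.blg" | Select-Object -ExpandProperty FullName
if ($logs) { relog @logs -f BIN -o "$outPath-merged.blg" }
```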
11.2. Event Logs

Event logs record actions that occur on and affect your machine. You access and manage event logs through Event Viewer. Use the Event Viewer snap-in to view and manage local and remote logs. To manage logs and read events from the command prompt, use Wevtutil.

Windows Server 2008/2012/2016 includes many default event logs that are used for the system and various server roles. Common event logs include the following:

Log: Application
Description: The Application log contains a list of all application-related events such as application installations, uninstallations, and application errors.

Log: Security
Description: The Security log contains a list of all security-related events such as security modifications and user login events. Where programmers use code to determine what types of events are recorded by an application in the Application log, an administrator can determine what types of security events to log. You can, for example, enable logon auditing to record logon attempts. You can also examine the Security log to find the results for system audits.

Log: System
Description: The System log contains a list of all system-related events such as system modifications, malfunctions, and errors.

Log: Setup
Description: This is a new log available in Windows Server 2008/2012/2016 and Windows Vista/7/10. It records events related to application setup.

Log: Forwarded Events
Description: This is also a new log. You can use it to store events gathered from remote systems through event subscriptions. Event subscriptions allow you to collect data on events from multiple remote machines. Through the event subscription, you can specify which events to collect and which log to store them in. To configure event subscriptions, you need to make sure Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) are running on the machines that are forwarding and collecting events.

Additional logs are often added as you add roles and services. Applications can also use custom logs for application-related events. The Applications and Services category includes the following logs: Admin, Operational, Analytic, Debug. By default, the Analytic and Debug logs are hidden and disabled. Use the View menu to display these logs. Once displayed, right-click the log to enable it, or run wevtutil sl Analytic /e:true.

The following table describes various features available with event logs.

Feature: Log size
Description: You can configure a size limit on each log, as well as the action to take when that size limit is reached. Possible actions are:
  - Overwrite events. As new events are logged, the oldest events are overwritten. This is the default setting.
  - Archive the log. With this option, the current log is saved and a new log is created automatically.
  - Stop logging events. Using this option, new events are no longer saved. You must manually clear the log before new events are logged.

Feature: Save events
Description: Saving a log places all events in a file. Saving a log lets you archive the log for later analysis. You can open a saved log on another computer. After you open a saved log, you can filter and search events in the log. The default extension for saved logs is .evt.

Feature: Filter events
Description: When viewing events in Event Viewer, you can filter events to show only events of a specific type, severity, or other characteristics. For example, you can filter by time, event level, event ID, user, or computer. The filter applies only to the selected log. To remove a filter, right-click the log and select Clear Filter. The filter is removed if you close Event Viewer. If you save a filtered log, only the filtered events are saved. To save the entire log, clear the filter before saving.

Feature: Custom views
Description: A custom view is a saved filter. Custom views are saved between Event Viewer sessions, and are available each time you use Event Viewer.
  - Event Viewer comes with several predefined custom views: Administrative Events, Active Directory Domain Services, File Server, Print Services.
  - Custom views apply filter criteria to one or more event logs. The filter criteria for a custom view are similar to those for a filter, but also include the log(s) you want to include in the view.
  - You can filter a custom view to show only events that meet the specified filter criteria.
  - You can create a custom view from a filtered log. When you create the custom view, the filter criteria applied to the selected log are included in the custom view criteria.
  - You cannot clear the events in a custom view. Instead, clear the events in the original log file.
  - You can export a custom view and import it on another system. This exports and imports the custom view criteria, not the events showing in the view. To save the events showing in a custom view, use the Save Events in Custom View As... option.

Feature: Attach a Task
Description: You can attach a task to an event or a log to receive notification or take other actions when an event is logged.
  - Tasks attached to a log or a custom view execute the action when any event is added to the log or the custom view.
  - Tasks attached to an event execute the action whenever an event with that ID, source, and log occurs.
  - Actions that you can take are:
    o Run a program
    o Send an e-mail
    o Display a message

Feature: Event Log Online Help
Description: Each event has a URL with the text Event Log Online Help. By default, clicking this link sends information about the event, such as the Event ID and source, to Microsoft. The default browser is then opened with additional information (if any) from the Microsoft website. You can customize the behavior of this link as follows:
  - You can associate a custom URL with a specific event ID.
  - You can send the information to a server other than the Microsoft server.
  - You can disable the link and prevent data from being sent over the Internet.
  To associate a custom URL, edit the registry or create an entry in the instrumentation manifest. Use Group Policy to redirect the link to another server or to disable the link.
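The log-size actions, the Analytic-log enable command and the filter/custom-view features described above, as an added PowerShell example that is not part of the original notes: it sets the size and full-log action with wevtutil, filters the Security log for failed logons (event ID 4625) with Get-WinEvent, and expresses the same filter as the XML a custom view exports; the 64 MB size, the Analytic log name and the output path are assumptions.

```powershell
# Added example, not from the original notes. Assumed: 64 MB logs, a placeholder
# Analytic log name, and C:\Logs as the export folder.

# Log size and the action to take when the limit is reached
# (/ms = maximum size in bytes, /rt = retention, /ab = auto-backup when full).
wevtutil sl Security /ms:67108864 /rt:true /ab:true      # "Archive the log"
wevtutil sl Application /ms:67108864 /rt:false           # "Overwrite events" (default)
# The equivalent cmdlet for the classic logs:
Limit-EventLog -LogName System -MaximumSize 64MB -OverflowAction OverwriteAsNeeded

# Enable a hidden Analytic log (the notes' "wevtutil sl <log> /e:true" form).
wevtutil sl 'Microsoft-Windows-PLACEHOLDER/Analytic' /e:true

# Filter: failed logons (4625) in the last N hours, summarised by account and source.
function Get-FailedLogonSummary {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # EventData carries the account and source address as named <Data> elements
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $d['TargetUserName']
            Source  = $d['IpAddress']
            Status  = $d['Status']
        }
    }
    $rows | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize

# The same criteria as the XML a custom view exports (usable with -FilterXml):
# event ID 4625 from the Security log within the last 24 h (timediff is in ms).
$customView = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@
Get-WinEvent -FilterXml $customView -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName

# Save only the filtered events to a file from the command line (the notes' "Save events").
New-Item -ItemType Directory -Path 'C:\Logs' -Force | Out-Null
wevtutil epl Security 'C:\Logs\failed-logons.evtx' /q:"*[System[(EventID=4625)]]"
```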
11.3. Event Subscription

Use Event Subscriptions to view a set of events stored in multiple logs on multiple computers. To create subscriptions, you must configure both the source (the computer where the event is generated) and the collector (the computer where the events are sent). Thus, when you create an event subscription, events are sent from the source computer to the collector computer. The events are saved on the collector computer, where they can be manipulated in the event logs like any other events. The event subscription allows you to define which events to collect and in which logs the events are stored.

Event subscriptions use the following services:

- Windows Remote Management (WinRM)
- Windows Event Collector (Wecsvc)

Event subscriptions work on both Windows Vista and Server 2008 systems. After the source and collector are configured with the above services running, you can define the events to collect through the subscription. It allows you to determine the following:

- The log where events are saved. By default, this is the ForwardedEvents log.
- The subscription type and source computers:

  Subscription Type: Collector initiated
  Description: The collector computer contacts the subscribed computers and lets them know of the subscription details.

  Subscription Type: Source computer initiated
  Description: The subscription is configured on each computer separately.

  Note: After the subscription is created, you can't change the subscription type. If you wish to modify it, you must delete and recreate the subscription.

- The events to collect. These use the same filter criteria as a custom view: event type, specific logs, user/computer, event IDs.
- The user account with read access to the source logs. By default, this is the collector computer account, but you can change it to a user account through the Specific User option. You need to make sure the user account is a member of the local Administrators group on each source computer. You can do that when you configure the subscription. You can also use the wevtutil sl command-line command to give an account access to individual logs.
- Delivery optimization options, described in the table below.

  Option: Normal
  Description: Unless you need tight control over bandwidth or need forwarded events delivered as quickly as possible, you should use normal delivery mode. By default, normal delivery uses pull delivery mode (the collector contacts the source when it wants events), batches 5 items at a time, and sets a batch timeout of 15 minutes.

  Option: Minimize bandwidth
  Description: You can use this option to control the use of bandwidth for event delivery. By default, it uses push delivery mode (the source sends events to the collector on a regular basis) and sets a batch timeout of 6 hours with a heartbeat interval of 6 hours.

  Option: Minimize latency
  Description: You can use this option to ensure that events are forwarded to you as quickly as possible. By default, it uses push delivery mode and sets a batch timeout of 30 seconds.

  Option: Custom
  Description: The Custom option is available if you are using Event Viewer to manage a subscription that was created with the wecutil command-line command (or another method). You cannot use Event Viewer to create or manage custom event delivery. If the Custom option is available, you know that the subscription is using delivery settings that do not correspond to those supported by Event Viewer.

- The protocol by which the source and collector communicate. By default, this is HTTP, which uses port 80. However, you can change the protocol to HTTPS, which uses port 443.

After you have created the subscription, you can use the Runtime Status link to check communication with the remote servers.

To configure event subscriptions, do the following:

1. Run the winrm quickconfig command on the source computer. (Note: You must also run winrm quickconfig on the collector if the collector is to use delivery optimization options other than Normal.)
2. On the collector, do the following:
   o Run the wecutil qc command.
   o Open Event Viewer and configure the event subscriptions. You must be running Event Viewer locally, not connected remotely from another computer.
3. On the source computer, add the collector computer account to the local Administrators group (or the account specified in the subscription).
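The collector-initiated procedure above, carried out from the command line instead of Event Viewer, as an added PowerShell example that is not part of the original notes: the subscription is written as the XML that wecutil cs accepts, with the delivery mode from the table and ForwardedEvents as the destination log; the subscription name, source host names and event IDs are assumptions.

```powershell
# Added example, not from the original notes. Assumed: two source servers
# (srv1/srv2.corp.example), subscription name "LogonsFromServers".

# Step 1 (on each source) and step 2a (on the collector): enable WinRM and the
# Windows Event Collector service. -q / /q run without prompting.
winrm quickconfig -q
wecutil qc /q

# Step 2b, done with wecutil instead of Event Viewer: a collector-initiated
# subscription. CredentialsType=Default means the collector's computer account reads
# the source logs, which is why step 3 puts that account into local Administrators.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LogonsFromServers</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Successful and failed logons from member servers</Description>
  <Enabled>true</Enabled>
  <!-- Delivery optimization: Normal | MinBandwidth | MinLatency | Custom -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>srv1.corp.example</Address></EventSource>
    <EventSource Enabled="true"><Address>srv2.corp.example</Address></EventSource>
  </EventSources>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'LogonsFromServers.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# The delivery mode can be changed later without recreating the subscription
# (the subscription type cannot):
wecutil ss LogonsFromServers /cm:MinBandwidth

# Same check as the Runtime Status link: per-source connection state and last error.
wecutil gr LogonsFromServers

# Confirm events are landing in the destination log on the collector.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624, 4625 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, MachineName, Id
```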
11.4. Network Monitor

Network Monitor is a protocol analyzer. Use Network Monitor to capture, view, and analyze network traffic. Be aware of the following when using Network Monitor:

- Network Monitor captures packets (or packet fragments) and their contents.
- You enable packet capturing on specific network interface cards. When enabled on a NIC, Network Monitor captures all traffic sent to and from that NIC.
- Enable p-mode (promiscuous mode) to capture all packets regardless of the destination MAC addresses. Be aware, however, that even with p-mode enabled, you will only see packets sent to or from the local device if devices are connected through a switch (switches only forward packets to the switch port that holds the destination device).
- Configure filters to specify which packets to display or capture.
  o A display filter shows only the packets specified by the filter. Using a display filter does not affect the data that is in the capture file.
  o A capture filter captures only the packets specified by the filter. If the packet type you are looking for is not in the capture file after using a capture filter, you must reconfigure the filter and recapture.
- You can add filter criteria by right-clicking a value in the display and selecting Add Cell to Display Filter. After adding the filter criteria, be sure to click the Apply button to make the filter active.
- To see computer names instead of MAC addresses, configure aliases. Each alias associates a name and comment with a MAC address.
- Enable the use of conversations to group frames based on attributes.
  o The criteria used to group conversations are defined by the parser used. For example, the TCP parser defines a conversation as frames using the TCP protocol, with the same source and destination address, and with the same source and destination port.
  o Enabling conversations applies the groupings to new captures, but not existing ones.
  o The conversation feature requires a lot of memory during the capture.
  o Frames can be associated with multiple conversations.
- Network Monitor uses parsers to differentiate between packet types. New parsers included with Network Monitor allow for analyzing IPv6, PPPoE and SOAP. The Network Parsing Language (NPL) allows developers to build custom parsers, which can then be added to Network Monitor to extend its capabilities.
- Version 3.1 is required for full Windows Vista support and version 3.4 for 7/10.
- Network Monitor can now capture VPN/RAS traffic. For example, you can trace traffic inside your VPN tunnel.
- Network Monitor can now capture wireless management and data frames, allowing you to scan specific wireless channels to measure signal strength and speed.
- Nmcap.exe is the command-line version of Network Monitor.
- You must run Network Monitor as an administrator or as a member of the Netmon Users group.
- Running Network Monitor on a production system can result in adverse system performance. Instead, run Network Monitor on another computer that communicates with the server you want to analyze.
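The capture-filter, conversation-memory and stop-condition points above, as an added PowerShell example that is not part of the original notes: it runs nmcap (the command-line version named in the notes) from a second machine against traffic to one server; the server address (documentation range), capture folder, duration and the nmcap install path are assumptions.

```powershell
# Added example, not from the original notes. Assumed: server 192.0.2.10, capture
# folder C:\Captures, nmcap installed in the default Network Monitor 3 folder.
$serverIp   = '192.0.2.10'
$captureDir = 'C:\Captures'
$nmcap      = Join-Path $env:ProgramFiles 'Microsoft Network Monitor 3\nmcap.exe'
New-Item -ItemType Directory -Path $captureDir -Force | Out-Null

# Capture filter: only frames matching it are written. Anything it excludes is not
# in the file, so a later display filter cannot recover it; recapture instead.
$captureFilter = "ipv4.address == $serverIp and tcp.port == 445"

# .chn with a size = a chain of 50 MB files rather than one large capture file.
$chain = Join-Path $captureDir 'smb-to-server.chn:50M'

function Start-ServerCapture {
    param([string]$Filter, [string]$Output, [int]$Minutes = 30)
    # /network *           capture on every adapter of this (non-production) machine
    # /DisableConversations lower memory use during a long capture (the notes' caveat)
    # /StopWhen /TimeAfter  stop condition, so the capture cannot run unattended forever
    & $nmcap /network * /capture $Filter /file $Output /DisableConversations `
        /StopWhen /TimeAfter $Minutes min
    return $LASTEXITCODE
}

# Run the capture, then list the chain files it produced.
$rc = Start-ServerCapture -Filter $captureFilter -Output $chain -Minutes 30
if ($rc -ne 0) { Write-Warning "nmcap exited with code $rc" }
Get-ChildItem $captureDir -Filter 'smb-to-server*.cap' |
    Select-Object Name, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
```

Open the chain in Network Monitor and apply a display filter such as `tcp.flags.syn == 1` to narrow what is shown; the file contents are unchanged by it.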
11.5. SNMP

Simple Network Management Protocol (SNMP) is used to monitor network-attached devices for conditions that warrant administrative attention. The components that make up an SNMP system are listed in the following table:

Component: Managed devices
Description: The network nodes in a managed network are called managed devices.

Component: SNMP agent
Description: An SNMP agent is the software that is installed on managed devices. The agent gathers information about the device and can send information or respond to requests for information from other devices.

Component: SNMP manager
Description: The SNMP manager collects and consolidates the data and information gathered by the SNMP agents.

Component: Network Management Station (NMS)
Description: A Network Management Station (NMS) is the computer used to run the SNMP manager software, which processes information from SNMP managers. The NMS sends requests for information to the agents running on individual devices. You can also use special management tools running on the NMS to view and analyze data collected from multiple agents.

Component: Management Information Base (MIB)
Description: The Management Information Base (MIB) is a type of database used to manage the devices in a communications network by defining the parameters that the SNMP agents will monitor and by storing the collected data. The different types of information contained in the MIB are:
  - The name of the object.
  - The type of data contained about the object.
  - Whether the device must provide information when polled.
  - How the object can be used (i.e. read-only or read-write).
  - A description of the object and how it is used.

Communication between agents and managers can occur in two different ways:

- Polling is a method in which the management system sends a request to each of the different agents. It requests specific information using the structures defined in the MIB. The SNMP management system then gathers that information for the system administrator to view and create reports from.
  o Get (read) requests are messages that request information from an agent.
  o Set (write) requests modify data in the MIB on the agent.
  o Traversal operations are requests by the NMS for a list of variables that are supported by the agent.
- Traps are messages (similar to alarms) sent to the NMS by the agent. The administrator specifies traps on the agents. If the trap criteria are met, the agent sends a message immediately to the management system using UDP port 162. Most organizations have stopped using traps and only use polling due to the security vulnerability posed by trap authentication.

Note: It is not possible to send commands to an agent using SNMP. However, you can set (write) a value to the MIB on an agent, and the agent software could then be configured to perform an action based on the value in the database.

Access to a managed device is controlled through the community name. The community name is like a password. Any device that knows the community name has access to the agent. To connect to an agent, simply supply a valid community name.

Note: When you first configure an agent, it might be configured with a default community name of PUBLIC or PRIVATE. If you do not change this community name, anyone who can guess the well-known community name will be allowed access to the information on the agent.

Each community name is associated with a community right:

  o NONE does not allow SNMP access.
  o NOTIFY configures the agent to support sending traps, but not receiving messages.
  o READ ONLY configures the device to accept Get but not Set commands.
  o READ WRITE configures the device to accept both Get and Set commands.
  o READ CREATE allows the host to create new entries in SNMP tables.

The community name and rights must be configured on each agent. You can define multiple community names on each device. For example, you can define one community with read-only access and a different community with read-write access.

Note: Because the community name offers very little security, many network administrators will allow only read-only access.

Be aware of the following when using SNMP:

- Windows Vista/7/10 and Server 2008/2012/2016 systems come with the SNMP Trap service already installed. You must manually add the SNMP Agent service.
  o On Vista/7/10 systems, use the Programs and Features applet in the Control Panel to turn on SNMP.
  o On Server 2008/2012/2016 systems, use Server Manager and add a feature.
- After the SNMP agent has been added, edit the properties of the service in the Services console.
  o Use the settings on the Security tab to define the community name and rights, and to identify the hosts from which SNMP packets are accepted. Enable the Send authentication trap option to send a trap when an SNMP authentication request is made using the wrong community name.
  o Use the Traps tab to enable traps for a specific community, and to identify where traps are to be sent.

Sergey Gorokhod MCT/MCSE/MCITP/MCTS/MCSA/CCSE/CCSA/CCNA/A+ E-mail: Mob: (+972)
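The agent settings described above (community names and rights, accepted hosts, authentication traps, trap destinations), as an added PowerShell example that is not part of the original notes: it writes the same settings the service's Security and Traps tabs control through the SNMP service's registry keys, removes the well-known default communities and leaves one read-only community accepted from a single NMS; the NMS address (documentation range) and the community placeholder are assumptions.

```powershell
# Added example, not from the original notes. Assumed: NMS at 192.0.2.50; the
# community name below is a placeholder to replace with a long random string.
$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$nms       = '192.0.2.50'
$community = 'REPLACE-WITH-LONG-RANDOM-STRING'

# Community rights as stored in the ValidCommunities DWORD values.
$rights = @{ 'NONE' = 1; 'NOTIFY' = 2; 'READ ONLY' = 4; 'READ WRITE' = 8; 'READ CREATE' = 16 }

# Add the agent on a server (Server Manager "add a feature" equivalent).
if (-not (Get-Service -Name SNMP -ErrorAction SilentlyContinue)) {
    Install-WindowsFeature -Name SNMP-Service | Out-Null
}
foreach ($k in 'ValidCommunities', 'PermittedManagers') {
    New-Item -Path "$params\$k" -Force | Out-Null
}

# Security tab, community names: drop the well-known defaults, keep one READ ONLY community.
foreach ($c in 'public', 'private') {
    Remove-ItemProperty -Path "$params\ValidCommunities" -Name $c -ErrorAction SilentlyContinue
}
New-ItemProperty -Path "$params\ValidCommunities" -Name $community `
    -PropertyType DWord -Value $rights['READ ONLY'] -Force | Out-Null

# Security tab, accepted hosts: numbered string values ("1", "2", ...); only the NMS.
$pm = "$params\PermittedManagers"
foreach ($name in (Get-Item $pm).Property) { Remove-ItemProperty -Path $pm -Name $name }
New-ItemProperty -Path $pm -Name '1' -PropertyType String -Value $nms -Force | Out-Null

# "Send authentication trap" for requests with a wrong community name, and the
# Traps tab destination list for this community.
Set-ItemProperty -Path $params -Name EnableAuthenticationTraps -Value 1 -Type DWord
$trapKey = "$params\TrapConfiguration\$community"
New-Item -Path $trapKey -Force | Out-Null
New-ItemProperty -Path $trapKey -Name '1' -PropertyType String -Value $nms -Force | Out-Null

Restart-Service -Name SNMP

# Read back the effective community/rights pairs to confirm no default community remains.
function Get-SnmpCommunityRights {
    $key = Get-Item "$params\ValidCommunities"
    foreach ($name in $key.Property) {
        $value = $key.GetValue($name)
        $label = ($rights.GetEnumerator() | Where-Object { $_.Value -eq $value }).Key
        [pscustomobject]@{ Community = $name; Rights = $label; RawValue = $value }
    }
}
Get-SnmpCommunityRights | Format-Table -AutoSize
```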