Windows Server 2008 Inside Out- P8

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50


Reference document 'windows server 2008 inside out- p8', information technology, network administration, for study, research and effective work.


Text content: Windows Server 2008 Inside Out- P8

Chapter 11 Performance Monitoring and Tuning

Tracking a System's General Health

Table 11-1 Process Statistics and How They Can Be Used

Each entry gives the Task Manager column name, the matching Windows PowerShell property in parentheses, and a description of how the statistic can be used.

Base Priority (BasePriority): Shows the priority of the process. Priority determines how much of the system resources are allocated to a process. The standard priorities are Low (4), Below Normal (6), Normal (8), Above Normal (10), High (13), and Real-Time (24). Most processes have a Normal priority by default, and the highest priority is given to real-time processes.

CPU Time (TotalProcessorTime): Shows the total amount of CPU time used by the process since it was started. Click the column header to quickly see the processes that are using the most CPU time. If a process is using a lot of CPU time, the related application might have a configuration problem. This could also indicate a runaway or nonresponsive process that is unnecessarily tying up the CPU.

CPU Usage (CPU): Shows the percentage of CPU utilization for the process. The System Idle Process shows what percentage of CPU power is idle. A 99 in the CPU column for the System Idle Process means 99 percent of the system resources currently aren't being used. If the system has low idle time (meaning high CPU usage) during peak or average usage, you might consider upgrading to faster processors or adding processors.

Handles (HandleCount): Shows the number of file handles maintained by the process. The number of handles used is an indicator of how dependent the process is on the file system. Some processes have thousands of open file handles. Each file handle requires system memory to maintain.

Image Name (ProcessName): Shows the name of the process.

Image Path Name (Path): Shows the full path to the executable for the process.

Memory – Commit Size (VirtualMemorySize): Shows the amount of virtual memory allocated to and reserved for a process. Virtual memory is memory on disk and is slower to access than pooled memory. By configuring an application to use more physical RAM, you might be able to increase performance. To do this, however, the system must have available RAM. If it doesn't, other processes running on the system might slow down.

Memory – Non-Paged Pool (NonpagedSystemMemorySize): Shows the amount of virtual memory for a process that cannot be written to disk. The nonpaged pool is an area of RAM for objects that can't be written to disk. You should note processes that require a high amount of nonpaged pool memory. If there isn't enough free memory on the server, these processes might be the reason for a high level of page faults.

Memory – Paged Pool (PagedSystemMemorySize): Shows the amount of committed virtual memory for a process that can be written to disk. The paged pool is an area of RAM for objects that can be written to disk when they aren't used. As process activity increases, so does the amount of pool memory the process uses. Most processes have more paged pool than nonpaged pool requirements.
Memory – Peak Working Set (PeakWorkingSet): Shows the maximum amount of memory the process used, including both the private working set and the non-private working set. If peak memory is exceptionally large, this can be an indicator of a memory leak.

Memory – Working Set (WorkingSet): Shows the amount of memory the process is currently using, including both the private working set and the non-private working set. The private working set is memory the process is using that cannot be shared with other processes. The non-private working set is memory the process is using that can be shared with other processes. If memory usage for a process slowly grows over time and doesn't go back to the baseline value, this can be an indicator of a memory leak.

Memory – Working Set Delta: Shows the change in memory usage for the process recorded since the last update. A constantly changing memory delta can be an indicator that a process is in use, but it could also indicate a problem. Generally, the memory delta might show increasing memory usage when a process is being used and then show a negative delta (indicated by parentheses in Task Manager) as activity slows.

Page Fault Delta: Shows the change in the number of page faults for the process recorded since the last update. As with memory usage, you might see an increase in page faults when a process is active and then a decrease as activity slows.

Page Faults: Shows page faults caused by the process. Page faults occur when a process requests a page in memory and the system can't find it at the requested location. If the requested page is elsewhere in memory, the fault is called a soft page fault. If the requested page must be retrieved from disk, the fault is called a hard page fault. Most processors can handle large numbers of soft faults. Hard faults, on the other hand, can cause significant delays. If there are a lot of hard faults, you might need to increase the amount of memory or reduce the system cache size.

PID (Id): Shows the run-time identification number of the process.

Session ID (SessionId): Shows the identification number of the user session within which the process is running. This corresponds to the ID value listed on the Users tab.

Threads (Threads): Shows the number of threads that the process is using. Most server applications are multithreaded, which allows concurrent execution of process requests. Some applications can dynamically control the number of concurrently executing threads to improve application performance. Too many threads, however, can actually reduce performance, because the operating system has to switch thread contexts too frequently.
At a Windows PowerShell prompt, you can get key stats for all processes by following these steps:

1. Get all the processes running on the server and store them in the $a variable by entering:

   $a = get-process

2. Use the InputObject parameter to pass the process objects stored in $a to get-process and then pass the objects to the format-table cmdlet along with the list of properties you want to see by entering:

   get-process -inputobject $a | format-table -property ProcessName, BasePriority, HandleCount, Id, NonpagedSystemMemorySize, PagedSystemMemorySize, PeakPagedMemorySize, PeakVirtualMemorySize, PeakWorkingSet, SessionId, Threads, TotalProcessorTime, VirtualMemorySize, WorkingSet, CPU, Path

Note: The order of the properties in the comma-separated list determines the display order. If you want to change the display order, simply move the property to a different position in the list.

When you know the process you want to examine, you don't need to use this multistep procedure. Simply enter the name of the process without the .exe or .dll instead of using -inputobject $a. In this example, you list details about the explorer process:

   get-process explorer | format-table -property ProcessName, BasePriority, HandleCount, Id, NonpagedSystemMemorySize, PagedSystemMemorySize, PeakPagedMemorySize, PeakVirtualMemorySize, PeakWorkingSet, SessionId, Threads, TotalProcessorTime, VirtualMemorySize, WorkingSet, CPU, Path

You can enter part of a process name as well, using an asterisk as a wildcard to match a partial name. In this example, get-process lists any process with a name that starts with exp:

   get-process exp* | format-table -property ProcessName, BasePriority, HandleCount, Id, NonpagedSystemMemorySize, PagedSystemMemorySize, PeakPagedMemorySize, PeakVirtualMemorySize, PeakWorkingSet, SessionId, Threads, TotalProcessorTime, VirtualMemorySize, WorkingSet, CPU, Path

Some interesting additional properties you can use with get-process include:

MinWorkingSet: The minimum amount of working set memory used by the process
Modules: The executables and dynamically linked libraries used by the process
PeakVirtualMemorySize: The peak amount of virtual memory used by the process
PriorityBoostEnabled: A Boolean value that indicates whether the process has the PriorityBoost feature enabled
PriorityClass: The priority class of the process
PrivilegedProcessorTime: The amount of kernel-mode usage time for the process
ProcessorAffinity: The processor affinity setting for the process
Responding: A Boolean value that indicates whether the process responded when tested
StartTime: The date and time the process was started
UserProcessorTime: The amount of user-mode usage time for the process
Description: A description of the process
FileVersion: The file version of the process's executable

In Task Manager, you can stop processes that you suspect aren't running properly. To do this, right-click the process, and choose End Process to stop the process or End Process Tree to stop the process as well as any other processes it started. To stop a process at the Windows PowerShell prompt, you can use stop-process. The best way to use stop-process is to identify the process ID of the process that you want to stop rather than a process name. This ensures that you stop only the intended process rather than all instances of processes with a particular process name. You should also have stop-process prompt you to confirm how you want to proceed using the -confirm parameter. In the following example, you stop the process with the process ID 4524:

   stop-process -id 4524 -confirm

As you are confirming this action and passing through the output, you'll see a prompt asking you to confirm. You can then:

Press Y to answer Yes and confirm that you want to perform the action and continue.
Press A to answer Yes to all prompts and confirm that you want to perform all actions without further prompting.
Press N to answer No and skip the action and continue to the next action.
Press L to answer No to all prompts and confirm that you do not want to perform any actions.
Press N to answer No and confirm that you do not want to perform the action.
Press S to suspend the pipeline and return to the command prompt. To later return to the pipeline, type exit.
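The following script is an added example, not code from the book: it turns the Table 11-1 statistics and the get-process steps above into a repeatable health check. It samples the working set of every process twice, computes the per-process delta the table describes as a memory-leak indicator, flags processes with unusually many handles, and sorts by cumulative CPU time. The function name, the 10-second interval and the 5000-handle and 50 MB thresholds are this example's own assumptions; WorkingSet64 and PeakWorkingSet64 are the 64-bit-safe forms of the WorkingSet and PeakWorkingSet properties the book lists.

```powershell
# Added example: a two-sample process health report built on get-process.
# Thresholds and the sample interval are assumptions for illustration.

function Get-ProcessHealthReport {
    param(
        [int]$SampleSeconds = 10,      # seconds between the two working-set samples (assumption)
        [int]$HandleThreshold = 5000,  # flag processes holding more handles than this (assumption)
        [int]$GrowthThresholdMB = 50   # flag working-set growth above this between samples (assumption)
    )

    # First sample: Memory - Working Set, keyed by process ID
    $first = @{}
    Get-Process | ForEach-Object { $first[$_.Id] = $_.WorkingSet64 }

    Start-Sleep -Seconds $SampleSeconds

    # Second sample, joined to the first by process ID so the delta is per process
    Get-Process | ForEach-Object {
        $proc  = $_
        $delta = 0
        if ($first.ContainsKey($proc.Id)) { $delta = $proc.WorkingSet64 - $first[$proc.Id] }

        # CPU time and Path are not readable for every process (System, Idle),
        # so read them defensively instead of aborting the whole report
        $cpuTime = $null
        try { $cpuTime = $proc.TotalProcessorTime } catch { }
        $path = $null
        try { $path = $proc.Path } catch { }

        $flags = @()
        if ($proc.HandleCount -gt $HandleThreshold) { $flags += 'HighHandles' }
        if ($delta -gt ($GrowthThresholdMB * 1MB))  { $flags += 'WorkingSetGrowth' }

        New-Object PSObject -Property @{
            ProcessName        = $proc.ProcessName
            Id                 = $proc.Id
            SessionId          = $proc.SessionId
            BasePriority       = $proc.BasePriority
            HandleCount        = $proc.HandleCount
            Threads            = $proc.Threads.Count
            TotalProcessorTime = $cpuTime
            WorkingSetMB       = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            WorkingSetDeltaMB  = [math]::Round($delta / 1MB, 1)
            PeakWorkingSetMB   = [math]::Round($proc.PeakWorkingSet64 / 1MB, 1)
            Path               = $path
            Flags              = ($flags -join ',')
        }
    }
}

# Sort by cumulative CPU time, as the book suggests doing with the Task Manager column
Get-ProcessHealthReport |
    Sort-Object -Property TotalProcessorTime -Descending |
    Format-Table -Property ProcessName, Id, SessionId, HandleCount, WorkingSetMB, WorkingSetDeltaMB, TotalProcessorTime, Flags -AutoSize

# To stop a single misbehaving process, use its ID and ask for confirmation,
# as the book recommends (4524 is the book's example ID):
# stop-process -id 4524 -confirm
```

A single delta says little; a process whose WorkingSetDeltaMB stays positive across repeated runs while its activity is flat is the pattern the table describes as a leak indicator.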
Monitoring and Troubleshooting Services

You can view information about services running on a system by using the Services tab of Task Manager or by running get-service. By default, the Services tab shows all services configured on the system whether they are running, stopped, or in a different state. As shown in Figure 11-8, services are listed by name, process ID (PID), description, status, and group.

Figure 11-8 The Services tab provides detailed information on configured services.

As multiple services typically run under the same process ID, you can quickly sort services by their associated process ID by clicking the related column heading. You can click the Status column heading to sort services according to their status as Running or Stopped. If you right-click a service's listing in Task Manager, you display a shortcut menu that allows you to start a stopped service, stop a started service, or go to the related process on the Processes tab.

The Group column provides additional information about related identities or service host contexts under which a service runs. Services running under an identity with a restriction have the restriction appended. For example, a service running under the Local Service identity may be listed as LocalServiceNoNetwork to indicate that the service has no network access, or as LocalSystemNetworkRestricted to indicate that the service has restricted access to the network. Services hosted by svchost.exe list their associated context for the -k parameter. For example, the RemoteRegistry service runs with the command line svchost.exe -k regsvc, and you'll see an entry of regsvc in the Group column for this service.

At a Windows PowerShell prompt, you can get the status of configured services simply by entering get-service. By default, only the service status, internal name, and display name are shown. Additional properties that you can display include:

CanPauseAndContinue: Indicates whether the service can be paused and resumed
CanStop: Indicates whether you can stop the service
DependentServices: Lists the services that depend on this service
ServicesDependedOn: Lists the services on which this service depends

At a Windows PowerShell prompt, you can get the available details for all services by following these steps:

1. Get all the services running on the server and store them in the $a variable by entering:

   $a = get-service

2. Use the InputObject parameter to pass the service objects stored in $a to get-service and then pass the objects to the format-table cmdlet along with the list of properties you want to see by entering:

   get-service -inputobject $a | format-table -property Name, DisplayName, CanPauseAndContinue, CanStop, DependentServices, ServicesDependedOn, Status

When you know the service you want to examine, you don't need to use this multistep procedure. Simply enter the internal name of the service instead of using -inputobject $a. In this example, you list details about the TermService service:

   get-service TermService | format-table -property Name, DisplayName, CanPauseAndContinue, CanStop, DependentServices, ServicesDependedOn, Status

You can enter part of a service name as well, using an asterisk as a wildcard to match a partial name. In this example, get-service lists any service with a name that starts with term:

   get-service Term* | format-table -property Name, DisplayName, CanPauseAndContinue, CanStop, DependentServices, ServicesDependedOn, Status

To list services by display name, use the -displayname parameter and enclose the display name in quotation marks, such as:

   get-service -displayname "Terminal Services" | format-table -property Name, DisplayName, CanPauseAndContinue, CanStop, DependentServices, ServicesDependedOn, Status

You can use the following cmdlets to manage services:

Suspend-Service: Pauses a service
Resume-Service: Resumes a paused service
Start-Service: Starts a stopped service
Stop-Service: Stops a started service
Restart-Service: Stops and then starts a service

Typically, you'll use Restart-Service when you suspect a service is having a problem and you want to reset it.
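As an added example (not the book's own code), the script below joins get-service output with the Win32_Service WMI class so that one report shows what the Services tab and the get-service steps above show separately: the process ID, the svchost.exe -k group the book describes, the account the service runs as, its dependencies, and a flag for services set to start automatically that are not running, which is the usual reason to reach for Restart-Service. The function name, the output column names and the AutoStartButStopped flag are this example's assumptions.

```powershell
# Added example: a service health report combining Get-Service and Win32_Service.

function Get-ServiceHealthReport {
    param([string]$Name = '*')   # wildcard pattern, as with get-service Term*

    # Win32_Service carries the command line, start mode and account that Get-Service lacks
    $wmi = @{}
    Get-WmiObject -Class Win32_Service | ForEach-Object { $wmi[$_.Name] = $_ }

    Get-Service -Name $Name | ForEach-Object {
        $svc  = $_
        $info = $wmi[$svc.Name]

        # The Group column of Task Manager: the <group> from "svchost.exe -k <group>"
        $group = $null
        if ($info -and $info.PathName -match '-k\s+(\S+)') { $group = $matches[1] }

        $flags = @()
        if ($info -and $info.StartMode -eq 'Auto' -and $svc.Status -ne 'Running') {
            $flags += 'AutoStartButStopped'
        }

        $startMode = $null; $pid = $null; $account = $null
        if ($info) { $startMode = $info.StartMode; $pid = $info.ProcessId; $account = $info.StartName }

        New-Object PSObject -Property @{
            Name                = $svc.Name
            DisplayName         = $svc.DisplayName
            Status              = $svc.Status
            StartMode           = $startMode
            ProcessId           = $pid
            Account             = $account
            Group               = $group
            CanStop             = $svc.CanStop
            CanPauseAndContinue = $svc.CanPauseAndContinue
            DependentServices   = (@($svc.DependentServices | ForEach-Object { $_.Name }) -join ',')
            ServicesDependedOn  = (@($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ',')
            Flags               = ($flags -join ',')
        }
    }
}

# Services whose internal name starts with Term, as in the book's wildcard example
Get-ServiceHealthReport -Name 'Term*' |
    Format-Table -Property Name, Status, StartMode, ProcessId, Group, Account, ServicesDependedOn, Flags -AutoSize

# Every auto-start service that is currently stopped, server-wide
Get-ServiceHealthReport | Where-Object { $_.Flags -ne '' } | Format-Table -Property Name, DisplayName, Account, Flags -AutoSize

# Before resetting a service, -WhatIf shows what Restart-Service would do
# Restart-Service -Name TermService -WhatIf
```

Sorting the full report by ProcessId reproduces the Services tab view of which services share one svchost.exe host, and the Account column makes it easy to spot a service running under an identity you did not expect.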
Getting Network Usage Information

As Figure 11-9 shows, the Networking tab in Task Manager displays current network usage for each of the system's connections to the network.

Figure 11-9 Use the Networking tab to track network activity.

You can use the information provided to determine the following quickly:

The number of network adapters installed on the computer
The percentage of utilization of each network adapter
The link speed of each network adapter
The state of each network adapter

The network activity graph shows traffic going to and from the computer as well as how much of the network capacity is in use. If a system has one network adapter, the graph details network traffic on this adapter over time. If a system has multiple network adapters, the graph displays a composite index of all network connections, which represents all network traffic.

TROUBLESHOOTING
Get separate views of bytes received and sent for troubleshooting

For troubleshooting, it is sometimes useful to have separate views of traffic going to the computer (Bytes Received) and traffic going from the computer (Bytes Sent). To do this, click View, choose Network Adapter History, and then select Bytes Sent. Then click View, choose Network Adapter History, and then select Bytes Received. Afterward, Bytes Sent are shown in red, Bytes Received in yellow, and Bytes Total in green.
You can also get more detailed information for each adapter. This information is useful for troubleshooting. If you click View and choose Select Columns, you'll see a dialog box that will let you add columns for summary statistics to the Networking tab. Table 11-2 summarizes the key network statistics available.

Table 11-2 Network Statistics and How They Can Be Used

Bytes Sent Throughput: Shows the percentage of current connection bandwidth used by traffic sent from the system.

Bytes Received Throughput: Shows the percentage of current connection bandwidth used by traffic received by the system.

Bytes Throughput: Shows the percentage of current connection bandwidth used for all traffic on the network adapter. If this shows 50 percent or more utilization consistently, you'll want to monitor the system more closely and consider adding network adapters.

Bytes Sent: Shows cumulative total bytes sent on the connection since the system booted.

Bytes Received: Shows cumulative total bytes received on the connection since the system booted.

Bytes: Shows cumulative total bytes on the connection since the system booted.

Unicasts: Shows cumulative number of unicast packets received or sent since the system booted.

Unicasts Sent: Shows total packets sent by unicast since the system booted.

Unicasts Received: Shows total packets received by unicast since the system booted.

Nonunicasts: Shows total number of broadcast packets sent or received since the system booted. Too much broadcast traffic on the network can be an indicator of networking problems. If you see a lot of nonunicast traffic, monitor the amount received during the refresh interval.

Nonunicasts Sent: Shows total broadcast packets sent since the system booted.

Nonunicasts Received: Shows total broadcast packets received since the system booted.
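The script below is an added example, not code from the book. It computes the Table 11-2 throughput percentage for each adapter from the Win32_PerfFormattedData_Tcpip_NetworkInterface performance class (bits per second divided by the adapter's current bandwidth), takes several samples so that "consistently at or above 50 percent" can be tested rather than guessed, and reports the share of nonunicast (broadcast) packets that the table calls out as a sign of network problems. The 50 percent threshold is the table's; the function name, the five-sample count and the two-second interval are this example's assumptions.

```powershell
# Added example: per-adapter utilization and nonunicast share from the
# Win32_PerfFormattedData_Tcpip_NetworkInterface class.

function Get-NetworkUtilizationReport {
    param(
        [int]$Samples = 5,          # number of samples to take (assumption)
        [int]$IntervalSeconds = 2,  # seconds between samples (assumption)
        [int]$BusyPercent = 50      # Table 11-2 threshold for "monitor more closely"
    )

    $history = @{}   # adapter name -> array of utilization percentages, one per sample
    $packets = @{}   # adapter name -> running unicast / nonunicast packet counts

    for ($i = 0; $i -lt $Samples; $i++) {
        Get-WmiObject -Class Win32_PerfFormattedData_Tcpip_NetworkInterface |
            Where-Object { $_.CurrentBandwidth -gt 0 } |
            ForEach-Object {
                $name = $_.Name
                if (-not $history.ContainsKey($name)) {
                    $history[$name] = @()
                    $packets[$name] = @{ Unicast = 0; NonUnicast = 0 }
                }
                # CurrentBandwidth is bits/sec, BytesTotalPersec is bytes/sec:
                # this is the "Bytes Throughput" percentage from Table 11-2
                $pct = $_.BytesTotalPersec * 8 * 100 / $_.CurrentBandwidth
                $history[$name] += [math]::Round($pct, 1)
                $packets[$name].Unicast    += $_.PacketsReceivedUnicastPersec + $_.PacketsSentUnicastPersec
                $packets[$name].NonUnicast += $_.PacketsReceivedNonUnicastPersec + $_.PacketsSentNonUnicastPersec
            }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    foreach ($name in $history.Keys) {
        $u = $history[$name]
        $total = $packets[$name].Unicast + $packets[$name].NonUnicast
        $nonUnicastPct = 0
        if ($total -gt 0) { $nonUnicastPct = $packets[$name].NonUnicast * 100 / $total }

        New-Object PSObject -Property @{
            Adapter           = $name
            Samples           = $u.Count
            AvgUtilization    = [math]::Round(($u | Measure-Object -Average).Average, 1)
            MaxUtilization    = ($u | Measure-Object -Maximum).Maximum
            NonUnicastPercent = [math]::Round($nonUnicastPct, 1)
            # "consistently" at or above the threshold: no sample fell below it
            ConsistentlyBusy  = (@($u | Where-Object { $_ -lt $BusyPercent }).Count -eq 0)
        }
    }
}

Get-NetworkUtilizationReport |
    Format-Table -Property Adapter, Samples, AvgUtilization, MaxUtilization, NonUnicastPercent, ConsistentlyBusy -AutoSize
```

ConsistentlyBusy is deliberately strict (every sample at or above the threshold), which matches the table's wording and avoids flagging an adapter on one burst; lengthen the interval or sample count when the load you are chasing is intermittent.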
Getting Information on User and Remote User Sessions

Members of the Administrators group and any users to which you specifically grant remote access can connect to systems using Terminal Services or Remote Desktop Connection. Both techniques allow users to access systems remotely and use the systems as if they were sitting at the keyboard. In the standard configuration, however, remote access is disabled. You can enable the remote access feature by using the System utility in Control Panel, System And Maintenance. Open the System Properties dialog box by clicking Advanced System Settings, and then click the Remote tab. In the Remote Desktop panel, select one of the following options and then click OK:

Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure)
Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure)

Note: Windows Vista, Windows Server 2008, and later releases of Windows have Network Level Authentication. Most earlier releases of Windows do not.

With Remote Desktop, Windows Server 2008 allows one console session and two remote administration sessions. Most remote sessions are created as console sessions. The reason for this is that the console session provides full functionality for administration. If you log on locally to the console and someone is logged on remotely to the console, you will be prompted to end his or her user session so that you can log on. If you click Yes, the user's session is disconnected, halting all user-started applications without saving application data. If you click No, you will not be allowed to log on. See Chapter 19, "Using Remote Desktop for Administration," for details on how you can use Remote Desktop to configure remote sessions for administration rather than console sessions.

If you configure a server by using Terminal Services, multiple users can log on to a system up to the maximum allowed by licensing. To keep track of sessions after you've configured Terminal Services, you can use the Users tab of Task Manager. As shown in Figure 11-10, the Users tab lists user connections according to the following factors:

User: The pre–Windows 2000 logon name of the user account, such as Wrstanek or Administrator. If you want to see the logon domain as well as the logon name, select Show Full Account Name on the Options menu.
ID: The session ID. All user connections have a unique session ID. The session ID for any user logged on locally is 0.
Status: The status of the connection (Active or Disconnected).
Client Name: The name of the computer from which the user is connecting. This field is blank for console sessions.
Session: The type of session. Console is used for users logged on locally. Otherwise, indicates the connection type and protocol, such as RDP-TCP for a connection using the Remote Desktop Protocol (RDP) with Transmission Control Protocol (TCP) as the transport protocol.
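As an added example (not from the book), the function below reads the two registry values that the Remote tab of System Properties writes on Windows Server 2008, so you can verify from a prompt, or across many servers, whether remote access is enabled and whether the More Secure option (Network Level Authentication) is in force. fDenyTSConnections under the Terminal Server key and UserAuthentication under WinStations\RDP-Tcp are real Windows values; the function name and the State labels are this example's own.

```powershell
# Added example: report the Remote Desktop access and NLA setting from the registry.

function Get-RemoteDesktopSecurityState {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means remote connections are not allowed (the default)
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required, the "More Secure" option on the Remote tab
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    $enabled = ($deny -eq 0)
    $state = if (-not $enabled) { 'RemoteDesktopDisabled' } elseif ($nla -eq 1) { 'NLARequired (More Secure)' } else { 'AnyVersion (Less Secure)' }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        RemoteDesktopEnabled = $enabled
        NLARequired          = ($nla -eq 1)
        State                = $state
    }
}

Get-RemoteDesktopSecurityState | Format-List
```

A server that reports AnyVersion (Less Secure) accepts sessions from clients that cannot do Network Level Authentication; unless such clients must be supported, switch it to the More Secure option on the Remote tab and re-run the check.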
Figure 11-10 Use the Users tab to track and manage remote user sessions.

The Users tab can help you determine who is logged on and whether that user's status is either Active or Inactive. Right-click an active session and you can choose Send Message to send a console message to the user. This message is displayed on the screen of that user's session. If you must end a user session, you can do this in one of two ways. Right-clicking the session and choosing Log Off logs the user off using the normal logoff process. This allows application data and system state information to be saved as during a normal logoff. Right-clicking the session and choosing Disconnect forcibly ends a user's session without saving application data or system state information. You can also connect to an inactive session. Right-click the inactive session, and then choose Connect. When prompted, provide the user's password. Finally, by default the shortcut keys used to end a remote control session are Ctrl+* (Ctrl+Shift+8). If you want a session to use different shortcut keys, right-click the session you want to work with, and then select Remote Control. You can then set the shortcut keys to end the remote control session.

Tracking Events and Troubleshooting by Using Event Viewer

The Windows operating system defines an event as any significant occurrence in the operating system or an application that should be recorded for tracking purposes. Informational events can be tracked as well as events that record warnings, errors, and auditing. Critical errors that deserve immediate attention, such as when the server has run out of disk space or memory, are recorded in the logs and displayed on screen.
Understanding the Event Logs

The Windows service that controls event logging is the Event Log service. When this service is started, events are recorded in one of the available event logs. Two general types of log files are used:

Windows logs: Logs that the operating system uses to record general system events related to applications, security, setup, and system components.
Applications and Services logs: Logs that specific applications and services use to record application-specific or service-specific events.

Windows logs you'll see include:

Application: Contains events logged by applications. You'll find events in this log for Microsoft Exchange Server, SQL Server, Internet Information Services (IIS), and other installed applications. It is also used to record events from printers and, if you've configured alert logging, alerts. The default location is %SystemRoot%\System32\Winevt\Logs\Application.evtx. The default log size is 20480 MB.

Forwarded Events: When you configure event forwarding, this log records forwarded events from other servers. The default location is %SystemRoot%\System32\Config\ForwardedEvents.evtx. The default log size is 20480 MB.

Security: Contains events you've set for auditing with local or global group policies. Depending on the auditing configuration, you'll find events for logon, logoff, privilege use, and shutdown, as well as general system events, such as the loading of the authentication package by the Local Security Authority (LSA). The default location is %SystemRoot%\System32\Winevt\Logs\Security.evtx. The default log size is 131072 MB on domain controllers and 20480 MB on member servers.

Note: Only administrators are granted access to the Security log by default. If other users need to access the Security log, you must specifically grant them the Manage Auditing And Security Log user right. You can learn more about assigning user rights in Chapter 35, "Managing Users, Groups, and Computers."

Setup: This log records events logged by the operating system or its components during setup and installation. The default location is %SystemRoot%\System32\Winevt\Logs\Setup.evtx. The default log size is 1028 MB.

System: Contains events logged by Windows Server 2008 and its components. You should routinely check this log for warnings and errors, especially those related to the failure of a service to start at bootup or the improper configuration of a service. The default location is %SystemRoot%\System32\Winevt\Logs\System.evtx. The default log size is 20480 MB.
Applications and Services logs you'll see include:

DFS Replication: This log records distributed file system (DFS) replication activities. The default location is %SystemRoot%\System32\Winevt\Logs\DfsReplication.evtx. The default log size is 15168 MB.

Directory Service: Contains events logged by Active Directory. The primary events relate to the Active Directory database and global catalogs. You'll find details on database consistency checks, online defragmentation, and updates. The default location is %SystemRoot%\System32\Winevt\Logs\Directory Service.evtx.

DNS Server: Contains Domain Name System (DNS) queries, responses, and other DNS activities. You might also find details on activities that relate to DNS integration with Active Directory. The default location is %SystemRoot%\System32\Winevt\Logs\DNS Server.evtx. The default log size is 16384 MB.

File Replication Service: Contains events logged by the File Replication Service, a service used to replicate Active Directory changes to other domain controllers. You'll find details on any important events that took place while a domain controller attempted to update other domain controllers. The default location is %SystemRoot%\System32\Winevt\Logs\File Replication Service.evtx. The default log size is 20480 MB.

Hardware Events: When hardware subsystem event reporting is configured, this log records hardware events reported to the operating system. The default location is %SystemRoot%\System32\Config\HardwareEvents.evtx. The default log size is 20480 MB.

Microsoft\Windows: Logs that track events related to specific Windows services and features. Logs are organized by component type and event category. Operational logs track events generated by the standard operations of the related component. In some cases, you'll see supplemental logs for analysis, debugging, and recording administration-related tasks. Most of the related logs have a fixed default log size of 1028 MB.

By default, the logs are sized as appropriate for the type of system you are working with and its configuration. In a standard configuration of Windows Server 2008, most logs are sized as listed previously. As shown, most logs have a fairly large maximum size. This includes the DNS Server, System, and Application logs. Because they are less critical, the Directory Service and File Replication Service logs on domain controllers have a maximum size of 1028 MB. Because the Security log is so important, it is usually configured with a maximum size of 131072 MB on domain controllers and 20480 MB on member servers. Primarily, this is to allow the server to record a complete security audit trail for situations in which the server is under attack and a large number of security events are generated.

Windows Server 2008 logs are configured to overwrite old events as needed by default. So, when the log reaches its maximum size, the operating system overwrites old events with new events. If desired, you can have Windows automatically archive logs. In this configuration, when the maximum file size is reached, Windows archives the events by saving a copy of the current log in the default directory. Windows then creates a new log for storing current events. You can also configure logs so that Windows never overwrites events. The problem with that setting is that once the maximum size is reached, events can't be overwritten, and the system generates an error message telling you that the event log is full each time it tries to write an event; you can quickly get to the point where dozens of these errors are displayed.

Note: You can control the log configuration through Group Policy as well. This means changes you make in Group Policy could in turn change the maximum log size and which action to take when the maximum log size is reached. For more information about Group Policy, see Chapter 36, "Managing Group Policy."

Accessing the Event Logs and Viewing Events

You can view the event logs using Event Viewer, as shown in Figure 11-11. Event Viewer is a Microsoft Management Console (MMC) snap-in that can be started from the Administrative Tools menu or by typing eventvwr at the command line. Event Viewer has custom views as well as standard views of logs. Using the custom Administrative Events view, you can view all errors and warnings for all logs. Using your own custom views, you can create views to surface particular types and categories of events from any logs you want to track. You can also access event logs directly to view all the events they contain. You can use the following techniques to work with logs and custom views:

To view all errors and warnings for all logs, expand Custom Views and then select Administrative Events. In the main pane, you should see a list of all warning and error events for the server.
To view all errors and warnings for a specific server role, expand Custom Views, expand Server Roles, and then select the role to view. In the main pane, you should now see a list of all events for the selected role.
To view summary information for Windows logs, select the Windows Logs node. You'll then see a list of available logs by name and type along with the number of events and log size.
To view summary information for Applications and Services logs, select the Applications And Services Logs node. You'll then see a list of available logs by name and type along with the number of events and log size.
To view events in a specific log, expand the Windows Logs node, the Applications And Services Logs node, or both nodes. Select the log you want to view, such as Application or System.

Figure 11-11 The main view in Event Viewer lists the available logs and shows their current size.

As Figure 11-12 shows, individual event entries provide an overview of the event that took place. Each event is recorded according to the date and time the event took place as well as the event level. For all the logs except Security, the event levels are classified as Information, Warning, or Error. For the Security log, the event levels are classified as Audit Success or Audit Failure. These event levels have the following meanings:

Information: Generally relates to a successful action, such as the success of a service starting up. If you've configured alert logging, the alerts are also recorded with this event type to show they've been triggered.
Warning: Describes events that aren't critical but could be useful in preventing future system problems. Most warnings should be examined to determine whether a preventative measure should be taken.
Error: Indicates a fatal error or significant problem occurred, such as the failure of a service to start. All errors should be examined to determine what corrective measure should be taken to prevent the error from reoccurring.
Audit Success: Describes an audited security event that completed as requested, such as when a user logs on or logs off successfully.
Audit Failure: Describes an audited security event that didn't complete as requested, such as when a user tries to log on and fails. Audit failure events can be useful in tracking down security issues.
Tracking Events and Troubleshooting by Using Event Viewer 331

Figure 11-12 Events are logged according to the date and time they occurred as well as by type.

Note
Any attempt by users, services, or applications to perform a task for which they don't have appropriate permissions can be recorded as an audit failure. If someone is trying to break into a system, you might see a large number of audit failure events. If a service or application doesn't have the permissions it needs to perform certain tasks, you might also see a large number of audit failure events.

Other pertinent information recorded with an event includes the event source, event ID, task category, user, and computer. The Source column lists the application, service, or component that logged the event. The Task Category column details the category of the event and is sometimes used to further describe the event. The Event ID column provides an identifier for the specific event that occurred. You can sometimes look up events in the Microsoft Knowledge Base to get more detailed information.

When you select an event, Event Viewer shows additional details in the lower pane, including a general description of the event and other fields of information. The User field shows the name of the user who was logged on when the event occurred (if applicable). If a server process triggered the event, the user name usually is that of the special identity that caused the event. This includes the special identities Anonymous Logon, Local Service, Network Service, and System. Although events can have no user associated with them, they can also be associated with a specific user who was logged on at the time the event occurred.
The Computer field shows the name of the computer that caused the event to occur. Because you are working with a log from a particular computer, this is usually the account name of that computer. However, this is not always the case. Some events can be triggered because of other computers on the network. Some events triggered by the local machine are stored with the computer name as MACHINENAME. For some events, any binary data or error code generated by the event is available on the Details tab.

You can double-click any event to open its Properties dialog box (see Figure 11-13). The Properties dialog box provides the information that is available in the details pane as well as an option to copy the event data to the Clipboard. Most of the event descriptions aren't easy to understand, so if you need a little help deciphering the event, click Copy. You can then paste the event description into an e-mail message to another administrator.

Figure 11-13 Event details include a description of the event and in some cases binary data generated by the event.

Note
Within every event description is a Help And Support Center link that you can click. This link provides access to the Microsoft Web site where you can query for any additional information that might be available on the event.
Viewing Event Logs on Remote Systems

You can use Event Viewer to view events on other computers on your network. Start Event Viewer, right-click Event Viewer (Local) in the left pane, and then choose Connect To Another Computer. In the Select Computer dialog box, shown in Figure 11-14, type the domain name or Internet Protocol (IP) address of the computer for which you want to view the event log and then click OK. Or you can click Browse to search for the computer you want to use. If you need to specify logon credentials, select the Connect As Another User check box and then click the Set User button. Afterward, type the user name and password to use for logon, and then click OK.

Note
Keep in mind that you must be logged on as an administrator or be a member of the Administrators group to view events on a remote computer. You must also configure Windows Firewall on the local computer to allow your outbound connection and the remote computer to allow your inbound connection.

Figure 11-14 Connect to a remote computer.

Sorting, Finding, and Filtering Events

Event Viewer provides several ways for you to organize and search for events in the logs. You can sort events based on date or other stored information. You can search a particular event log for specific events and view events one at a time. You can also filter events so that only the specific events you want to see are shown.
Sorting the Event Logs

By default, logs are sorted so that the newest events are listed first. If you'd rather see the oldest events first, you can do this by clicking View, pointing to Sort By, and then selecting Date And Time. Or you can simply click the Date And Time column header. This change must be made for each log in which you want to see the oldest events first. You can also sort events based on information in other columns. For example, if you wanted to sort the events based on the event level, you would click the Level column header.

Searching the Event Logs

By using the Find feature, you can search for events within a selected log and view matching events one at a time. Say, for instance, a Microsoft Knowledge Base article says to look for an event with such and such an event source and you want to search for it quickly. You can use the Find feature to do this. To search, right-click an event log and select Find. In the Find dialog box, type the search text to match and then click Find Next. The first event that matches the search criteria is highlighted in the log. You can double-click the event to get more detailed information or click Find Next to find the next match.

Filtering the Event Logs

The Find option works well if you want to perform quick searches, such as for a single event of a specific type. If you want to perform an extended search, however, such as when you want to review all events of a particular type, there's a better way to do it and that's to create a filtered view so that only the specific events you want to see are shown. Windows creates several filtered views of the event logs for you automatically. In Event Viewer, filtered views are listed under the Custom Views node. When you select the Administrative Events node, you'll see a list of all errors and warnings for all logs.
When you expand the Server Roles node and then select a role-specific view, you'll see a list of all events for the selected role.

You can create and work with filtered views in several different ways. You can:

Create a custom view by filtering the events in a specific log and saving this filtered view for later use. Simply right-click the log and select Create Custom View. This displays the Create Custom View dialog box, as shown in the following screen. Choose the filter options you want to use, as described in Table 11-3, and then click OK. In the Save Filter To Custom View dialog box, type a name and description for the view. Select where to save the custom view. By default, custom views are saved under the Custom Views node. You can create a new node by clicking New Folder, entering the name of the new folder, and then clicking OK. Click OK to close the Save Filter To Custom View dialog box.
Create a temporary view by filtering the events in a specific log. Simply select the log and then right-click and select Filter Current Log. This displays the Filter Current Log dialog box, as shown in the following screen. Choose the filter options you want to use, as described in Table 11-3, and then click OK. After you've applied the filter, only events with the options you specify are displayed in the selected event log. For the rest of the current Event Viewer session, the filter is applied to the selected log and you know this because the upper portion of the main pane shows you are working with a filtered log.
Set Filter Options

You can set as many filter options as you want to narrow the results. Keep in mind, however, that each filter option you apply sets a search criterion that must be matched for an event to be displayed. The options are cumulative so that an event must match all filter options.

Table 11-3 Find and Filter Options for Event Logging

Computer: Includes all events associated with a particular computer. Usually this is the name of the computer whose logs you are working with.

Event ID: Includes or excludes events with the event IDs you specify. Enter ID numbers or ID ranges separated by commas. To exclude an event, enter a minus sign before the event ID.

Event Level: Allows you to include or exclude events by level. The most important event levels are warnings, which indicate that something might pose a future problem and might need to be examined, and errors, which indicate a fatal error or significant problem occurred.

Event Sources: Includes events only from specified sources, such as an application, service, or component that logged the event.

Event Logs: Includes events only from specified logs. When working with a custom log view, the log you right-clicked is selected automatically and you can't choose additional logs.

Logged: With filters, all events from the first to the last are displayed by default. You can choose to include events from the Last Hour, Last 12 Hours, Last 24 Hours, Last 7 Days, Last 30 Days, or a custom range.

Task Category: Includes events only within a given category. The categories available change based on the event source you choose.

User: Includes events associated with a particular user account that was logged on when the event was triggered. Server processes can log events with the special identities Anonymous Logon, Local Service, Network Service, and System. Not all events have a user associated with them.
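The options in Table 11-3 correspond one to one with the XML query that the Filter Current Log and Create Custom View dialogs display on their XML tab, and that same query is what the Get-WinEvent cmdlet's -FilterXml parameter accepts. The following Windows PowerShell script, added here as an example (it is not code from the book or from Microsoft), builds that query from the Event Logs, Event Level, Event Sources, Event ID (including the minus-sign exclusion and ID-range syntax from the table) and Logged options, then runs it locally or, with -ComputerName and -Credential, against another computer, which scripts the Connect To Another Computer procedure from the earlier section. The Task Category, User and Computer options are left out. It assumes Windows PowerShell 2.0 or later; the function names are the example's own, SERVER01 is a placeholder computer name, and Service Control Manager / event ID 7036 (routine service state changes) are used only as a realistic sample filter.

```powershell
# Added example, not code from the book. Rebuilds the query that the Filter
# Current Log / Create Custom View dialog shows on its XML tab from the Table 11-3
# options, then runs it with Get-WinEvent, locally or on a remote computer.
# Requires Windows PowerShell 2.0 or later.

function ConvertTo-EventIdTerms {
    # Parses the dialog's Event ID syntax: IDs and ranges separated by commas,
    # with a leading minus sign meaning "exclude" (for example "7000-7011, -7036").
    param([string]$Text)
    $include = @(); $exclude = @()
    foreach ($token in ($Text -split ',')) {
        $t = $token.Trim()
        if ($t -eq '') { continue }
        $negate = $t.StartsWith('-')
        if ($negate) { $t = $t.Substring(1) }
        if ($t -match '^(\d+)-(\d+)$') {
            $term = "(EventID >= $($matches[1]) and EventID <= $($matches[2]))"
        } elseif ($t -match '^\d+$') {
            $term = "EventID=$t"
        } else {
            throw "Unrecognised event ID entry: '$token'"
        }
        if ($negate) { $exclude += $term } else { $include += $term }
    }
    return @{ Include = $include; Exclude = $exclude }
}

function New-EventFilterXml {
    param(
        [string[]]$LogName  = @('System'),   # Event Logs
        [int[]]   $Level    = @(1, 2, 3),    # Event Level: 1 Critical, 2 Error, 3 Warning, 4 Information
        [string[]]$Provider = @(),           # Event Sources
        [string]  $EventId  = '',            # Event ID, in the dialog's own syntax
        [int]     $Hours    = 24             # Logged: relative range
    )
    $ids = ConvertTo-EventIdTerms -Text $EventId
    $conditions = @()
    if ($Provider.Count -gt 0) {
        $conditions += 'Provider[' + (($Provider | ForEach-Object { "@Name='$_'" }) -join ' or ') + ']'
    }
    if ($Level.Count -gt 0) {
        $conditions += '(' + (($Level | ForEach-Object { "Level=$_" }) -join ' or ') + ')'
    }
    if ($ids.Include.Count -gt 0) {
        $conditions += '(' + ($ids.Include -join ' or ') + ')'
    }
    # timediff() works in milliseconds; "Last 24 hours" in the dialog is 86400000.
    $conditions += 'TimeCreated[timediff(@SystemTime) <= ' + ([long]$Hours * 3600000) + ']'

    # The XPath sits inside XML text, so <, > and quotes must be escaped.
    $select = [System.Security.SecurityElement]::Escape('*[System[' + ($conditions -join ' and ') + ']]')
    $suppress = $null
    if ($ids.Exclude.Count -gt 0) {
        $suppress = [System.Security.SecurityElement]::Escape('*[System[(' + ($ids.Exclude -join ' or ') + ')]]')
    }

    # One <Query> holding a <Select> (plus optional <Suppress>) per log, as the dialog emits.
    $xml = "<QueryList><Query Id=`"0`" Path=`"$($LogName[0])`">"
    foreach ($log in $LogName) {
        $xml += "<Select Path=`"$log`">$select</Select>"
        if ($suppress) { $xml += "<Suppress Path=`"$log`">$suppress</Suppress>" }
    }
    $xml += '</Query></QueryList>'
    return $xml
}

function Get-FilteredEvents {
    # Runs the query. With -ComputerName this is the scripted form of Connect To
    # Another Computer; the account must be in the remote Administrators group.
    param(
        [string]$FilterXml,
        [string]$ComputerName = '',
        [System.Management.Automation.PSCredential]$Credential = $null,
        [int]$MaxEvents = 200
    )
    $params = @{ FilterXml = [xml]$FilterXml; MaxEvents = $MaxEvents; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    if ($Credential)   { $params.Credential   = $Credential }
    # "No events were found" is reported as an error, not as an empty result.
    return @(Get-WinEvent @params)
}

# Usage: everything the Service Control Manager logged to System in the last 24
# hours except the routine state-change notices (ID 7036), i.e. the dialog filled in
# with Event Sources, Event Level and an Event ID entry of "-7036".
$query = New-EventFilterXml -LogName 'System' -Level 1, 2, 3, 4 `
    -Provider 'Service Control Manager' -EventId '-7036' -Hours 24
$query   # the same XML can be pasted into the dialog's XML tab or saved for reuse
Get-FilteredEvents -FilterXml $query |
    Select-Object TimeCreated, LevelDisplayName, ProviderName, Id, MachineName, Message |
    Format-Table -AutoSize

# Same query on another computer (SERVER01 is a placeholder), prompting for credentials:
# Get-FilteredEvents -FilterXml $query -ComputerName 'SERVER01' -Credential (Get-Credential)
```

The minus-sign entries become a Suppress element rather than a negated condition in Select, which is exactly how the dialog expresses exclusions, and the returned XML can be pasted into the dialog's XML tab to confirm the two agree. For the remote call, the firewall requirement from the earlier Note is met on a Windows Server 2008 target by enabling the inbound rule group with netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes.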
You can apply a filter to a custom view as well as to a log. To filter a custom view, right-click the view and then select Filter Current Custom View. Choose the filter options you want to use and then click OK. For the rest of the current Event Viewer session, the filter is applied to the selected view and you know this because the upper portion of the main pane shows you are working with a filtered view. If you later want to clear a filter that is applied to a view or log, right-click the log and select Clear Filter. Another option is to save the filtered view as a custom view so you