20411B-ENU-TrainerHandbook

13-16 Monitoring Windows Server 2012

Lesson 3

Monitoring Event Logs

Event Viewer provides a convenient and accessible location for you to view events that occur and that Windows Server records into one of several log files based on the type of event that occurs. To support your users, you should know how to access event information quickly and conveniently, and know how to interpret the data in the event log.

Lesson Objectives

After completing this lesson, you will be able to:

•Describe a custom view.

•Explain how to create a custom view.

•Describe event subscriptions.

•Explain how to configure an event subscription.

What Is a Custom View?

Event logs contain vast amounts of data, and it could be a challenge to narrow the set of events to just those events that interest you. In previous Windows versions, you could apply filters to logs, but you could not save those filters. In Windows Server 2008 and Windows Server 2012, custom views allow you to query and sort just the events that you want to analyze. You also can save, export, import, and share these custom views.

Event Viewer allows you to filter for specific events across multiple logs, and display all events that may be related to an issue that you are

investigating. To specify a filter that spans multiple logs, you need to create a custom view.

Create custom views in the Action pane in Event Viewer. You can filter custom views based on multiple criteria, including:

•The time that the event was logged.

•Event level to display, such as errors or warnings.

•Logs from which to include events.

•Specific Event IDs to include or exclude.

•User context of the event.

•Computer on which the event occurred.

PROHIBITED USE STUDENT .ONLY USE MCT

13-18 Monitoring Windows Server 2012

Enabling Subscriptions

To enable subscriptions, perform the following tasks:

1.On each source computer, run the following command at an elevated command prompt to enable WinRM:

winrm quickconfig

2.On the collector computer, type the following command at an elevated command prompt to enable the Wecsvc:

wecutil qc

3.Add the computer account of the collector computer to the local Administrators group on each of the source computers.

Demonstration: Configuring an Event Subscription

This demonstration shows how to:

•Configure the source computer.

•Configure the collector computer.

•Create and view the subscribed log.

Demonstration Steps

Configure the source computer

1.Switch to LON-DC1 and if necessary, sign in as Adatum\Administrator with the password

Pa$$w0rd.

2.Run the winrm quickconfig command at a command prompt.

Note: The service is already running.

3.Open Active Directory Users and Computers, and add the LON-SVR1 computer as a member of the domain local Administrators group.

Configure the collector computer

1.Switch to LON-SVR1, and then open a command prompt.

2.Run the wecutil qc command.

Create and view the subscribed log

1.Switch to Event Viewer.

2.Create a new subscription to collect events from LON-DC1: o Collector initiated

o Source computer LON-DC1 o All events types

o Last 30 days

PROHIBITED USE STUDENT .ONLY USE MCT

13-20 Monitoring Windows Server 2012

Exercise 1: Establishing a Performance Baseline

Scenario

In this exercise, you will use Performance Monitor on the server, and create a baseline by using typical performance counters.

The main tasks for this exercise are as follows:

1.Create and start a data collector set.

2.Create a typical workload on the server.

3.Analyze the collected data.

 Task 1: Create and start a data collector set

1.Switch to the LON-SVR1 computer.

2.Open Performance Monitor.

3.Create a new User Defined data collector set by using the following information to complete the process:

o Name: LON-SVR1 Performance

o Create: Create manually (Advanced) o Type of data: Performance counter o Select the following counters:

Memory, Pages/sec

Network Interface, Bytes Total/sec

PhysicalDisk, %Disk Time

PhysicalDisk, Avg. Disk Queue Length

Processor, %Processor Time

System, Processor Queue Length

o Sample interval: 1 second

o Where to store data: default value 4. Save and close the data collector set.

5. In Performance Monitor, in the results pane, right-click LON-SVR1 Performance, and then click Start.

 Task 2: Create a typical workload on the server

1.Open a command prompt, and then run the following commands by pressing Enter after each command:

Fsutil file createnew bigfile 104857600

Copy bigfile \\LON-dc1\c$

Copy \\LON-dc1\c$\bigfile bigfile2

Del bigfile*.*

Del \\LON-dc1\c$\bigfile*.*

2.Do not close the command prompt.

PROHIBITED USE STUDENT .ONLY USE MCT

13-24 Monitoring Windows Server 2012

o Sample interval: 1 second

o Where to store data: default value

o Alert Action: Log an entry in the application event log

4. Start the LON-SVR1 Alert data collector set.

 Task 4: Introduce additional workload on the server

1. Switch to the command prompt.

2. Change to the C:\Labfiles, and then run StressTool.exe 95.

3. Wait one minute for the data capture to occur, and at the command prompt, press Ctrl+ C, and then close the command prompt.

 Task 5: Verify results

•Switch to LON-DC1, and then open Forwarded Events.

Question: In Performance Monitor, are there any performance-related alerts in the subscribed application log? Hint: They have an ID of 2031.

Results: At the end of this exercise, you will have centralized event logs and examined these logs for performance-related events.

 To prepare for the next module

When you are finished the lab, revert all virtual machines to their initial state. To do this, perform the following steps:

1.On the host computer, start Hyper-V Manager.

2.In the Virtual Machines list, right-click 20411B-LON-DC1, and then click Revert.

3.In the Revert Virtual Machines dialog box, click Revert.

4.Repeat steps 2 and 3 for 20411B-LON-SVR1.

PROHIBITED USE STUDENT .ONLY USE MCT