On the Log Files tab, you can change the naming scheme of the log and how the event tracer writes trace data to the trace log. You have two types of logging from which to choose: sequential or circular. With sequential trace logging, the event tracer writes data to the log until the log reaches the maximum size you specify. If you don't specify a maximum size, the event tracer will continue logging until the disk fills up or you stop the logging session. With circular trace logging, the event tracer overwrites data when the log reaches the maximum size you specify.

The Schedule tab lets you set a start time and stop time for the logging session. You can also manually start and stop a logging session from the Performance Logs and Alerts snap-in's UI. Regardless of whether you manually start a logging session or schedule it, the session uses the Performance Logs and Alerts Windows service to perform the trace logging. This service needs an Administrator or equivalent account to run, so you must be logged on using such an account. (In Windows 2003, you can also be a member of the Performance Logs built-in group.) Otherwise, the tracing session won't run.

On the Schedule tab, you can also choose to execute a script after a logging session has stopped. For example, you might want to run a script that moves the log to a different folder so that you can process the log data at a later time.
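As an added example, not code from the article, here is a Python post-session script of the kind the Schedule tab can run when a logging session stops. It moves the finished .etl log into a dated archive folder, writes a SHA-256 sidecar so the log can later be checked for tampering before anyone relies on it, and flags a sequential log that reached the session's configured maximum size, since that means the event tracer stopped writing before the session ended and later events were never captured. The archive layout, the file naming, the `--max-size-mb` switch and the `demo` helper are this example's own assumptions.

```python
"""Post-session script for an ETW trace log (added example, not from the article).

Run it from the Schedule tab's post-session command, or by hand:
    python archive_etl.py c:\\perflogs\\netfile.etl d:\\etw-archive --max-size-mb 100
"""
import argparse
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a large trace log never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def archive_trace_log(log_path, archive_root, max_size_mb=None, now=None):
    """Move a finished .etl into <archive_root>/<YYYY-MM-DD>/ and record its hash.

    Returns a dict describing the result. 'hit_max_size' is True when the log is
    at least as large as the maximum configured on the Log Files tab: for a
    sequential log that means the tracer stopped writing before the session was
    stopped, so events after that point were never captured.
    """
    log_path = Path(log_path)
    archive_root = Path(archive_root)
    now = now or datetime.now()
    if not log_path.is_file():
        raise FileNotFoundError(f"trace log not found: {log_path}")

    size = log_path.stat().st_size
    dest_dir = archive_root / now.strftime("%Y-%m-%d")
    dest_dir.mkdir(parents=True, exist_ok=True)
    # Time-stamp the name so a session that runs several times a day never
    # overwrites an earlier log.
    dest = dest_dir / f"{log_path.stem}_{now.strftime('%H%M%S')}{log_path.suffix}"
    shutil.move(str(log_path), str(dest))

    # Hash the archived copy (what will actually be kept) and store the digest
    # beside it in sha256sum-compatible form.
    digest = sha256_of(dest)
    dest.with_suffix(dest.suffix + ".sha256").write_text(f"{digest}  {dest.name}\n")

    hit_max = max_size_mb is not None and size >= max_size_mb * 1024 * 1024
    return {
        "archived_to": str(dest),
        "size_bytes": size,
        "sha256": digest,
        "hit_max_size": hit_max,
    }


def demo(content: bytes, max_size_mb=None):
    """Constructed scenario for trying the function offline: the bytes are a
    placeholder, not a real ETL file, and everything lives in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log = root / "perflogs" / "netfile.etl"
        log.parent.mkdir(parents=True)
        log.write_bytes(content)
        result = archive_trace_log(log, root / "archive", max_size_mb,
                                   now=datetime(2024, 1, 2, 3, 4, 5))
        result["source_removed"] = not log.exists()
        result["sidecar_exists"] = Path(result["archived_to"] + ".sha256").exists()
        result["archived_name"] = Path(result["archived_to"]).name
        return result


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="archive a finished ETW trace log")
    parser.add_argument("log_path")
    parser.add_argument("archive_root")
    parser.add_argument("--max-size-mb", type=int, default=None,
                        help="maximum log size configured on the Log Files tab")
    args = parser.parse_args()
    info = archive_trace_log(args.log_path, args.archive_root, args.max_size_mb)
    print(info)
    if info["hit_max_size"]:
        print("warning: log reached its maximum size; later events were not captured")
```

The hash is taken after the move so the sidecar describes the copy that is actually kept; a log that is still open by the Performance Logs and Alerts service should not be archived, which is why the script is meant for the post-session step rather than a periodic job.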

The Advanced tab lets you change the defaults for allocating event tracer buffers. You can specify a different buffer size as well as the minimum and maximum number of buffers to allocate. Adjusting these values is usually a trade-off between capturing events without dropping them and consuming more memory on the system. For high-volume captures such as file I/O or registry I/O, a 128KB buffer size with a minimum of 50 buffers and maximum of 100 is typical, but you should experiment.

Command-line utilities. If you want to start a trace session from the command line, you have several options, which unfortunately differ depending on the OS version you're running. The Win2K resource kit includes the tracelog.exe utility, which lets you create and manage tracing sessions for the Windows kernel provider. (The resource kit doesn't have a command-line utility that lets you create and manage tracing sessions for nonsystem providers.)

Tracelog.exe also lets you set up a temporary trace logging session. A session created this way doesn't appear in the Performance Logs and Alerts snap-in's UI.

The following command uses tracelog.exe to enable TCP/IP tracing on a Win2K box (the -b, -min and -max switches set the same buffer size and minimum and maximum buffer counts that the Advanced tab controls):

tracelog -start -noprocess -nothread
-nodisk -b 128 -min 50 -max 100
-f c:\perflogs\netfile.etl

Reader Comments

Really enjoyed this article. Great to have monitoring techniques that can provide so much more information and for what seems to be less of a system overhead as well.

John

Very interesting. For some reason local and even domain admin account didn't give me enough rights to start a log session with system providers.

israel

Good article but lacks in detail. What if I want to write code to analyze the ETL file myself? And how can registry be manipulated to enable tracing?

pranay