The object selection window for the line chart display of the Performance Monitor is shown in Figure 8.6. This window is displayed when you have used the Add To button.
Figure 8.6 The Add to Chart window.
When you select an object, you can then select the counters associated with the object and add them to the Performance Monitor, as required. As you add objects and counters, a legend bar at the bottom of the window displays information about each line on the chart or bar of the histogram. The same objects shown in the Figure 8.5 line chart can be seen in histogram format in Figure 8.7.
Figure 8.7 A histogram performance display.
You will need to enable the disk performance counters before any data can be collected for use with the Performance Monitor. The default is for disk performance counters to be disabled because of the small additional overhead required to maintain them. To enable and disable the counters at the Windows NT command prompt, use diskperf -y for enable and diskperf -n for disable. You'll need to reboot for the changes to take effect.
It is often desirable to produce log data over a long period of time for the Performance Monitor to analyze at a later date. This is also useful in analyzing the changing pattern of usage that occurs on all servers. Configuring the Performance Monitor to log data is done by using the Log View menu. One advantage of using logged data is that you don't have to view the data in real time, but can go straight to the areas you're interested in. Keep in mind that when you add objects to logs, only the entire object can be added and not individual counters.
If you can't achieve the view or obtain the information by using the views available in the Performance Monitor, an Export Data function is available that allows the collected data to be written to either tab-separated or comma-delimited files for analysis by additional spreadsheet tools.
The Network Monitor And Monitoring Agent
The Network Monitor that's shipped with Windows NT Server can be used to determine network load and performance statistics. The Network Monitor is the same product that is shipped with the Server Management Software (SMS), although the Windows NT Server version does have several functions disabled. The functions only available with SMS are Find Routers and Resolve Addresses From Names. Also, only traffic sent to and from the local system may be captured.
The Network Monitor window initially consists of four display areas. These are used to display a graph of network utilization, total network statistics, session statistics, and station statistics. The display areas can be configured as required. The initial Network Monitor display is shown in Figure 8.8.
Figure 8.8 The Network Monitor display.
Projects: Practical Guide to Event and System Monitoring
The following section provides real-world examples on configuring, viewing, and interpreting the system event logs, as well as using the monitoring tools.
Locating And Examining Unsuccessful Logon Attempts
After an external audit of your company's security, the security team recommends that a weekly report of all unsuccessful logon attempts be produced for review by senior managers. (Like you haven't got enough work to do already; it's bound to be the senior managers who can't log on.)
Well, as the saying goes, you just work here. If that's what they want, that's what they'll get. The place to start is with the User Manager, because if the Audit policy is not configured to audit logon failures, you're not going to be able to gather the information you need to write your report.
- 1. Select Start|Programs|Administrative Tools|User Manager.
- 2. In the Policies menu, choose Audit. The Audit Policy window will be displayed. If it isn't already selected, choose Audit These Events.
- 3. Select the Logon and Logoff Success and Failure options, as shown in Figure 8.9. Click OK, and close the User Manager.
Figure 8.9 The Audit Policy window.
Note: If you're wondering why you would select the Success option when you're only interested in Failure, remember that any figure for logon failures will be quite meaningless without the number of successful logons to compare it to. By selecting both options, you can present the actual percentage of logon failures.
Now, auditing is enabled. All user logon failures will generate a security audit event, which will be recorded in the security event log. So, at required intervals, you can check this log and see who cant remember their password:
- 1. Click Start|Programs|Administrative Tools|Event Viewer.
- 2. The Event Viewer title bar will display the name of the log currently viewed. If it doesn't read Security Log, choose Security in the Log menu.
- 3. Logon failures will have the Padlock icon displayed next to them, and the category will be described as Logon/Logoff. Double-clicking an event entry provides you with a detailed view.
Great. The display shows who failed to log on and when, but there are lots of successful entries and only a few failures, making it a bit difficult to see what's going on. Isn't there a way to simplify the display and locate the failures? Yes, there is. The View Option menu contains a Filter function that can be used to show only the entries you want to view.
- 1. In the View menu, choose Filter Events. The Event Filter window will be displayed.
- 2. In the Source box, choose Security from the drop-down list. In the Category box, choose Logon/Logoff. Make sure only Failure Audit is selected in the Types window.
- 3. Set the start and finish date to view the time period you are interested in. Click OK. The Security display will now be filtered to show just the logon failures between the specific dates and times. It's that simple.
Hey, wait a minute...what about the percentage of success-to-failure logons? Well, that's the trouble with good ideas. You always end up doing more work than you bargained for. You need to save the event log into a text file by using the Event Log Save function. Then, use your favorite spreadsheet to produce your amazing report.
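As an alternative to the spreadsheet, the weekly failure percentage described in the Note above can be computed directly from the saved comma-delimited file. The script below is an added example, not part of the original text; the column order, the date format, the sample rows, and the event IDs used to tell logons from logoffs are assumptions to adjust to your own export.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime

# Assumed column order of the comma-delimited export; adjust to your file.
COLUMNS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

# Constructed sample rows (not real log data). 528, 529 and 538 stand for
# logon success, logon failure and logoff records respectively.
SAMPLE = """\
11/02/98,8:01:12 AM,Security,Success Audit,Logon/Logoff ,528,jsmith,SERVER1
11/02/98,8:03:40 AM,Security,Failure Audit,Logon/Logoff ,529,SYSTEM,SERVER1
11/02/98,8:04:05 AM,Security,Failure Audit,Logon/Logoff ,529,SYSTEM,SERVER1
11/02/98,9:15:00 AM,Security,Success Audit,Privilege Use ,576,jsmith,SERVER1
11/03/98,5:30:22 PM,Security,Success Audit,Logon/Logoff ,538,jsmith,SERVER1
11/04/98,7:58:09 AM,Security,Success Audit,Logon/Logoff ,528,mbrown,SERVER1
11/05/98,8:10:31 AM,Security,Success Audit,Logon/Logoff ,528,jsmith,SERVER1
11/10/98,8:02:47 AM,Security,Failure Audit,Logon/Logoff ,529,SYSTEM,SERVER1
"""

def logon_report(text, start, end, logon_ids=("528",)):
    """Count logon successes and failures from start to end (ISO dates, inclusive)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    ok = 0
    failures_by_day = Counter()
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(COLUMNS):
            continue  # skip blank or truncated lines
        rec = {k: v.strip() for k, v in zip(COLUMNS, row)}
        day = datetime.strptime(rec["date"], "%m/%d/%y").date()
        if rec["category"] != "Logon/Logoff" or not (lo <= day <= hi):
            continue
        if rec["type"] == "Failure Audit":
            failures_by_day[day.isoformat()] += 1
        elif rec["type"] == "Success Audit" and rec["event"] in logon_ids:
            ok += 1  # logoff records are success audits too, so filter by ID
    failed = sum(failures_by_day.values())
    total = ok + failed
    pct = round(100.0 * failed / total, 1) if total else 0.0
    return {"success": ok, "failure": failed, "failure_pct": pct,
            "failures_by_day": dict(failures_by_day)}

if __name__ == "__main__":
    print(logon_report(SAMPLE, "1998-11-02", "1998-11-08"))
```

The per-day failure tally makes a burst of failed logons on a single day stand out, which a weekly total alone would hide.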