1. Vital Signs: Performance Monitoring Windows Server
Module 7: Performance Analysis Of Logs (PAL) Tool
Microsoft Confidential ©2011 Microsoft Corporation

2. Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non- infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred.
Copyright and Trademarks
© 2011 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
Microsoft®, Internet Explorer®, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
© 2011 Microsoft Corporation Microsoft Confidential

3. Students: How to View this Presentation
Switch to Notes Page view
Click View on the ribbon and select Notes Page
Use page up or page down to navigate
Zoom in or out as needed
Most slides will have supporting text that you can view now or after the delivery
Add notes to your copy of the presentation if you want to.
You take the presentation files home with you.
Microsoft Confidential

4. Module 7: Performance Analysis of Logs (PAL) tool
Section 1: Getting started
Section 2: Using the wizard
Section 3: Interpreting the report
Microsoft Confidential

5. Section 1: Getting started
Overview
Download PAL
PAL supports most of the major Microsoft products
Install PAL
Export thresholds to a counter log template
Microsoft Confidential

6. Microsoft Confidential
Overview
Performance Analysis of Logs (PAL) analyzes counter logs (.csv or .blg) and creates an HTML report
The Performance Analysis of Logs (PAL) tool is a free, public, and open source project on Codeplex.com. Codeplex.com is Microsoft’s open source web site. The tool analyzes performance counters logs in CSV or BLG formats and creates an HTML report. The report has charts that shows red, green, and yellow thresholds to visually indicate when a counter has exceeded known thresholds. The thresholds are owned by subject matter experts in the Microsoft support community.
PAL implements all of the performance counter thresholds from this workshop and most of the major Microsoft server products such as Microsoft SQL Server, Microsoft Exchange Server, Microsoft Active Directory, and so on.
PAL uses the counter thresholds from the Vital Signs workshop
Microsoft Confidential
(continued)

7. Microsoft Confidential
Overview (continued)
PAL is:
A free and open-source project on Codeplex.com
A time saver, but not a replacement for performance analysis
Not supported by Microsoft
For support, use the forums at
Contributors and users donate their time
Designed to be used on a workstation—no connectivity to the original computer needed
Resource intensive during analysis
The tool is a time saving tool and not intended to replace analysis using Performance Monitor. We primarily use it to point out areas that warrant more investigation.
Usage of PAL is relatively easy. Install it on a computer running Windows 7 or Windows Server 2008 R2 computer. Use the PAL Wizard to point it to a performance counter log. Answer a few questions about the computer where the counter log was captured, then you are done.
No network connectivity is needed. It does not need access to the computer on where the counter log was captured. The expected use case is where a counter log is collected on a production computer, then moved to your workstation for analysis. The tool can be resource intensive on both memory, disk, and processor, so this is another reason to run it on a workstation computer.
Be aware that it may have false positives on counter values - this is due to the complex nature of performance analysis.
The PAL tool is not a Microsoft product and it is not supported by Microsoft. With that said, go to the forums at for any support concerns.
Microsoft Confidential

8. Microsoft Confidential
Download PAL
Free and public download available at
The PAL tool is free for anyone to use and can be downloaded from Codeplex.com which is Microsoft’s open source web site. Please keep in mind that all of the developers, subject matter experts, and supporters of the tool volunteer their time to this project.
Codeplex.com is Microsoft’s open-source website
PAL is an effort from the open-source community to make counter-log analysis easier
Microsoft Confidential

9. PAL supports most of the major Microsoft products
PAL has counter thresholds defined for most of the major Microsoft server products
PAL has counter thresholds for most of the major server product offered by Microsoft. The counter thresholds are owned by subject matter experts who regularly support the products.
The threshold files are owned by subject matter experts of that field
Microsoft Confidential

10. Microsoft Confidential
Install PAL
PAL 2.0 has the following prerequisites:
Windows PowerShell 2.0 (free)
.NET Framework 3.5 (free)
Microsoft Chart Controls for .NET Framework 3.5 (free)
PAL installation uses Windows Installer (.msi)
The first version of PAL (1.x) was originally written in VBScript, COM, and used the Microsoft Log Parser tool and Microsoft Office 2003 Web Components (OWC11) to process the counter data and generate charts.
PAL v2.x requires Microsoft Windows PowerShell 2.0, Microsoft .NET Framework 3.5, and Microsoft Chart Controls for .NET Framework 3.5. All of these technologies are built into Windows 7 except for the chart controls. All of the prerequisites are free downloads from Microsoft’s web site. Computers running Windows XP or Windows Server 2003 can still download and install the prerequisites for free, but computers running Windows XP or Windows Server 2003 cannot open counter logs captures on Windows Vista or Windows Server 2008 or later.
PAL can run on 32-bit versions of Windows XP and Windows Server 2003 and later, but 64-bit is recommended. This is because some of the counter logs can be quite large and the 32-bit virtual address space is too small when processing them.
Microsoft Confidential

11. Export thresholds to a counter log template
To take full advantage of the thresholds, export a threshold file to a counter log template
If you do not have a performance counter log to process yet, then consider exporting one of the threshold files from PAL. PAL can export the threshold file to a counter log template (*.htm which are used by Windows XP and Windows Server 2003 and earlier), a data collector set template (*.xml which are use by Windows Vista and Windows Server 2008 and later), or a counter list template (*.txt) for the Logman.exe command line tool.
Go to Section 3: Manage logs from the command line in Module 1 for more information on how to use the counter list template for Logman.exe.
Counter log templates can be saved as .htm (Windows Server 2003/ Windows XP), .xml (Windows Server 2008/Windows 7), or .txt (logman)
Microsoft Confidential

12. Section 2: Using the wizard
Counter log page: Choose the path
Counter log page: Restrict the time range
Threshold file page
Questions page
Output options page: Analysis interval
Output options page: All Counter Stats
File output page
Queue page
Execute page
Finish
Microsoft Confidential

13. Counter log page: Choose the path
Provide the file path to one more counter logs (.blg or .csv)
To begin the analysis of a counters log, run the PAL Wizard. On the Counter Log page, specify the counter log file path. For example, C:\Perflogs\Admin\VitalSigns_ blg. If you wish to merge two or more counter logs, then specify the full path to all of the counter logs on the same line separated by semi-colons (;) like C:\Perflogs\Admin\VitalSigns_ blg;C:\Perflogs\Admin\VitalSigns_ blg.
Relog.exe is part of the operating system and is used by PAL to merge counter logs together when needed. Merging counter logs can have unpredictable results and is generally not recommended.
If you provide paths to multiple logs, PAL uses Relog.exe to attempt to merge the logs. Use consecutively captured logs.
Microsoft Confidential

14. Counter log page: Restrict the time range
You can restrict the date/time range to reduce the size of the output or to focus on a specific time range
Optionally, a data time range within the counter log(s) can be specified. This will use the begin and end parameters of Relog.exe to create a new log from the existing one within the time range specified. When the Restrict to a Data Time Range is selected, PAL will use Relog.exe to exam the counter log and populate the Begin Time and End Time with the start and end times of when the counter log was collected.
PAL uses Relog.exe to restrict the date/time range of the log
Microsoft Confidential

15. Microsoft Confidential
Threshold file page
Choose a threshold file that best describes the product or role of the counters that are captured in the counter log
On the Threshold File page, choose a threshold file that best describes the product or role of the counters captured in the counter log. Many of the threshold files inherit from other threshold file. For example, the Microsoft Internet Information Services 5.x/6.x/7.x threshold file inherits from the ASP.NET and System Overview threshold files. Those threshold files inherit from other thresholds and so on. Therefore, when you select one threshold file, it might inherit from many others to produce a comprehensive analysis and report.\
If you find that the PAL analysis takes too long, then consider using the Quick System Overview threshold file. Many of the other threshold files inherit from the System Overview threshold file which analyzes all of the Process counter object instances with multiple analyses. Analyzing these instances can be very resourse intensive. The Quick System Overview threshold file only analyzes the _Total instance of the Process object making it much faster and less resource intensive. This allows an overall operating system analyses, but it will not report on individual processes.
System Overview is the generic default for Windows and Windows Server operating systems. Quick System Overview gives a “quick” analysis.
Microsoft Confidential

16. Microsoft Confidential
Questions page
The answers to these questions help determine which thresholds are best for your particular computer environment
Many of the thresholds in PAL use questions to help analyze the counter log. Each threshold file might have specific questions and inherit from the Quick System Overview threshold file which asks general questions about the hardware of the computer where the counter log was collected.
NumberOfProcessors: This is the number of logical processors running on the system which includes logical cores and hyper-threaded processor instances. Default value is 4.
ThreeGBSwitch: If the computer system is running a 32-bit version of Windows or Windows Server, then the /3GB switch might have been used which is an optional setting in the boot.ini file. The default value is False. For more information on the /3GB switch, see
SixtyFourBit: If the computer system is a 64-bit version of Windows or Windows Server, then set the answer to this question as True. Otherwise, leave it at the default False value. The default value is False.
TotalMemory: This is the amount of RAM in gigabytes usable by the computer where the counter log was captured. The default value is 4 (4 GB).
Failure to answer the questions properly can produce inaccurate results.
Click each question and type an answer
Microsoft Confidential

17. Output options page: Analysis interval
The log is divided into time slices. Choose an analysis interval to determine the size of the time slices.
The analysis interval is often confused with the collection interval of the counter log. The collection interval is how often counter data was collected in the log. The analysis interval is the size of each of the time slices used in the analysis. Statistics (minimum, average, maximum, trend, and so on) are produced from each time slice and used in each of the thresholds. This is why each time slice requires at least 1 counter value. Three or more counters values are preferred to create a better average because average values have more weight (an average value that exceeds a threshold is typically consider more important than a maximum value) in the counter thresholds than minimum or maximum values. If the AUTO value is used, then PAL will divide the counter log into 30 equal time slices. For example, if it is a 30 hour counter log, then it will have 1 hour time slices. If it is a 30 minute counter log, then it will have 1 minute time slices.
Time slices each have a min, avg, max, and trend value. Average values are typically more useful than maximum values.
The AUTO (automatic) value divides the log into 30 time slices.
Microsoft Confidential

18. Output options page: All Counter Stats
If you select this checkbox, the final report will include all of the counters that are in the log
During analysis, the PAL tool will create a list of counters that is needs to process each analysis. An analysis is a logical container of counter paths and thresholds. It compares the list of counters needed to the counters in the log file. All counter data in the log that does not match counters definitions in the threshold file will be ignored.
Select the All Counter Stats feature if you have counters in the log that you want in the report, but do not have an analysis for them. This feature will be much more resource intensive, so it is not selected by default. In some cases, users want all of the counters in the counter log to be in the report. In PAL v1.x, users were required to create an analysis with or without thresholds to have the counters show up in the report. This process is still recommended for PAL v2.0, but it can be inconvenient, so this feature was added. When selected, it will create run time analyses for each of the counters that are not already defined in other analyses. In the report, each counter in the log will have statistics (minimum, average, maximum, and trend) and plotted on a chart with other instances of the counter. This feature is especially helpful with working with third-party performance counters.
All Counter Stats is much more resource intensive and is disabled by default
Great for third-party counters or for other counters without thresholds defined
Microsoft Confidential

19. Microsoft Confidential
File output page
Choose the output directory, and either the HTML report and naming convention or the XML output and naming convention
By default, PAL will create a local HTML report using the naming convention specified in the HTML Report File Name field. The text in the field surrounded by square brackets ([]) are replaced by variables within PAL. For example, [LogFileName] will be replaced with the name of the counter log file name(s) used in the analysis.
An optional XML document can be produced as part of the output. This is helpful when using other tools to parse the output of PAL.
The default output directory for the report(s) is your My Documents\PAL Reports directory, but users commonly like to make the output directory the same directory as the counter log being analyzed.
The default is the user’s My Documents\PAL Reports folder. [LogFileName], [DateTimeStamp], and [GUID] are variables.
Microsoft Confidential

20. Microsoft Confidential
Queue page
The queue is a batch (.bat) file that runs a Windows PowerShell script, PAL.ps1
The PAL tool is really a PowerShell file called PAL.ps1. PAL.ps1 accepts many parameters which make it flexible, but difficult to use. Therefore, the PAL Wizard was created to assist with passing in the parameters.
The PAL Wizard simply creates a batch file in your %temp% directory which executes the PAL.ps1 script one or more times. The Queue page (shown above) is a special view of the batch file showing the parameters on separate lines to make it easier to read. The corresponding batch file has all of the parameters on a single line for proper execution.
The PAL.ps1 script is the analysis engine. The wizard just creates the batch file that runs the script.
Microsoft Confidential

21. Microsoft Confidential
Execute page
Execute the queue (batch file), add another log to analyze, or execute and restart the wizard
If you wish to queue up more counter logs to be analyzed, then select Add to Queue and click the Add button (the Finish button changes to Add). This will allow you to repeat the PAL Wizard with another counter log and will be added to the batch file shown in the Queue page. This feature is helpful if you want to queue up a lot of counter logs to be analyzed while away from your computer.
If you are ready to execute the contents of the Queue (batch file), then click Execute, Finish. This will close the PAL Wizard and execute the PAL batch file in the %temp% directory.
If you want the contents of the Queue (batch file) to execute now, but want to create another Queue (batch file) with similar settings, the select Execute and Restart, Finish. This will execute the current batch file and restart the PAL Wizard with the current settings.
PAL analysis can be resource intensive. If you want the PAL analysis to run as a low priority process, then select the Execute as a low priority process feature.
The PAL analysis is resource intensive. It can be executed as a low priority, in order to reduce its impact on resources.
Microsoft Confidential

22. Microsoft Confidential
Finish
While the script is running, it can be very resource intensive
As a reminder, PAL is designed to run on a workstation and can be very resource intensive. It does not use network connectivity.
PAL can run on a workstation that does not have connectivity to the computer that the counter log was original captured on
Microsoft Confidential

23. Section 3: Interpreting the report
The HTML report
Interpreting the report
Analysis charts
Alerts
Microsoft Confidential

24. Microsoft Confidential
The HTML report
After the analysis, an HTML report is created
An HTML report (if selected in the output options) will automatically open in the default web browser of the system. The output is only tested using Microsoft Internet Explorer 8 and 9, but should work on any web browser that uses standard HTML. Microsoft Internet Explorer is installed by default on Windows 7 and Windows Server 2008 R2.
The HTML report begins with a table of contents with local links to various places within the document. The first part of the report shows all of the alerts from each of the time slices. This view is helpful when correlating alerts that occurred within the same time slice, but from different analyses. For example, if the amount of available memory is low (an alert will show) and pages/sec is high (an alert with show), then both of those alerts can be correlated that the low available memory is likely resulting in a high number of hard page faults.
The report has a table of contents showing the number of alerts in each section. Alerts are counter values that are outside established thresholds.
Microsoft Confidential

25. Interpreting the report
Each analysis has a description, the thresholds it uses, and references to more information, charts, and alerts
Each analysis has a description of why the analysis exists, the thresholds it uses, and references to more information about the analysis. This is important to look at if the analysis has warning or critical alerts. The description typically has next steps to take if alert conditions are found.
Microsoft Confidential

26. Microsoft Confidential
Analysis charts
Most charts in the analyses show the thresholds
Some of the charts in the report have warning (yellow gradient) and critical (red gradient) zones to indicate when a counter value is breaking thresholds. This is helpful with visually seeing the health of a resource measured by the counter instance.
The chart lines use different patterns to help differentiate them
Microsoft Confidential

27. Microsoft Confidential
Alerts
Alerts are thrown when thresholds are broken. Overall counter stats are analyzed, as well as each time slice.
When a threshold condition is met, the threshold assigns a warning (yellow) or critical (red) alert to each of the statistic values (Min, Avg, Max, and Trend) of the counter instance for that time slice. Thresholds are also applied to the overall statistics of the counter instance to show if the resource is in this condition for the entire length of the counter log. If thresholds are used against a counter instance and if none of the threshold conditions are met, then the condition is set to OK (green) and the statistics will have a white background. If no thresholds are used against a counter instance, then the condition is set to No Thresholds and the statistics will have a white background.
Disclaimer: The information provided by the PAL tool report is provided "as is" and is intended for information purposes only. The authors and contributors of this tool take no responsibility for damages or losses incurred by use of this tool.
Microsoft Confidential

28. Microsoft Confidential
Review
What is important about the size of the time slices in the analysis?
Is PAL supported by Microsoft?
Why does PAL save time?
Microsoft Confidential

29. Microsoft Confidential
Review (answers)
The size of time slices define the average, min, max, and trend values which are used for each threshold
No, the PAL tool is an open source project that is not supported by Microsoft
It bulk processes counter logs and presents the data in an easy to read report
Microsoft Confidential

30. Microsoft Confidential
Questions?
Microsoft Confidential