Windows Performance Counters (im_winperfcount)

This module utilizes the Windows Performance Data Helper API to consume Windows Performance Counter data, creating an event record each time it polls the data. Event records contain fields for each counter collected, named according to the corresponding counter path. For more information on counter paths, see Specifying a Counter Path in the Microsoft documentation.

To examine the supported platforms, see the list of installation packages.

If performance counters are not working or some counters are missing, it may be necessary to rebuild the performance counter registry settings by running C:\windows\system32\lodctr.exe /R. See How to rebuild performance counters on Windows Vista/Server2008/7/Server2008R2 on Microsoft Learn for more details, including how to save a backup before rebuilding.

Configuration

The im_winperfcount module accepts the following directives in addition to the common module directives.

Required directives

At least one of Counter or CounterIndividual must be specified for the module to start.

Counter

Specify the name of the performance counter to collect, such as \Memory\Available Bytes. The directive supports the wildcards * to match zero or more characters and ? to match a single character in the instance name. For example, \Processor Information(*)\% Processor Time. If more than one performance counter matches the specified value, the module returns data for the first matching counter it receives. You can specify the Counter directive multiple times to collect different performance counters.

Execute typeperf -q to list the available counters. Refer to the typeperf command reference on Microsoft Learn.

CounterIndividual

Similar to the Counter directive, but expands wildcards into a list of matching performance counters. There is no limit to the number of performance counters you can collect with this directive. However, if counters exceed 100, a warning is logged in the NXLog Agent log file. You can specify the CounterIndividual directive multiple times to collect different performance counters.

Optional directives

AllowInvalidCounters

If set to TRUE, invalid counter names will be ignored, and a warning is logged in the NXLog Agent log file. The default is FALSE; invalid counter names cause NXLog Agent to stop with an error. A counter name containing wildcards does not cause an invalid counter error if it does not match any counters. If StaticMode is FALSE, this directive is ignored since dynamically polling performance counters with wildcards may change the result set every time.

ExcludeCounter

Specify the name of a performance counter to exclude from collection. You can use wildcards, as explained in the CounterIndividual directive.

PollInterval

Specify the frequency, in seconds, at which the module checks the performance counters. The default value is 1 second. Fractional seconds are allowed; for example, 0.5 will check twice every second.

Be aware that the module performs its first poll after the specified interval once NXLog Agent starts. Monitoring a large number of performance counters can significantly increase system load and may introduce delays in the polling interval, causing data to be polled less frequently than the configured interval.

StaticMode

This directive specifies whether to validate the performance counters to collect once on startup or periodically. The default is TRUE; the module validates performance counters only during startup. This behavior suits environments where the list of performance counters to collect does not change. When set to FALSE, the module validates the performance counters to collect according to the PollInterval, adding new performance counters automatically.

UseEnglishCounters

This optional boolean directive specifies whether to use English counter names. This makes it possible to use the same NXLog Agent configuration across all deployments even if the localization differs. If this directive is not specified it defaults to FALSE (native names will be used).

Fields

The following fields are used by im_winperfcount.

$raw_event (type: string): A list of event fields in key-value pairs.
$EventTime (type: datetime): The current time.
$Hostname (type: string): The name of the system where the event was generated.
$ProcessID (type: integer): The process ID of the NXLog Agent process.
$Severity (type: string): The severity name: INFO.
$SeverityValue (type: integer): The INFO severity level value: 2.
$SourceName (type: string): Set to nxlog.

Examples

Example 1. Polling Windows performance counters

This configuration uses the Counter directive to poll two Windows performance counters every 60 seconds. It then converts records to JSON format using the to_json() procedure of the xm_json module.

nxlog.conf

<Extension json>
    Module          xm_json
</Extension>

<Input counters>
    Module          im_winperfcount
    Counter         \Memory\Available Bytes (1)
    Counter         \Processor Information(*)\% Idle Time (2)
    PollInterval    60
    Exec            to_json();
</Input>

1	Specifies a single performance counter for the available system memory.
2	Uses the `*` wildcard to collect an aggregate of all processor idle time performance counters.

Output sample

{
  "EventTime": "2025-07-31T10:46:12.800345+02:00",
  "Hostname": "SRV01",
  "\\Memory\\Available Bytes": "2179395584.000000",
  "\\Processor Information(*)\\% Idle Time": "91.748748",
  "SeverityValue": 2,
  "Severity": "INFO",
  "SourceName": "nxlog",
  "ProcessID": 59128,
  "EventReceivedTime": "2025-07-31T10:46:12.800345+02:00",
  "SourceModuleName": "counters",
  "SourceModuleType": "im_winperfcount"
}

Example 2. Using wildcards to poll individual performance counters

This configuration uses the CounterIndividual directive to poll for all processor idle time performance counters. It then converts records to JSON format using the to_json() procedure of the xm_json module.

nxlog.conf

<Extension json>
    Module               xm_json
</Extension>

<Input counters>
    Module               im_winperfcount
    CounterIndividual    \Processor Information(*)\% Idle Time
    PollInterval         60
    Exec                 to_json();
</Input>

Output sample

{
    "EventTime": "2025-07-31T10:54:39.059790+02:00",
    "Hostname": "SRV01",
    "\\Processor Information(0,0)\\% Idle Time": "31.238710",
    "\\Processor Information(0,1)\\% Idle Time": "93.716131",
    "\\Processor Information(0,10)\\% Idle Time": "96.840002",
    "\\Processor Information(0,11)\\% Idle Time": "87.468389",
    "\\Processor Information(0,12)\\% Idle Time": "96.840002",
    "\\Processor Information(0,13)\\% Idle Time": "100.000000",
    "\\Processor Information(0,14)\\% Idle Time": "95.278067",
    "\\Processor Information(0,15)\\% Idle Time": "99.963873",
    "\\Processor Information(0,2)\\% Idle Time": "95.278067",
    "\\Processor Information(0,3)\\% Idle Time": "100.000000",
    "\\Processor Information(0,4)\\% Idle Time": "98.401938",
    "\\Processor Information(0,5)\\% Idle Time": "99.963873",
    "\\Processor Information(0,6)\\% Idle Time": "99.963873",
    "\\Processor Information(0,7)\\% Idle Time": "99.963873",
    "\\Processor Information(0,8)\\% Idle Time": "95.278067",
    "\\Processor Information(0,9)\\% Idle Time": "99.963873",
    "\\Processor Information(0,_Total)\\% Idle Time": "93.423267",
    "\\Processor Information(_Total)\\% Idle Time": "93.423267",
    "SeverityValue": 2,
    "Severity": "INFO",
    "SourceName": "nxlog",
    "ProcessID": 41244,
    "EventReceivedTime": "2025-07-31T10:54:39.059790+02:00",
    "SourceModuleName": "counters",
    "SourceModuleType": "im_winperfcount"
}