NXLog Legacy Documentation

Windows Performance Counters (im_winperfcount)

This module periodically retrieves the values of the specified Windows Performance Counters to create an event record. Each event record contains a field for each counter. Each field is named according to the name of the corresponding counter.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
This module is only available on Microsoft Windows.
If performance counters are not working or some counters are missing, it may be necessary to rebuild the performance counter registry settings by running C:\windows\system32\lodctr.exe /R. See How to rebuild performance counters on Windows Vista/Server2008/7/Server2008R2 on TechNet for more details, including how to save a backup before rebuilding.

Configuration

The im_winperfcount module accepts the following directives in addition to the common module directives.

Required directives

The following directives are required for the module to start.

Counter

This directive specifies the name of the performance counter to collect, such as \Memory\Available Bytes. You can specify the Counter directive multiple times to collect different counters. Execute typeperf -q to list the available counters. See the typeperf command reference on Microsoft Learn.

At least one of Counter or CounterIndividual must be specified.

CounterIndividual

This directive is similar to the Counter directive but supports wildcards (* to match zero or more characters and ? to match a single character), such as \Battery Status(*)\Remaining Capacity. Wildcards allow you to collect all performance counters matching the pattern you specify. For example, specify \Process(note*)\% Processor Time to collect the % processor time of all process names starting with "note". There is no limit to the number of performance counters you can collect with this directive. However, if counters exceed 100, a warning is logged in the NXLog log file. You can specify the CounterIndividual directive multiple times to collect different counters.

At least one of Counter or CounterIndividual must be specified.

Optional directives

AllowInvalidCounters

If set to TRUE, invalid counter names will be ignored, and a warning is logged in the NXLog log file. The default is FALSE; invalid counter names cause NXLog to stop with an error. A counter name containing wildcards does not cause an invalid counter error if it does not match any counters. If StaticMode is FALSE, this directive is ignored since dynamically polling performance counters with wildcards may change the result set every time.

ExcludeCounter

Specify the name of a performance counter to exclude from collection. You can use wildcards, as explained in the CounterIndividual directive.

PollInterval

This directive specifies how frequently, in seconds, the module will poll the performance counters. If this directive is not specified, the default is 1 second. Fractional seconds may be specified (PollInterval 0.5 will check twice every second). Note that collecting many performance counters may cause a high load, which may delay the polling interval.

StaticMode

This directive specifies whether to validate the performance counters to collect once on startup or periodically. The default is TRUE; the module validates performance counters only during startup. This behavior suits environments where the list of performance counters to collect does not change. When set to FALSE, the module validates the performance counters to collect according to the PollInterval, adding new performance counters automatically.

UseEnglishCounters

This optional boolean directive specifies whether to use English counter names. This makes it possible to use the same NXLog configuration across all deployments even if the localization differs. If this directive is not specified it defaults to FALSE (native names will be used).

Fields

The following fields are used by im_winperfcount.

$raw_event (type: string)

A list of event fields in key-value pairs.

$EventTime (type: datetime)

The current time.

$Hostname (type: string)

The name of the system where the event was generated.

$ProcessID (type: integer)

The process ID of the NXLog process.

$Severity (type: string)

The severity name: INFO.

$SeverityValue (type: integer)

The INFO severity level value: 2.

$SourceName (type: string)

Set to nxlog.

Examples

Example 1. Polling Windows performance counters

With this configuration, NXLog will retrieve the specified counters every 60 seconds. The resulting messages will be written to file in JSON format.

nxlog.conf
<Extension json>
    Module               xm_json
</Extension>

<Input counters>
    Module               im_winperfcount
    Counter              \Memory\Available Bytes
    Counter              \Process(_Total)\Working Set
    CounterIndividual    \Process(myapp*)\% Processor Time
    CounterIndividual    \Process(WIN????)\% Processor Time
    PollInterval         60
</Input>

<Output file>
    Module               om_file
    File                 'C:\test\counter.log'
    Exec                 to_json();
</Output>

<Route perfcount>
    Path                 counters => file
</Route>