Windows Performance Counters (im_winperfcount)

This module periodically retrieves the values of the specified Windows Performance Counters to create an event record. Each event record contains a field for each counter. Each field is named according to the name of the corresponding counter.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
This module is only available on Microsoft Windows.
If performance counters are not working or some counters are missing, it may be necessary to rebuild the performance counter registry settings by running C:\windows\system32\lodctr.exe /R. See How to rebuild performance counters on Windows Vista/Server2008/7/Server2008R2 on TechNet for more details, including how to save a backup before rebuilding.

Configuration

The im_winperfcount module accepts the following directives in addition to the common module directives. The Counter directive is required.

Counter

This mandatory directive specifies the name of the performance counter that should be polled, such as \Memory\Available Bytes. More than one Counter directive can be specified to poll multiple counters at once. Available counter names can be listed with typeperf -q (see the typeperf command reference on Microsoft Docs).


PollInterval

This directive specifies how frequently, in seconds, the module will poll the performance counters. If this directive is not specified, the default is 1 second. Fractional seconds may be specified (PollInterval 0.5 will check twice every second).

UseEnglishCounters

This optional boolean directive specifies whether to use English counter names. This makes it possible to use the same NXLog configuration across all deployments even if the localization differs. If this directive is not specified it defaults to FALSE (native names will be used).

AllowInvalidCounters

If set to TRUE, invalid counter names will be ignored and a warning will be logged instead of stopping with an error. If this directive is not specified it defaults to FALSE.

Fields

The following fields are used by im_winperfcount.

$raw_event (type: string)

A list of event fields in key-value pairs.

$EventTime (type: datetime)

The current time.

$Hostname (type: string)

The name of the system where the event was generated.

$ProcessID (type: integer)

The process ID of the NXLog process.

$Severity (type: string)

The severity name: INFO.

$SeverityValue (type: integer)

The INFO severity level value: 2.

$SourceName (type: string)

Set to nxlog.

Examples

Example 1. Polling Windows performance counters

With this configuration, NXLog will retrieve the specified counters every 60 seconds. The resulting messages will be written to file in JSON format.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Input counters>
    Module          im_winperfcount
    Counter         \Memory\Available Bytes
    Counter         \Process(_Total)\Working Set
    PollInterval    60
</Input>

<Output file>
    Module          om_file
    File            'C:\test\counter.log'
    Exec            to_json();
</Output>

<Route perfcount>
    Path            counters => file
</Route>