LOGMAN

Manages and schedules performance counter and event trace log collections on local and remote systems.

LOGMAN /?

LOGMAN [create [COUNTER | TRACE] collection_name] [-ets] [-y] [-b M/d/yyyy h:mm:ss[AM | PM]] [-e M/d/yyyy h:mm:ss[AM | PM]] [-rf [[hh:]]mm:]ss] [-m start stop] [-f file_format] [-[-]r] [-o pathname | DSN!counter_log] [-[-]a] [-[-]v [nnnnn | mmddhhmm]] [-[-]rc [filename]] [-[-]max value] [-[-]cnf [[[hh:]]mm:]ss]]
| delete collection_name [-ets]
| query collection_name | PROVIDERS [-ets]
| start collection_name
| stop collection_name
| update collection_name [-ets] [-y] [-b M/d/yyyy h:mm:ss[AM | PM]] [-e M/d/yyyy h:mm:ss[AM | PM]] [-rf [[hh:]]mm:]ss] [-m start stop] [-f file_format] [-[-]r] [-o pathname | DSN!counter_log] [-[-]a] [-[-]v [nnnnn | mmddhhmm]] [-[-]rc [filename]] [-[-]max value] [-[-]cnf [[[hh:]]mm:]ss]] ] [-s computer_name] [-config filename] [-c path [path ...] | -cf filename] -ct {cycle | perf | system} [-si [[hh:]]mm:]ss] [-ln logger_name [-fd logger_name]] [-[-]rt] [-p GUID | provider [(flags[,flags ...])] Level | -pf filename] [-[-]ul] [-bs value] [-ft [[hh:]]mm:]ss] [-nb min max] [-[-]u user password] [-mode trace_mode [trace_mode ...]]

create [COUNTER | TRACE] collection_name (NTXP)

Creates collection queries for either counter or trace collections. You can use command-line options to specify settings.

delete collection_name (NTXP)

Deletes the data collection query collection_name. If the collection_name does not exist, you will receive an error.

query collection_name | PROVIDERS (NTXP)

If no collection_name or providers are given, the status of all existing collection queries are displayed. Use collection_name to display the properties of a specific collection. To display the properties on remote computers, use -s remote computer in the command line. Use providers as your keyword in place of collection_name to display the registered providers installed on your local system. To list registered providers installed on the remote system, use -s in the command-line.

start collection_name (NTXP)

Starts the data collection query collection_name. Use this option to change from scheduled collections to manual ones. Use the update parameter in the command-line with begin-time (-b), end-time (-e), or repeat-time (-rt) to reschedule collections.

stop collection_name (NTXP)

Stops the data collection query collection_name. Use this option to change from scheduled collections to manual ones. Use the update parameter in the command-line with begin-time (-b), end-time (-e), or repeat-time (-rt) to reschedule collections.

update collection_name (NTXP)

Updates collection queries for counter and trace collections. For counter collections, modifications to the query will stop, and then restart the collections. For trace collections, use the parameters in the command-line to query without stopping the collection: -p provider [(flags[,flags ...])] Level, -max n, -o PathName, -ft mm:ss, or -fd.

/? (NTXP)

Displays help.

-a (NTXP)

Append the file.

--a (NTXP)

Turns off the append option, and reverts to the overwrite mode.

-b M/d/yyyy h:mm:ss[AM | PM] (NTXP)

Specifies begin-time for collections in a 24-hour format. You can also specify begin-time for collections in a 12-hour format by adding AM or PM in the command-line. By default, the current day and time is used unless otherwise specified. Use the manual start option to start the collection immediately.

-bs value (NTXP)

Specifies the buffer size in n kilobytes for trace data collections.

-c path [path ...] (NTXP)

-cf filename (NTXP)

Specifies the performance counter path to log, or specifies the pathname of the log file that lists these counters. To list multiple counter paths, separate the command-line by a space, or use the -cf option to list counter paths in an input file, one per line.

The general format for counter paths is: [\\Computer]\object[parent/instance#index]\counter] where:

The parent, instance, index, and counter components of the format may contain either a valid name or a wildcard character. The computer, parent, instance, and index components are not necessary for all counters.

You determine the counter paths to use based on the counter itself. For example, the LogicalDisk object has an instance index, so you must provide the #index or a wildcard. Therefore, you could use the format: \LogicalDisk(*/*#*)\*

In comparison, the Process object does not require an instance index. Therefore, you could use the format: \Process(*)\ID Process

The list of the possible formats:

      \\machine\object(parent/instance#index)\counter
      \\machine\object(parent/instance)\counter
      \\machine\object(instance#index)\counter
      \\machine\object(instance)\counter
      \\machine\object\counter
      \object(parent/instance#index)\counter
      \object(parent/instance)\counter
      \object(instance#index)\counter
      \object(instance)\counter
      \object\counter

If a wildcard character is specified in the parent name, all instances of the specified object that match the specified instance and counter fields will be returned.

If a wildcard character is specified in the instance name, all instances of the specified object and parent object will be returned if all instance names corresponding to the specified index match the wildcard character.

If a wildcard character is specified in the counter name, all counters of the specified object are returned.

Partial counter path string matches (for example, pro*) are not supported.

-cnf [[[hh:]]mm:]ss] (NTXP)

Creates a new file when output files exceed a maximum size, or when the time specified elapses. You must include the -v option when executing this command. By default, only one log file is created during each collection.

--cnf (NTXP)

Turns off the create-new-file option.

-config filename (NTXP)

Specifies the pathname of the settings file that contains command-line parameters.

-ct {cycle | perf | system} (NT2003)

Specifies the clock resolution used when the timestamp for each event is logged:

• system to provide a timestamp resolution of 10 ms (default)
• perf for a resolution of 100 ns
• cycle normalized 100 ns (consumes fewer system resources)

If you choose the cycle option but your hardware platform does not support this clock type, the operating system will change it to perf.

-e M/d/yyyy h:mm:ss[AM | PM] (NTXP)

Specifies end-time for collections in a 24-hour format. You can also specify end-time for collections in a 12-hour format by adding AM or PM in the command-line. By default, the current day and time is used unless otherwise specified. Use the manual stop and then the repeat option to specify a stop time before the actual current time, or you will receive an error message.

-ets (NTXP)

Creates and starts an event trace session with the options specified on the command-line.

-f file_format (NTXP)

Specifies the file format used for collecting performance counter and trace data. You can use:

• bin binary (default)
• bincirc circular binary
• csv comma separated
• tsv tab separated
• SQL SQL database

when collecting performance counters. You must use the -o option in the command-line with the DNS!counter_log option. For SQL database formats, the Database System Name (DSN) must be predefined, and privileges granted to write to the database. The dataset counter_log is created in the database, and is specified by the DSN.

-fd logger_name (NTXP)

Flushes all the active buffers of an existing event trace session to a disk. Use this command in conjunction with the -ln option.

-ft [[hh:]]mm:]ss (NTXP)

Specifies the flush timer interval in minutes and seconds for trace data collections.

-ln logger_name (NTXP)

Specifies a user-defined name for the event trace logging session. By default, the collection name is used as the logger name.

-m start stop (NTXP)

Specifies that collections start and stop manually by using the start and stop parameters in the command-line. You cannot use the -m start and -b, or the -m stop and -e, or -rf together in your command-line for the same query.

-max value (NTXP)

Specifies the maximum size of the collected log file in megabytes. If the log file exceeds the maximum size, the collection will stop. For a SQL database, the maximum size is the number of records to be written.

--max (NTXP)

Turns off the maximum size limit option. This is the default option.

-mode trace_mode [trace_mode ...] (NTXP)

Specifies advanced options for trace sessions only where trace_mode can be either:

• Globalsequence specifies that the event tracer add a sequence number to every event it receives irrespective of which trace session received the event.
• Localsequence specifies that the event tracer add sequence numbers for events received at a specific trace session. When the localsequence option is used, duplicate sequence numbers can exist across all sessions but will be unique within each trace session.
• Pagedmemory specifies that the event tracer use paged memory rather than the default non-paged memory pool for its internal buffer allocations.

-nb min max (NTXP)

Specifies the minimum and maximum number of buffers for trace data collection. Minimum default is the number of processors on the system plus two. Maximum default is at 25.

-o pathname | DSN!counter_log (NTXP)

Specifies the pathname of the output file that collects performance counter and trace data, or the location of the SQL database and dataset. To specify SQL using the DSN!counter_log format, use the -f option in the command-line. By default, the collection log file name is the collection query name suffixed by either .blg for performance counters, or .etl for trace data.

-p GUID | provider [(flags[,flags ...])] Level (NTXP)

-pf filename (NTXP)

Specifies the providers (trace data collectors) to use for trace data collection. Use logman query providers to find the pname (named providers) from the registered provider list. Use the -pf option to list multiple providers. The -pf option identifies the input file containing the provider names. The provider names are enclosed by quotation marks (""), or with GUIDs enclosed by braces, flag masks, and integers (enable level). The flags are either in hexadecimal (OXFFFF) or (flag, flag) format.

-r (NTXP)

Repeats the collection every day at the time periods specified by the -b and -rf options, or the -b and -e options. This command is only valid for begin-time and end-times specified on the same day, month, and year.

--r (NTXP)

Turns off the repeat option.

-rc filename (NTXP)

Specifies to run this command after the file is closed either at the end, or during the collection period. Use the -rf option in conjunction with -cnf to close the files during the collection periods. Using stop will not turn off this command. Commands always run in the foreground.

--rc (NTXP)

Turns off the run this command option.

-rf [[hh:]]mm:]ss (NTXP)

Specifies that collections run for a set period of time.

-rt (NTXP)

Specifies that the event trace session run in real-time mode, and not log to a file. By default, the data logs to a file.

--rt (NTXP)

Turns off the real-time logging option.

-s computer_name (NTXP)

Specifies that commands will be performed on the remote system. By default, the local system is used for commands.

-si [[hh:]]mm:]ss (NTXP)

Specifies sample intervals for performance counter collection in hours, minutes, and seconds. Default is 15-seconds.

-u user password (NTXP)

Specifies the account name and password the collection query uses on local or remote systems. To start collecting data for collection queries, log Performance Logs and Alerts to the remote system. You can use * as your password in the command-line to produce a prompt for the password.

--u (NTXP)

Resets the account name to the Performance Logs and Alerts service account.

-ul (NTXP)

Specifies that the event trace session is run in user mode. Only one provider can be enabled for the event trace session.

--ul (NTXP)

Specifies that the user mode is turned off, and the event trace session is run in kernel mode.

-v [nnnnn | mmddhhmm] (NTXP)

Attaches the version control information to the end of the output file and path name. Use numeric nnnnn format, or date format mmddhhmm (month, day, 24-hour, minute) for version control.

--v (NTXP)

Turns off the version option.

-y (NTXP)

Overwrites the settings for collection name, and then applies new ones without querying the end user.

none.

none.

none.

none.

External

DOS

none

Windows

none

Windows NT

NTXP NT2003