Suspect a performance problem? Just call your PAL.

Performance Analysis of Logs (PAL) is a nifty utility that will read in a performance counter log, analyze the data against customizable XML files with many built-in counter thresholds, and then display the information in an HTML report.

You can find PAL here:

http://www.codeplex.com/PAL

PAL only needs to be installed on the system where you are going to process the logs, not on the system you are monitoring. Go ahead and download and install PAL and its prerequisites (Log Parser 2.2 & Microsoft Office Web Components 2003). I'll wait till you're done.

Now that PAL is installed we need to set up some counter logs on the system we want to analyze. To do this go to Start, then Run, and type Perfmon. Go into Performance Logs and Alerts, right-click Counter Logs and choose New Log Settings…

 

 

For a general system overview add the following counter objects:

LogicalDisk
Memory
Network Interface
PhysicalDisk
Process
Processor
System
TCPv4




Change the interval to something like 60 seconds and click OK.

After saving the counter log settings, it should automatically start collecting data. You can tell if it's running because the icon will be green.

Once the counter log has been running for a sufficient amount of time, go ahead and stop the logger. At this point, you'll want to copy the log file to the system that you installed PAL on.

Sidenote: 

PAL does come with VBScripts for creating these counters on the fly. These are located in C:\Program Files\PAL\PAL v1.3.4.2\PerfmonLogScripts.

Syntax:


cscript CreateAndStartPerfmonLogs.vbs <computer[;computer]> <ServerType> <CounterListFilePath>

<computer[;computer]>  List of computers to create and start the perfmon log.

<ServerType>           Text description to be added to the log name.

<CounterListFilePath>  File containing the list of perfmon counters.

Example:

Open a command window and change directory to C:\Program Files\PAL\PAL v1.3.4.2\PerfmonLogScripts.

cscript  CreateAndStartPerfmonLogs.vbs myserver sysoverview CounterList_SystemOverview.txt 

 

OK, now back to analyzing the counter file:

Go ahead and open the PAL GUI and click Next.

On the Counter Log screen you'll want to browse out to the log file we created earlier and click Next.

 

On the Threshold File screen verify that the System Overview threshold file is selected. After answering the Question Variables Names section in the lower left, click Next.

 

Click Next to accept the defaults on the Analysis Interval screen:

 

Customize the name and location of the output report on the Output Options screen and click Next.

 

 

The Queue page displays the queued commands that the wizard has built. Click Next to move to the final screen.

 

 

 

On the Execute screen verify that Execute: Execute what is in the queue. is selected and choose Finish.

 

 

At this point PAL will kick off a VBScript that will slice and dice the log file and generate a detailed report. The report highlights any thresholds that were exceeded in the alerts section at the top, and contains charts and suggested resolution information for many of the counters analyzed.


The Case of the Undeletable Folder

While adding a new disk to a server we ran into an issue where we were getting the following error message when trying to delete a folder from a mounted drive.

Cannot delete Folder: Access is denied. The source file may be in use

Well, it turns out that this is a known issue and only happens when you try to delete a folder that is on a mount point. Apparently the Recycle Bin does not understand mounted volumes and attempts to store the deleted folder in the Recycle Bin of the parent drive, which doesn't work since the folder doesn't exist on that drive. Since the Recycle Bin is not used when deleting folders over the network, this issue only appears when deleting folders locally.

To work around this you can bypass the Recycle Bin with a Shift+Delete or delete the folder via a network share.

For more details check out this KB Article http://support.microsoft.com/kb/243514


Who ate my menu bar?

While looking for the advanced network settings on a Windows 2008 Server I noticed that the menu bar (File, Edit, View, Advanced, etc.) is no longer visible by default. Guess I hadn't really needed it until this point. How to get it back, you ask? Well, there are two ways.

1. Just like in the DOS days, press the ALT key and the bar will pop back up.

2. Now say you are ALT key challenged and don't want to use the ALT key. Click on Organize, then Folder and Search Options, and from there switch to Use Windows classic folders.


 


 


Altiris PXE Boot Option Login Account Can’t Log In

Problem: 

The PXE boot option will not map a drive (default F:) to the DS. All the configuration seems correct and the password has been verified.

Cause:

Altiris uses a LAN Manager hash file to store and use the password. Most security policies require the storing of LAN Manager password hashes to be disabled for the domain/server. This is normally done via Group Policy by enabling the Network security: Do not store LAN Manager hash value on next password change setting.

Solution:

In most environments it will not be possible to allow LAN Manager hash storage across the domain due to security policies, but you can do it for local accounts if you move the server in question to an OU where a policy overrides the Network security: Do not store LAN Manager hash value on next password change setting to Disabled. After the policy propagates, reboot the server and create a new local account for PXE booting. You will now be able to use this account in your PXE boot options; just use workgroup as the domain. Once the password is set you could re-enable the Network security: Do not store LAN Manager hash value on next password change setting, as this setting only applies during password changes.

 


Altiris DS Stuck PXE Boot Option Removal

If you ever wanted to remove a boot option from the PXE configuration utility that was flagged as in use, then you know it can be quite a pain figuring out what jobs are referencing the boot option and changing them. I have even had a couple of occasions where the boot options were changed but I still couldn't remove the old PXE option.

So do you just leave it and act like it doesn't exist? No I say, to the database we must go.

First open the PXE Config utility, select the boot option in question and choose Edit.

Once the Edit Shared Menu Option window is open, look at the file location and get the number from the end of the path: 161 in our case.

Now open the SQL query editor and point it to the Express DB.

Run the following query:

select * from dbo.task
where bootoption_id = 161

This will return any jobs that reference the boot option. In this case Event_id 200735 references this boot option.  There is also a task_seq which is used if there are additional steps in a job that reference the boot option.

Now we need to run another query to get the job info. This is stored in the event table.

select * from dbo.event
where event_id = 2000735

 

From this query we can get the name of the job. Once we have the name we can go into the DS console and easily find the job and change the boot option. Once these are updated we can once again go into the PXE Config Utility and delete the offending Boot option.

  


Remote Event Viewer Access Windows 2003 & 2008

I regularly have requests to allow a regular user of a system to access the event viewer remotely. What would seem like a trivial task ends up taking some thought, as there is no built-in way to easily allow this access on Windows 2003.

So say we want to allow the user Jim Bob access to the System event log on our server.

First we need to open Regedit and browse out to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

Next we'll want to copy the CustomSD value into a text editor and add access for Jim Bob.

Original Value:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)

Now since we only want to give him read access we’ll mirror the Interactive User’s (IU) default permissions.

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;S-1-5-3-3127463467463)

Just copy your newly minted SDDL string back into the CustomSD value and Jim Bob will be good to go.

Now say you just want to allow all Authenticated Users (AU) access. You could just modify your SDDL as follows:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;AU)

Rinse and repeat for any additional event logs that you want to grant access to.

Windows 2008 is much easier as long as you are OK giving the user/group read access to all event logs. If that is the case, just add them to the built-in Event Log Readers group.

Now if you want to customize things, like giving someone access to the Application and System logs but not the Security log, you still have to dig into the SDDL.

The location of the SDDL has changed in Windows 2008, and it is no longer set via the CustomSD value in the registry. You now have to use the wevtutil utility. OK, so let's say Jim Bob now needs access to just the System event log on our Windows 2008 Server.

First we need to open the command prompt, and run the following command to dump out the SDDL for the System log out to a txt file.

wevtutil gl system > C:\temp\out.txt

Open the text file and copy out the channelAccess: entry.

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

Now once again copy the Interactive User (IU) rights and add Jim Bob to them.

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)

Last we need to apply the new SDDL. Just replace the O:BAG:XXXX with your SDDL String you created in the previous step.

wevtutil sl System /ca:O:BAG:XXXX

There you have it. As another option, you can remove access for the Event Log Readers group from the event log in question by removing the (A;;0x1;;;S-1-5-32-573) entry from the respective log's SDDL string.
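Hand-edited SDDL strings like the ones above fail on a stray space or parenthesis, so it helps to check the string before writing it back. The following Python is an added example, not part of the original post: it parses an event log SDDL, lists which trustees hold read, write or clear, and appends a read-only ACE that mirrors the IU entry. The function names and USER_SID are constructed for illustration, and it assumes hex access masks as used in the strings on this page.

```python
import re

# Event log access bits: the page's 0x1 read grant, plus write and clear.
RIGHTS = {"read": 0x1, "write": 0x2, "clear": 0x4}
# SID aliases and well-known SIDs that appear in the strings on this page.
NAMES = {
    "AN": "Anonymous", "BG": "Builtin Guests", "SY": "Local System",
    "BA": "Builtin Administrators", "SO": "Server Operators",
    "IU": "Interactive", "SU": "Service", "AU": "Authenticated Users",
    "LS": "Local Service", "NS": "Network Service", "S-1-5-3": "Batch",
    "S-1-5-33": "Write Restricted", "S-1-5-32-573": "Event Log Readers",
}
SDDL_RE = re.compile(r"O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^()]*\))+)")
SID_RE = re.compile(r"[A-Z]{2}|S-1-\d+(?:-\d+)+")

# Default Windows 2003 System log descriptor, as quoted on this page.
PAGE_2003 = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
             "(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)"
             "(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)")
# Constructed placeholder standing in for the user's real SID.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"


def parse_sddl(sddl):
    """Return the DACL as (ace_type, mask, sid) tuples; ValueError if malformed."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:  # stray ')' or whitespace between ACEs lands here
        raise ValueError("malformed SDDL (stray parenthesis or whitespace?)")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(4)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE needs 6 fields: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if ace_type not in ("A", "D"):
            raise ValueError("unsupported ACE type in (%s)" % body)
        if not re.fullmatch(r"0x[0-9a-fA-F]+", rights):
            raise ValueError("expected a hex access mask in (%s)" % body)
        if not SID_RE.fullmatch(sid):  # e.g. a space pasted before the SID
            raise ValueError("bad SID %r in (%s)" % (sid, body))
        aces.append((ace_type, int(rights, 16), sid))
    return aces


def trustees_with(sddl, right):
    """SIDs whose allow ACE includes the named right (read/write/clear)."""
    bit = RIGHTS[right]
    return [sid for t, mask, sid in parse_sddl(sddl) if t == "A" and mask & bit]


def grant_read(sddl, sid):
    """Append a read-only allow ACE for sid unless it can already read."""
    sid = sid.strip()  # tolerate copy/paste whitespace around the SID
    if not SID_RE.fullmatch(sid):
        raise ValueError("bad SID %r" % sid)
    if sid in trustees_with(sddl, "read"):  # also validates the input SDDL
        return sddl
    return "%s(A;;0x%x;;;%s)" % (sddl, RIGHTS["read"], sid)


def describe(sddl):
    """One readable line per ACE, for review before applying the string."""
    lines = []
    for t, mask, sid in parse_sddl(sddl):
        held = [name for name, bit in RIGHTS.items() if mask & bit]
        verb = "allow" if t == "A" else "deny"
        lines.append("%-5s %-24s %s" % (verb, NAMES.get(sid, sid), "+".join(held)))
    return lines


if __name__ == "__main__":
    updated = grant_read(PAGE_2003, " " + USER_SID)
    print("\n".join(describe(updated)))
    print(updated)
```

Review the describe() output, then paste the returned string into CustomSD (Windows 2003) or pass it to wevtutil sl System /ca: (Windows 2008).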

 


Windows 2008 Installer as a PXE option

One of the challenges with Windows 2008 is the fact that it requires a DVD drive to install the OS from standard media, and many of our servers only have a CD drive.

To solve this problem we created a custom Win PE boot option called W2K8 Setup 64bit & W2K8 Setup 32bit and instead of starting Aclient we call Windows setup.

First off, create a new PE boot option. Once at the Edit Configuration screen (step 9) choose New, then Text file. Select the file and change the name to runagent.bat. Delete any text in the runagent.bat file so that the file is blank.

Then select the startup.bat file and add the full path to your setup.exe file under the :UserActions line (F:\images\w2k8\setup.exe in my case). Save it, and then you're ready to boot into setup without accessing the DS console.


Got to Love E-mail Scammers

Last week I listed  an old laptop I have for sale on Craigslist. Here is one of the more amusing  scams I received.

 

Cody Posey to sale-767560960

Hi,

I wanna buy your item for my lover,reply if it's still available.

 

------------------------------------------------------------------------------------------

Noah to Cody

Tell your lover that they are in luck. Give me a call.  

------------------------------------------------------------------------------------------

Cody Posey to me

 

Thanks for getting back to me, I am buying your item for my Interracial beloved lover, am  sending this item as a gift of love from me. Please consider your item sold and remove the add from site. because i will like to make a prompt payment for your item. I am located in Denver. will be adding an additional dollars doing payment for the shipping cost. Send me what i will use for the payment. Do you prefer pay pal or Money order? Send me your full name and address if you prefer money order for the payment to be made asap.

Thanks for your time

Good luck

-----------------------------------------------------------------------------------------

Noah to Cody  

I am intrigued by the prospect of your interracial beloved lover receiving and cherishing my item. I hope that they will love and hold my item as much as I have over these past years, and If you could send a picture of your lover,  I would even bless my item to their image. But I fear your lover will never have the enjoyment I had with the item, as I do not participate in modern currencies and will only except payment for my item in gold. 


Cleaning up the Altiris Helpdesk Database

 

Over time the helpdesk database becomes very laden with sludge. In our case, in over 3 years of heavy use since the helpdesk was put in place, we have accumulated over 1.5 million incidents, 8500 obsolete contacts and 150 worker queues. With every passing month my users noticed the system getting slower and slower.

What to do with all this filth, you ask? Well, purge it of course. First off we needed to come up with a policy and then figure out how to implement the policy. Today we'll work with the incidents database.

 

After sitting down with the users of the system we were able to determine that we only needed 6 months of tickets. 

 

Once the policy was determined the fun part began. Since there is no built-in method inside of the Altiris Helpdesk system to purge incidents, we needed to figure out how to do this from SQL.

A word of warning before we get started: make sure you have a good backup of your Altiris_Incidents database, and preferably test this process thoroughly on a test box first. Also, everything here is provided as is. These processes work in my environment, but may need some tweaking to work in yours.

 

With that out of the way,  on to the fun stuff.

 

All the incidents are stored in the workitem table. The records in the workitem table only have one dependency that we have to worry about when purging the records. That column is called link_parent_number; it is used for linking child and parent incidents, and the default value should be 0. I found it easier to identify these records after the purge, so we'll start with the purge and then clean up the leftover records.

First we'll start with creating a query to select all the records over 6 months old. Open SQL Management Studio, select the Altiris_Incidents database and create a new query.

Select count(*)
FROM workitem
WHERE modified_on < DATEADD(mm,6*-1,GETDATE());

 

This will give us the number of records in the workitem table that are older than 6 months.

Now remember that each incident may have multiple records in the workitem table. If you want to see the total number of actual incidents, change the query to:

Select count(distinct number)
FROM workitem
WHERE modified_on < DATEADD(mm,6*-1,GETDATE());

You can modify this query as needed until you get the records you want to purge. Once we have our counts it's time to prepare to delete the old incidents. At this point, you'll want to once again verify you have a good backup before proceeding.

Now we'll need to modify the select query into a delete query. This is accomplished by changing the select x,x,x to delete. I always like to add a BEGIN TRANSACTION and a COMMIT TRANSACTION/ROLLBACK TRANSACTION to the start and end of my queries whenever I'm deleting or modifying tables, because if something goes wrong I can quickly roll back without restoring the database.

BEGIN TRANSACTION
Delete FROM workitem
WHERE modified_on < DATEADD(mm,6*-1,GETDATE());

-- COMMIT TRANSACTION
-- ROLLBACK TRANSACTION

 

Once you run this you'll want to verify that the number  of rows affected matches the number of rows selected in your original query.  You can also go into the helpdesk and verify everything is working correctly and that you can create new tickets and view existing ones.

 

If you're happy with the results go ahead and uncomment the COMMIT TRANSACTION and execute it. Otherwise uncomment the ROLLBACK TRANSACTION and execute it, and everything will be back like it never happened.

 

After the old incidents are purged we still need to  clean up any lingering parent/child linking issues. If you don't link tickets then you can skip this step, but I would recommend you do it anyway as it won't hurt.

 

As before we will start with a query, but this time we will change it to an update instead of a delete.

We need to find all the incidents that reference incidents that are no longer in the database.

Select count(*) from workitem
where link_parent_number != 0
and link_parent_number not in (select distinct number from workitem)

 

This query will search the workitem table and return any record that doesn't have a 0 (the default) in the link_parent_number column and whose link_parent_number references an incident number that is not in the workitem table.

Now we modify this query into an update.

BEGIN TRANSACTION
update workitem
set link_parent_number = 0
where link_parent_number != 0
and link_parent_number not in (select distinct number from workitem)

-- COMMIT TRANSACTION
-- ROLLBACK TRANSACTION

Once you run the update you will need to remember to uncomment and execute either the commit or the rollback transaction.

There you have it: you have successfully purged your helpdesk database of incidents over 6 months old.

 

There are a couple of caveats with purging the workitem table like this. If you have a lot of activity going on in a live environment and you're deleting many records at once, you may run into performance or locking issues while you're running the deletes. Also, copying and pasting SQL code or rewriting something I did 6 months ago but have now forgotten is not something I look forward to. To solve these problems we'll now put all our code together into a stored procedure. I have attached the completed stored procedure so you can follow along. Most of this code will already be familiar to you as we covered it above, but I'll go through each section so you can understand what it's doing and customize it to your environment.

 

 

We start with the general CREATE/ALTER PROCEDURE statement. If you already have the stored procedure in your database then you can change the CREATE below to an ALTER and you'll update the existing procedure.

set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
GO

CREATE PROCEDURE [dbo].[PurgeIncidentTable] AS

To make the stored procedure more versatile, in this section of the code we declare and set variables. These variables allow you to define things that change over time in one place, instead of going through all the code and manually updating values whenever requirements change.

SET NOCOUNT ON
DECLARE @rows int
DECLARE @batchsize int
DECLARE @monthstokeep INT
DECLARE @totalrows INT
DECLARE @delay VARCHAR(10)

SET @batchsize = 1000
SET @monthstokeep = 6
SET @delay = '00:00:02'

SET @totalrows = 0
SET @rows = 1

 

 

In the next section we translate our original delete query into a loop, to resolve the locking issue outlined above that could occur when purging 10000s of records in one swoop. Instead we take all the rows to purge and delete them in batches of 1000 (SET @batchsize = 1000). We then add the number of rows deleted in that loop iteration to @totalrows, wait the amount of time in @delay (in our case 2 seconds), and repeat the loop until all the rows are purged. Once purged, we print to the screen that the table was purged and how many rows were purged.

-- Delete obsolete rows in the workitem table
WHILE (@rows > 0)
BEGIN

    DELETE TOP (@batchsize)
    FROM workitem WITH (PAGLOCK)
    WHERE modified_on < DATEADD(mm,@monthstokeep*-1,GETDATE());

    SELECT @rows = @@ROWCOUNT;
    SET @totalrows = @totalrows + @rows;

    WAITFOR DELAY @delay;
END

PRINT 'workitem table Purged..'
PRINT CAST(@totalrows AS VARCHAR(20)) + ' records purged'

 

 

In the next and final block we are pretty much just copying the link parent number cleanup update query we created earlier. We also add a couple of PRINT lines to the statement to echo out how many rows we update. With that the stored procedure is complete.

-- Fix any obsolete parent links
update workitem
set link_parent_number = 0
where link_parent_number != 0
and link_parent_number not in (select distinct number from workitem)

SELECT @rows = @@ROWCOUNT;

PRINT 'workitem obsolete linked parents fixed..'
PRINT CAST(@rows AS VARCHAR(20)) + ' records fixed'

 

 

To add the stored procedure to your system, open SQL Management Studio and, in a new query window, execute the code. This will create the stored procedure in your database.

Now all you have to do to purge your database of records older than 6 months is run:

 

EXEC  PurgeIncidentTable

 

You can also schedule this procedure to run via the SQL job scheduler on a daily, weekly or whatever basis.

In conclusion, I have been running the PurgeIncidentTable procedure in production for over 6 months without issue. Our Helpdesk's live online incident count has reduced from over 1.5 million to around a running average of 330,000 active incidents, and the performance on the helpdesk is now stable and predictable.

 

PurgeIncidentTable.zip (700.00 bytes)


Setting the default collection for your Collection Pickers

Last time we covered adding a collection picker to your reports. In case you missed it you can find it here. I know after reading the prior tip you were excited beyond belief, and happily adding collection pickers to all your reports.

That is, until you realize that you have to select a collection each and every time you want to run the report, and most of the time you end up selecting the same collection. Fear not, because today I'll show you how to set the default collection.

First off we need to pick a collection. Let's go with the All Computers collection. We'll need to browse to the collection in the NS console, right-click it and choose Properties:

 

 

In the Properties window we'll need to copy the GUID of the collection and save it for later.

{eb3a1a12-e1c7-4431-b060-f0333e4e488c}

Now we'll need to create/clone a report that has a collection picker. We'll use the Add Remove Programs example one we created last time. Unlike basic parameters, item picker parameters do not allow you to set a default value; well, at least not in the NS console. To accomplish our task we'll need to export the report to XML, then modify the XML and import it back into the NS.

Browse out to the report in the NS console, right-click it, choose Export and save the XML file to your computer.

Now open the file in Notepad and look for the following lines:

<parameter type="custom" assemblyName="Altiris.NS.StandardItems, Version=6.0.6074.70, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f" typeName="Altiris.NS.StandardItems.Query.ItemPickerParameter" filterClass="a725fb57-09e1-4e9f-bb13-b4600094cf61" excludeDescendents="False" autoUpdateIfCollection="True" prompt="True" name="Collection" substituted="true">
<prompt><![CDATA[Collection]]></prompt>
</parameter>

Now we need to add a default tag with our GUID from earlier, above the </parameter> in the lines above:

<default><![CDATA[{EB3A1A12-E1C7-4431-B060-F0333E4E488C}]]></default>

So now your Collection parameter XML should be:

<parameter type="custom" assemblyName="Altiris.NS.StandardItems, Version=6.0.6074.70, Culture=neutral, PublicKeyToken=d516cb311cfb6e4f" typeName="Altiris.NS.StandardItems.Query.ItemPickerParameter" filterClass="a725fb57-09e1-4e9f-bb13-b4600094cf61" excludeDescendents="False" autoUpdateIfCollection="True" prompt="True" name="Collection" substituted="true">
<prompt><![CDATA[Collection]]></prompt>
<default><![CDATA[{EB3A1A12-E1C7-4431-B060-F0333E4E488C}]]></default>
</parameter>

Go ahead and save the new XML file and import it back into the NS. Now when you run the report you will see All Computers is already selected.  

 
