We recently had a customer inquire about using ELM to monitor a process for excessive memory. This customer typically would look at Task Manager, find the process, and look at the ‘Memory (Private Working Set)’ value. From experience, they knew a value above 1,000 indicated a problem, and the process needed to be restarted. Provided your ELM Agent has the proper license, this can be accomplished with a Performance Alarm Monitor Item. If your point of reference is Task Manager, then the first step is finding the corresponding performance counter.
The Windows Performance Subsystem has a lot of counters. But with a little investigation, the Task Manager ‘Memory (Private Working Set)’ corresponds with the Performance Monitor (perfmon) ‘Process’ object, ‘Working Set – Private’ counter. To help with the investigation, Microsoft has documentation that cross-references Task Manager data to System Monitor data[1][2].
To confirm your findings, we recommend verifying the System Monitor counter by watching it side-by-side with Task Manager for a couple minutes. For example, the rdpclip.exe process can be displayed in both Task Manager and Performance Monitor, and with a simple division (PerfMon / 1024 = Task Manager), the values compared.
As we’ve seen, scaling can be required for an appropriate comparison, and the same may be true with the ELM Performance Alarm. To simplify this step, create a Performance Alarm and temporarily use an unrealistically low (or high) criteria. Continuing with our rdpclip example, a condition of greater than 1 is specified:
When this Performance Alarm Monitor runs, the Action message will show the value returned by the Windows performance sub-system, and criteria can be adjusted accordingly. With our rdpclip monitor, the results look like this:
You may need work with some further adjustments of the threshold so the Performance Alarm can be set to monitor the exact values you need to automatically keep an eye on your critical processes.
With that our Performance Alarm is set to create an event when our process exceeds the specified memory usage (defined in the threshold) more than X consecutive times. If desired, we can then go and create a Notification Method off an Event View for this particular event (found in the ELM — Monitor Item Events View). An option here could be an email or a bit more advanced such as a Command Script Notification to automatically restart the service in question.
We hope that you found this article on Watching For Processes Exceeding Memory Usage Thresholds informative and useful and wish you continued success with ELM.
[1] http://msdn.microsoft.com/en-us/library/aa965225(VS.85).aspx#process_memory_performance_information [2] http://technet.microsoft.com/en-us/library/cc938567.aspx