2.2.2.7 FileFormat

The FileFormat enumeration defines the format of the data in the log file.

typedef enum
{
  plaCommaSeparated = 0,
  plaTabSeparated = 1,
  plaSql = 2,
  plaBinary = 3
} FileFormat;

plaCommaSeparated:  Comma-separated log file. The first line in the text file contains column headers followed by comma-separated data in the remaining lines of the log file.

plaTabSeparated:  Tab-separated log file. The first line in the text file contains column headers followed by tab-separated data in the remaining lines of the log file.

plaSql:  The data is saved into a SQL database, instead of to a file. The SQL database contains three tables: CounterData, CounterDetails, and DisplayToId. All three tables are specified below.

The CounterData table contains a row for each counter that is collected at a particular time. There will be a large number of these rows. The GUID, CounterID, and RecordIndex fields make up the primary key for this table.

The CounterData table defines the following fields:

  • GUID(uniqueidentifier, NOT NULL): GUID, as specified in [MS-DTYP] section 2.3.4, for this data set. Use this key to join with the DisplayToID table.

  • CounterID(int, NOT NULL): Identifies the counter. Use this key to join with the CounterDetails table.

  • RecordIndex(int, NOT NULL): The sample index for a specific counter identifier and collection PLA-UID. The value increases for each successive sample in this log file.

  • CounterDateTime(char(24), NOT NULL): The time the collection was started, in UTC time.

  • CounterValue(float, NOT NULL): The formatted value of the counter. This value can be zero for the first record if the counter requires two samples to compute a displayable value.

  • FirstValueA(int): Combine this 32-bit value with the value of FirstValueB to create the FirstValue member of PDH_RAW_COUNTER. FirstValueA contains the low-order bits.

  • FirstValueB(int): Combine this 32-bit value with the value of FirstValueA to create the FirstValue member of PDH_RAW_COUNTER. FirstValueB contains the high-order bits.

  • SecondValueA(int): Combine this 32-bit value with the value of SecondValueB to create the SecondValue member of PDH_RAW_COUNTER. SecondValueA contains the low-order bits.

  • SecondValueB(int): Combine this 32-bit value with the value of SecondValueA to create the SecondValue member of PDH_RAW_COUNTER. SecondValueB contains the high-order bits.

The CounterDetails table describes a specific counter on a particular computer. The CounterDetails table defines the following fields:

  • CounterID(int, IDENTITY PRIMARY KEY): A unique identifier in the database that maps to a specific counter name text string. This field is the primary key of this table.

  • MachineName(varchar(1024), NOT NULL): The name of the computer that logged this data set.

  • ObjectName(varchar(1024), NOT NULL): The name of the performance object.

  • CounterName(varchar(1024), NOT NULL): The name of the counter.

  • CounterType(int, NOT NULL): The counter type.

  • DefaultScale(int, NOT NULL): The default scaling to be applied to the raw performance counter data.

  • InstanceName(varchar(1024)): The name of the counter instance.

  • InstanceIndex(int): The index number of the counter instance.

  • ParentName(varchar(1024)): Some counters are logically associated with others, and are referred to as parents. For example, the parent of a thread is a process and the parent of a logical disk driver is a physical drive. This field contains the name of the parent. Either the value in this field or the ParentObjectID field identifies a specific parent instance. If the value in this field is NULL, the value in the ParentObjectID field will be checked to identify the parent. If the values in both fields are NULL, the counter does not have a parent.

  • ParentObjectID(int): The unique identifier of the parent. The value in either this field or the ParentName field identifies a specific parent instance. If the value in this field is NULL, the value in the ParentName field will be checked to identify the parent.

The DisplayToID table relates the user-friendly string displayed by the System Monitor to the PLA-UID stored in the other tables. The DisplayToID table defines the following fields:

  • GUID(uniqueidentifier, NOT NULL PRIMARY KEY): A PLA-UID generated for a log. This field is the primary key of this table. Note that these do not correspond to the values in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\

  • RunID(int): Reserved for internal use.

  • DisplayString(varchar(1024), NOT NULL UNIQUE): Name of the log file as displayed in the System Monitor.

  • LogStartTime(char(24)): Time the logging process started in yyyy-mm-dd hh:mm:ss:nnn format.

  • LogStopTime(char(24)): Time the logging process stopped in yyyy-mm-dd hh:mm:ss:nnn format. Multiple log files with the same DisplayString value can be differentiated by using the value in this and the LogStartTime fields. The values in the LogStartTime and LogStopTime fields also allow the total collection time to be accessed quickly.

  • NumberOfRecords(int): Number of samples stored in the table for each log collection.

  • MinutesToUTC(int): Value used to convert the row data stored in UTC time to local time.

  • TimeZoneName(char(32)): Name of the time zone where the data was collected. If collecting or analyzing relogged data from a file collected on systems in the user's time zone, this field will state the location.
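The following is an added example, not part of the specification text: it models the three plaSql tables described above in SQLite from Python, loads constructed sample rows, and reads them back with the joins the field descriptions call for (CounterData.GUID to DisplayToID.GUID, CounterData.CounterID to CounterDetails.CounterID). It also recombines the FirstValueA/FirstValueB and SecondValueA/SecondValueB columns into 64-bit values; because both halves are signed 32-bit int columns, the low half must be masked before it is ORed with the shifted high half. SQLite standing in for SQL Server, IDENTITY being modelled with AUTOINCREMENT, and every GUID, name and counter value are assumptions of this example.

```python
"""Added example (not from the specification): model the plaSql schema in
SQLite, load constructed rows, and query them back the way a consumer would.
Assumptions: SQLite stands in for SQL Server (type names are kept but stored
by affinity; IDENTITY becomes AUTOINCREMENT); all sample data is constructed."""
import sqlite3

# Schema following the field lists for CounterData, CounterDetails and DisplayToID.
SCHEMA = """
CREATE TABLE CounterData (
    GUID uniqueidentifier NOT NULL, CounterID int NOT NULL, RecordIndex int NOT NULL,
    CounterDateTime char(24) NOT NULL, CounterValue float NOT NULL,
    FirstValueA int, FirstValueB int, SecondValueA int, SecondValueB int,
    PRIMARY KEY (GUID, CounterID, RecordIndex)
);
CREATE TABLE CounterDetails (
    CounterID INTEGER PRIMARY KEY AUTOINCREMENT,  -- IDENTITY PRIMARY KEY (assumed mapping)
    MachineName varchar(1024) NOT NULL, ObjectName varchar(1024) NOT NULL,
    CounterName varchar(1024) NOT NULL, CounterType int NOT NULL,
    DefaultScale int NOT NULL, InstanceName varchar(1024), InstanceIndex int,
    ParentName varchar(1024), ParentObjectID int
);
CREATE TABLE DisplayToID (
    GUID uniqueidentifier NOT NULL PRIMARY KEY, RunID int,
    DisplayString varchar(1024) NOT NULL UNIQUE, LogStartTime char(24),
    LogStopTime char(24), NumberOfRecords int, MinutesToUTC int, TimeZoneName char(32)
);
"""

MASK32 = 0xFFFFFFFF


def combine_halves(low_a, high_b):
    """Rebuild a 64-bit PDH_RAW_COUNTER member from its two signed 32-bit columns.
    The low half is masked first; otherwise a negative low word sign-extends and
    corrupts the result. Returns None if either half is NULL in the database."""
    if low_a is None or high_b is None:
        return None
    return ((high_b & MASK32) << 32) | (low_a & MASK32)


def build_sample_db():
    """Create the schema in memory and load constructed rows for one log."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    log_guid = "00000000-0000-0000-0000-00000000abcd"  # constructed PLA-UID
    con.execute("INSERT INTO DisplayToID VALUES (?,?,?,?,?,?,?,?)",
                (log_guid, None, "Example Collector", "2024-01-01 00:00:00:000",
                 "2024-01-01 00:00:10:000", 2, 0, "UTC"))
    # Parameterized insert: counter metadata is untrusted text from the log source.
    con.execute("INSERT INTO CounterDetails (MachineName, ObjectName, CounterName, "
                "CounterType, DefaultScale, InstanceName) VALUES (?,?,?,?,?,?)",
                ("\\\\HOST1", "Processor", "% Processor Time", 1, 0, "_Total"))
    counter_id = con.execute("SELECT CounterID FROM CounterDetails").fetchone()[0]
    rows = [
        # (RecordIndex, CounterDateTime, CounterValue, FirstA, FirstB, SecondA, SecondB)
        # First record: CounterValue 0.0 because two samples are needed; low word
        # stored as -1, i.e. the signed form of 0xFFFFFFFF.
        (0, "2024-01-01 00:00:00:000", 0.0, -1, 0, 100, 0),
        (1, "2024-01-01 00:00:10:000", 12.5, 5, 1, 200, 0),
    ]
    con.executemany("INSERT INTO CounterData VALUES (?,?,?,?,?,?,?,?,?)",
                    [(log_guid, counter_id) + r for r in rows])
    con.commit()
    return con


def counter_samples(con, display_string):
    """Join the three tables on the keys the field descriptions name and return
    one dict per sample with the 64-bit raw values reassembled."""
    sql = """
    SELECT d.MachineName, d.ObjectName, d.CounterName, d.InstanceName,
           c.RecordIndex, c.CounterDateTime, c.CounterValue,
           c.FirstValueA, c.FirstValueB, c.SecondValueA, c.SecondValueB
    FROM CounterData c
    JOIN DisplayToID l ON l.GUID = c.GUID
    JOIN CounterDetails d ON d.CounterID = c.CounterID
    WHERE l.DisplayString = ?
    ORDER BY c.RecordIndex
    """
    out = []
    for r in con.execute(sql, (display_string,)):
        out.append({
            "path": f"{r[0]}\\{r[1]}({r[3]})\\{r[2]}",
            "index": r[4], "time": r[5], "value": r[6],
            "first": combine_halves(r[7], r[8]),
            "second": combine_halves(r[9], r[10]),
        })
    return out


if __name__ == "__main__":
    for sample in counter_samples(build_sample_db(), "Example Collector"):
        print(sample)
```

The query filters by DisplayString and orders by RecordIndex, which is how a reader would walk one collection in sample order; the composite primary key on CounterData (GUID, CounterID, RecordIndex) is what lets the same RecordIndex appear once per counter per log.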

plaBinary:  Binary log file.