Installing Sonar on Windows Host

Last Updated On February 16, 2019
You are here:


Sonar v0.2.3 or higher


The following monitoring scenarios should be considered:

  • Monitoring WMI, performance counters on Windows OS.
  • Monitoring product specific metrics, for example SQLServer or BizTalk Server.

These scenarios are useful for gathering key metrics from OS, processes or products that are needed for monitoring and anomaly detection.

Benefits and Liabilities

The following benefits and liabilities should be considered before monitoring event logs with Sonar:


  • Minimal performance impact – query Windows event logs within a period of time is the most efficient technique with near zero CPU cost.
  • Cloud-native collection  for events – Sonar supports exposing collected records from Windows event log to InfluxDb (via UDP).
  • Cloud-native collection for metrics – Sonar supports exposing metrics to Prometheus.
  • Using either InfluxData TICK stack enables anomaly detection and machine learning for collected event log records by application or severity.


  • InfluxDb and/or Prometheus are required for storing metrics collected by Sonar.
  • Sonar daemon requires configuring queries for metrics that should be scraped on periodic intervals.


Download Sonar

This step is required to deploy Sonar monitoring agent on target host. Create new folder, for example C:\Sonar. Next, download the latest zip file with the bits to Sonar folder from releases section in our GitLab repository and unzip the Sonar archive.

This operation will create folder named “out” with the binaries in C:\Sonar directory.

Create Windows Service

This step is required to install Sonar daemon as Windows service. To accomplish this, open command prompt with administrator permissions and execute the following command:

sc.exe create sonard binpath= c:\sonar\out\Sonard.exe start= auto obj= LocalSystem depend= "WinRM"

The above command creates new windows service for sonar daemon.

Specify Windows Service Settings

This step is required to specify path to metric collector configuration file and configure Sonar daemon. To complete this step, modify existing file named Sonar.dll.config file in C:\Sonar\out directory as follows:

<!--?xml version="1.0"?-->

<section name="Sonar" type="Infragravity.Sonar.SonarConfigurationSection, Sonar"><appsettings>
<add key="ConfigPath" value="C:\Sonar\Sonar.config">
<add key="RuntimeType" value="Service">
<add key="LogLevel" value="Warning">
<add key="LogPath" value="C:\Sonar\Sonard.log">
<add key="ExporterPort" value="5000">
<add key="ExporterCacheMilliseconds" value="20000">
<add key="ExporterEnabled" value="true">

The above settings are described below as follows:

  • ConfigPath – path to the metric collection configuration file.
  • RuntimeType – should be set to “Service” to run as windows service or any other value to run as console application.
  • LogLevel – sets logging level.
  • LogPath – specifies path for log file for Sonar daemon running as windows service.
  • ExporterPort – specifies port number to use for exposing metrics to Prometheus.
  • ExporterCacheMilliseconds – specifies how long metric should remain in cache before being removed.
  • ExporterEnabled – indicates that Prometheus exporter endpoint should be hosted by Sonar using port and cache settings described above.

Configure Windows Firewall

This step is optional and typically needed to access Sonar metric endpoint from external monitoring system – Prometheus. To accomplish this, execute the below command:

netsh advfirewall firewall add rule name="sonard" dir=in action=allow protocol=TCP localport=5000

Define Metric Collection

This step is required to configure which metrics Sonar should be monitoring. To complete this step, create Sonar.config file in C:\Sonar directory as specified in ConfigPath setting described in the previous step. Below is sample configuration:

<!--?xml version="1.0"?-->

<section name="Sonar" type="Infragravity.Sonar.SonarConfigurationSection, Sonar"><connectionstrings>
<add name="influxdb" connectionstring="Data Source = udp://;Initial Catalog=sonar;User Id =; Password =; Application Name = default;Max Pool Size=100;Packet Size=4094;Connection Timeout=10">
<runtime scrapeintervalseconds="5" skipsslcheck="true" threads="1"></runtime>
<schedules><add name="s15" query="W3SVC_WebService" server="webapi-prom" intervalseconds="10"></add></schedules>
<add name="webapi-prom" url="" timeoutmilliseconds="1000" authtype="Negotiate">
<add name="W3SVC_WebService" filter="select Name,TotalGetRequests,
CurrentAnonymousUsers from Win32_PerfFormattedData_W3SVC_WebService" resource="*" namespace="root\cimv2">

<add name="Name" value="Name">
<add name="TotalGetRequests" value="CimType.UInt32">
<add name="TotalPostRequests" value="CimType.UInt32">
<add name="TotalPutRequests" value="CimType.UInt32">
<add name="TotalOptionsRequests" value="CimType.UInt32">
<add name="GetRequestsPersec" value="CimType.UInt32">
<add name="OptionsRequestsPersec" value="CimType.UInt32">
<add name="PostRequestsPersec" value="CimType.UInt32">
<add name="PutRequestsPersec" value="CimType.UInt32">
<add name="LogonAttemptsPersec" value="CimType.UInt32">
<add name="CurrentAnonymousUsers" value="CimType.UInt32">

The above configuration shows how to collect multi-instance performance counter for IIS and expose it to Prometheus.

<add name="s15" query="W3SVC_WebService" server="webapi-prom" intervalseconds="10">

To send metrics to InfluxDb via UDP, modify schedule by adding output attribute set to output adapter:

<add name="s15" query="W3SVC_WebService" server="webapi-prom" intervalseconds="10" output="influxdb">

Configure InluxDb UDP transport

This step is optional if Sonar is configured with schedules that do not have “output” attribute set explicitly. All output from these schedules will be exposed to Prometheus monitoring. If you need to send metrics to InfluxDB, update influxdb.conf with the following snippet:

enabled = true
bind-address = ":8092"
database = "sonar"
retention-policy = ""
batch-size = 5000
batch-pending = 10
read-buffer = 0
batch-timeout = "1s"
precision = ""

After restart, InfluxDb will create new UDP listener for receiving metrics via UDP port 8092 and store them in database named “sonar”. If database does not exist, use influxDB CLI by issuing the following commands:

create database sonar

Please note that configured port number and host address should match connection string settings for InfluxDb described in previous steps.

Configure WS-Management

This step is required when WS-Management adapter is required to collect metrics from WMI. To complete this step, execute the following commands:

winrm quickconfig

For non-production scenarios, WinRm can be configured to use HTTP:

winrm set winrm/config/service @{AllowUnencrypted="true"}

The WinRM HTTPS listener can be configured to list certificates and set thumbprint for the HTTPS listener:

Get-ChildItem -path cert:\LocalMachine\My\
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<hostname>";CertificateThumbprint="<thumbprint>"}

Start Sonar Daemon

Next, run the following command to start Sonar daemon as windows service:

net start sonard


You can inspect Sonar.log file or run Sonar daemon as console for troubleshooting. To accomplish this simply change value of RuntimeType setting in Sonard.dll.config to “Console” and execute Sonard.exe file manually.