BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

InfoQ Dev Summit Boston

Discover transformative insights to level up your software development decisions. Register now with early bird tickets.
InfoQ Dev Summit Munich

Get practical advice from senior developers to navigate your current dev challenges. Register now with early bird tickets.
QCon San Francisco

Level up your software skills by uncovering the emerging trends you should focus on. Register now.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News Windows Event Log Integration with ETW

Windows Event Log Integration with ETW

Bookmarks

Aug 10, 2013 1 min read

InfoQ Article Contest

Share your knowledge Win a ticket to a QCon event
or an InfoQ Dev SummitFind out more

ETW or Event Tracing for Windows is a high performance logging system that is available for Windows Vista and later operating systems. On a typical system it can handle over 100,000 events per second, far more than most applications should need.

Unlike typical logging frameworks, which are line-based, the events generated by ETW sources are structured. The fields names are not predefined by the ETW framework itself. Rather, they are based on the structure of the event source class used. Consider this example inspired by Vance Morrison,

sealed class MinimalEventSource : EventSource 
{
    public void Load(long ImageBase, string Name) { WriteEvent(1, ImageBase, Name); } 
    public void LoadComplete(string Name, int Duration) { WriteEvent(2, Name, Duration); } 
    public static MinimalEventSource Log = new MinimalEventSource(); 
}

The column names in the log are based on the parameter names in the function, hence the non-standard capitalization. The number passed to WriteEvent is the ordinal of the function as it appears in the source code.

Normally ETW logging is disabled; events are only recorded with a tool like PerfView is listening. This allows you to examine an application running in production without modifying configuration files. But sometimes you may still want to proactively log data somewhere. That’s where the new Microsoft EventSource Library comes into play.

Microsoft EventSource Library allows you tag ETW events with an attribute to indicate that they should also be sent to the Windows Event Log. A new base class called “Microsoft.Diagnostics.Tracing.EventSource” replaces the standard “System.Diagnostics.Tracing.EventSource” class. Then an EventSourceAttribute is used to specify the folder that the logs will be written to. Finally, an EventAttribute is added to each ETW event declaration that will be copied to the Windows Event Log.

Unfortunately this scheme has the same limitations of other Windows Event Log writers. There is a limited amount of space in the log so you shouldn’t log high frequency events. And a system administrator needs to create the new event log folders.

To make registering the log somewhat easier, the NuGet package creates a manifest file that can be passed to wevtutil.

Rate this Article

Adoption
Style

This content is in the Microsoft topic

Related Topics:
BT