Windows Event Log Integration with ETW

by Jonathan Allen on Aug 10, 2013

ETW, or Event Tracing for Windows, is a high-performance logging system that is available on Windows Vista and later operating systems. On a typical system it can handle over 100,000 events per second, far more than most applications should need.

Unlike typical logging frameworks, which are line-based, the events generated by ETW sources are structured. The field names are not predefined by the ETW framework itself. Rather, they are based on the structure of the event source class used. Consider this example inspired by Vance Morrison:

using System.Diagnostics.Tracing;
sealed class MinimalEventSource : EventSource
{
    // The first argument to WriteEvent identifies the event; the rest are its fields.
    public void Load(long ImageBase, string Name) { WriteEvent(1, ImageBase, Name); }
    public void LoadComplete(string Name, int Duration) { WriteEvent(2, Name, Duration); }
    public static MinimalEventSource Log = new MinimalEventSource();
}

The column names in the log are based on the parameter names in the function, hence the non-standard capitalization. The number passed to WriteEvent is the ordinal of the function as it appears in the source code.

Normally ETW logging is disabled; events are only recorded when a tool like PerfView is listening. This allows you to examine an application running in production without modifying configuration files. But sometimes you may still want to proactively log data somewhere. That’s where the new Microsoft EventSource Library comes into play.

The Microsoft EventSource Library allows you to tag ETW events with an attribute to indicate that they should also be sent to the Windows Event Log. A new base class called “Microsoft.Diagnostics.Tracing.EventSource” replaces the standard “System.Diagnostics.Tracing.EventSource” class. Then an EventSourceAttribute is used to specify the folder that the logs will be written to. Finally, an EventAttribute is added to each ETW event declaration that will be copied to the Windows Event Log.

Unfortunately, this scheme has the same limitations as other Windows Event Log writers. There is a limited amount of space in the log, so you shouldn’t log high-frequency events. And a system administrator needs to create the new event log folders.

To make registering the log somewhat easier, the NuGet package creates a manifest file that can be passed to wevtutil.
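
The attribute scheme described above, applied to a small audit source. This is an added example, not code from the original article or from Microsoft's samples. It assumes the Microsoft.Diagnostics.Tracing.EventSource NuGet package is referenced; the source name `Contoso-Sample-Audit`, the class, the event names and the sample values are hypothetical.

```csharp
// Added example: assumes the Microsoft.Diagnostics.Tracing.EventSource NuGet package.
using Microsoft.Diagnostics.Tracing;   // replaces System.Diagnostics.Tracing

// Name is the provider name and the Event Log folder (hypothetical name).
[EventSource(Name = "Contoso-Sample-Audit")]
sealed class AuditEventSource : EventSource
{
    public static readonly AuditEventSource Log = new AuditEventSource();

    // Channel set: also copied to the Windows Event Log.
    // Suitable because it is low-frequency and administrator-facing.
    [Event(1, Channel = EventChannel.Admin, Level = EventLevel.Warning,
           Message = "Logon failed for {0} from {1}")]
    public void LogonFailed(string UserName, string SourceAddress)
    {
        WriteEvent(1, UserName, SourceAddress);
    }

    // No Channel: ETW only, recorded when a listener such as PerfView is attached.
    // High-frequency events stay out of the size-limited Event Log.
    [Event(2, Level = EventLevel.Verbose)]
    public void RequestParsed(string Path, int DurationMs)
    {
        WriteEvent(2, Path, DurationMs);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values.
        AuditEventSource.Log.LogonFailed("alice", "192.0.2.10");
        AuditEventSource.Log.RequestParsed("/index", 3);
    }
}
```

Until an administrator has registered the generated manifest with wevtutil, only ETW listeners will see either event.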
