Why do strings not show in the event log for my custom log events?
Eureka! I had installed the manifest wrongly, thinking that, of the two switches for wevtutil, one repeated the manifest filename and the other contained the DLL filename. Actually, both should refer to the DLL. I'm now doing this in WiX using this markup: <Component Id="etwManifest.man" Guid="*"> <File Id="File.etwManifest.man" Source="$(var.Project.TargetDir)EventSource.Provider-Name.etwManifest.man" KeyPath="yes"...
Using Logman does not collect events
You have to mess around with MOF file to register a new provider first. Then you need to create the session with logman or the Performance Tool within the Control Panel. Here is where I found some hints: http://www.osronline.com/showthread.cfm?link=250095. Now I will tell you my quick and dirty procedure: Compile...
ETW events in Azure diagnostics (SDK 2.5) are logged with incorrect / missing schema
azure,etw,azure-diagnostics,windows-azure-diagnostics
Turns out there were quite a few problems with my EventSource. The first thing I'd recommend to anyone working with ETW is to use the Microsoft TraceEvent Library from NuGet, even if you use System.Diagnostics.Tracing, because it comes with a tool that will verify your EventSource code and notify you...
How can I capture process names using the TraceEvent library?
I truly believe that process name is not being captured by the ETW log. Etw system event contains only process ID field. Although TraceEvent library declares this one as a part of TraceEvent, this one actually is being populated based on executable image filename and process ID, which is implemented...
Differences between the usage of log4net, ETW & TraceLogging
With ETW you can also capture Kernel data and see how your code effects CPU, Disk usage. You can also capture callstacks for ETW events (call stack for kernel mode events in Vista and also usermode events since Windows 7). The .Net Runtime ETW Provider raises Exceptions when you activate...
Missing ETW EventSource table in Azure SDK 2.6
azure,etw,azure-diagnostics,windows-azure-diagnostics
I upgraded my web project to .NET 4.5.1 and now the WAD table shows up as expected (I had been running on just .NET 4.5 before this). It would seem that there might be a bug with having 4 parameters on an EventSource event when using .NET 4.5.0. As a...
Activate Stacks only for some specific ETW Tasks in a provider?
windows-8.1,stack-trace,etw,wpr
Yes, this is possible since Windows 8.1 with the type entry in _EVENT_FILTER_DESCRIPTOR when it is set to EVENT_FILTER_TYPE_STACKWALK when you call EnableTraceEx2. On Windows 8.1,Windows Server 2012 R2, and later, event payload, scope, and stack walk filters can be used by the EnableTraceEx2 function and the ENABLE_TRACE_PARAMETERS and EVENT_FILTER_DESCRIPTOR...
Semantic Logging Out-Of-Process ElasticSearch Configuration
.net,elasticsearch,etw,enterprise-library-5,slab
In case anybody is interested.... it seems SLAB Out-Of-Process Service 2.0 does not support ElasticSearch anymore. I solved this by rolling back to version 1.1.
How do I listen to TPL TaskStarted/TaskCompleted ETW events
c#,.net,task-parallel-library,etw
Your question challanged me to look into ETW (which i've been wanting to look into for a while). I was able to capture "task start" and "task end" using Microsoft.Diagnostics.Tracing.TraceEvent NuGet library with the simple following code: private static void Main(string[] args) { Task.Run(() => { using (var session =...
Escape characters in ETW format strings?
c#,event-log,etw,etw-eventsource
The translation performed by the EventSource manifest generator is {0} -> %1 ... {n} -> %(n+1) & -> & < -> < > -> > ' -> ' " -> " For reference, the conversion happens in string EventProviderBase.TranslateToManifestConvention(string). Then you end up at the message compiler. Escapes are as...
EventLogQuery - How do I filter off certain events?
Stupid mistake. It should be EventID not ErrorID. *[System[(Level=1 or Level=2) and (ErrorID!=1001)]] ...
How to define names hierarchy in ETW EventSource?
c#,etw,etw-eventsource,perfview
this can't be done because ProviderName/Event/OpCode is the convention to show Events in PerfView. Microsoft-Windows-DotNETRuntime/GC/Start also follows this. Microsoft-Windows-DotNETRuntime is the provider, GC is the Event and Start is the OpCode. You can use Tasks to get a better output: public class Tasks { public const EventTask Connect = (EventTask)0x1;...