(ETW) Event tracing for Windows get started (with PDF download)

Source: Internet
Author: User

Outline
• ETW introduction
• The idea of monitoring a remote machine with ETW
• ETW monitoring native demo
• Underlying class library: EventSource introduction
• Underlying class library: TraceEvent introduction

What is ETW?
1. Event Tracing for Windows (ETW) is an event-tracing mechanism provided by the operating system to monitor the performance of a system under load, with low system overhead (compared with Performance Logs and Alerts).
2. ETW is primarily used by server applications that must log events, errors, warnings or audits frequently. ETW provides an event-tracing mechanism for events raised by user-mode applications and kernel-mode device drivers. In addition, ETW can dynamically enable or disable logging for detailed tracing without restarting the operating system or the application.

History of ETW
1. ETW was first introduced in Windows 2000. Since then, various Windows operating system kernel and service components have documented their activities through ETW, and it is now one of the key system instrumentation technologies on the Windows platform. In Windows 7, ETW was further enhanced.
2. Thanks to the excellent performance and power of ETW, more and more third-party applications are abandoning their own logging systems and gradually starting to use ETW to track and record their status and activities, either for performance tuning or for routine maintenance of the application.

Why should I use event-tracing logs?
Software systems are becoming larger and more complex; the ever-changing combinations of components and workloads make troubleshooting harder, and developing and managing software has become a formidable challenge. Application event-tracing logs are particularly important in this regard:
• Intelligent detection of critical error states can greatly shorten the time needed to locate, debug and analyze faults, and provides a data basis for problems that are difficult to reproduce.
• They help solve performance problems and discover bottlenecks not foreseen in the development phase.
• Various management tools can derive statistics from the event trace log for capacity planning and trend analysis.

Advantages of ETW
• The provider is separated from the tracing session, so a failure of the application (crash or hang) does not affect the trace.
• Logging can be enabled and disabled dynamically, making it easy to trace in real production environments without restarting the system or the application.
• When event tracing is turned off it consumes almost no system resources; compared with other event-tracing techniques, its performance advantage is obvious.
• Customizable message formats make extension easy, and custom formats help keep log data confidential.
• The logging mechanism uses per-processor buffers, which are written to disk by an asynchronous writer thread. This lets large server applications minimize the interference incurred when writing an event.
• ETW uses the buffering and logging mechanisms implemented in the kernel to provide a tracing mechanism for events raised by user-mode applications and kernel-mode device drivers. The clock used for event time stamps is accurate to the nanosecond level; the system can provide resolutions of 10 ms or 100 ns.
• ETW was introduced with Windows 2000, and since Windows Vista it has had a unified event provider model and API, providing a consistent, easy-to-use mechanism.

Composition of the ETW system
The entire ETW system consists of three parts: the provider, the consumer and the controller.

• Provider
The so-called provider is the source of events. It can be a system component, a driver or an application we have developed. First, it registers an event trace with the system; then, once the provider is enabled by the controller, it can start sending events to the corresponding event trace session.

• Controller
As the name implies, a controller is the part that controls. It has two main tasks. The first is control and management of the event trace session: it uses StartTrace to create an event trace session in memory so that the provider knows where to send events. The controller is also responsible for delivering the events recorded in the session to the consumer. The second task is managing the provider: starting or stopping it. To avoid extra overhead, the provider does not work all the time and only starts working when it is enabled.

• Consumer
The consumer subscribes to events in real time from the event trace session or reads them from a log file. The main function of the consumer is to provide an event trace callback. We can design a generic callback to handle all events, or design callbacks for the specific events of interest to us. A callback for all events is specified at OpenTrace time; a callback for a specific event can be specified with SetTraceCallback.

Parsing ETW-generated files
ETW finally generates an .etl file (which can be understood as a compressed file); this file is then parsed and converted into messages that an ordinary person can read, in order to determine what went wrong.
• PerfView.exe is a performance analysis tool that specializes in analyzing ETW information and can be used to parse ETL files.
• You can also write your own program to parse ETL files and generate log records in a format of your choice, such as XML files.

ETW monitoring native demo
This demo must consist of at least three parts:
• An application to be monitored (the data provider; can be a WinForm program)
• A control program (the controller; can be a WinForm program) that controls the event-tracing session
• A program used to parse the generated ETL file (the reader; can be a WinForm program)

The idea of monitoring a remote machine with ETW
This scenario consists of four parts:
• Remote machine: the application to be monitored (provider role, such as a Web site)
• Remote machine: the control program for the event-tracing session (controller role, such as a Windows service or a WCF host)
• Local machine: the program that remotely controls the controller (can be any program, as long as it can invoke WCF)
• The program used to parse the generated ETL files (the reader)

Underlying class library: EventSource introduction
In the demo, how is data written into the ETL file? It is actually done through the EventSource class library.
• Why use it? Because without it, writing a provider can be very complicated.

Vance Morrison: When you log events to an ETW event stream, in ETW parlance you are creating an ETW event provider. Sadly, historically creating an ETW event provider has been a non-trivial task, which involves writing an XML 'schema manifest' and using a specialized tool (MC.exe) to generate source code to link into your application. You also need to register the provider using another obscure tool (WEVTUTIL) when your application is deployed. This discouraged most users from ever building their own ETW providers, which is a shame because it is a powerful feature of ETW.

Underlying class library: EventSource evolutionary history
• The original 1.0 version was released by Vance Morrison on his MSDN blog.
Introductory tutorial: Logging your own ETW events in C#: System.Diagnostics.Tracing.EventSource
http://blogs.msdn.com/b/vancem/archive/2012/07/09/Logging-your-own-etw-events-in-c-system-diagnostics-tracing-eventsource.aspx
• Later, EventSource was released on NuGet.org, and the NuGet version is the one that is updated; the latest version is Microsoft EventSource Library 1.1.25
http://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.EventSource/
.NET 4.5 includes EventSource in the class library as System.Diagnostics.Tracing.EventSource; under .NET 3.5 it is also available as a standalone class library.

Vance Morrison: To fix this, we have added the System.Diagnostics.Tracing.EventSource type to version V4.5 of the .NET Runtime (now available for download as a release candidate; it will officially ship later in). It makes writing an ETW provider as simple as writing just a few lines of code. In this blog entry I'll demonstrate just how easy it is to log your own events to the ETW data stream and thus make the OS ETW data even more useful by correlating it with what is going on in your code.

The specific role of EventSource
• In the system to be monitored, create a class as a subclass of EventSource. This class acts as the data provider: it registers the provider with ETW and subscribes to ETW events, binding them to a callback function.
• When the ETW session starts and enables or disables the provider, ETW raises the corresponding event and the provider's callback function is invoked to update the bool state that says whether logging is currently on: true means events are written, false means they are not. When the application sees false it returns immediately and no longer wastes resources recording the log.

Underlying class library: TraceEvent introduction
In the demo, how is an ETW session started or stopped? How is the session bound to the provider? This is actually implemented through the TraceEvent class library.

Underlying class library: TraceEvent evolutionary history
• First, the new version was published by Vance Morrison on CodePlex: New version of TraceEvent/PerfMonitor posted to bcl.codeplex.com
http://blogs.msdn.com/b/vancem/archive/2013/01/07/New-version-of-traceevent-perfmonitor-posted-to-bcl-codeplex-com.aspx
• Later, TraceEvent was posted on nuget.org and CodePlex was no longer updated; the NuGet version is the one that is updated, and the latest version is Microsoft TraceEvent Library 1.0.32
https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/
TraceEvent is not included in the .NET 4.5 class library System.Diagnostics.Tracing and is still a standalone component.
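As an added end-to-end example (not code from this page or from Vance Morrison's posts), the snippet below ties the EventSource provider role described above to the session start/stop that TraceEvent performs: the EventSource subclass tracks the enable/disable bool via OnEventCommand and checks IsEnabled() before writing, while a real-time TraceEventSession acts as controller (EnableProvider) and consumer (a generic callback on Dynamic.All). The provider name, session name, event name and payload are assumptions; it needs the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package and an elevated process.

```csharp
using System;
using System.Diagnostics.Tracing;             // EventSource (.NET 4.5 or the EventSource NuGet package)
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Diagnostics.Tracing;          // TraceEvent NuGet package
using Microsoft.Diagnostics.Tracing.Session;

// Provider role. Provider name and event are assumptions made for this example.
[EventSource(Name = "Demo-Etw-GetStarted")]
sealed class DemoEventSource : EventSource
{
    public static readonly DemoEventSource Log = new DemoEventSource();

    // The "write log" bool the page describes: ETW calls OnEventCommand when a
    // controller enables or disables this provider.
    public bool TracingOn { get; private set; }

    protected override void OnEventCommand(EventCommandEventArgs command)
    {
        if (command.Command == EventCommand.Enable) TracingOn = true;
        else if (command.Command == EventCommand.Disable) TracingOn = false;
    }

    [Event(1, Level = EventLevel.Informational)]
    public void RequestStarted(string url)
    {
        if (IsEnabled()) WriteEvent(1, url);   // return immediately when no session listens
    }
}

class Program
{
    static void Main()
    {
        // Controller + consumer roles in one process. Creating a session needs admin rights.
        if (TraceEventSession.IsElevated() != true) { Console.WriteLine("Run elevated."); return; }

        using (var session = new TraceEventSession("DemoEtwSession"))   // session name is assumed
        {
            // Generic callback for every event the session delivers (consumer role).
            session.Source.Dynamic.All += data =>
                Console.WriteLine("{0:o} {1} {2}", data.TimeStamp, data.EventName, data.PayloadByName("url"));
            session.EnableProvider(DemoEventSource.Log.Name);           // controller role: start the provider

            Task.Run(() =>                                              // provider side, same process
            {
                Thread.Sleep(1000);                                     // let the enable callback arrive
                DemoEventSource.Log.RequestStarted("http://localhost/demo");
                Thread.Sleep(1000);                                     // let the real-time buffer flush
                session.Source.StopProcessing();                        // ends Process(); Dispose stops the session
            });
            session.Source.Process();                                   // pump events until StopProcessing
        }
    }
}
```

Disposing the session at the end of the using block is what disables the provider again, which is the stop half of the start/stop management the text attributes to the controller.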
Underneath both EventSource and TraceEvent is the unmanaged advapi32.dll, which ultimately does the actual work. The full name of advapi32.dll is Advanced Windows base API DLL; it is part of the advanced API application interface service library and contains functions related to object security, registry manipulation and event logs.
• It is typically located in the C:\WINDOWS\system32\ directory, with a size of 659 KB.

Resource links
• http://bcl.codeplex.com/SourceControl/list/changesets
• https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/
• http://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.EventSource/
• http://blogs.msdn.com/b/vancem/archive/2012/07/09/Logging-your-own-etw-events-in-c-system-diagnostics-tracing-eventsource.aspx
• http://blogs.msdn.com/b/vancem/archive/2012/08/13/Windows-high-speed-logging-etw-in-c-net-using-system-diagnostics-tracing-eventsource.aspx
• http://blogs.msdn.com/b/vancem/archive/2012/12/20/And-end-to-end-etw-tracing-example-eventsource-and-traceevent.aspx
• http://blogs.msdn.com/b/vancem/archive/2013/01/07/New-version-of-traceevent-perfmonitor-posted-to-bcl-codeplex-com.aspx
• http://blogs.msdn.com/b/vancem/archive/2015/05/11/Version-1-1-24-of-the-eventsource-nuget-package-marked-as-stable.aspx
• http://blogs.msdn.com/b/vancem/archive/2014/03/15/Walk-through-getting-started-with-etw-traceevent-nuget-samples-package.aspx
• http://blogs.msdn.com/b/vancem/archive/2013/03/09/Using-traceevent-to-mine-information-in-os-registered-etw-providers.aspx
• http://blogs.msdn.com/b/vancem/archive/2013/08/10/The-eventsource-nuget-package-and-support-for-the-windows-event-log-channel-support.aspx
• http://blogs.msdn.com/b/vancem/archive/2013/08/15/traceevent-etw-library-published-as-a-nuget-package.aspx


