ETW (Event Tracing for Windows) Logging – Part 2

This is a continuation of the previous post here.

I want to cover two useful features in this post.
1. In the previous post I showed how to use the command-line tool logman.exe to capture and start / stop ETW logs.
There is a GUI alternative to logman.
To open it, go to Computer Management -> Performance -> Data Collector Sets -> User Defined, where you can see the data collector you specified earlier.



You can simply right-click it to start or stop it, or to check its properties. There are a lot of additional options that you can set.


When you open the properties of Application_1, you can find a lot of additional settings and all the options supported by logman.exe.



2. Leveraging ETW for continuous logging.

As shown in the previous example, ETW generates a binary file, which can then be decoded to produce an XML log file. If we want to leverage this feature for 24 x 7 logging, we need to keep watching the size of the files, because they will keep growing.
One simple solution is to create a batch file with 4 commands:
• logman stop Application_1
• Copy .etl file to an archive folder
• Delete .etl file
• logman start Application_1 (This will create a fresh .etl file)

This batch file can be executed every hour using Windows Task Scheduler, and the resulting binary files can be decoded as and when required.
However, I didn’t spend much time analyzing the performance impact of this. But as I read in many blogs, ETW is supposed to provide the best performance. While creating the Data Collector, we can specify Buffer Size, Circular Log mode, etc. These options can be considered. I also came across this issue, which says some of the logs were missing when the message size is large. However, I didn’t test it.
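
The four-step rotation described above, written out as a batch file (an added example, not code from the original post). The folder paths are placeholders, and the script assumes logman.exe returns a nonzero exit code on failure; events emitted between the stop and the start are not captured.

```batch
@echo off
setlocal
rem Added example: hourly rotation of the Application_1 trace.
rem ETL_DIR and ARCHIVE_DIR are placeholders (assumptions): point them at the
rem collector's real output folder and at your archive location.
set "COLLECTOR=Application_1"
set "ETL_DIR=C:\PLACEHOLDER\etw"
set "ARCHIVE_DIR=C:\PLACEHOLDER\etw_archive"

rem Locale-independent timestamp so each run archives into its own folder
rem and never overwrites an earlier hour's file.
for /f %%t in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd_HHmmss"') do set "STAMP=%%t"
set "DEST=%ARCHIVE_DIR%\%STAMP%"

rem 1. Stop the collector so the .etl file is flushed and closed.
rem    A failure here usually means it was not running; carry on so that
rem    step 4 still brings tracing back up.
logman stop %COLLECTOR%
if errorlevel 1 echo [%STAMP%] logman stop failed or collector not running 1>&2

rem 2. Copy the .etl file to the archive folder; /v verifies the written copy.
if not exist "%DEST%" mkdir "%DEST%"
copy /v /y "%ETL_DIR%\*.etl" "%DEST%\" >nul
if errorlevel 1 (
    echo [%STAMP%] copy failed, keeping the original .etl 1>&2
    logman start %COLLECTOR%
    exit /b 2
)

rem 3. Delete the original only after the copy succeeded.
del /q "%ETL_DIR%\*.etl"

rem 4. Start the collector again; this creates a fresh .etl file.
logman start %COLLECTOR%
if errorlevel 1 (
    echo [%STAMP%] logman start failed, tracing is NOT running 1>&2
    exit /b 3
)
endlocal
```

The nonzero exit codes let Task Scheduler record a failed run, so a collector that did not restart shows up in the task history instead of as a silent gap in the logs.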

– Shiv

