ETW, .NET 4.5 - how to write to the event log?

Posted 2019-03-14 17:17

Question:

I am trying to wrap my head around ETW and how to integrate it into a high-performance application.

We all know the old dreaded EventLog with its non-structured (and thus not so optimal) API.

Now there is a new and fancy API for high performance tracing - ETW, and it got a new API on the .NET side in 4.5 in the form of the EventSource class that you can easily subclass (so no more manifest writing).

This leaves me with a number of questions, trying to get this working.

  • What is the current proposed best (as per documentation, guidelines) way to work with ETW and get events from there into the EventLog? I have an application here that must write (performance) events and would love to use ETW; but the events shall appear in a (custom) event log.
  • Is there a complete example for this? I can find some, but they all date to the .NET 4.0 time and start with the manifest.

What did I try? I got an EventSource working, but simply have failed to get the proper documentation on how to get the rest working downstream from there.

Answer 1:

What you are trying to achieve is not possible due to the following:

  • To direct ETW events to the event log you'll need to specify a channel of type Admin, Operational or one of the classic ones like Application in the manifest and register it using wevtutil. Unfortunately you can't use EventSource for this, even if you had a manifest, as the underlying implementation does not set the channel byte on the EventDescriptor block when calling WriteEvent, i.e. your event is never marked for a specific channel.

  • What EventSource does behind the scenes, to avoid the cumbersome process of registering a manifest, compiling it into a win32 resource, linking it to an assembly/dll, registering it etc., is to generate a manifest from your EventSource implementation and send it as a known event, to allow the receiving service to parse all other event payloads instead of relying on Windows infrastructure to get the manifest information. To the best of my knowledge only PerfView supports this for now.



Answer 2:

In August 2013, Microsoft.Diagnostics.Tracing.EventSource 1.0.4 beta was released on NuGet. The three big wins are channel support, static (installed) manifest support (the two things required to get into the Event Viewer) and .NET 4.0 support.

According to the blog post announcing RTM, Microsoft.Diagnostics.Tracing.EventSource "enables fast app tracing to the Windows Event Log, including in production".



Answer 3:

There is a small introduction tutorial:

http://blogs.msdn.com/b/vancem/archive/2012/08/13/windows-high-speed-logging-etw-in-c-net-using-system-diagnostics-tracing-eventsource.aspx

http://blogs.msdn.com/b/vancem/archive/2012/07/09/logging-your-own-etw-events-in-c-system-diagnostics-tracing-eventsource.aspx

I haven't tried them because I'm currently working with .NET 4 but maybe these links help you...



Answer 4:

MSDN really doesn't explain it well. I hope Stack Overflow will let me add a link to the Pluralsight lecture that explains all EventSource topics ideally, with usage best practices: https://app.pluralsight.com/library/courses/event-tracing-windows-etw-dotnet/table-of-contents



Answer 5:

The "Semantic Logging Application Block" has examples of EventListener-derived classes, one of which records in the event log. It is described a bit on Vance's blog.



Answer 6:

This is very interesting as I have been working on similar requirements of late. Firstly, you can generate a manifest from the EventSource class using its static method GenerateManifest(typeof(MyEvents), null). This will provide you with the manifest of your events etc., but it does not contain details about the channels. You will need to define the channels yourself in the manifest and then register it using the wevtutil.exe, mc.exe and rc.exe utilities. This will create the event logs for you as per your provider name in the manifest.

Interestingly, I could manage to get the Debug and Analytic logs to show me the events generated via EventSource. I could also use Perfmon's Tracing Session to record the events for certain period with filters on keywords and levels. Provider does appear in the Trace Session provider list as well.

The only thing I am looking at at present is bringing the events into the Admin and Operational channels. Please shout if you need samples etc.

Details are available at: http://www.suneet.net/FrmBlogViewer.aspx?blogid=75
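
Answers 2 and 6 name the two pieces needed to reach the event log: an event marked with a channel, and a manifest produced by GenerateManifest and then registered. The following C# is an added example, not code from any of the answers; it assumes an EventSource implementation whose EventAttribute exposes Channel (the NuGet package from Answer 2, or a later framework version), and the provider name, event, payload and paths are constructed for illustration.

```csharp
using System;
using System.Diagnostics.Tracing;
using System.IO;

// Hypothetical provider: name, event ID and payload are constructed for this example.
[EventSource(Name = "Contoso-Sample-App")]
public sealed class AppEvents : EventSource
{
    public static readonly AppEvents Log = new AppEvents();

    // Channel marks the event for the provider's Operational log.
    // Assumption: EventAttribute.Channel is available in the EventSource version in use.
    [Event(1, Level = EventLevel.Informational, Channel = EventChannel.Operational,
           Message = "Request {0} completed in {1} ms")]
    public void RequestCompleted(string requestId, long elapsedMs)
    {
        if (IsEnabled())
            WriteEvent(1, requestId, elapsedMs);
    }
}

public static class Program
{
    // Returns the manifest XML, or throws if it declares no channel, in which
    // case the events could not be routed to an event log.
    public static string BuildManifest(string binaryPath)
    {
        string manifest = EventSource.GenerateManifest(typeof(AppEvents), binaryPath);
        if (manifest == null || manifest.IndexOf("<channel", StringComparison.Ordinal) < 0)
            throw new InvalidOperationException("Manifest declares no channel.");
        return manifest;
    }

    public static void Main()
    {
        // binaryPath is written into the manifest's provider element;
        // a constructed placeholder path is used here.
        string manifest = BuildManifest(@"C:\Apps\Sample\Sample.exe");
        File.WriteAllText("Contoso-Sample-App.man", manifest);

        // The log exists only after the manifest has been registered
        // (the answers above name wevtutil for that step).
        AppEvents.Log.RequestCompleted("req-42", 17);
    }
}
```

If BuildManifest throws, the EventSource version in use is emitting the channel-less manifest that Answers 1 and 6 describe, and the channel has to be added to the manifest by hand before registration.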