
.NET Programming: Jumpstart ETW (Event Tracing for Windows)

To get started with ETW, I highly recommend this Pluralsight course by Kathleen Dollard. It gives you a really good introduction, including background and some examples. It will be much harder to succeed just by googling or reading books.

I will not spoil anything from this course. Here I will just give a few more hints and annotations to show where I struggled with ETW, to help you avoid the same mistakes. After finishing the Pluralsight course I was really eager to get going with my own implementation, but I ran into some annoying trap doors.

NuGet package for EventSource

The current NuGet package for EventSource (version 1.0.16) creates the manifest file automatically. It validates your implementation up front, and the manifest file is created only when validation succeeds; otherwise there will be no new or updated manifest file in your bin folder. Therefore there is no need to create it by hand.

wevtutil.exe

Running wevtutil.exe without parameters, to see its help, produces this output on my console:


All necessary commands are working, though. I am still investigating this issue, but it does not affect the needed functionality; all operations worked fine for me.

In the beginning I had some trouble with wevtutil.exe:
  • Making spelling mistakes
  • Specifying the dll file instead of the man file
  • Using wrong paths (copy-paste issues)
Making these mistakes leads to error messages like this:


Seeing these error messages for the first time confused me:

`At column=0, The system cannot locate the resource specified. Failed to load xml document`

The message made me think that something was wrong in my implementation or in my manifest file, maybe wrong or missing resources for translation, something in this direction. But it is just talking about the parameters for wevtutil and indicates that you are specifying a file that does not exist (as described above: a spelling mistake in one of the paths, the dll specified instead of the man file, and so on).

EventSource names

I had some issues specifying a “valid” EventSource name. I specified a name like this: “MyCompany-MyApplication-MyEvents”. I was wondering why the corresponding nested folder was not created. I could just see this entry far down at the bottom of the Event Viewer:


But when I tried to open the corresponding log I received this message:


The solution was really simple. There was already an existing event log with the name “MyCompany”, created by another application:


In this case you cannot create a nested folder with the same name. Makes sense, but a better error message would be helpful.
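
The checks a wrapper could run before calling wevtutil, covering the path, file-type and name-prefix pitfalls from the two sections above. This is an added example, not code from the original post or the course; the function name `Install-EtwManifest` and its parameters are hypothetical, and the name-prefix check assumes the colliding log is one that `wevtutil el` lists.

```powershell
# Added example: pre-flight checks before registering an EventSource manifest.
# Function name and parameters are hypothetical. Run from an elevated prompt.
function Install-EtwManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,   # the .man file
        [Parameter(Mandatory)] [string] $ResourceDll     # the .dll built next to it
    )

    # 1. Both files must exist; a typo or copy/paste slip otherwise surfaces
    #    only as wevtutil's "cannot locate the resource specified".
    foreach ($p in $ManifestPath, $ResourceDll) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }
    $man = (Resolve-Path -LiteralPath $ManifestPath).Path
    $dll = (Resolve-Path -LiteralPath $ResourceDll).Path

    # 2. The manifest argument must be the .man file, not the dll.
    if ([IO.Path]::GetExtension($man) -ne '.man') { throw "Expected a .man file, got: $man" }
    if ([IO.Path]::GetExtension($dll) -ne '.dll') { throw "Expected a .dll file, got: $dll" }

    # 3. The manifest must be well-formed XML and declare at least one provider.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($man)
    $providers = @($xml.GetElementsByTagName('provider'))
    if ($providers.Count -eq 0) { throw "No <provider> element in $man" }

    # 4. Assumption: a provider whose first name segment equals an existing
    #    log name cannot get its nested folder in Event Viewer.
    $logs = & wevtutil.exe el
    foreach ($prov in $providers) {
        $root = ($prov.GetAttribute('name') -split '-')[0]
        if ($logs -contains $root) {
            throw "A log named '$root' already exists; choose another name prefix."
        }
    }

    # 5. Register, passing absolute paths for the resource and message files.
    & wevtutil.exe im $man "/rf:$dll" "/mf:$dll"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil im failed with exit code $LASTEXITCODE" }
}
```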

Maintenance for builds and installed manifests

  • Renaming and rebuilding EventSources creates new dll and man files in your build folder, but it does not remove the old files. I always delete the content of my build folder when I make changes, to keep an overview.
  • You need to keep your custom event sources (dll files) in the installation folder; when you remove them, your views in Event Viewer will look strange. It is best to create a suitable folder for them. Keep the man files there too, to be able to uninstall the events (I could not find a way to remove my custom events without the man files).

Last but not least

Finally, you should definitely check out this NuGet package with more EventSource examples.
