This module can be used to collect events through Event Tracing for Windows (ETW).
ETW is a mechanism in Windows designed for efficient logging of both kernel and user-mode applications. Debug and Analytical channels are based on ETW and cannot be collected as regular Windows Eventlog channels via the im_msvistalog module. Various Windows services such as the Windows Firewall and DNS Server can be configured to log events through Windows Event Tracing.
The im_etw module reads event tracing data directly for maximum efficiency. Unlike other solutions, im_etw does not save ETW data into intermediary trace files that need to be parsed again.
|The im_etw module is only available on the Windows platform.|
This directive specifies that kernel trace logs should be collected, and accepts a comma-separated list of flags to use for filtering the logs. The Provider and KernelFlags directives are mutually exclusive (but one must be specified). The following values are allowed:
This directive specifies the name (not GUID) of the ETW provider from which to collect trace logs. Providers available for tracing can be listed with
logman query providers. The Provider and KernelFlags directives are mutually exclusive (but one must be specified). The
Windows Kernel Traceprovider is not supported; instead, the KernelFlags directive should be used to open a kernel logger session.
This optional directive specifies the log level for collecting trace events. Because kernel log sessions do not provide log levels, this directive is only available in combination with the Provider directive. Valid values include
Verbose. If this directive is not specified, the verbose log level is used.
The following fields are used by im_etw.
Depending on the ETW provider from which NXLog collects trace logs, the set of fields generated by the im_etw module may slightly vary. In addition to the fields listed below, the module can generate special provider-specific fields. If the module is configured to collect trace logs from a custom provider (for example, from a custom user-mode application), the module will also generate fields derived from the custom provider trace logs.
A string containing a
field=valuepair for each field in the event.
The username associated with the event.
The type of the account. Possible values are:
Well Known Group,
The ID of the activity corresponding to the event.
The channel to which the event log should be directed.
The domain name of the user.
The Event ID, corresponding to the provider, that indicates the type of event.
The time when the event was generated.
The ID of the process that generated the event.
The ID of the thread that generated the event.
A keyword bit mask corresponding to the current event.
An integer indicating the operation corresponding to the event.
The normalized severity number of the event, mapped as follows.
Event Log Severity Normalized Severity
The name of the trace provider.
An integer indicating a particular component of the provider.
The version of the event type.