# Windows Event Trace (ETW)

### Prerequisites

{% hint style="warning" %}
**IMPORTANT**

🚧 This source is built on top of Windows ETW, which has resource limitations and was not initially designed for long-term monitoring. Please use with caution on your host systems.

While the source can read events from ETW providers, using it for continuous event collection may drop events and increase resource utilization on your hosts if it is not tuned to your specific environment (the default settings may not work out of the box).
{% endhint %}

This source creates a real-time ETW session and consumes the events emitted by the configured providers through the [Event Tracing API](https://learn.microsoft.com/en-us/windows-hardware/test/weg/instrumenting-your-code-with-etw). Currently, only real-time monitoring sessions are supported.

#### System Requirements

* Windows system with Event Tracing for Windows (ETW) available
* Familiarity with the ETW provider names or GUIDs you intend to collect from
* Administrative privileges for the account the collector runs as, since creating and controlling an ETW session requires them

For more information on ETW, refer to Microsoft's [ETW Documentation](https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal).

### Supported Platforms

| Platform | Supported |
| -------- | --------- |
| Windows  | ✓         |

Available in Bindplane Distro for OpenTelemetry Collector `v1.75.0+`.

### Configuration Fields

<table><thead><tr><th width="210.34765625">Field</th><th>Description</th></tr></thead><tbody><tr><td>Session Name</td><td>Name of the ETW session to create and monitor. Default: "Bindplane-ETW-Session"</td></tr><tr><td>Providers</td><td>Provider names or GUIDs to monitor (e.g., <code>Microsoft-Windows-Kernel-File</code>)</td></tr><tr><td>Enable Raw Logs (XML)</td><td>When enabled, logs are saved as raw XML strings instead of parsed objects. Useful for XML analysis in some destinations.</td></tr><tr><td>Level</td><td>Most verbose event level to ingest; events at this level and at all more severe levels are collected. Options: <code>none</code>, <code>verbose</code>, <code>informational</code>, <code>warning</code>, <code>error</code>, <code>critical</code>.</td></tr><tr><td>Session Buffer Size</td><td>Size of each buffer allocated for the ETW session. Too small a buffer under a heavy event rate leads to lost buffers and dropped events. Default: 64 KiB</td></tr><tr><td>Require All Providers</td><td>When enabled, the source starts only if every configured provider is registered on the host. Default: false</td></tr><tr><td>Include Log Record Original</td><td>When enabled, the original log record is included in the log body.</td></tr></tbody></table>

### Common ETW Providers

| Provider Name                 |
| ----------------------------- |
| Microsoft-Windows-Kernel-File |
| Microsoft-Windows-DNS-Client  |

#### Discovering Available Providers

To list all registered ETW providers on your system, run this command in an administrative PowerShell session:

```powershell
logman query providers
```
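The following script is an added example, not part of the Bindplane documentation or the collector itself. It checks that the session is elevated, resolves the two providers listed above to their GUIDs using the output of `logman query providers`, warns about any provider that is not registered (which matters if `Require All Providers` is enabled), and prints the keywords and levels a provider exposes so you can choose a sensible `Level`. The provider list and the regular expression used to parse `logman` output are assumptions for this example.

```powershell
# Added example (not from the Bindplane docs). Assumes an elevated PowerShell
# session and the built-in logman.exe.

# Providers you intend to configure on the source (assumed list for this example).
$providers = @('Microsoft-Windows-Kernel-File', 'Microsoft-Windows-DNS-Client')

# Creating or controlling an ETW session requires administrative privileges; fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# logman prints one "<name>  {GUID}" line per registered provider; build a name -> GUID map.
# The regex is an assumption about that output format.
$registered = @{}
logman query providers |
    Select-String -Pattern '^(?<name>\S.*?)\s+(?<guid>\{[0-9A-Fa-f-]{36}\})\s*$' |
    ForEach-Object {
        $m = $_.Matches[0]
        $registered[$m.Groups['name'].Value.Trim()] = $m.Groups['guid'].Value
    }

foreach ($p in $providers) {
    if ($registered.ContainsKey($p)) {
        '{0,-40} {1}' -f $p, $registered[$p]
    } else {
        Write-Warning "Provider '$p' is not registered on this host; with 'Require All Providers' enabled the source would not start."
    }
}

# Show the keywords and levels one provider exposes before deciding on a Level setting.
logman query providers Microsoft-Windows-DNS-Client
```

Either the name or the GUID printed by the first loop can be entered in the `Providers` field.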

### Best Practices

1. Start with a minimal set of providers and expand gradually based on monitoring needs
2. Monitor resource usage on the host when enabling multiple providers
3. Use Performance Monitor to view session settings under `Event Trace Sessions`, or run `logman query -ets` in an administrative prompt to list running sessions
4. Consider the impact on system performance before enabling the `verbose` logging level
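As an added example (not from the Bindplane documentation), the script below is the command-line equivalent of the Performance Monitor view: it confirms the session is running, dumps its settings, and reads the `Buffers Lost` and `Buffers Written` counters that `logman` reports for a session. A non-zero `Buffers Lost` means the session dropped events and the buffer size, provider set, or level needs tuning. The session name is assumed to be the default `Bindplane-ETW-Session`, and the parsing helper is specific to this example.

```powershell
# Added example (not from the Bindplane docs). Assumes an elevated PowerShell
# session and the default session name configured on the source.
$sessionName = 'Bindplane-ETW-Session'

# Is the session running at all? logman -ets lists sessions started via the tracing API.
$running = logman query -ets | Select-String -SimpleMatch $sessionName
if (-not $running) {
    throw "ETW session '$sessionName' is not running; check the collector's logs."
}

# Full session detail: buffer size, file mode, enabled providers, lost/written buffers.
$detail = logman query $sessionName -ets
$detail

# Helper (example-only) to pull a "Label:   value" line out of logman's output.
function Get-LogmanValue([string[]]$Lines, [string]$Label) {
    $pattern = '^{0}:\s+(.+)$' -f [regex]::Escape($Label)
    $line = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($line) { $line.Matches[0].Groups[1].Value.Trim() }
}

$bufferSize  = Get-LogmanValue $detail 'Buffer Size'
$buffersLost = [int](Get-LogmanValue $detail 'Buffers Lost')
$written     = [int](Get-LogmanValue $detail 'Buffers Written')

if ($buffersLost -gt 0) {
    $msg = '{0} of {1} buffers lost (buffer size {2} KB): events were dropped. ' +
           'Raise Session Buffer Size, remove providers, or lower the Level.'
    Write-Warning ($msg -f $buffersLost, ($buffersLost + $written), $bufferSize)
} else {
    'No buffers lost so far ({0} buffers written, buffer size {1} KB).' -f $written, $bufferSize
}
```

Run it periodically (or from a scheduled task) after enabling a new provider; a rising `Buffers Lost` count is the earliest sign that the defaults are not adequate for the host's event rate.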


