Windows Event Trace (ETW)

Prerequisites

This source creates a real-time ETW session and ingests Event Tracing for Windows logs from it using the Event Tracing API. Currently, only real-time monitoring sessions are supported.

System Requirements

  • Windows system with Event Tracing for Windows (ETW) enabled

  • Familiarity with ETW provider GUIDs for configuration

  • Administrative privileges for ETW session creation

For more information on ETW, refer to Microsoft's ETW Documentation.

Supported Platforms

Platform    Supported
Windows     Yes

Available in Bindplane Distro for OpenTelemetry Collector v1.75.0+.

Configuration Fields

Field                    Description
Session Name             Name of the ETW session to create and monitor. Default: "Bindplane-ETW-Session"
Providers                Provider names or GUIDs to monitor (e.g., Microsoft-Windows-Kernel-File)
Enable Raw Logs (XML)    When enabled, logs are saved as raw XML strings instead of parsed objects. Useful for XML analysis in some destinations.
Level                    Maximum event level to ingest. Options: none, verbose, informational, warning, error, critical.
Session Buffer Size      Buffer size for the ETW session. Default: 64 KiB
Require All Providers    When enabled, the source starts only if all configured providers are available. Default: false

Common ETW Providers

Provider Name

  • Microsoft-Windows-Kernel-File

  • Microsoft-Windows-DNS-Client

Discovering Available Providers

To list all registered ETW providers on your system, run this command in an administrative PowerShell session:

logman query providers
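The following pre-flight script is an added example, not part of Bindplane or the collector; it checks the three prerequisites above before the source is started: that the shell is elevated, that each provider you intend to configure is registered (parsing the same `logman query providers` output), and that the session name is not already in use. The session name and provider list are assumed values taken from this page's defaults and examples.

```powershell
# Added pre-flight check (not Bindplane code). Session name and providers are assumptions
# copied from this page; replace them with the values you configure on the source.
$SessionName = 'Bindplane-ETW-Session'
$Providers   = @('Microsoft-Windows-Kernel-File', 'Microsoft-Windows-DNS-Client')

# 1. ETW session creation requires administrative privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Shell is not elevated: the collector will fail to create the ETW session.'
}

# 2. Resolve each configured provider against the registered providers.
#    `logman query providers` prints one line per provider:  <Name>   {<GUID>}
$registered = @{}
foreach ($line in (logman query providers)) {
    if ($line -match '^(?<name>\S.*?)\s+\{(?<guid>[0-9A-Fa-f-]{36})\}\s*$') {
        $registered[$Matches.name.Trim()] = $Matches.guid
    }
}

$missing = @()
foreach ($p in $Providers) {
    if ($registered.ContainsKey($p)) {
        '{0,-40} {1}' -f $p, $registered[$p]      # name and GUID, for the config
    } else {
        $missing += $p
    }
}
if ($missing.Count -gt 0) {
    Write-Warning ('Unregistered providers (the source will not start with ' +
                   "'Require All Providers' enabled): " + ($missing -join ', '))
}

# 3. A running trace session with the same name would collide with the one the source creates.
$running = logman query -ets | Select-String -SimpleMatch $SessionName
if ($running) {
    Write-Warning "An ETW session named '$SessionName' is already running; choose a distinct name or stop it first."
}
```

Run it from the same elevated session you will start the collector from, so the privilege check reflects the collector's actual context.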

Best Practices

  1. Start with a minimal set of providers and expand gradually based on monitoring needs

  2. Monitor resource usage when enabling multiple providers

  3. Use Performance Monitor to view session settings under Event Trace Sessions

  4. Consider the impact on system performance when enabling verbose logging levels
