Reading circular ETW log file with ETWTraceEventSource

Short version - Why does ETWTraceEventSource return 0 log entries for a 100 MB circular log file?

Long version - I've modified an IIS application to use ETW logging (using the NuGet package). My event source looks like this:

[EventSource(Name = "MyEtwLog")]
public class MyEtwSource : EventSource
{
   [Event(1, Level = EventLevel.Verbose)]
   public void Debug(string message) { WriteEvent(1, message); }
   [Event(2, Level = EventLevel.Informational)]
   public void Info(string message) { WriteEvent(2, message);  }
   [Event(3, Level = EventLevel.Warning)]
   public void Warn(string message) { WriteEvent(3, message); }
   [Event(4, Level = EventLevel.Error)]
   public void Error(string message)  { WriteEvent(4, message); }
   [Event(5, Level = EventLevel.Critical)]
   public void Fatal(string message) { WriteEvent(5, message); }
}

And I have a session to enable the provider that looks like this:

// Requires: using Microsoft.Diagnostics.Tracing; using Microsoft.Diagnostics.Tracing.Session;
TraceEventSession _etwSession = new TraceEventSession(
   "MyEtwLog", @"C:\Logs\MyEtwLog.etl")  { CircularBufferMB = 100 };
// Enable the EventSource provider by the GUID derived from its name
_etwSession.EnableProvider(
   TraceEventProviders.GetEventSourceGuidFromName("MyEtwLog"),
   TraceEventLevel.Always);

The IIS stuff is all working fine. I've been asked to write a WinForms application to view these logs (the users don't like PerfView) so I have this code:

using (ETWTraceEventSource source = new ETWTraceEventSource(@"C:\Logs\MyEtwLog.etl"))
{
   // Called for each event the dynamic (manifest-based) parser can decode
   source.Dynamic.All += arg =>
   {
      // Process log entry
   };
   source.Process();
}

A user has created 10 of these logs and on his machine (Windows 8.1) 8 of them load up perfectly in the app. The remaining 2 are 100 MB and show no log entries. If I open them in PerfView I can see there's nothing wrong with the file and all the log entries are there.

Debugging them on my machine (also Windows 8.1) I never hit the code at "Process log entry". After lots of trial and error I figured out that using AllEvents instead of Dynamic.All works:

source.AllEvents += arg =>
{
   // Log entries, woo!!!
};

I validated this works fine on my test machine (Windows 7), but when I pass the app back to the user I get the exact same problem! I've also reproduced this on a Windows 2008 R2 machine (.NET 4.5.2) and a Windows 7 machine (.NET 4.5.1).

Help!!!

As one of the developers of the Tx (LINQ to logs and traces) library, I would recommend using its official LINQPad driver to query ETL files. This piece of documentation should be a good start for you. And of course you can just integrate it with your WinForms app.

Another option would be to use the SvcPerf tool, which is an ETW E2E viewer built on top of Tx, so you don't have to write your own tool at all.

In both cases you just need to have the ETL and manifest files.

In your particular case I think the problem was the following - the Dynamic handler could deserialize the actual event payload, but it needs to read the manifest from the session first. I would check that the manifest is in place and that there are no diagnostic errors in the ETW stream emitted by EventSource itself.
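
One way to run the check suggested in the answer above, as an added example that is not code from the question, the answer or the Tx/TraceEvent projects. It assumes the TraceEvent NuGet package and the provider name and path from the question, and it assumes that EventSource embeds its manifest as event ID 0xFFFE and reports its own errors as event ID 0; the class name `EtlManifestCheck` is hypothetical.

```csharp
using System;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;

static class EtlManifestCheck
{
    // Assumption: EventSource embeds its manifest as event ID 0xFFFE and
    // reports its own errors as event ID 0 ("EventSourceMessage").
    const TraceEventID ManifestId = (TraceEventID)0xFFFE;
    const TraceEventID DiagnosticId = (TraceEventID)0;

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\Logs\MyEtwLog.etl";
        Guid provider = TraceEventProviders.GetEventSourceGuidFromName("MyEtwLog");
        int raw = 0, decoded = 0, unhandled = 0, manifest = 0, diagnostics = 0;

        using (var source = new ETWTraceEventSource(path))
        {
            // Every event in the file, whether or not a parser can decode it.
            source.AllEvents += e =>
            {
                raw++;
                if (e.ProviderGuid != provider) return;
                if (e.ID == ManifestId) manifest++;
                else if (e.ID == DiagnosticId) diagnostics++;
            };
            // Events the dynamic parser was able to decode.
            source.Dynamic.All += e => decoded++;
            // Events that no registered parser recognised.
            source.UnhandledEvents += e => unhandled++;

            source.Process();

            Console.WriteLine("File:                    {0}", path);
            Console.WriteLine("Raw events (AllEvents):  {0}", raw);
            Console.WriteLine("Decoded (Dynamic.All):   {0}", decoded);
            Console.WriteLine("Unhandled:               {0}", unhandled);
            Console.WriteLine("Manifest chunks (0xFFFE): {0}", manifest);
            Console.WriteLine("EventSource diagnostics: {0}", diagnostics);
            Console.WriteLine("Events lost:             {0}", source.EventsLost);
        }

        if (raw > 0 && manifest == 0)
            Console.WriteLine("No manifest found in this file for MyEtwLog.");
    }
}
```

A file that reports raw events but zero manifest chunks and zero decoded events matches the situation the answer describes.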
