
Reading circular ETW log file with ETWTraceEventSource

Short version - Why does ETWTraceEventSource return 0 log entries for a 100mb circular log file?

Long version - I've modified an IIS application to use ETW logging (using the nuget package). My event source looks like this: -

[EventSource(Name = "MyEtwLog")]
public class MyEtwSource : EventSource
{
   [Event(1, Level = EventLevel.Verbose)]
   public void Debug(string message) { WriteEvent(1, message); }
   [Event(2, Level = EventLevel.Informational)]
   public void Info(string message) { WriteEvent(2, message);  }
   [Event(3, Level = EventLevel.Warning)]
   public void Warn(string message) { WriteEvent(3, message); }
   [Event(4, Level = EventLevel.Error)]
   public void Error(string message)  { WriteEvent(4, message); }
   [Event(5, Level = EventLevel.Critical)]
   public void Fatal(string message) { WriteEvent(5, message); }
}

And I have a session to enable the provider that looks like this: -

TraceEventSession _etwSession = new TraceEventSession(
   "MyEtwLog", @"C:\Logs\MyEtwLog.etl")  { CircularBufferMB = 100 };
_etwSession.EnableProvider(
   TraceEventProviders.GetEventSourceGuidFromName("MyEtwLog"),
   TraceEventLevel.Always);

The IIS stuff is all working fine. I've been asked to write a winforms application to view these logs (the users don't like PerfView) so I have this code: -

using (ETWTraceEventSource source = new ETWTraceEventSource(@"C:\Logs\MyEtwLog.etl"))
{
   source.Dynamic.All += arg =>
   {
      // Process log entry
   };
   source.Process();
}

A user has created 10 of these logs and on his machine (Windows 8.1) 8 of them load up perfectly in the app. The remaining 2 are 100mb and show no log entries. If I open them in PerfView I can see there's nothing wrong with the file and all the log entries are there.

Debugging them on my machine (also Windows 8.1) I never hit the code at "Process log entry". After lots of trial and error I figured out that using AllEvents instead of Dynamic.All works: -

source.AllEvents += arg =>
{
   // Log entries, woo!!!
};

I validated this works fine on my test machine (Windows 7), but when I pass the app back to the user I get the exact same problem! I've also reproduced this on a Windows 2008 R2 machine (.net 4.5.2) and a Windows 7 machine (.net 4.5.1).

Help!!!

As one of the developers of the Tx (LINQ to logs and traces) library, I would recommend using its official LINQPad driver to query etl files. This piece of documentation should be a good start for you. And of course you can just integrate it with your winforms app.

Another option would be to use the SvcPerf tool, which is an ETW E2E viewer built on top of Tx, so you don't have to write your own tool at all.

In both cases you just need to have etl and manifest files.

In your particular case I think the problem was the following: the Dynamic handler could deserialize the actual event payload, but it needs to read the manifest from the session first. I would check if the manifest is in place, and that there are no diagnostic errors in the ETW stream emitted by EventSource itself.
