krabsetw

Parsing .NET EventSource

Open bobsira opened this issue 1 year ago • 1 comments

Can I use this library to parse ETW events generated by the .NET System.Diagnostics.Tracing.EventSource class?

I'm currently having a blocker on how to pass ETW EventSource in our logging tool which is written in C++.

bobsira, May 03 '23 02:05

Hi @bobsira, krabsetw should be able to subscribe to EventSource providers from both C# and C++:

  • First, translate your EventSource provider name to an ETW provider ID: here's an example.
  • Next, use RawProvider (in C#) or krabs::provider<> (in C++) to subscribe to the ETW provider ID
  • When you receive an event callback:
    • In C#, convert the contents of the event to a ReadOnlySpan and parse it accordingly: new ReadOnlySpan<byte>(record.UserData.ToPointer(), record.UserDataLength);
    • In C++, use the UserData and UserDataLength properties of EVENT_RECORD to access the contents of the event

swannman, May 03 '23 16:05
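The last step of the reply above, reading the event contents from UserData and UserDataLength in C++, sketched as an added example that is not part of the thread or of krabsetw. It assumes a manifest-format EventSource event whose payload is an Int32 followed by a NUL-terminated UTF-16LE string; `PayloadReader`, `LoginEvent` and `parse_login` are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Bounds-checked cursor over an event payload. In a krabsetw callback the
// arguments would be record.UserData and record.UserDataLength.
// Assumes a little-endian host (x86/x64 and ARM64 Windows).
class PayloadReader {
public:
    PayloadReader(const void* data, size_t len)
        : p_(static_cast<const uint8_t*>(data)), left_(len) {}
    // Fixed-size field (Int32, Int64, one UTF-16 code unit, ...).
    template <typename T>
    bool read(T& out) {
        if (left_ < sizeof(T)) return false;  // never read past UserDataLength
        std::memcpy(&out, p_, sizeof(T));     // memcpy: payload may be unaligned
        p_ += sizeof(T);
        left_ -= sizeof(T);
        return true;
    }
    // String field: UTF-16LE code units up to a 16-bit NUL terminator.
    bool read_string(std::u16string& out) {
        out.clear();
        char16_t c;
        while (read(c)) {
            if (c == 0) return true;
            out.push_back(c);
        }
        return false;                         // buffer ended before the terminator
    }
    bool at_end() const { return left_ == 0; }
private:
    const uint8_t* p_;
    size_t left_;
};

struct LoginEvent { int32_t user_id; std::u16string name; };  // hypothetical event

// Rejects truncated payloads and payloads with unexpected trailing bytes.
bool parse_login(const void* data, size_t len, LoginEvent& ev) {
    PayloadReader r(data, len);
    return r.read(ev.user_id) && r.read_string(ev.name) && r.at_end();
}

// Constructed sample payload: Int32 42, then "bob" plus its terminator.
static const uint8_t kSample[] = {0x2A,0,0,0, 'b',0, 'o',0, 'b',0, 0,0};

int main() {
    LoginEvent ev;
    bool ok = parse_login(kSample, sizeof(kSample), ev);
    std::printf("ok=%d user_id=%d name_len=%zu\n", ok, ev.user_id, ev.name.size());
}
```

Treating the payload as length-delimited untrusted input matters because any process that can write events under the provider ID controls these bytes.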