ETW Input Format Examples

Log Parser

ETW Input Format Examples

Parsing an IIS 6.0 ETW Trace Log File

This example shows how to start a trace session containing events from the IIS 6.0 providers, how to stop the session, and how to parse the resulting trace log file.
The example commands shown here apply to Windows Server 2003.

  1. List the GUIDs of the providers registered with the system using the following command from a command-line window:
    C:\>logman query providers
    
    The output of this command will look like the following sample:
    Provider                                 GUID
    -------------------------------------------------------------------------------
    IIS: WWW Global                          {d55d3bc9-cba9-44df-827e-132d3a4596c2}
    ACPI Driver Trace Provider               {dab01d4d-2d48-477d-b1c3-daad0ce6f06b}
    Active Directory: Kerberos               {bba3add2-c229-4cdb-ae2b-57eb6966b0c4}
    IIS: SSL Filter                          {1fbecc45-c060-4e7c-8a0e-0dbd6116181b}
    IIS: Request Monitor                     {3b7b0b4b-4b01-44b4-a95e-3c755719aebf}
    IIS: WWW Server                          {3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}
    IIS: Active Server Pages (ASP)           {06b94d9a-b15e-456e-a4ef-37c984a2cb4b}
    Local Security Authority (LSA)           {cc85922f-db41-11d2-9244-006008269001}
    IIS: IISADMIN Global                     {DC1271C2-A0AF-400f-850C-4E42FE16BE1C}
    Windows Kernel Trace                     {9e814aad-3204-11d2-9a82-006008a86939}
    ASP.NET Events                           {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
    NTLM Security Protocol                   {C92CF544-91B3-4dc0-8E11-C580339A0BF8}
    IIS: WWW Isapi Extension                 {a1c2040e-8840-4c31-ba11-9871031a19ea}
    Active Directory: SAM                    {8e598056-8993-11d2-819e-0000f875a064}
    HTTP Service Trace                       {dd5ef90a-6398-47a4-ad34-4dcecdef795f}
    Active Directory: NetLogon               {f33959b4-dbec-11d2-895b-00c04f79ab69}
    Spooler Trace Control                    {94a984ef-f525-4bf1-be3c-ef374056a592}
    
    The command completed successfully.
    
  2. Identify the providers needed for the trace session; in this example, the trace session will be enabled for the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)" providers.
  3. Create a text file containing the GUID of each selected provider on a line, followed by the tracing flags and tracing level values for the provider. For more information on the available flags and levels for a provider, consult the component documentation.
    The following example shows a text file named "MyProviders.guid" containing the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)" providers:
    {3a2a4e84-4c21-4981-ae10-3fda0d9b0f83} 0xfffffffe 5
    {06b94d9a-b15e-456e-a4ef-37c984a2cb4b} 0xffffffff 5
    
  4. Start the tracing session using the providers text file as the argument of the "-pf" logman command-line parameter:
    C:\>logman start ExampleTrace -pf MyProviders.guid -ets
    
  5. The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
  6. When desired, the tracing session can be stopped with the following command:
    C:\>logman stop ExampleTrace -ets
    
  7. After the tracing session has been stopped, the ETW trace log file named "ExampleTrace.etl" is available for use.
    The following Log Parser command parses the ETW trace log file and displays the logged events:
    C:\>LogParser "SELECT * FROM ExampleTrace.etl" -i:ETW
    
    The output of this command will look like the following sample:
    EventNumber EventName  EventTypeName                Timestamp                      UserData
    ----------- ---------- ---------------------------- ------------------------------ -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    2           IISGeneral GENERAL_REQUEST_START        2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|SiteId=1|AppPoolId=DefaultAppPool|ConnId=-288230375077969904|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET
    3           IISFilter  FILTER_START                 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    4           IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
    5           IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
    6           IISFilter  FILTER_END                   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
    7           IISFilter  FILTER_START                 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\fpexedll.dll
    8           IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
    9           IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
    10          IISFilter  FILTER_END                   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
    11          IISCache   URL_CACHE_ACCESS_START       2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/
    

Parsing a live IIS 6.0 ETW Trace Session

This example shows how to start a live trace session containing events from the IIS 6.0 providers, how to start a Log Parser command that shows the events in real-time, and how to stop the session.
The example commands shown here apply to Windows Server 2003.

  1. Execute steps 1-3 from the example above.
  2. Start the tracing session using the providers text file as the argument of the "-pf" logman command-line parameter, specifying also the "-rt" flag to enable a real-time tracing session:
    C:\>logman start ExampleTrace -pf MyProviders.guid -ets -rt
    
  3. The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
  4. From a separate command-line shell window, execute the following Log Parser command to parse the live tracing session in real-time:
    C:\>LogParser "SELECT * FROM ExampleTrace" -i:ETW
    
    This Log Parser command will output the trace events indefinitely, until the command is manually aborted, or until the tracing session is stopped.
  5. When desired, the tracing session can be stopped with the following command:
    C:\>logman stop ExampleTrace -ets
    


© 2004 Microsoft Corporation. All rights reserved.