public void End() { this._EndTime = DateTime.Now; EtwSession.NewEvent -= this.EventHandler; EtwSession.Stop(); this._Thread = null; }
public void Stop() { EtwSession?.Dispose(); EtwSession = null; AppInsightsClient?.Flush(); AppInsightsConfig = null; }
public void Start() { if (!(TraceEventSession.IsElevated() ?? false)) { throw new SecurityException("Admin rights required to turn on ETW event monitoring"); } //https://docs.microsoft.com/en-us/azure/azure-monitor/app/console AppInsightsConfig = TelemetryConfiguration.Active; AppInsightsConfig.TelemetryInitializers.Add(new AppInsightsCloudIdInitializer()); AppInsightsClient = new TelemetryClient(AppInsightsConfig); AppInsightsClient.Context.GlobalProperties.Add("node", Environment.MachineName); AppInsightsClient.Context.GlobalProperties.Add("provider", ServiceFabricEtw.ProviderName); EtwSession?.Dispose(); EtwSession = new TraceEventSession(SessionName); //Note: TopShelf already calls Stop() when Cancel/unhandled exception occurs - so no need to do ETW cleanup as per: https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent.Samples/) //Use command line tool: "logman -ets" to monitor, and "logman -ets -stop ServiceFabric-Node-Monitor" to stop ETW sessions Task.Run(() => { EtwSession.Source.Dynamic.All += ServiceFabricTraceEvent; EtwSession.EnableProviderForOperationalChannel(); EtwSession.Source.Process(); }); }
private static void StopFunc() { if (etwWatcher != null) { etwWatcher.Dispose(); } if (etwSession != null) { etwSession.StopTrace(); } etwSession = null; etwWatcher = null; }
public static void Start(int ProcessID) { if (settings == null || settings.EtwEvents == null || settings.EtwEvents.Count == 0) { throw new Exception("No settings loaded."); } EtwSessionSetting etwSessionSettings = new EtwSessionSetting(); etwSessionSettings.RealTimeSession = true; etwSessionSettings.Name = etwSessionName; etwSessionSettings.BufferSize = 64; etwSession = new EtwSession(etwSessionSettings); etwSession.StartTrace(); List <Guid> guids = new List <Guid>(); List <Guid> providerGuids = new List <Guid>(); foreach (EtwEventInfo etwEventInfo in settings.EtwEvents) { if (!providerGuids.Contains(etwEventInfo.ProviderGuid)) { providerGuids.Add(etwEventInfo.ProviderGuid); etwSession.EnableProvider(etwEventInfo.ProviderGuid); } } etwWatcher = new EventTraceWatcher(etwSessionName); etwWatcher.EventArrived += new EventHandler <EventArrivedEventArgs>(etwWatcher_EventArrived); etwWatcher.Enabled = true; etwTotalEventCounter = 0; etwFilteredEventCounter = 0; processId = ProcessID; }
protected void Listen() { EtwSession.NewEvent += this.EventHandler; EtwSession.Start(); System.Diagnostics.Debug.WriteLine("Tracing session ended"); }
static void Main(string[] args) { // Setting up logging BaseLogger logger; if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { logger = new WindowsLogger("RealTimeKql", "RealTimeKql"); } else { logger = new ConsoleLogger(); } if (!logger.Setup()) { Console.WriteLine("Error instantiating logger. Terminating program..."); return; } logger.Log(LogLevel.INFORMATION, "Welcome to Real-Time KQL!"); // Parsing command line arguments var commandLineParser = new CommandLineParser(logger, args); if (!commandLineParser.Parse()) { logger.Log(LogLevel.ERROR, "Problem parsing command line arguments. Terminating program..."); return; } else if (commandLineParser.InputSubcommand == null) { // User called help, terminating program return; } // Setting up output method IOutput output = null; if (commandLineParser.OutputSubcommand == null) { output = new ConsoleJsonOutput(logger); } switch (commandLineParser.OutputSubcommand.Name) { case "json": output = GetJsonOutput(logger, commandLineParser.OutputSubcommand); break; case "table": output = new ConsoleTableOutput(logger); break; case "adx": output = GetAdxOutput(logger, commandLineParser.OutputSubcommand.Options); break; case "blob": output = GetBlobOutput(logger, commandLineParser.OutputSubcommand.Options); break; case "eventlog": output = GetEventLogOutput(logger, commandLineParser.OutputSubcommand.Options); break; default: logger.Log(LogLevel.ERROR, $"ERROR! Problem recognizing output method specified: {commandLineParser.OutputSubcommand.Name}"); return; } // Setting up event component EventComponent eventComponent = null; var arg = commandLineParser.InputSubcommand.Argument?.Value; var options = commandLineParser.InputSubcommand.Options; var queries = commandLineParser.Queries.ToArray(); switch (commandLineParser.InputSubcommand.Name) { case "etw": eventComponent = new EtwSession(arg, output, queries); break; case "etl": eventComponent = new EtlFileReader(arg, output, queries); break; case "winlog": eventComponent = new WinlogRealTime(arg, output, queries); break; case "evtx": eventComponent = new EvtxFileReader(arg, output, queries); break; case "csv": eventComponent = new CsvFileReader(arg, output, queries); break; case "syslog": eventComponent = new SyslogFileReader(arg, output, queries); break; case "syslogserver": eventComponent = GetSyslogServer(options, output, queries); break; default: logger.Log(LogLevel.ERROR, $"Problem recognizing input method specified: {commandLineParser.InputSubcommand.Name}. Terminating program..."); return; } if (!eventComponent.Start()) { logger.Log(LogLevel.ERROR, "Error starting up. Please review usage and examples. Terminating program..."); return; } // Waiting for exit signal var exitEvent = new ManualResetEvent(false); Console.CancelKeyPress += (sender, eventArgs) => { eventArgs.Cancel = false; exitEvent.Set(); }; exitEvent.WaitOne(); }