public void End()
{
this._EndTime = DateTime.Now;
EtwSession.NewEvent -= this.EventHandler;
EtwSession.Stop();
this._Thread = null;
}
public void Stop()
{
EtwSession?.Dispose();
EtwSession = null;
AppInsightsClient?.Flush();
AppInsightsConfig = null;
}
public void Start()
{
if (!(TraceEventSession.IsElevated() ?? false))
{
throw new SecurityException("Admin rights required to turn on ETW event monitoring");
}
//https://docs.microsoft.com/en-us/azure/azure-monitor/app/console
AppInsightsConfig = TelemetryConfiguration.Active;
AppInsightsConfig.TelemetryInitializers.Add(new AppInsightsCloudIdInitializer());
AppInsightsClient = new TelemetryClient(AppInsightsConfig);
AppInsightsClient.Context.GlobalProperties.Add("node", Environment.MachineName);
AppInsightsClient.Context.GlobalProperties.Add("provider", ServiceFabricEtw.ProviderName);
EtwSession?.Dispose();
EtwSession = new TraceEventSession(SessionName);
//Note: TopShelf already calls Stop() when Cancel/unhandled exception occurs - so no need to do ETW cleanup as per: https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent.Samples/)
//Use command line tool: "logman -ets" to monitor, and "logman -ets -stop ServiceFabric-Node-Monitor" to stop ETW sessions
Task.Run(() =>
{
EtwSession.Source.Dynamic.All += ServiceFabricTraceEvent;
EtwSession.EnableProviderForOperationalChannel();
EtwSession.Source.Process();
});
}
private static void StopFunc()
{
if (etwWatcher != null)
{
etwWatcher.Dispose();
}
if (etwSession != null)
{
etwSession.StopTrace();
}
etwSession = null;
etwWatcher = null;
}
public static void Start(int ProcessID)
{
if (settings == null ||
settings.EtwEvents == null ||
settings.EtwEvents.Count == 0)
{
throw new Exception("No settings loaded.");
}
EtwSessionSetting etwSessionSettings = new EtwSessionSetting();
etwSessionSettings.RealTimeSession = true;
etwSessionSettings.Name = etwSessionName;
etwSessionSettings.BufferSize = 64;
etwSession = new EtwSession(etwSessionSettings);
etwSession.StartTrace();
List <Guid> guids = new List <Guid>();
List <Guid> providerGuids = new List <Guid>();
foreach (EtwEventInfo etwEventInfo in settings.EtwEvents)
{
if (!providerGuids.Contains(etwEventInfo.ProviderGuid))
{
providerGuids.Add(etwEventInfo.ProviderGuid);
etwSession.EnableProvider(etwEventInfo.ProviderGuid);
}
}
etwWatcher = new EventTraceWatcher(etwSessionName);
etwWatcher.EventArrived += new EventHandler <EventArrivedEventArgs>(etwWatcher_EventArrived);
etwWatcher.Enabled = true;
etwTotalEventCounter = 0;
etwFilteredEventCounter = 0;
processId = ProcessID;
}
protected void Listen()
{
EtwSession.NewEvent += this.EventHandler;
EtwSession.Start();
System.Diagnostics.Debug.WriteLine("Tracing session ended");
}
static void Main(string[] args)
{
// Setting up logging
BaseLogger logger;
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
logger = new WindowsLogger("RealTimeKql", "RealTimeKql");
}
else
{
logger = new ConsoleLogger();
}
if (!logger.Setup())
{
Console.WriteLine("Error instantiating logger. Terminating program...");
return;
}
logger.Log(LogLevel.INFORMATION, "Welcome to Real-Time KQL!");
// Parsing command line arguments
var commandLineParser = new CommandLineParser(logger, args);
if (!commandLineParser.Parse())
{
logger.Log(LogLevel.ERROR, "Problem parsing command line arguments. Terminating program...");
return;
}
else if (commandLineParser.InputSubcommand == null)
{
// User called help, terminating program
return;
}
// Setting up output method
IOutput output = null;
if (commandLineParser.OutputSubcommand == null)
{
output = new ConsoleJsonOutput(logger);
}
switch (commandLineParser.OutputSubcommand.Name)
{
case "json":
output = GetJsonOutput(logger, commandLineParser.OutputSubcommand);
break;
case "table":
output = new ConsoleTableOutput(logger);
break;
case "adx":
output = GetAdxOutput(logger, commandLineParser.OutputSubcommand.Options);
break;
case "blob":
output = GetBlobOutput(logger, commandLineParser.OutputSubcommand.Options);
break;
case "eventlog":
output = GetEventLogOutput(logger, commandLineParser.OutputSubcommand.Options);
break;
default:
logger.Log(LogLevel.ERROR, $"ERROR! Problem recognizing output method specified: {commandLineParser.OutputSubcommand.Name}");
return;
}
// Setting up event component
EventComponent eventComponent = null;
var arg = commandLineParser.InputSubcommand.Argument?.Value;
var options = commandLineParser.InputSubcommand.Options;
var queries = commandLineParser.Queries.ToArray();
switch (commandLineParser.InputSubcommand.Name)
{
case "etw":
eventComponent = new EtwSession(arg, output, queries);
break;
case "etl":
eventComponent = new EtlFileReader(arg, output, queries);
break;
case "winlog":
eventComponent = new WinlogRealTime(arg, output, queries);
break;
case "evtx":
eventComponent = new EvtxFileReader(arg, output, queries);
break;
case "csv":
eventComponent = new CsvFileReader(arg, output, queries);
break;
case "syslog":
eventComponent = new SyslogFileReader(arg, output, queries);
break;
case "syslogserver":
eventComponent = GetSyslogServer(options, output, queries);
break;
default:
logger.Log(LogLevel.ERROR, $"Problem recognizing input method specified: {commandLineParser.InputSubcommand.Name}. Terminating program...");
return;
}
if (!eventComponent.Start())
{
logger.Log(LogLevel.ERROR, "Error starting up. Please review usage and examples. Terminating program...");
return;
}
// Waiting for exit signal
var exitEvent = new ManualResetEvent(false);
Console.CancelKeyPress += (sender, eventArgs) =>
{
eventArgs.Cancel = false;
exitEvent.Set();
};
exitEvent.WaitOne();
}
