ETW input
editETW input
editThis functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
Event Tracing for Windows is a powerful logging and tracing mechanism built into the Windows operating system. It provides a detailed view of application and system behavior, performance issues, and runtime diagnostics. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and perform capacity and performance analysis.
The ETW input can interact with ETW in three distinct ways: it can create a new session to capture events from user-mode providers, attach to an already existing session to collect ongoing event data, or read events from a pre-recorded .etl file. This functionality enables the module to adapt to different scenarios, such as real-time event monitoring or analyzing historical data.
This input currently supports manifest-based, MOF (classic) and TraceLogging providers while WPP providers are not supported. Here you can find more information about the available types of providers.
It has been tested in every Windows versions supported by Filebeat, starting from Windows 8.1 and Windows Server 2016. In addition, administrative privileges are required in order to control event tracing sessions.
Example configurations:
Read from a provider by name:
filebeat.inputs: - type: etw id: etw-dnsserver enabled: true provider.name: Microsoft-Windows-DNSServer session_name: DNSServer-Analytical trace_level: verbose match_any_keyword: 0x8000000000000000 match_all_keyword: 0
Same provider can be defined by its GUID:
filebeat.inputs: - type: etw id: etw-dnsserver enabled: true provider.guid: {EB79061A-A566-4698-9119-3ED2807060E7} session_name: DNSServer-Analytical trace_level: verbose match_any_keyword: 0x8000000000000000 match_all_keyword: 0
Read from a current session:
filebeat.inputs: - type: etw enabled: true id: etw-dnsserver-session session: UAL_Usermode_Provider
Read from a .etl file:
filebeat.inputs: - type: etw enabled: true id: etw-dnsserver-session file: "C\Windows\System32\Winevt\Logs\Logfile.etl"
Examples shown above are mutually exclusive, since the options provider.name
, provider.guid
, session
and file
cannot be present at the same time. Nevertheless, it is a requirement that one of them appears.
Multiple providers example:
filebeat.inputs: - type: etw id: etw-dnsserver enabled: true provider.name: Microsoft-Windows-DNSServer session_name: DNSServer-Analytical trace_level: verbose match_any_keyword: 0xfffffffffffffffff match_all_keyword: 0 - type: etw id: etw-security enabled: true provider.name: Microsoft-Windows-Security-Auditing session_name: Security-Auditing trace_level: warning match_any_keyword: 0xffffffffffffffff match_all_keyword: 0
Configuration options
editThe ETW
input supports the following configuration options.
file
editSpecifies the path to an .etl file for reading ETW events. This file format is commonly used for storing ETW event logs.
provider.guid
editIdentifies the GUID of an ETW provider. To see available providers, use the command logman query providers
.
provider.name
editSpecifies the name of the ETW provider. Available providers can be listed using logman query providers
.
session_name
editWhen specified a provider, a new session is created. It sets the name for a new ETW session associated with the provider. If not provided, the default is the provider ID prefixed with Elastic-.
trace_level
editDefines the filtering level for events based on severity. Valid options include critical, error, warning, informational, and verbose.
match_any_keyword
editAn 8-byte bitmask used for filtering events from specific provider subcomponents based on keyword matching. Any matching keyword will enable the event to be written. Default value is 0xfffffffffffffffff
so it matches every available keyword.
Run logman query providers "<provider.name>"
to list the available keywords for a specific provider.
match_all_keyword
editSimilar to MatchAnyKeyword, this 8-byte bitmask filters events that match all specified keyword bits. Default value is 0
to let every event pass.
Run logman query providers "<provider.name>"
to list the available keywords for a specific provider.
session
editNames an existing ETW session to read from. Existing sessions can be listed using logman query -ets
.