{"id":1371,"date":"2014-01-24T13:00:45","date_gmt":"2014-01-24T13:00:45","guid":{"rendered":"http:\/\/writeasync.net\/?p=1371"},"modified":"2014-01-22T09:41:19","modified_gmt":"2014-01-22T09:41:19","slug":"decoding-eventsource-traces","status":"publish","type":"post","link":"http:\/\/writeasync.net\/?p=1371","title":{"rendered":"Decoding EventSource traces"},"content":{"rendered":"

In the previous post<\/a>, I introduced an EventSource sample<\/a>. If you run the sample app, the calculator client will continually try to connect to the service and perform random operations, tracing all the while. That’s nice, but how do you actually read and decode these traces?<\/p>\n

First, you need to actually collect the traces. As usual, open an elevated<\/strong> command prompt and run logman.exe create trace SampleTrace -p {0745B9D3-BC9A-4C33-953C-77DE89336B0D} -o SampleTrace.etl<\/code> (note that we use the ClientEventSource<\/code> provider ID) to create the session and logman.exe start SampleTrace<\/code> to start the session. Now run the app and let it go for 30 seconds or so. After you exit the app, run logman.exe stop SampleTrace<\/code> to stop the session. You will now have a file SampleTrace_000001.etl<\/code> (or similar). However, ETL is a binary format and a manifest is required to decode the trace data.<\/p>\n

Conveniently, I have created a PowerShell script to invoke EventSource<\/code>‘s method to generate the manifest file for types in a given assembly: GenerateManifests.cmd<\/a>. To use it, pass in the assembly name and an optional output path (defaults to current directory). For the sample app, the command would be something like GenerateManifests.cmd EventSourceSample.Core.dll<\/code>. The resulting file EventSourceSample-ClientEventSource.man<\/code> can now be passed to tracerpt.exe<\/code> to decode the events!<\/p>\n

Let’s try converting to XML:
\ntracerpt.exe -l SampleTrace_000001.etl -import EventSourceSample-ClientEventSource.man -o SampleTrace.xml -of XML<\/code><\/p>\n

Opening up SampleTrace.xml<\/code> you should see output similar to the following:<\/p>\n

\r\n<Event xmlns="http:\/\/schemas.microsoft.com\/win\/2004\/08\/events\/event">\r\n\t<System>\r\n\t\t<Provider Name="ClientEventSource" Guid="{0745b9d3-bc9a-4c33-953c-77de89336b0d}" \/>\r\n\t\t<EventID>30<\/EventID>\r\n\t\t<Version>0<\/Version>\r\n\t\t<Level>4<\/Level>\r\n\t\t<Task>0<\/Task>\r\n\t\t<Opcode>1<\/Opcode>\r\n\t\t<Keywords>0xF00000000008<\/Keywords>\r\n\t\t<TimeCreated SystemTime="2014-01-24T12:00:20.612995800Z" \/>\r\n\t\t<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" \/>\r\n\t\t<Execution ProcessID="10824" ThreadID="1076" ProcessorID="0" KernelTime="0" UserTime="60" \/>\r\n\t\t<Channel \/>\r\n\t\t<Computer \/>\r\n\t<\/System>\r\n\t<EventData>\r\n\t\t<Data Name="id">{aeb41e37-cf40-4317-a989-7d5aa6a2dc87}<\/Data>\r\n\t<\/EventData>\r\n\t<RenderingInfo Culture="en-US">\r\n\t\t<Level>Information <\/Level>\r\n\t\t<Opcode>Start <\/Opcode>\r\n\t\t<Keywords>\r\n\t\t\t<Keyword>Connection <\/Keyword>\r\n\t\t<\/Keywords>\r\n\t\t<Message>Connection {aeb41e37-cf40-4317-a989-7d5aa6a2dc87} opening. <\/Message>\r\n\t<\/RenderingInfo>\r\n<\/Event>\r\n<\/pre>\n
There it is, in all its glory — the event header (in the System<\/code> element) containing process, thread, timestamp, etc. and the decoded message (in the RenderingInfo<\/code> element).<\/p>\n
This is a bit hard to read, so let’s try exporting to EVTX and using Event Viewer<\/a> instead:
\ntracerpt.exe -l SampleTrace_000001.etl -import EventSourceSample-ClientEventSource.man -o SampleTrace.evtx -of EVTX<\/code><\/p>\n
Typing the file name SampleTrace.evtx<\/code> will launch Event Viewer to view the log. By default, the log will be sorted in descending timestamp order. In the upper pane, the table will show the event summary, e.g.:<\/p>\n\n\n\n
Level<\/td>\nDate and Time<\/td>\nSource<\/td>\nEvent ID<\/td>\nTask Category<\/td>\n<\/tr>\n
Information<\/td>\n1\/24\/2014 12:00:20 PM<\/td>\nClientEventSource<\/td>\n30<\/td>\nNone<\/td>\n<\/tr>\n<\/table>\n
The pane below this shows the decoded message and a detailed dump of the properties in the event. Within Event Viewer you can filter the log and resave it in different formats (e.g. CSV).<\/p>\n
These are the basic in-box tools you can use for dealing with ETL files. If you’re looking for a programmatic solution, e.g. to do more detailed analysis, stay tuned for a future post.<\/p>\n","protected":false},"excerpt":{"rendered":"
In the previous post, I introduced an EventSource sample. If you run the sample app, the calculator client will continually try to connect to the service and perform random operations, tracing all the while. That’s nice, but how do you… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71,31],"tags":[],"class_list":["post-1371","post","type-post","status-publish","format-standard","hentry","category-diagnostics","category-scripts"],"_links":{"self":[{"href":"http:\/\/writeasync.net\/index.php?rest_route=\/wp\/v2\/posts\/1371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/writeasync.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/writeasync.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/writeasync.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/writeasync.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1371"}],"version-history":[{"count":0,"href":"http:\/\/writeasync.net\/index.php?rest_route=\/wp\/v2\/posts\/1371\/revisions"}],"wp:attachment":[{"href":"http:\/\/writeasync.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/writeasync.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1371"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/writeasync.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}