

# README


High-performance ETW library for consuming ETW logs.

Pure Go library (no CGO required) for consuming ETW logs.

Examples

See ./examples

package main

import (
	"context"
	"encoding/json" // recommend a faster library for json meshing.
	"fmt"
	"time"

	"github.com/tekert/golang-etw/etw"
)

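// main creates an ETW real-time session, enables one provider on it, and
// prints every consumed event as JSON for five seconds before the deferred
// Stop calls tear the session and consumer down.
//
// ETW needs a trace session to exist before anything can be consumed from
// it. Sessions can be created with golang-etw (as here) or may already
// exist, e.g. autologger sessions such as Eventlog-Security. Starting a
// real-time trace session on Windows normally requires elevated rights
// (Administrators or membership in the Performance Log Users group), so
// expect EnableProvider/Start to fail when run unprivileged.
func main() {
	// Producer side: create the real-time session.
	session := etw.NewRealTimeSession("TestingGoEtw")
	// A session that is never stopped outlives the process and keeps its
	// name reserved, so later runs could not reuse "TestingGoEtw".
	defer session.Stop()

	// Several providers may be enabled on one session; this example
	// enables a single one. MustParseProvider panics on a bad provider
	// string, which is acceptable for a short example.
	provider := etw.MustParseProvider("Microsoft-Windows-Kernel-File")
	if err := session.EnableProvider(provider); err != nil {
		panic(err)
	}

	// Consumer side.
	consumer := etw.NewConsumer(context.Background())
	defer consumer.Stop()
	consumer.FromSessions(session)

	// Parsed events are delivered to the consumer's Events channel by the
	// default EventCallback (which can be replaced to do otherwise);
	// ProcessEvents drains that channel and hands each event to the
	// function below. The encoded buffer and error are local to each
	// invocation rather than shared across calls.
	printEvent := func(e *etw.Event) {
		encoded, err := json.Marshal(e)
		if err != nil {
			panic(err)
		}
		fmt.Println(string(encoded))
	}
	go consumer.ProcessEvents(printEvent)

	if err := consumer.Start(); err != nil {
		panic(err)
	}

	// Let the consumer run for a while before the deferred Stop calls
	// tear everything down.
	time.Sleep(5 * time.Second)

	// Read the consumer error exactly once so the value checked is the
	// value reported; calling Err() twice could panic with nil if the
	// error changed between the two reads.
	if err := consumer.Err(); err != nil {
		panic(err)
	}
}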

How ETW works

Related Documentation

Related Work