ETW input

This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Event Tracing for Windows is a powerful logging and tracing mechanism built into the Windows operating system. It provides a detailed view of application and system behavior, performance issues, and runtime diagnostics. Trace events contain an event header and provider-defined data that describes the current state of an application or operation. You can use the events to debug an application and perform capacity and performance analysis.

The ETW input can interact with ETW in three distinct ways: it can create a new session to capture events from user-mode providers, attach to an already existing session to collect ongoing event data, or read events from a pre-recorded .etl file. This lets the input cover different scenarios, such as real-time event monitoring or analysis of historical data.

This input currently supports manifest-based, MOF (classic) and TraceLogging providers; WPP providers are not supported. Microsoft's ETW documentation describes the available types of providers in more detail.

It has been tested on every Windows version supported by Filebeat, from Windows 8.1 and Windows Server 2016 onward. Administrative privileges are required to create, control or attach to event tracing sessions, so Filebeat must run elevated when it uses the session modes.

Example configurations:

Read from a provider by name:

filebeat.inputs:
- type: etw
  id: etw-dnsserver
  enabled: true
  provider.name: Microsoft-Windows-DNSServer
  session_name: DNSServer-Analytical
  trace_level: verbose
  match_any_keyword: 0x8000000000000000
  match_all_keyword: 0

Same provider can be defined by its GUID:

filebeat.inputs:
- type: etw
  id: etw-dnsserver
  enabled: true
  provider.guid: {EB79061A-A566-4698-9119-3ED2807060E7}
  session_name: DNSServer-Analytical
  trace_level: verbose
  match_any_keyword: 0x8000000000000000
  match_all_keyword: 0

Read from a current session:

filebeat.inputs:
- type: etw
  enabled: true
  id: etw-dnsserver-session
  session: UAL_Usermode_Provider

Read from a .etl file:

filebeat.inputs:
- type: etw
  enabled: true
  id: etw-dnsserver-file
  file: "C:\Windows\System32\Winevt\Logs\Logfile.etl"

The examples shown above are mutually exclusive: the options provider.name, provider.guid, session and file cannot be present at the same time. Exactly one of them is required.
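The new-session mode (provider.name or provider.guid) needs an elevated process and a session name that is not already in use: ETW's StartTrace fails with ERROR_ALREADY_EXISTS when a running session of the same name exists, in which case the session option is the right choice. The following PowerShell pre-flight check is an added example, not Filebeat code. It checks the current token for the Administrators role, parses the table printed by logman query -ets, and reports whether a given session_name is free or should be attached to instead. The column layout of the logman table is an assumption, and the session list embedded below is constructed sample output, not captured from a real host.

```powershell
# Added pre-flight check for the ETW input (example code, not part of Filebeat).
# Assumes the "Data Collector Set / Type / Status" table layout of `logman query -ets`.

function Test-EtwElevated {
    # Controlling ETW sessions requires an elevated token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function ConvertFrom-LogmanSessionList {
    # Turn the logman table into objects; header, separator and footer lines do not match.
    param([Parameter(Mandatory)][string[]]$Lines)
    $sessions = @()
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>\S.*?)\s{2,}(?<type>Trace)\s+(?<status>\w+)\s*$') {
            $sessions += [pscustomobject]@{ Name = $Matches['name']; Status = $Matches['status'] }
        }
    }
    return $sessions
}

function Test-EtwSessionNameFree {
    # $true when no running trace session has this name, i.e. the input can create it.
    param([Parameter(Mandatory)][string]$SessionName, [string[]]$Lines)
    if (-not $Lines) { $Lines = & logman.exe query -ets }   # live query when no sample is passed
    $existing = ConvertFrom-LogmanSessionList -Lines $Lines
    return -not ($existing.Name -contains $SessionName)
}

# Constructed sample of `logman query -ets` output (not real data from any host).
$sample = @'
Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
Eventlog-Security                       Trace                         Running
UAL_Usermode_Provider                   Trace                         Running
NtfsLog                                 Trace                         Running

The command completed successfully.
'@ -split "`r?`n"

if (-not (Test-EtwElevated)) {
    Write-Warning 'Not elevated: the ETW input will not be able to start or attach to sessions.'
}

foreach ($name in 'DNSServer-Analytical', 'UAL_Usermode_Provider') {
    if (Test-EtwSessionNameFree -SessionName $name -Lines $sample) {
        "Session name '$name' is free: configure provider.name/provider.guid with session_name: $name"
    } else {
        "Session '$name' is already running: configure session: $name to attach instead"
    }
}
```

Drop the -Lines argument to run the check against the live host; the parser only looks at rows whose Type column is Trace, so Counter and other collector sets are ignored.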

Multiple providers example:

filebeat.inputs:
- type: etw
  id: etw-dnsserver
  enabled: true
  provider.name: Microsoft-Windows-DNSServer
  session_name: DNSServer-Analytical
  trace_level: verbose
  match_any_keyword: 0xffffffffffffffff
  match_all_keyword: 0
- type: etw
  id: etw-security
  enabled: true
  provider.name: Microsoft-Windows-Security-Auditing
  session_name: Security-Auditing
  trace_level: warning
  match_any_keyword: 0xffffffffffffffff
  match_all_keyword: 0

Configuration options

The ETW input supports the following configuration options.

file

Specifies the path to an .etl file to read ETW events from. This is the trace log format written by ETW sessions and by tools such as logman and Windows Performance Recorder.

provider.guid

Identifies the GUID of an ETW provider. To see available providers, use the command logman query providers.

provider.name

Specifies the name of the ETW provider. Available providers can be listed using logman query providers.

session_name

When a provider is specified, a new session is created, and this option sets the name of that ETW session. If not provided, the default is the provider ID prefixed with Elastic-. The name must not collide with a session that is already running on the host.

trace_level

Defines the filtering level for events based on severity. Valid options are critical, error, warning, informational, and verbose. Each level includes the more severe ones, so verbose collects everything the provider emits.

match_any_keyword

An 8-byte bitmask used for filtering events from specific provider subcomponents based on keyword matching. An event is written if any of its keyword bits is set in this mask. The default value is 0xffffffffffffffff, which matches every available keyword.

Run logman query providers "<provider.name>" to list the available keywords for a specific provider.

match_all_keyword

Similar to match_any_keyword, this 8-byte bitmask only passes events whose keywords include all of the bits set here. The default value is 0, which lets every event pass.

Run logman query providers "<provider.name>" to list the available keywords for a specific provider.
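Typing a 64-bit mask by hand is error-prone, and an all-ones mask pulls every keyword the provider defines. The following PowerShell helper is an added example, not Filebeat code: it parses the Value/Keyword table printed by logman query providers "<provider.name>", ORs the values of the keywords you name into a UInt64, and prints a ready-to-paste input block. The table layout is an assumption, and the keyword names and values in the embedded sample are constructed for the example (only the provider name and GUID are taken from this page); run it against real logman output to get the provider's actual keywords.

```powershell
# Added example (not Filebeat code): derive match_any_keyword from keyword names.
# Assumes the "Value / Keyword / Description" table layout of `logman query providers "<name>"`.

function ConvertFrom-LogmanProviderKeywords {
    # Returns a hashtable keyword name -> [uint64] value. Only the Keyword table is read;
    # the Level table that follows it is skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $keywords = @{}
    $inTable = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Value\s+Keyword\s+Description') { $inTable = $true;  continue }
        if ($line -match '^\s*Value\s+Level\s+Description')   { $inTable = $false; continue }
        if ($inTable -and $line -match '^\s*0x([0-9A-Fa-f]{1,16})\s+(\S+)') {
            # Parse as UInt64 so values with the top bit set (0x8000000000000000) do not overflow.
            $keywords[$Matches[2]] = [Convert]::ToUInt64($Matches[1], 16)
        }
    }
    return $keywords
}

function New-EtwKeywordMask {
    # OR the selected keyword values together and format as the 16-digit hex the input expects.
    param([Parameter(Mandatory)][hashtable]$Keywords, [Parameter(Mandatory)][string[]]$Names)
    [uint64]$mask = 0
    foreach ($n in $Names) {
        if (-not $Keywords.ContainsKey($n)) { throw "Keyword '$n' is not defined by this provider" }
        $mask = $mask -bor $Keywords[$n]
    }
    return ('0x{0:x16}' -f $mask)
}

# Constructed sample of `logman query providers` output. The keyword names and values are
# invented for this example; only the provider name and GUID come from the documentation.
$sample = @'
Provider                                 GUID
-------------------------------------------------------------------------------
Microsoft-Windows-DNSServer              {EB79061A-A566-4698-9119-3ED2807060E7}

Value               Keyword              Description
-------------------------------------------------------------------------------
0x0000000000000001  EXAMPLE_QUERY        Constructed: query processing
0x0000000000000002  EXAMPLE_UPDATE       Constructed: dynamic update
0x8000000000000000  EXAMPLE_ANALYTICAL   Constructed: analytical channel

Value               Level                Description
-------------------------------------------------------------------------------
0x02                win:Error            Error
0x05                win:Verbose          Detailed
'@ -split "`r?`n"

$kw   = ConvertFrom-LogmanProviderKeywords -Lines $sample
$mask = New-EtwKeywordMask -Keywords $kw -Names 'EXAMPLE_QUERY', 'EXAMPLE_ANALYTICAL'

@"
filebeat.inputs:
- type: etw
  id: etw-dnsserver
  enabled: true
  provider.name: Microsoft-Windows-DNSServer
  session_name: DNSServer-Analytical
  trace_level: informational
  match_any_keyword: $mask
  match_all_keyword: 0
"@
```

For a real provider replace the sample with the live output, for example ConvertFrom-LogmanProviderKeywords -Lines (logman query providers "Microsoft-Windows-DNSServer"). The same helper produces a match_all_keyword value when you want events that carry every listed keyword rather than any of them.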

session

Names an existing ETW session to attach to and read from. Running sessions can be listed with logman query -ets.