
What is the introduction and usage of Windows event tracking

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces Windows event tracing and how to use it. The content is quite detailed; interested readers can refer to it, and I hope it is helpful to you.

Although most Windows developers know that Event Tracing for Windows (ETW) is a logging and event tracing facility, many administrators have never heard of it, or simply regard ETW as part of the event logging capabilities the operating system provides. ETW runs in the kernel and can trace events raised by user-mode applications, the operating system kernel, and kernel-mode device drivers.

Some core operating system components and third-party applications use ETW to provide event logging and tracing. Although ETW was only available in the Windows checked build during the * releases of Windows 2000, it is now a built-in tool in all Windows versions.

Getting started with Windows event tracking (ETW)

When it comes to troubleshooting Windows servers there is not much information to go on, and administrators do their best to gather every possible source of information to pin down the fault. Tools such as Process Monitor, Process Explorer, Performance Monitor (PerfMon) and Performance Analysis of Logs (PAL) give us far more information than the event logs, but unfortunately we sometimes need still more.

ETW can collect enough information without additional equipment, and it has many advantages. For example:

It uses per-processor kernel buffers in non-paged pool, so it is not affected by application crashes and hangs

Extremely low CPU overhead

Support for the x86, x64 and IA64 architectures

Tracing can be started and stopped without restarting the application

ETW sounds like a great tool, but using it has one drawback: there is no graphical interface or wizard, and some preparation is needed before it produces output that can be analysed.

To produce useful output you need a consumer. Windows Server ships a consumer called Tracerpt.exe. Tracerpt is known for producing specific output formats, so it is important to be proficient with tools such as Tracerpt and Logman, which are built into Windows Server 2003 and later, as well as Windows Vista and Windows 7.

It is also important to understand the architecture of ETW. As shown in the figure, the controller is used to start and stop a trace session. In Windows Server 2003 and 2008, the controller tool is Logman.exe.

Figure 1. ETW architecture

Windows Server 2003 also includes a small number of event providers that return specific events, including the following Active Directory related providers:

Active Directory: Core

Active Directory: Kerberos

Active Directory: SAM

Active Directory: NetLogon

For example, specifying Active Directory: Kerberos as the provider returns only Kerberos-specific events.

Event providers vary with the version of Windows. For example, Windows Server 2003 has 22 providers and Windows Server 2008 has 387, giving more powerful tracing and wider coverage. However, when it comes to LDAP traffic, the Active Directory: Core provider is essentially the same on both Windows versions.

You can also bundle multiple event providers into a single trace. Because Kerberos authentication was mentioned in the example above, I use the Active Directory: Kerberos and Active Directory: Core providers together here, with the Logman command and its -pf parameter, as in the following example:

logman create trace CoreKerb -pf c:\etw\input.txt -o c:\etw\coreKerb

The -pf parameter tells Logman to read the providers from an input text file (input.txt in this case). Its format is shown in figure 2.

Figure 2. Input text file format

Now that we know what event tracing is, let's look at how to use Windows event tracing (ETW).

This section introduces ETW through an example. An engineer recently told me that he needed to know how Active Directory responds to the LDAP authentication requests a Unix client submits to the domain controllers. He used a Unix command to view the bind requests on the Unix side, and hoped to get similar output on the Windows side. The Unix output is shown below:

[23/Sep/2010:15:04:44 +0200] conn=31 fd=65 slot=65 connection from 10.50.20.173 to 10.50.12.119
[23/Sep/2010:15:04:44 +0200] conn=31 op=0 BIND dn="uid=dorsa,ou=people,o=Corp.net" method=128 version=3
[23/Sep/2010:15:04:44 +0200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=dorsa,ou=people,o=corp.net"
[23/Sep/2010:15:04:44 +0200] conn=31 op=1 SRCH base="ou=people,o=hp.com" scope=2 filter="(|(uid=dorsa)(cn=mdilln.dodgcty))" attrs=ALL
[23/Sep/2010:15:04:44 +0200] conn=31 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[23/Sep/2010:15:04:44 +0200] conn=31 op=2 UNBIND
[23/Sep/2010:15:04:44 +0200] conn=31 op=2 fd=65 closed - U1
[23/Sep/2010:15:04:44 +0200] conn=29 op=-1 fd=64 closed error 11 (Resource temporarily unavailable) -

To get this output, I first opened the NTDS Diagnostics registry key, located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics, and set the LDAP Interface value to 5. This only gives the time an operation took to run and does not have much in common with the Unix output, so I decided to try ETW. Because I use Windows Server 2003, I use the Active Directory: Core provider, which provides detailed LDAP information.

The following steps and commands create an ETW trace and generate logs. These commands capture the LDAP data during authentication for the Unix engineer. I also create an ETW folder on drive C to store all the data.

1. C:\> logman query providers. This command lists all available providers. Since we want information about LDAP, the provider to use is Active Directory: Core.

2. logman create trace "LDAP1" -p "Active Directory: Core" -o c:\etw\LDAP1

LDAP1 is the name of the trace (it appears in the trace list).

-p specifies Active Directory: Core as the provider

-o specifies the path of the output file (extension .etl), C:\etw\ldap1. The output file is saved as LDAP1_000001.etl. Note that when the trace is run a second time the output file is named LDAP1_000002.etl, and so on.

3. Once the logman create trace command has executed successfully, you can see the trace in the collector list with the command C:\> logman query. In figure 3, the LDAP1 trace is shown in the red box. Note that once set up, these traces can be started and stopped at any time and reused.

Figure 3. ETW traces

4. Start the trace with the following command:

logman start LDAP1

Running logman query at this point shows that LDAP1 is running.

5. Then we need to reproduce the problem or event we want to trace. In this example I perform a logon and run some LDIFDE commands to carry out LDAP searches. Once these commands have run, move on to the next step as soon as possible so that the trace picks up as little unrelated noise as possible and is easier to read.

6. Next, stop the trace with the command logman stop LDAP1.

7. Confirm that the LDAP1 trace file LDAP1_000002.etl has been created in the C:\ETW directory:

C:\ETW> dir ldap1*
 Volume in drive C has no label.
 Volume Serial Number is 309D-BA04

 Directory of C:\ETW

10/13/2010  04:22 PM        1015 ldap1
10/13/2010  04:20 PM      262144 LDAP1_000001.etl
01/21/2011  02:12 AM      262144 LDAP1_000002.etl

8. Because this is the second run of the trace, the file is numbered 000002.

Since the .etl log file is not human-readable, we use the Tracerpt command to extract useful data. An example of the command:

tracerpt LDAP1_000001.etl -o Ldap1.csv

-of sets the output file type (the default is CSV; see the online help for more formats)

-o sets the output file name (the default is dumpfile.csv); this file contains the LDAP activity we are interested in

-summary and -report produce statistics (not used in this example)

Open the LDAP1.csv file in Excel (or Notepad) to view the data. As shown in figure 4, the LDAP requests and responses are highlighted. The search and bind requests are in column A, and in column B you can see the start and end of each request in pairs. On the right you can also see the user data, the filter and scope of the LDAP request, and other relevant information.

Figure 4. LDAP1.csv data
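The CSV layout described above (request name in column A, Start/End pairs in column B, provider user data on the right) lends itself to a small script that pairs each Start with its End and prints one summary line per LDAP operation, much like the Unix access log the engineer wanted. This is an added example, not code from the article: the column names and the sample rows are a constructed approximation of a Tracerpt CSV export, and pair_ldap_events is a hypothetical helper.

```python
import csv
import io

# Constructed sample of a Tracerpt CSV export (not real trace output): column A is
# the event name, column B the event type (Start/End), the last column carries the
# provider's user data. Clock-Time is a plain millisecond counter here for brevity.
# The last Search deliberately has no End row, to show how an incomplete request
# (the case the Unix side reported as an error) is surfaced.
SAMPLE_CSV = """Event Name,Type,TID,Clock-Time,User Data
LDAP Bind,Start,1234,1000,"dn=uid=dorsa,ou=people,o=corp.net version=3"
LDAP Bind,End,1234,1003,"err=0"
LDAP Search,Start,1234,1010,"base=ou=people,o=corp.net scope=2 filter=(uid=dorsa)"
LDAP Search,End,1234,1025,"err=0 nentries=2"
LDAP Search,Start,1234,1030,"base=ou=people,o=corp.net scope=2 filter=(cn=nobody)"
"""


def pair_ldap_events(csv_text):
    """Pair each Start row with the next End row of the same event name and
    thread, and return Unix-style summary lines with the elapsed time (etime).
    Requests that never receive an End row are reported separately."""
    rows = csv.DictReader(io.StringIO(csv_text))
    open_ops = {}   # (event name, TID) -> the Start row still waiting for its End
    lines = []
    for row in rows:
        key = (row["Event Name"], row["TID"])
        if row["Type"] == "Start":
            open_ops[key] = row
        elif row["Type"] == "End" and key in open_ops:
            start = open_ops.pop(key)
            etime = int(row["Clock-Time"]) - int(start["Clock-Time"])
            lines.append(f"{start['Event Name']} {start['User Data']} "
                         f"RESULT {row['User Data']} etime={etime}")
    # Anything still open at the end is a request the trace never saw complete.
    for (name, tid), start in open_ops.items():
        lines.append(f"{name} {start['User Data']} RESULT <no End event> tid={tid}")
    return lines


if __name__ == "__main__":
    for line in pair_ldap_events(SAMPLE_CSV):
        print(line)
```

On a real export, check the header row of the CSV first and adjust the column names, since the exact columns Tracerpt writes depend on the Windows version and the provider.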

The exciting thing about ETW is that there are countless providers: Group Policy, Kerberos, the LDAP client, Netlogon, FSRM, IIS and more, and Windows Server 2008 has many more providers than those mentioned here.

Although I used event logs and similar log files in the past, I now use Windows event tracing to get deeper and more detailed information to help solve any problem I encounter. Very simple commands are enough to trace and generate reports, and you can find more command options and details online.

This concludes the introduction to Windows event tracing and how to use it. I hope the content above is helpful to you. If you found the article useful, please share it so more people can see it.
