The reason I'm asking is I would like to use the out-of-proc mode, but I cannot install a service on each user's workstation, only on a central server. Is the communication between event source and listener service an ETW thing, or is there some kind of RPC I could use?
2 Answers
Yes, the out-of-process mode works by using ETW. All ETW events are system wide so the service just has to listen to ETW events.
ETW only works locally and does not offer a remote solution you could use. Your options are to install a service on each workstation, listen to ETW events (here or here) and forward them to your server with an RPC solution you build yourself. Using MSMQ comes to mind. Or have your application forward the events to your server directly so you don't need the service. Either way, you will have to build it yourself.

Shucks, thanks. I was hoping to be able to use the XML config available for OOP listening, which seems to have to be done programmatically for IP listening. I'm sure a config reader I build would be useful to many though, so that's my next course of action. My reason for not installing a service on each workstation is not having admin rights for the install. It has to be plain XCOPY. – ProfK May 16 '14 at 02:13
To add to Lars' answer, you could also log to SQL. There is a SQL sink you can use but like everything else, to get the most customized fit, you would build your own (or inherit from another class to give you a good starting point). Be careful though. Not all sinks are created the same. They all have their pros and cons. For example, with SQL and Azure sinks, you have to worry about high latency. The XML formatter doesn't write the root starting and ending node, so it's not well-formed XML. Whatever reads that file would have to provide them. Good luck!

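The reader-side workaround mentioned in the answer above (the consumer supplying the missing root node), as an added example that is not part of the original answers or of the logging library. The element names `Event`, `EventId` and `Message`, the sample data and the helper `iter_events` are constructed for illustration; pass the real element tag your formatter emits. It also copes with a final event that is only half written because the log file is still being appended to.

```python
import xml.etree.ElementTree as ET

# Constructed sample: root-less <Event> elements as a formatter that omits
# the root node would leave them. The last event is cut off mid-write.
SAMPLE = (
    "<Event><EventId>1</EventId><Message>service started</Message></Event>\n"
    "<Event><EventId>7</EventId><Message>login failed for &lt;bob&gt;</Message></Event>\n"
    "<Event><EventId>7</EventId><Mess"
)


def chunked(text, size=16):
    """Split text into small pieces to mimic reading a file in blocks."""
    return (text[i:i + size] for i in range(0, len(text), size))


def iter_events(chunks, tag="Event"):
    """Yield one dict per complete top-level element from root-less XML.

    A synthetic <root> is fed first so the parser sees a well-formed
    document. The parser is never closed, so an incomplete trailing element
    is simply not emitted instead of raising an error.
    """
    parser = ET.XMLPullParser(events=("start", "end"))
    parser.feed("<root>")  # root node supplied by the reader, not the file
    depth = 0
    for chunk in chunks:
        parser.feed(chunk)
        for kind, elem in parser.read_events():
            if kind == "start":
                depth += 1
                continue
            depth -= 1
            # depth == 1 means a direct child of the synthetic root just closed
            if depth == 1 and elem.tag == tag:
                yield {child.tag: child.text for child in elem}
                elem.clear()  # release the children once the event is consumed


if __name__ == "__main__":
    for event in iter_events(chunked(SAMPLE)):
        print(event)
```

Malformed XML in the middle of the file still raises `xml.etree.ElementTree.ParseError` from `read_events()`, so a collector should catch it and record the offset rather than silently dropping the rest of the log.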