I am confused how to create an EventListener for an existing system ETW Provider. The EnableEvents method expects to be passed an EventSource instance. Do I need to create that by hand? Is there a way to generate that EventSource class?

I can find out details about a provider by doing either:

logman query providers Microsoft-Windows-WinHttp
wevtutil get-publisher Microsoft-Windows-WinHttp

I can even generate the instrumentationManifest xml with:

.\PerfView.exe /nogui userCommand DumpRegisteredManifest Microsoft-Windows-WinHttp

open System.Diagnostics.Tracing

let printfn format = Printf.ksprintf System.Diagnostics.Debug.WriteLine format

[<EventSource(Name="Microsoft-Windows-NDIS-PacketCapture", Guid="2ed6006e-4729-4609-b423-3ee7bcd678ef")>]
type NdisPacketCaptureEventSource() =
    inherit EventSource()

let Ethernet = LanguagePrimitives.EnumOfValue<int64, EventKeywords>(0x1L)
let WirelessWAN = LanguagePrimitives.EnumOfValue<int64, EventKeywords>(0x200L)

let Api = LanguagePrimitives.EnumOfValue<int64, EventKeywords>(0x1L)
let Send = LanguagePrimitives.EnumOfValue<int64, EventKeywords>(0x100000000L)

[<EventSource(Name="Microsoft-Windows-WinHttp", Guid="7d44233d-3055-4b9c-ba64-0d47ca40a232")>]
type WinHttpEventSource() =
    inherit EventSource()

type MyEventListener() =
    inherit EventListener()

    override x.OnEventSourceCreated source =
        printfn "OnEventSourceCreated %A" source
        base.OnEventSourceCreated source

    override x.OnEventWritten args =
        printfn "OnEventWritten %A" args
        base.OnEventWritten args

[<EntryPoint>]
let main argv = 
    use listener = new MyEventListener()

//    use ndis = new NdisPacketCaptureEventSource()
//    printfn "Name: %s, Guid: %A" ndis.Name ndis.Guid
//    listener.EnableEvents(ndis, EventLevel.Verbose, EventKeywords.All)
//    listener.EnableEvents(ndis, EventLevel.Verbose, Ethernet)
//    listener.EnableEvents(ndis, EventLevel.Verbose, WirelessWAN)

    use winHttp = new WinHttpEventSource()
//    listener.EnableEvents(winHttp, EventLevel.Verbose, EventKeywords.All)
    listener.EnableEvents(winHttp, EventLevel.Verbose, Send)

//    for i in 0 .. 5 do
//    System.Console.ReadKey() |> ignore
    while true do
        System.Threading.Thread.Sleep 100
    0

I haven't been able to trigger OnEventWritten and I don't know why. Any ideas?

Update on 2015-12-02

I was able to get EventSource events logging using SemanticLogging. The details are here. It is using Microsoft.Diagnostics.Tracing.TraceEvent. Using it appears like it may be the solution.

Cameron Taggart

1 Answer

I didn't quite understand what I was asking. I wanted to log events from ETL. On Vance Morrison's Weblog, he explains EventSource keeps track of these data item names and types so that processors (either EventListeners or ETW). The EventListener I was trying to use was for events in the same process. TraceEvent can be used for getting the events from another process. The samples he made available are great and I used them to create this.

open System

// https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/
open Microsoft.Diagnostics.Tracing
open Microsoft.Diagnostics.Tracing.Session

// toggle this on for VS Output window or off for Console window
let printfn format = Printf.ksprintf System.Diagnostics.Debug.WriteLine format

[<EntryPoint>]
let main argv = 
    
    if not (TraceEventSession.IsElevated().GetValueOrDefault()) then
        printfn "you must run as admin"
        1

    else 
        let name = "Microsoft-AdoNet-SystemData"
        let guid = TraceEventProviders.GetProviderGuidByName name
        printfn "name: %s, guid: %A" name guid
        use sn = new TraceEventSession("MySession")
        sn.Source.add_AllEvents (fun evt -> printfn "event: %A" evt)
        sn.EnableProvider(name, TraceEventLevel.Verbose) |> ignore
        Console.CancelKeyPress.Add (fun args -> args.Cancel <- true; sn.Dispose())
        sn.Source.Process() |> ignore
        0

Cameron Taggart
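The in-process versus cross-process distinction described in the answer, as an added example that is not part of the original posts: an EventListener only receives events that an EventSource in the same process actually writes. The source name Example-InProcess-Demo, the RequestSent event and the URL are constructed for illustration.

```fsharp
open System
open System.Collections.Generic
open System.Diagnostics.Tracing

// Hypothetical in-process source: it has a real [<Event>] method, and this
// process calls it, so there is something for a listener to receive.
[<EventSource(Name = "Example-InProcess-Demo")>]
type DemoEventSource() =
    inherit EventSource()
    static member val Log = new DemoEventSource()

    [<Event(1, Level = EventLevel.Informational)>]
    member this.RequestSent(url: string) =
        if this.IsEnabled() then this.WriteEvent(1, url)

type InProcessListener() =
    inherit EventListener()
    let seen = List<string>()
    member x.Seen = seen

    // Called for every EventSource living in THIS process, including ones
    // created before the listener. Providers in other processes or in the
    // kernel never show up here.
    override x.OnEventSourceCreated source =
        if source.Name = "Example-InProcess-Demo" then
            x.EnableEvents(source, EventLevel.Verbose, EventKeywords.All)

    override x.OnEventWritten args =
        let payload = args.Payload |> Seq.map string |> String.concat ", "
        seen.Add(sprintf "%s/%s: %s" args.EventSource.Name args.EventName payload)

[<EntryPoint>]
let main _ =
    use listener = new InProcessListener()
    // Constructed sample call; the listener records it because the event is
    // written by code in this process.
    DemoEventSource.Log.RequestSent "https://example.test/"
    // An EventSource subclass that only reuses a system provider's name and
    // GUID (as in the question) defines no events and is never called by the
    // system component, so OnEventWritten stays silent for it. Reading such a
    // provider requires an ETW session, as in the TraceEvent code above.
    for line in listener.Seen do
        printfn "%s" line
    0
```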