EVENT_TRACE_LOGFILE structure

The EVENT_TRACE_LOGFILE structure specifies how the consumer wants to read events (from a log file or in real-time) and the callbacks that will receive the events.

When ETW flushes a buffer, this structure contains information about the event tracing session and the buffer that ETW flushed.

Syntax


typedef struct _EVENT_TRACE_LOGFILE {
  LPTSTR                       LogFileName;
  LPTSTR                       LoggerName;
  LONGLONG                     CurrentTime;
  ULONG                        BuffersRead;
  union {
    ULONG LogFileMode;
    ULONG ProcessTraceMode;
  };
  EVENT_TRACE                  CurrentEvent;
  TRACE_LOGFILE_HEADER         LogfileHeader;
  PEVENT_TRACE_BUFFER_CALLBACK BufferCallback;
  ULONG                        BufferSize;
  ULONG                        Filled;
  ULONG                        EventsLost;
  union {
    PEVENT_CALLBACK        EventCallback;
    PEVENT_RECORD_CALLBACK EventRecordCallback;
  };
  ULONG                        IsKernelTrace;
  PVOID                        Context;
} EVENT_TRACE_LOGFILE, *PEVENT_TRACE_LOGFILE;

Members

LogFileName

Name of the log file used by the event tracing session. Specify a value for this member if you are consuming from a log file. This member must be NULL if LoggerName is specified.

You must know the log file name the controller specified. If the controller logged events to a private session (the controller set the LogFileMode member of EVENT_TRACE_PROPERTIES to EVENT_TRACE_PRIVATE_LOGGER_MODE), the file name must include the process identifier that ETW appended to the log file name. For example, if the controller named the log file xyz.etl and the process identifier is 123, ETW uses xyz.etl_123 as the file name.

If the controller set the LogFileMode member of EVENT_TRACE_PROPERTIES to EVENT_TRACE_FILE_MODE_NEWFILE, the log file name must include the sequential serial number used to create each new log file.

The user consuming the events must have permissions to read the file.

LoggerName

Name of the event tracing session. Specify a value for this member if you want to consume events in real time. This member must be NULL if LogFileName is specified.

You can only consume events in real time if the controller set the LogFileMode member of EVENT_TRACE_PROPERTIES to EVENT_TRACE_REAL_TIME_MODE.

Only users with administrative privileges, users in the Performance Log Users group, and applications running as LocalSystem, LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group or call EventAccessControl.

Windows XP and Windows 2000:  Anyone can consume real time events.

CurrentTime

On output, the current time, in 100-nanosecond intervals since midnight, January 1, 1601.

BuffersRead

On output, the number of buffers processed.

LogFileMode

Reserved. Do not use.

ProcessTraceMode

Modes for processing events. The modes are defined in the Evntcons.h header file. You can specify one or more of the following modes:

ValueMeaning
PROCESS_TRACE_MODE_EVENT_RECORD

Specify this mode if you want to receive events in the new EVENT_RECORD format. To receive events in the new format you must specify a callback in the EventRecordCallback member. If you do not specify this mode, you receive events in the old format through the callback specified in the EventCallback member.

Prior to Windows Vista:  Not supported.

PROCESS_TRACE_MODE_RAW_TIMESTAMP

Specify this mode if you do not want the time stamp value in the TimeStamp member of EVENT_HEADER and EVENT_TRACE_HEADER converted to system time (leaves the time stamp value in the resolution that the controller specified in the Wnode.ClientContext member of EVENT_TRACE_PROPERTIES).

Prior to Windows Vista:  Not supported.

PROCESS_TRACE_MODE_REAL_TIME

Specify this mode to receive events in real time (you must specify this mode if LoggerName is not NULL).

 

CurrentEvent

On output, an EVENT_TRACE structure that contains the last event processed.

LogfileHeader

On output, a TRACE_LOGFILE_HEADER structure that contains general information about the session and the computer on which the session ran.

BufferCallback

Pointer to the BufferCallback function that receives buffer-related statistics for each buffer ETW flushes. ETW calls this callback after it delivers all the events in the buffer. This callback is optional.

BufferSize

On output, contains the size of each buffer, in bytes.

Filled

On output, contains the number of bytes in the buffer that contain valid information.

EventsLost

Not used.

EventCallback

Pointer to the EventCallback function that ETW calls for each event in the buffer.

Specify this callback if you are consuming events from a provider that used one of the TraceEvent functions to log events.

EventRecordCallback

Pointer to the EventRecordCallback function that ETW calls for each event in the buffer.

Specify this callback if you are consuming events from a provider that used one of the EventWrite functions to log events.

Prior to Windows Vista:  Not supported.

IsKernelTrace

On output, if this member is TRUE, the event tracing session is the NT Kernel Logger. Otherwise, it is another event tracing session.

Context

Context data that a consumer can specify when calling OpenTrace. If the consumer uses EventRecordCallback to consume events, ETW sets the UserContext member of the EVENT_RECORD structure to this value.

Prior to Windows Vista:  Not supported.

Remarks

Be sure to initialize the memory for this structure to zero before setting any members.

Consumers pass this structure to the OpenTrace function.

When ETW flushes a buffer, it passes the structure to the consumer's BufferCallback function.

Requirements

Minimum supported client

Windows 2000 Professional [desktop apps only]

Minimum supported server

Windows 2000 Server [desktop apps only]

Header

Evntrace.h

Unicode and ANSI names

EVENT_TRACE_LOGFILEW (Unicode) and EVENT_TRACE_LOGFILEA (ANSI)

See also

BufferCallback
OpenTrace

 

 

Community Additions

ADD
Show:
© 2014 Microsoft