Event Logs and Channels in Windows Event Log
A channel is a named stream of events that transports events from an event publisher to an event log file, where an event consumer can get an event. Event channels are intended for specific audiences and have different types for each audience.
While most channels are tied to specific event publishers (they are created when publishers are installed and deleted when publishers are uninstalled), there are a few channels that are independent from any event publisher. System Event Log channels and event logs, such as System, Application, and Security, are installed with the operating system and cannot be deleted.
A channel can be defined on any independent Event Tracing for Windows (ETW) session. Such channels are not controlled by Windows Event Log, but by the ETW consumer that creates them.
Channels defined by event publishers are identified by a name and should be based on the publisher name.
There are restrictions on channel naming. Channel names can contain spaces, but a channel name cannot be longer than 255 characters, and cannot contain '>', '<', '&', '"', '|', '\', ':', '`', '?', '*', or characters with codes less than 31. Additionally, the name must follow the general constraints on file and registry key names. These constraints can be found in Naming a File, and Registry Element Size Limits.
The following XML example shows a valid default channel name.
Channels are defined in an instrumentation manifest for an event publisher.
Event types and channel types can be considered the same thing because the type of channel defines the type of event that travels through the channel to an event log. Each channel group contains two event\channel types, based on the event audiences. While any user can look at any event, you can identify the primary audience for each channel type.
- Serviced channel
Offers a reliable delivery of events in the serviced channel. The event consumer subscriptions to a serviced channel are based on XPath queries; thus, only events that match the query are delivered to the subscribers.
Events in the serviced channel can be forwarded to another system. Forwarding is subscription based and selected events can be forwarded from any number of channels.
Serviced channels have the following types:
These events are primarily targeted to the end users, administrators, and support. The events that are found in the Admin channels indicate a problem and a well-defined solution that an administrator can act on. An example of an admin event is an event that occurs when an application fails to connect to a printer. These events are either well-documented or have a message associated with them that gives the reader direct instructions of what must be done to rectify the problem.
Operational events are used for analyzing and diagnosing a problem or occurrence. They can be used to trigger tools or tasks based on the problem or occurrence. An example of an operational event is an event that occurs when a printer is added or removed from a system.
- Direct channel
You cannot subscribe to a direct channel, but you can query a direct channel.
A direct channel is performance-oriented. Events are not processed in any way by the eventing system. This allows the direct channel to support high volumes of events.
Direct channels have the following types:
Analytic events are published in high volume. They describe program operation and indicate problems that cannot be handled by user intervention.
Debug events are used solely by developers to diagnose a problem for debugging.
Note The Debug channel is disabled by default. Once the channel is enabled, you can receive events from the channel and access the information delivered with each event. However, you cannot read the event descriptions using the Event Viewer until the trace message format file (.tmf file) for the channel is added into the %SYSTEMROOT%\System32\winevt\traceformat folder. You can create a .tmf file for your private trace files. For more information, see Creating a TMF file. You do not need a trace format file when a Microsoft support technician requests a trace because the technician already has the file.
Some channels are already defined in the Winmeta.xml file that is included in the Windows SDK. These channels can be imported using the importChannel element. The following table contains a list of these channels.
|Events for classic ETW event tracing.|
|This channel is used by applications running under system service accounts (installed system services), drivers, or a component or application that has events that relate to the health of the computer system.|
|Events for all user-level applications. This channel is not secured and it is open to any applications. Applications which log extensive information should define an application-specific channel.|
|The Windows Audit Log. This event log is for exclusive use of the Windows Local Security Authority. User events may appear as audits if supported by the underlying application.|
Build date: 5/7/2009