Documentation

Overview

Package etw provides utilities for Event Tracing for Windows (ETW):
- StopETWSession: stop an ETW trace session by name
- ProcessETLFile: read and process events from an ETL trace file
- Event property parsing via GetEventPropertyString
Index

- func GetEventPropertyString(e *Event, name string) string
- func MustParseGUID(s string) windows.GUID
- func ProcessETLFile(etlPath string, callback EventCallback, opts ...ProcessOption) error
- func StopETWSession(sessionName string) error
- type Event
  - func (e *Event) EventProperties() (map[string]interface{}, error)
  - func (e *Event) GetEventID() uint16
  - func (e *Event) GetPropertyByName(name string) (string, error)
  - func (e *Event) GetPropertyString(name string) string
  - func (e *Event) GetProviderID() windows.GUID
  - func (e *Event) GetTimestamp() time.Time
- type EventCallback
- type EventRecordFilter
- type ProcessOption
  - func WithEventRecordFilter(f EventRecordFilter) ProcessOption
- type ProcessOptions
Constants

This section is empty.

Variables

This section is empty.
Functions

func GetEventPropertyString

func GetEventPropertyString(e *Event, name string) string

GetEventPropertyString returns the string value of a named property. GetPropertyString on Event provides the same functionality as a method.

func MustParseGUID

func MustParseGUID(s string) windows.GUID

MustParseGUID parses a GUID string (e.g. "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"). Panics if the string is invalid.

func ProcessETLFile

func ProcessETLFile(etlPath string, callback EventCallback, opts ...ProcessOption) error

ProcessETLFile reads an ETL file and invokes the callback for each event. Blocks until the file is fully processed or an error occurs.

func StopETWSession

func StopETWSession(sessionName string) error

StopETWSession stops an ETW trace session by name (e.g. an autologger session). Uses ControlTraceW with EVENT_TRACE_CONTROL_STOP.
Types

type Event

type Event struct {
	ProviderID windows.GUID
	EventID    uint16
	Timestamp  time.Time
	// contains filtered or unexported fields
}

Event represents a parsed ETW event from an ETL file. ProviderID, EventID, and Timestamp are available directly. Use EventProperties or GetEventPropertyString for event-specific data. The Event is only valid during the ProcessETLFile callback; do not use it after the callback returns.
func (*Event) EventProperties

func (e *Event) EventProperties() (map[string]interface{}, error)

EventProperties returns a map of property names to values for this event. Uses TDH (Trace Data Helper) to parse the event schema and user data.

func (*Event) GetPropertyByName

func (e *Event) GetPropertyByName(name string) (string, error)

GetPropertyByName retrieves a single property by name using TdhGetProperty. Unlike GetPropertyString (which parses all properties sequentially), this directly looks up the named property and is resilient to schema mismatches in other properties within the same event.

func (*Event) GetPropertyString

func (e *Event) GetPropertyString(name string) string

GetPropertyString returns the string value of a named property. Implements the interface used by logonduration for event property access.

func (*Event) GetProviderID

func (e *Event) GetProviderID() windows.GUID

GetProviderID returns the event's provider GUID.

func (*Event) GetTimestamp

func (e *Event) GetTimestamp() time.Time

GetTimestamp returns the event's timestamp.
type EventCallback

type EventCallback func(event *Event)

EventCallback is called for each event that passes the filter (or all events if no filter).

type EventRecordFilter

EventRecordFilter is an optional filter called for each raw event before parsing. Return true to process the event (call EventCallback), false to skip. Use for fast filtering by ProviderID and EventID to avoid parsing unwanted events.

type ProcessOption

type ProcessOption func(*ProcessOptions)

ProcessOption configures ProcessETLFile.

func WithEventRecordFilter

func WithEventRecordFilter(f EventRecordFilter) ProcessOption

WithEventRecordFilter sets a filter to skip events before parsing.
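The following is an added, self-contained example and not code from the etw package. The package is Windows-only, and neither its import path nor the parameter type of EventRecordFilter appears on this page, so the block does not import it. Instead it defines a local GUID type with the same field layout as windows.GUID, a parser that does what MustParseGUID is documented to do (including the panic-on-invalid behaviour and the non-panicking variant you would want for untrusted input), an allowlist keyed on (provider GUID, event ID) of the kind an EventRecordFilter would implement to skip events before TDH parsing, and a callback that copies values out of each event because an Event is only valid while the ProcessETLFile callback runs. The Event struct here is a constructed stand-in carrying only the three fields the page documents, and the second provider GUID and all sample events are made up.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// GUID mirrors the field layout of golang.org/x/sys/windows.GUID, the type
// etw.MustParseGUID returns and etw.Event.ProviderID carries.
type GUID struct {
	Data1 uint32
	Data2 uint16
	Data3 uint16
	Data4 [8]byte
}

// ParseGUID parses "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" (braces optional,
// hex case-insensitive). The first three groups are numeric fields; the last
// two groups are stored as bytes in textual order. Malformed input is an error.
func ParseGUID(s string) (GUID, error) {
	body := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(s), "{"), "}")
	parts := strings.Split(body, "-")
	want := []int{8, 4, 4, 4, 12}
	if len(parts) != len(want) {
		return GUID{}, fmt.Errorf("malformed GUID %q: expected 5 groups, got %d", s, len(parts))
	}
	for i, p := range parts {
		if len(p) != want[i] {
			return GUID{}, fmt.Errorf("malformed GUID %q: group %d has %d chars, want %d", s, i+1, len(p), want[i])
		}
	}
	raw, err := hex.DecodeString(strings.Join(parts, ""))
	if err != nil {
		return GUID{}, fmt.Errorf("malformed GUID %q: %w", s, err)
	}
	var g GUID
	g.Data1 = binary.BigEndian.Uint32(raw[0:4])
	g.Data2 = binary.BigEndian.Uint16(raw[4:6])
	g.Data3 = binary.BigEndian.Uint16(raw[6:8])
	copy(g.Data4[:], raw[8:16])
	return g, nil
}

// MustParseGUID behaves like the package's function: it panics on invalid
// input, which suits hard-coded provider constants but not user-supplied strings.
func MustParseGUID(s string) GUID {
	g, err := ParseGUID(s)
	if err != nil {
		panic(err)
	}
	return g
}

// eventKey is one (provider, event ID) pair; GUID is comparable, so it works as a map key.
type eventKey struct {
	Provider GUID
	EventID  uint16
}

// Filter is an allowlist of the pairs worth parsing. This is the decision an
// EventRecordFilter should make on the raw record so unwanted events never
// reach TDH parsing.
type Filter map[eventKey]struct{}

func (f Filter) Add(provider GUID, ids ...uint16) {
	for _, id := range ids {
		f[eventKey{provider, id}] = struct{}{}
	}
}

func (f Filter) Allow(provider GUID, id uint16) bool {
	_, ok := f[eventKey{provider, id}]
	return ok
}

// Event is a constructed stand-in with the three fields the page documents on
// etw.Event; it is not the package's type.
type Event struct {
	ProviderID GUID
	EventID    uint16
	Timestamp  time.Time
}

// Record is the caller-owned copy made inside the callback. A real *etw.Event
// is only valid while the callback runs, so copy values, never keep the pointer.
type Record struct {
	Key       eventKey
	Timestamp time.Time
}

// Collect drives a callback over events the way ProcessETLFile would and
// returns copies of the records the filter allows.
func Collect(events []Event, filter Filter) []Record {
	var out []Record
	callback := func(e *Event) {
		if !filter.Allow(e.ProviderID, e.EventID) {
			return
		}
		out = append(out, Record{Key: eventKey{e.ProviderID, e.EventID}, Timestamp: e.Timestamp})
	}
	for i := range events {
		callback(&events[i])
	}
	return out
}

func main() {
	// Constructed sample: the GUID quoted in the MustParseGUID doc plus a made-up one.
	provA := MustParseGUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}")
	provB := MustParseGUID("{11111111-2222-3333-4444-555555555555}")
	filter := Filter{}
	filter.Add(provA, 1, 2)
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	events := []Event{{provA, 1, t0}, {provA, 3, t0}, {provB, 1, t0}, {provA, 2, t0}}
	for _, r := range Collect(events, filter) {
		fmt.Printf("provider %08X event %d at %s\n", r.Key.Provider.Data1, r.Key.EventID, r.Timestamp.Format(time.RFC3339))
	}
}
```

Two things worth noting from the block: Data4 keeps the textual byte order of the last two groups, so a GUID built this way compares equal to one produced from the same string by the real MustParseGUID; and the allowlist is a map on a comparable struct, which keeps the per-record filter decision O(1) no matter how many providers you watch.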
type ProcessOptions

type ProcessOptions struct {
	Filter EventRecordFilter
}

ProcessOptions configures ETL file processing.