Documentation

Overview
Package etw provides utilities for Event Tracing for Windows (ETW):
- StopETWSession: stop an ETW trace session by name
- ProcessETLFile: read and process events from an ETL trace file
- Event property parsing via GetEventPropertyString
Index
- func GetEventPropertyString(e *Event, name string) string
- func MustParseGUID(s string) windows.GUID
- func ProcessETLFile(etlPath string, callback EventCallback, opts ...ProcessOption) error
- func StopETWSession(sessionName string) error
- type Event
- func (e *Event) EventProperties() (map[string]interface{}, error)
- func (e *Event) GetEventID() uint16
- func (e *Event) GetPropertyByName(name string) (string, error)
- func (e *Event) GetPropertyString(name string) string
- func (e *Event) GetProviderID() windows.GUID
- func (e *Event) GetTimestamp() time.Time
- type EventCallback
- type EventRecordFilter
- type ProcessOption
- type ProcessOptions
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetEventPropertyString (added in v0.78.0)
GetEventPropertyString returns the string value of the named property of e. The Event method GetPropertyString provides the same functionality in method form.
func MustParseGUID (added in v0.78.0)
MustParseGUID parses a GUID string (e.g. "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"). It panics if the string is invalid, so it is intended for known-good literal GUIDs rather than for input read at runtime.
func ProcessETLFile (added in v0.78.0)
func ProcessETLFile(etlPath string, callback EventCallback, opts ...ProcessOption) error
ProcessETLFile reads an ETL file and invokes the callback for each event. It blocks until the file is fully processed or an error occurs.
func StopETWSession (added in v0.78.0)
StopETWSession stops an ETW trace session by name (e.g. an autologger session). Uses ControlTraceW with EVENT_TRACE_CONTROL_STOP.
Types
type Event (added in v0.78.0)
type Event struct {
    ProviderID windows.GUID
    EventID    uint16
    Timestamp  time.Time
    // contains filtered or unexported fields
}
Event represents a parsed ETW event from an ETL file. ProviderID, EventID, and Timestamp are available directly. Use EventProperties or GetEventPropertyString for event-specific data. The Event is only valid during the ProcessETLFile callback; do not retain or use it after the callback returns (copy out any values you need).
func (*Event) EventProperties (added in v0.78.0)
EventProperties returns a map of property names to values for this event. Uses TDH (Trace Data Helper) to parse the event schema and user data.
func (*Event) GetEventID (added in v0.78.0)
GetEventID returns the event's ID.
func (*Event) GetPropertyByName (added in v0.78.0)
GetPropertyByName retrieves a single property by name using TdhGetProperty. Unlike GetPropertyString (which parses all properties sequentially), it looks up the named property directly, so a schema mismatch in another property of the same event does not prevent this one from being read.
func (*Event) GetPropertyString (added in v0.78.0)
GetPropertyString returns the string value of a named property. Implements the interface used by logonduration for event property access.
func (*Event) GetProviderID (added in v0.78.0)
GetProviderID returns the event's provider GUID.
func (*Event) GetTimestamp (added in v0.78.0)
GetTimestamp returns the event's timestamp.
type EventCallback (added in v0.78.0)
type EventCallback func(event *Event)
EventCallback is called for each event that passes the filter (or all events if no filter).
type EventRecordFilter (added in v0.78.0)
EventRecordFilter is an optional filter called for each raw event before parsing. Return true to process the event (the EventCallback is invoked) or false to skip it. Use it for fast filtering by ProviderID and EventID so that unwanted events are never parsed.
type ProcessOption (added in v0.78.0)
type ProcessOption func(*ProcessOptions)
ProcessOption configures ProcessETLFile.
func WithEventRecordFilter (added in v0.78.0)
func WithEventRecordFilter(f EventRecordFilter) ProcessOption
WithEventRecordFilter sets a filter to skip events before parsing.
type ProcessOptions (added in v0.78.0)
type ProcessOptions struct {
    Filter EventRecordFilter
}
ProcessOptions configures ETL file processing.