Collect ETW Trace Logs
Windows Events collected today are only from the 'classic' NT-style eventlogs (Application/System) as well as from the Crimson logs (Vista and above) that are saved in EVTX format.
It would be nice to enable collection of ETW Trace Logs too (.ETL), like /Analytics and /Debug logs.
Eli Arbel commented
Right now we need to install the Azure Diagnostics agent just so it could save the ETW logs into a storage table, which Log Analytics can read - and on top of it, it loses all the ETW schema. If the Log Analytics agent collected ETW directly, it would be one less process on the machine and it would be easily configurable from the Log Analytics portal.
This could be very beneficial for Service Fabric clusters where there is a massive amount of logging done through ETW (both system and application logs). Currently we use Loggly for our application logs with a SLAB-based collector. If Log Analytics had this capability, we'd probably pick it over such custom solutions.
Same here. The Trace Logs are very vital and massive. Those should be the first candidates for log analytics. And OMS still does not have this essential capability. We got stuck with the Microsoft-Windows-DNSServer/Analytical analysis -- we get 20+ million logs a day. OMS is 100% suitable for these kinds of things, but...
I can't imagine ETW tracing *not* being considered. This is extremely important!
For the time being we have removed those logs from the drop-down list in Log management configuration, to avoid confusion.
Daniele Muscetta commented
Our team has an implementation of an ETL parser module for the agent, but right now this is specialized to collect some very specific telemetry from the VMM stack in Cloud Platform Systems - learn more about CPS at http://www.microsoft.com/cps
If there is enough interest we will think of making this code more generic to support other scenarios.