This feature is available as an add-on for the Honeycomb Enterprise plan.
Please contact your Honeycomb account team for details.
Prerequisites
This source creates a Real-Time ETW Session to ingest Event Tracing Logs from Windows using the Event Tracing API. Currently, only real-time monitoring sessions are supported.
System Requirements
- Windows system with Event Tracing for Windows (ETW) enabled
- Familiarity with ETW provider GUIDs for configuration
- Administrative privileges for ETW session creation
Supported Platforms
| Platform | Supported |
|---|---|
| Windows | ✓ |
v1.75.0+.
Configuration Fields
| Field | Description |
|---|---|
| Session Name | Name of the ETW session to create and monitor. Default: “Bindplane-ETW-Session” |
| Providers | Provider names or GUIDs to monitor (e.g., Microsoft-Windows-Kernel-File) |
| Enable Raw Logs (XML) | When enabled, logs are saved as raw XML strings instead of parsed objects. Useful for XML analysis in some destinations. |
| Level | Maximum event level to ingest. Options: none, verbose, informational, warning, error, critical. |
| Session Buffer Size | Buffer size for the ETW session. Default: 64 KiB |
| Require All Providers | When enabled, source only starts if all providers are available. Default: false |
Common ETW Providers
| Provider Name |
|---|
| Microsoft-Windows-Kernel-File |
| Microsoft-Windows-DNS-Client |
Discovering Available Providers
To list all registered ETW providers on your system, run this command in an administrative PowerShell session:
Best Practices
- Start with a minimal set of providers and expand gradually based on monitoring needs
- Monitor resource usage when enabling multiple providers
- Use Performance Monitor to view session settings under Event Trace Sessions
- Consider the impact on system performance when enabling verbose logging levels
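A pre-deployment check for the Providers field and the Require All Providers option, as an added example that is not part of the Honeycomb documentation: it parses the output of the built-in Windows command `logman query providers` and reports which configured names or GUIDs are registered on the host. The `$Configured` list and the function names `Get-RegisteredEtwProvider` and `Test-EtwProviderList` are assumptions made for illustration.

```powershell
# Added example, not from the product documentation.
# Assumption: this list mirrors what you plan to enter in the Providers field
# (names or GUIDs, as the Configuration Fields table allows).
$Configured = @(
    'Microsoft-Windows-Kernel-File',
    'Microsoft-Windows-DNS-Client'
)

function Get-RegisteredEtwProvider {
    # logman prints one "<name>   {GUID}" line per provider; header and footer
    # lines do not end in a GUID, so the regex skips them.
    logman.exe query providers | ForEach-Object {
        if ($_ -match '^(?<Name>.+?)\s+(?<Guid>\{[0-9A-Fa-f-]{36}\})\s*$') {
            [pscustomobject]@{
                Name = $Matches['Name'].Trim()
                Guid = $Matches['Guid']
            }
        }
    }
}

function Test-EtwProviderList {
    param(
        [string[]]$Wanted,      # entries as they would be configured
        [object[]]$Registered   # output of Get-RegisteredEtwProvider
    )
    foreach ($entry in $Wanted) {
        # Accept GUIDs with or without braces; -eq on strings ignores case.
        $guid = '{' + $entry.Trim('{}') + '}'
        $hit  = $Registered |
            Where-Object { $_.Name -eq $entry -or $_.Guid -eq $guid } |
            Select-Object -First 1
        [pscustomobject]@{
            Configured = $entry
            Registered = [bool]$hit
            Name       = $hit.Name
            Guid       = $hit.Guid
        }
    }
}

$registered = @(Get-RegisteredEtwProvider)
$report     = @(Test-EtwProviderList -Wanted $Configured -Registered $registered)
$report | Format-Table -AutoSize

# Flag entries that would keep the source from starting when
# Require All Providers is enabled.
$missing = @($report | Where-Object { -not $_.Registered })
if ($missing.Count -gt 0) {
    Write-Warning ('Not registered on this host: ' + ($missing.Configured -join ', '))
}
```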