This source is built on top of Windows ETW, which has resource limitations and was not initially designed for long-term monitoring. Please use with caution on your host systems.
While the source supports reading events from ETL logs, using them for continuous event collection may result in dropped events and increased resource utilization on your hosts if not tuned to your specific environment (the default settings may not work out of the box).
This source creates a Real-Time ETW Session to ingest Event Tracing Logs from Windows using the Event Tracing API. Currently, only real-time monitoring sessions are supported.
For more information on ETW, refer to Microsoft’s ETW Documentation.
| Platform | Supported |
|---|---|
| Windows | ✓ |
Available in Bindplane Distro for OpenTelemetry Collector v1.75.0+.
| Field | Description |
|---|---|
| Session Name | Name of the ETW session to create and monitor. Default: "Bindplane-ETW-Session" |
| Providers | Provider names or GUIDs to monitor (e.g., Microsoft-Windows-Kernel-File) |
| Enable Raw Logs (XML) | When enabled, logs are saved as raw XML strings instead of parsed objects. Useful for XML analysis in some destinations. |
| Level | Maximum event level to ingest. Options: none, verbose, informational, warning, error, critical. |
| Session Buffer Size | Buffer size for the ETW session. Default: 64 KiB |
| Require All Providers | When enabled, source only starts if all providers are available. Default: false |
| Provider Name |
|---|
| Microsoft-Windows-Kernel-File |
| Microsoft-Windows-DNS-Client |
To list all registered ETW providers on your system, run this command in an administrative PowerShell session:
logman query providers
Event Trace Sessions