NXLog Docs

ETW (Event Tracing for Windows)

What is ETW?


ETW (Event Tracing for Windows) is a kernel-level mechanism in Microsoft Windows that enables high-efficiency recording of kernel or application-defined events. It is an advanced debugging feature provided by Microsoft that allows you to create customized event tracing using a provider-consumer model. You can configure different Windows services, such as the Windows Firewall and DNS Server, to log events through Windows Event Tracing.

In the world of NXLog

Debug and Analytical channels rely on ETW, and you cannot collect them through regular Windows Event Log channels. NXLog provides the im_etw input module to read event traces directly for maximum efficiency. Unlike other solutions, im_etw does not require saving log data to an intermediate file on disk. Instead, it reads the data straight from the ETW provider.

Known as

ETW, Event Tracing for Windows, Windows Event Tracing, event tracing


Event Tracing for Windows (im_etw)
Collecting ETW logs
DNS logging via ETW providers

A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   R   S   T   U   V   W   X   Z