ETW (Event Tracing for Windows)
What is ETW?
Description
ETW (Event Tracing for Windows) is a kernel-level mechanism in Microsoft Windows that records kernel- and application-defined events with very low overhead. It is an advanced debugging and diagnostics facility provided by Microsoft that lets you build customized event tracing on a provider-consumer model: components register as providers that emit events, and tracing sessions deliver those events to consumers that read them. Many Windows services, such as the Windows Firewall and DNS Server, can be configured to log events through Event Tracing for Windows.
In the world of NXLog
The Debug and Analytical channels of the Windows Event Log are backed by ETW and cannot be collected through the regular Windows Event Log channels. NXLog provides the im_etw input module to read event traces directly from the ETW provider for maximum efficiency. Unlike other solutions, im_etw does not require the trace data to be saved to an intermediate file on disk first.
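A minimal NXLog configuration that subscribes to a single ETW provider with im_etw and writes the events to a file is shown below. This is an added illustration, not a configuration taken from this page; the provider name Microsoft-Windows-DNSServer (the ETW provider behind the DNS Server Analytical channel) and the output path are assumptions chosen for the example, and im_etw only works on Windows agents.

```xml
<!-- Added example configuration (not from the original page). -->
<!-- Input: read events straight from the ETW provider, no intermediate .etl file. -->
<Input etw>
    Module    im_etw
    <!-- Assumed provider name: the DNS Server ETW provider. Replace with the
         provider you need (see "logman query providers" on the host). -->
    Provider  Microsoft-Windows-DNSServer
</Input>

<!-- Output: write the collected events to a local file (assumed path). -->
<Output file>
    Module    om_file
    File      'C:\logs\dns-etw.log'
</Output>

<!-- Route the ETW input to the file output. -->
<Route etw_to_file>
    Path      etw => file
</Route>
```

Because im_etw attaches to the provider directly, the events never pass through a disk-based trace file, which removes the latency and I/O of polling .etl files and leaves no intermediate trace on the host to clean up.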
Known as
ETW, Event Tracing for Windows, Windows Event Tracing, event tracing
Related
- Event Tracing for Windows (im_etw)
- Collecting ETW logs
- DNS logging via ETW providers
- Solving log collection challenges with Event Tracing for Windows (whitepaper)