I have been trying, without much success, to capture ETW events created by IIS or ASP.NET which include the request URL.
I am using Windows 8 (development) and Windows Server 2008 R2 (production), so IIS 8.0 and 7.5 respectively. I am aware that in IIS 8.5 there is better ETW support but that's not going to help at the moment unfortunately.
Using PerfView, collecting system-wide events and with the following Additional Providers I get some events in the Microsoft-Windows-IIS-Configuration namespace but nothing that includes individual request details.
Additional Providers
Microsoft-Windows-IIS-APPHOSTSVC:*:5,Microsoft-Windows-IIS-Configuration:*:5,Microsoft-Windows-IIS-FTP:*:5,Microsoft-Windows-IIS-IisMetabaseAudit:*:5,Microsoft-Windows-IIS-IISReset:*:5,Microsoft-Windows-IIS-W3SVC:*:5,Microsoft-Windows-IIS-W3SVC-PerfCounters:*:5 ,Microsoft-Windows-IIS-W3SVC-WP:*:5,Microsoft-Windows-IIS-WMSVC:*:5
If I run logman query providers I get the following, so I know these providers are available (on my Windows 8 machine).
Provider GUID
-------------------------------------------------------------------------------
Microsoft-Windows-IIS-APPHOSTSVC {CAC10856-9223-48FE-96BA-2A772274FB53}
Microsoft-Windows-IIS-Configuration {DC0B8E51-4863-407A-BC3C-1B479B2978AC}
Microsoft-Windows-IIS-FTP {AB29F35C-8531-42FF-810D-B8552D23BC92}
Microsoft-Windows-IIS-IisMetabaseAudit {BBB924B8-F415-4F57-AA45-1007F704C9B1}
Microsoft-Windows-IIS-IISReset {DA9A85BB-563D-40FB-A164-8E982EA6844B}
Microsoft-Windows-IIS-W3SVC {05448E22-93DE-4A7A-BBA5-92E27486A8BE}
Microsoft-Windows-IIS-W3SVC-PerfCounters {90303B54-419D-4081-A683-6DBCB532F261}
Microsoft-Windows-IIS-W3SVC-WP {670080D9-742A-4187-8D16-41143D1290BD}
Microsoft-Windows-IIS-WMSVC {23108B68-1B7E-43FA-94FB-EC3066805744}
I've also tried using logman to create an ETL file, but this doesn't seem to capture anything IIS related:
etw.ps1
logman start ASPTrace -pf providers.txt -ets
Start-Sleep -Seconds 30
logman stop ASPTrace -ets
providers.txt
"Microsoft-Windows-IIS-APPHOSTSVC" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-Configuration" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-FTP" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-IisMetabaseAudit" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-IISReset" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC-PerfCounters" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC-WP" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-WMSVC" 0xFFFFFFFE 5
I have tried the above with 0xFFFFFFFE and 0xFFFFFFFF.
In IIS 8.5, the administrator has the option of sending logging information to Event Tracing for Windows (ETW). This option gives the administrator the ability to use standard query tools, or create custom tools, for viewing real-time logging information in ETW.
Protocol listeners receive protocol-specific requests, send them to IIS for processing, and then return responses to requestors. For example, when a client browser requests a Web page from the Internet, the HTTP listener, HTTP.sys, picks up the request and sends it to IIS for processing.
This file can be found in the C:\logs folder. If this folder does not exist, it must be created or no traces are generated. Then, run SetupETW.bat on the client and server computers to begin the ETW Trace Session.
IIS works with ASP.NET Core. A request comes in to the IIS server from the web, which sends the request to the ASP.NET Core application, which processes the request and sends its response back to the IIS server and the client who originated the request.
Microsoft-Windows-HttpService {DD5EF90A-6398-47A4-AD34-4DCECDEF795F}
Look at the Deliver event. It has RequestUrl, and the app pool the request got forwarded to.
This is available in Windows Vista and higher.
Create your own ETW provider class with System.Diagnostics.Tracing.EventSource and log the request URL there in your project if you need it.
You can now also use WPT to capture the events.
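The capture suggested in the Microsoft-Windows-HttpService answer above, as an added PowerShell example that is not part of the original posts. The session name and output path are placeholders, and selecting the Deliver event by its rendered task name or message (rather than by a hard-coded event ID) is an assumption that relies on the provider manifest being available where the trace is decoded.

```powershell
# Added example: capture HTTP.sys request events from Microsoft-Windows-HttpService
# and list the named fields of each Deliver event. Run from an elevated prompt.
$session  = 'HttpSysTrace'                      # hypothetical session name
$etl      = Join-Path $env:TEMP 'httpsys.etl'   # hypothetical output path
$provider = 'Microsoft-Windows-HttpService'     # provider named in the answer

# Fail early if the provider is not registered on this machine.
if (-not (logman query providers | Select-String -SimpleMatch $provider)) {
    throw "$provider is not registered on this machine"
}

Remove-Item $etl -ErrorAction SilentlyContinue

# All keywords, level 5 (verbose), the same level the question used.
logman start $session -p $provider 0xFFFFFFFFFFFFFFFF 5 -o $etl -ets | Out-Null
try {
    Start-Sleep -Seconds 30    # send some requests to the site during this window
}
finally {
    # Always stop the session, otherwise it keeps running and the file stays locked.
    logman stop $session -ets | Out-Null
}

# .etl files can only be read oldest-first, hence -Oldest.
$rows = Get-WinEvent -Path $etl -Oldest |
    Where-Object { $_.TaskDisplayName -like '*Deliver*' -or $_.Message -like '*Deliver*' } |
    ForEach-Object {
        $row = [ordered]@{ TimeCreated = $_.TimeCreated; Id = $_.Id }
        # Copy every named EventData field instead of assuming field names,
        # so the URL and request queue appear under whatever names the manifest uses.
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }

$rows | Format-List
```

Because the events come from HTTP.sys rather than from the worker process, this also records requests that never reach the application, which is useful when reconciling IIS logs during an investigation.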