Request trial
Request Trial

What are the name of the ETW prover that SQL Server extended events are using?

Tags:
#1 PeterAkerlund

We are using nxLog for sending all kind the logging information to a Graylog. This is working for both the SQL Server error log and SQL audit logs but also for other none SQL Server logs. We where initially looking into using SQL audit for getting the application name of the user connection but we are running SQL Server 2016 and it is only available starting with SQL Server 2017. Instead we have tried to use extended events for the logging. The basic ideas are working and when opening the extended events file in SSMS we can see the requested information. The problem is that the extended event files are binaries and we can't use the same type of nxLog configuration as for error log or SQL audit logs. Instead we have been trying to use etw_classic_sync_target and Event Tracing for Windows(ETW).

We are using nxLog module im_etw for collecting the ETW information. I have verified the nxLog configuration (nxLog -v) and basically the configuration seems to be working and some events are sent forward. The problem is that it is not the events from our extended event session! The reason most likely is that we are not using the correct ETW provider. I have not been able to find any information of what provider that SQL Server and extended events are using. I have tried to most obvious ones as e.g. sqlserver but none seems to be the correct.

Does anyone know the name of the ETW provider that the extended event etw_classic_sync_target is using? OR does someonw see some other reason why this is not working?

We have set up the nxLog module as this

<Input xe_etw>
    Module      im_etw
    Provider    sqlserver
</Input>
Permalink
#2 manuel.munozDeactivated Nxlog ✓
#1 PeterAkerlund
We are using nxLog for sending all kind the logging information to a Graylog. This is working for both the SQL Server error log and SQL audit logs but also for other none SQL Server logs. We where initially looking into using SQL audit for getting the application name of the user connection but we are running SQL Server 2016 and it is only available starting with SQL Server 2017. Instead we have tried to use extended events for the logging. The basic ideas are working and when opening the extended events file in SSMS we can see the requested information. The problem is that the extended event files are binaries and we can't use the same type of nxLog configuration as for error log or SQL audit logs. Instead we have been trying to use etw_classic_sync_target and Event Tracing for Windows(ETW). We are using nxLog module im_etw for collecting the ETW information. I have verified the nxLog configuration (nxLog -v) and basically the configuration seems to be working and some events are sent forward. The problem is that it is not the events from our extended event session! The reason most likely is that we are not using the correct ETW provider. I have not been able to find any information of what provider that SQL Server and extended events are using. I have tried to most obvious ones as e.g. sqlserver but none seems to be the correct. Does anyone know the name of the ETW provider that the extended event etw_classic_sync_target is using? OR does someonw see some other reason why this is not working? We have set up the nxLog module as this <Input xe_etw> Module im_etw Provider sqlserver </Input>

Hey Peter,

Please check the list of available providers by executing...

logman query providers
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS