We are using nxLog for sending all kinds of logging information to Graylog. This is working for both the SQL Server error log and SQL audit logs, but also for other non-SQL Server logs. We were initially looking into using SQL audit for getting the application name of the user connection, but we are running SQL Server 2016 and it is only available starting with SQL Server 2017. Instead we have tried to use extended events for the logging. The basic ideas are working, and when opening the extended events file in SSMS we can see the requested information. The problem is that the extended event files are binary and we can't use the same type of nxLog configuration as for the error log or SQL audit logs. Instead we have been trying to use etw_classic_sync_target and Event Tracing for Windows (ETW).

We are using the nxLog module im_etw for collecting the ETW information. I have verified the nxLog configuration (nxLog -v) and basically the configuration seems to be working and some events are sent forward. The problem is that they are not the events from our extended event session! The reason is most likely that we are not using the correct ETW provider. I have not been able to find any information on which provider SQL Server and extended events are using. I have tried the most obvious ones, e.g. sqlserver, but none seems to be the correct one.

Does anyone know the name of the ETW provider that the extended event etw_classic_sync_target is using? Or does someone see some other reason why this is not working?

We have set up the nxLog module like this:

<Input xe_etw>
    Module      im_etw
    Provider    sqlserver
</Input>

Asked June 10, 2020 - 7:56am

Answer (1)

Hey Peter,

Please check the list of available providers by executing...

logman query providers

Comments (1)

  • Peter Åkerlund

    Hi Manuel,

    Thank you for the tip. I forgot to write that I have already tried this. The problem is that the list of providers is very long. I have tried the ones that are, in my opinion, most likely, e.g. sqlserver. This provider seems to work, but not with the extended event output, only some other sqlserver output.
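
One way to shorten the long provider list discussed above, as an added example that is not part of the original thread: parse the `logman query providers` output into objects, then either filter by keyword or list only the providers registered inside the running SQL Server process. The function names and the keyword pattern are assumptions, and the sample lines are constructed.

```powershell
# Added example (not from the thread). Function names and the keyword
# pattern are assumptions; the sample lines below are constructed.

function ConvertFrom-LogmanProviderList {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows look like "<provider name><spaces>{GUID}".
        # Header, separator and status lines do not match and are skipped.
        if ($line -match '^(?<Name>.+?)\s+(?<Guid>\{[0-9A-Fa-f-]{36}\})\s*$') {
            [pscustomobject]@{ Name = $Matches['Name'].Trim(); Guid = $Matches['Guid'] }
        }
    }
}

function Get-EtwProviderCandidate {
    param(
        [string]$Pattern = 'sql|xe',   # assumed keywords, adjust as needed
        [string]$ProcessName           # e.g. 'sqlservr' for per-process registrations
    )
    if ($ProcessName) {
        # Providers registered by the process itself (may require an elevated prompt).
        $lines = foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
            logman query providers -pid $p.Id
        }
        # Everything the process registered is a candidate, so no keyword filter here.
        ConvertFrom-LogmanProviderList -Lines $lines | Sort-Object Guid -Unique
    } else {
        ConvertFrom-LogmanProviderList -Lines (logman query providers) |
            Where-Object { $_.Name -match $Pattern }
    }
}

# Constructed sample in the layout logman prints, to check the parser offline.
$sample = @(
    'Provider                                 GUID',
    '-------------------------------------------------------------------------------',
    'Example-Provider-One                     {00000000-0000-0000-0000-000000000001}',
    'Example SQL Provider                     {00000000-0000-0000-0000-000000000002}',
    '',
    'The command completed successfully.'
)
ConvertFrom-LogmanProviderList -Lines $sample | Where-Object { $_.Name -match 'sql' }

# On the SQL Server host:
# Get-EtwProviderCandidate                          # keyword filter over all providers
# Get-EtwProviderCandidate -ProcessName sqlservr    # providers registered by sqlservr.exe
```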