TraceEvent is a library used by the PerfView tool and has the benefits of being a well-designed .NET API. Unfortunately, it doesn’t perform well for scenarios where we want to keep memory usage to a minimum. System.Diagnostics.Tracing has the advantage of being part of the .NET BCL but we’ve observed intermittent exceptions and unexpected behavior in the past. Additionally, it suffers from the same memory consumption issue that TraceEvent does.
In response to these challenges, Office 365 Security chose to implement our own API with three primary goals:
•Intuitive and flexible API
•High performance – filtering events in the native layer
•Available both in .NET and native C++
The result of this work is krabsetw, a library we’ve open-sourced under the MIT license. It contains both a native C++ API as well as a .NET API. This library is used in production today across Office 365 workloads on more than 100,000 machines. With filtering, we’re able to process more than more than 500 billion events per day, generating more than 7TB of data per day across the machines.
Is this still true?.. It is written one year ago (May 9, 2017), and other API's have updates since.
I want to know what API I can depend on, if not now, at least in upcoming updates.
Another question: Do I have to use these NuGets too?
Microsoft.Diagnostics.Tracing.TraceEvent.SupportFiles
Microsoft.Diagnostics.Tracing.EventRegister
What API souuld I use to consume ETW:
I read this at https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-2/:
Is this still true?.. It is written one year ago (May 9, 2017), and other API's have updates since. I want to know what API I can depend on, if not now, at least in upcoming updates.
Another question: Do I have to use these NuGets too? Microsoft.Diagnostics.Tracing.TraceEvent.SupportFiles Microsoft.Diagnostics.Tracing.EventRegister