Can splunk listen to events written to ETW the way the new Semantic Logging application block can?
There's a SLAB sink for Splunk now: http://www.nuget.org/packages/Splunk.Logging.SLAB/
For more info, see this blog post.
As you probably already know, the Windows Event Log is built on top of ETW...needless to say, ETW has been around for a long time. For most of these type of technologies, ETW requires a registered provider (such as an application) and a consumer. Obviously, if the ETW is writing to the Event Log, then it is easy for Splunk to consume. What if it is not? In that case you have a couple options:
1- use the logman command
2- Powershell(?)/ C#: you will need to hack some code together to consume the data and forward it to Splunk.
Feel free to describe more about you use case and hopefully we can help you out further.
Here is a blog post with logman examples as well as links to other tools: http://blogs.msdn.com/b/oanapl/archive/2009/08/05/etw-event-tracing-for-windows-what-it-is-and-usefu...
I think that a complete answer to this question should have samples that work with Splunk.
Maybe I was not clear and I apologize for that. The answer is, yes Splunk can get data from ETW. However, as you stated from one of your comments, there has to be listeners configured. Splunk can do that. It's done all the time. If the data is human readable, or made to be human readable, the data can be Splunked. Here is a reference to a doc. http://docs.splunk.com/Documentation/Splunk/5.0.1/Data/Setupcustominputs
My suggestion is to start playing with Splunk. It is very flexible and agile...even for Windows app and os monitoring.
In case I was not clear with my original question -- I realize that Splunk can consume flat files and windows event log. From your responses (and thanks for taking time to answer) I understand that Splunk cannot listen to ETW. That is all I wanted to know. It would be great if anyone from Splunk could confirm it.
In this case you have 2 options: send the data to a syslog for consumption and get Splunk to grab it from there; the other option is to have Splunk read the Event Log. This will save coding time.
Yes, you will need to install a forwarder on your Windows machine but the impact is very minimal especially for something like this.
Also, search on this forum to see the impact from other users forwarders consume. Most of the answers are being answered by non-Splunk employees.
I'm not at all familiar with Splunk in detail. I hoped it was more than just listening to file system and then parsing those files.
AFAIK ETW does not write anywhere unless there are listeners capturing. So I have listeners that hear and write to files and windows Event Log. For that I have to explicitly run a windows service and implement and configure eventlog listener. Splunk in turn listening to what I produce would be an overhead. I hoped Splunk could go directly, the way PerfView can, for example.