TraceLog Main Topic | Next
TraceLog Syntax
tracelog [Management options] [Buffer options] [Log file options] [System level tracing options] [Provider-specific options] | [-h | -help | -?]
Where:
Management options: Starting, stopping, updating and querying a trace session
- -guid file
- starts tracing for providers in file specified. The file with a list of GUIDs for event tracing. Each GUID corresponds to a traceable event. One cannot just provide a GUID, even if it is just one GUID; it has to be included in a file. To begin system tracing, no GUID file is necessary (see example 1). To enable directory service events, the control.guid file has been provided with the tool (see example 2).
- -start [logger_name]
- starts a trace session. You need to give a logger name for the events to trace. If it is a system trace, you don't need to specify a logger name, since the default logger name would be taken as "NT kernel logger" (see examples 1 and 2).
Note
System and application traces could be started simultaneously, but you must specify a different logger name for the application trace (see example 3).
- -stop [logger_name]
- stops a trace session. You have to specify the instance name of the events for which you would like tracing to discontinue. For stopping system tracing, you need not specify any logger name (see example 4).
- -update [options] [logger_name]
- Update the current trace session. This would be useful when you would like to change the file name of the log file (maybe directing it to a different disk) or change some buffer parameters, or change to real time mode, or some other changes.
The following options can be updated for the kernel logger (system trace):
| Option | Action |
| -rt | Mode switch. To switch to and from real time mode. |
| -f logfile_name | New logfile name to switch logfile. |
| -ft n | Change the flush timer. |
| -max n | Change the maximum number of buffers. |
| "-nodisk" "-noprocess" "-nothread" "-nonet" "-fio" "-pf" "-hf" "-img" "-cm" | Flags. These flags apply only to the NT kernel logger. |
All updates should be provided in a single update statement. For example, to switch to real-time processing and increase the maximum number of buffers:
Tracelog ûupdate ûrt ûmax 40
- -x
- stops all active trace sessions. Stops all system and otherwise traces. Completes halt to event tracing.
- -l
- queries to list all the ongoing traces.
- -q
- queries to list the system trace only.
Buffer options
- -b n
- sets buffer size to n kilobytes. gives the buffer size. You would generally like to give the size to be multiple of the page size (for x86-based computers the page size is 4 kilobytes). A small size increases the flush frequency. The kernel, depending on the memory capacity, chooses the default.
- -min n
- sets minimum buffers. This is the number of buffers to pre-allocate. If logging is frequent, set a higher number. Default is 2.
- -max n
- sets maximum buffers in pool. This limits the amount of memory consumed for each tracing session. Default is 25.
- -ft n_seconds
- Set flush timer to n seconds. After a buffer gets filled up, it gets flushed to the log file or to the consumer-for real time tracing. This option allows you to specify the time after which to force a flush. Especially useful for real time tracing.
- -age n_minutes
- modifies aging decay time. If a buffer has been allocated but isn't being used, or the last n minutes have passed, it is freed. This is generally useful for light tracing, so that memory is freed. This has nothing to do with maximum buffers that have been allocated. That value remains the same. Default is 15 minutes.
Log file options
- -rt [b]
- enables tracing in real time mode.
- -f name
- logs to name file. Specifies the log file to which the buffer will be flushed. The consumer will use this file for its analysis. The default name and location is c:\logfile.etl. Use a different file name for each instance of tracing required (-o filename option).
- -seq n_mbytes
- sequential logfile of up to n indicates that the logging should be sequential and the file size is n megabytes. By default, logging is sequential.
- -cir n_mbytes
- Circular logfile of n megabytes. indicates that logging should be circular. After the file size is reached, logging starts from the beginning of the file again. The header information is not lost however.
System level tracing options
Provide more specific control over system level (kernel) tracing. In order to understand these controls, it is important to understand something about system level tracing. The following events can be traced at the system level:
- Process start/end
- Disk I/O
- Network TCP/IP, UDP/IP
- Thread start/end
- Image Load
- Registry calls
- File I/O
- Page Fault
Of these, the first 4 are enabled by default. The last 4 are not enabled, as this would generate a significant amount of extra load (resource utilization), which is best to avoid.
- -nf n
- sequentially to new file every n Mb.
- -fio
- enables file I/O tracing.
- -pf
- enables page faults tracing.
- -hf
- enables hard faults tracing. Hard page faults are those that involve a physical read, such as: read from the disk.
- -img
- enables image load tracing.
- -um
- enables Process Private tracing. In this case, the buffer is established in the private process space instead of the kernel space.
Note
By default, the buffer is started in the kernel space.
Provider specific options: Provider level options
In order to use the following options, the provider should have this functionality enabled. One would therefore have to check with the provider (like the operating system or the directory service), before using these options.
- -level n
- provider-specific: a provider could have number of levels of tracing. A higher number would indicate a deeper level of tracing.
- -flags n
- provider-specific: perform more specific tracing. The flag passed depends on functionality available in the provider used.
- [-h | -help | -?]
- displays command-line help.
The default with no options is: tracelog -q.