
Missing events when event bursts happen even after setting EVENT_TRACE_PROPERTIES to a large number of buffers? #235

Open
subvert0r opened this issue May 29, 2024 · 3 comments


@subvert0r

subvert0r commented May 29, 2024

I have minimized my callback function to just collect as much info as possible and pass that to another thread, but I am still missing some events when a particular provider sends too many events to my callback.

Note that I have a separate callback function for each provider, but I still lose events on all providers when one particular provider sends me too many events. I cannot make my callback functions any faster, and I have already filtered as much as possible.

My question is, is there any way I can configure krabs to somehow save events and not drop them? Memory usage is not a problem for me; if this causes more memory usage, it's fine by me, I just don't want to lose any event. Is there any way I can achieve this?

Even when I set the trace properties like below to a large number of buffers, I am still missing events. For example when I register to the Microsoft-Windows-RPC provider (which generates a lot of events):

    EVENT_TRACE_PROPERTIES properties = { 0 };
    properties.BufferSize = 128;        // size of each buffer, in KB
    properties.MinimumBuffers = 50;
    properties.MaximumBuffers = 500;
    properties.FlushTimer = 1;          // flush interval, in seconds
    properties.LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
    m_userTrace.set_trace_properties(&properties);

So why am I still missing events, even after setting the property to a large number of buffers (500 buffers in this case)?

@subvert0r subvert0r changed the title Any way to make sure I don't miss any event if a particular provider sends too many events to me? Missing events when event bursts happen even after setting EVENT_TRACE_PROPERTIES to a large number of buffers? May 29, 2024
@swannman
Member

Hi @subvert0r, another technique would be to divide the ETW providers across multiple trace sessions. Each trace session gets its own buffer, so you can create a dedicated trace session for each of your noisiest providers and let the low-volume providers share the default one.

@subvert0r
Author

> Hi @subvert0r, another technique would be to divide the ETW providers across multiple trace sessions. Each trace session gets its own buffer, so you can create a dedicated trace session for each of your noisiest providers and let the low-volume providers share the default one.

But why doesn't increasing the BufferSize and the maximum number of buffers help in my case?

Any other way to solve this, other than creating a separate trace session?

@swannman
Member

swannman commented Jun 3, 2024

I haven't experimented with configuring MinimumBuffers and MaximumBuffers, so I can't speak from experience here. If the high volume of events is sustained, rather than a very short burst, then it makes sense that increasing the size or number of buffers would not solve the problem. Creating a separate trace session is the best way I'm aware of to solve this.
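
To make the buffer argument in the two replies above concrete (a dedicated session per noisy provider, and why more buffers absorb a short burst but not sustained overload), here is a small added simulation; it is not krabs or ETW code. Each session is modelled as a bounded pool of events that providers fill and the callback thread drains at a fixed rate, and all buffer counts and event rates are constructed values for illustration.

```cpp
#include <algorithm>
#include <cstdio>

// Toy model of one ETW trace session: a bounded pool of buffers filled by
// providers and drained by the consumer thread that runs the callbacks.
// Constructed illustration only; not krabs or ETW code.
struct SessionModel {
    long capacity;          // max_buffers * events_per_buffer (cf. MaximumBuffers, BufferSize)
    long consume_per_tick;  // how many events the callback thread can drain per tick
    long queued;
    long dropped;
    SessionModel(long cap, long rate) : capacity(cap), consume_per_tick(rate), queued(0), dropped(0) {}

    // A provider offers n events; whatever does not fit is lost, just as ETW
    // drops events once every buffer of the session is full. Returns the loss.
    long offer(long n) {
        long accepted = std::min(n, capacity - queued);
        queued += accepted;
        dropped += n - accepted;
        return n - accepted;
    }
    void drain() { queued -= std::min(queued, consume_per_tick); }
};

struct DropStats { long noisy_dropped; long quiet_dropped; };

// Runs `ticks` ticks with a noisy provider (noisy_rate events/tick for the first
// noisy_ticks ticks; noisy_ticks == ticks means sustained load) and a quiet
// provider (quiet_rate events/tick throughout). With shared == true both feed
// one session; otherwise each has its own session with identical settings,
// which is the split-session layout suggested above.
DropStats simulate(bool shared, long max_buffers, long events_per_buffer, long consume_per_tick,
                   int ticks, int noisy_ticks, long noisy_rate, long quiet_rate) {
    SessionModel noisy_session(max_buffers * events_per_buffer, consume_per_tick);
    SessionModel quiet_only(max_buffers * events_per_buffer, consume_per_tick);
    SessionModel& quiet_session = shared ? noisy_session : quiet_only;
    DropStats stats{0, 0};
    for (int t = 0; t < ticks; ++t) {
        if (t < noisy_ticks) stats.noisy_dropped += noisy_session.offer(noisy_rate);
        stats.quiet_dropped += quiet_session.offer(quiet_rate);  // quiet events arrive after the noisy ones
        noisy_session.drain();
        if (!shared) quiet_only.drain();
    }
    return stats;
}

int main() {
    DropStats burst_small = simulate(true, 20, 10, 100, 100, 5, 150, 10);     // burst, few buffers
    DropStats burst_large = simulate(true, 100, 10, 100, 100, 5, 150, 10);    // burst, many buffers
    DropStats sustained   = simulate(true, 100, 10, 100, 100, 100, 150, 10);  // sustained, shared
    DropStats split       = simulate(false, 100, 10, 100, 100, 100, 150, 10); // sustained, own sessions
    std::printf("quiet-provider drops: burst/small=%ld burst/large=%ld sustained/shared=%ld sustained/split=%ld\n",
                burst_small.quiet_dropped, burst_large.quiet_dropped, sustained.quiet_dropped, split.quiet_dropped);
    return 0;
}
```

Raising the buffer count removes the drops for the 5-tick burst, but under sustained load the shared session still loses the quiet provider's events every tick once the pool is full, while the split layout keeps the quiet provider lossless.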
