Possible bugs when capturing events. about krabsetw HOT 4 CLOSED

I will look into this one today. It may take me a little time.

from krabsetw.

Alright - I had some success in understanding the issues you're seeing. Here's the short version:

1. The "message" and "ex" fields you're logging aren't being logged as ANSI strings, they're being logged as Counted Strings. You need to call record.GetCountedString("message")
2. I cannot explain why the record.Id fields are wrong but I was able to confirm that krabsetw is parsing them correctly. I pulled dumped the events in PerfView and they show the IDs to be 4 and 5 respectively, like you're seeing in krabsetw.

Long Version

For the issue of ANSI versus Counted String, this one is hard to identify without using a debug version of the Lobsters DLL (O365.Security.Native.ETW). With the debug version, it will assert under the debugger if you try to call the wrong type-getter on a field. I will open an issue to either create a debug-version of this lobsters or make a multi-configuration nuget package.

Here's an example of the assert:

For the record ID thing, I'm not sure how to think about that. We don't use System.Diagnostics.Tracing.EventSource in our code base so this is the first time I've tried to debug one. Here's what I'm seeing under PerfView when I dump the events:

Dumped LogEvent event

Dumped LogError event

from krabsetw.

Debug version of O365.Security.Native.ETW available now as NuGet package: https://www.nuget.org/packages/O365.Security.Native.ETW.Debug/1.0.0.

This will produce the type asserts I screen-shotted above.

from krabsetw.

Please let me know if you're still having trouble. If I don't hear from you I'll close the issue on Friday.

from krabsetw.