The schema of EventEntry was not updated using out-of-process semantic logging

Question

I write a custom EventSource class and add a method for log as below:

[EventSource(Name = "MyCompany")]
public class MyCompanyEventSource : EventSource
{
[Event(6, Message = "test.", Keywords = Keywords.Perf,
            Level = EventLevel.Warning)]
        public void Test()
        {
            this.WriteEvent(6);
        }
}

And I used the SemanticLogging-svc.exe -c to start the trace event service, and before execute this cmd I also config the SemanticLogging-svc.xml to

<eventSource name="MyCompany" level="LogAlways"/>

And then I start to call the Test() method. For the first time, the flatFileSink will record the correct level of the event as Warning. However, after I changed the Test() method's level in the attribute to Critical and call the Test() method, the flatFileSink will still record the level as Warning. It was totally wrong! I know it was the the schema of the EventEntry which is the OnNext methods parameter. But if I use in-process listener, the level could be able to updated to Critical which is correct.

So, why is the level still the old one if I use the out-of-process? Is that something issue with the ETW? It looks like there are some cache in the machine. And this cache could not be clear no matter stop and delete the Event Trace Session in Performance Monitor nor restart the computer. I really want to clear this cache but I did not know how to make it.

And I know that if I changed the Version in the Event Attribute or changed the EventSource Name to another, the level will be update for the out-of-process. But it's not a good way I think since we may forgot to change the Version.

So, could someone help me?

Answer 1

The problem stems from the Out-of-Process Logger caching the manifests for event sources: TraceEventManifestsCache.

This cache writes the manifest XML to a temp directory generated with the path:

Path.Combine(Path.GetTempPath(), "7D2611AE-6432-4639-8B91-3E46EB56CADF");

The value of Path.GetTempPath() depends on the user the service is running as, as well as the version of Windows you're running on. In this temp directory you can find your cached manifest.

The service doesn't make it clear under what conditions it flushes the cached manifest, however it doesn't seem to always trigger when you expect.

If you delete the cached file for your manifest, it will force the provider to fetch a new version of the manifest. You should restart the service to make it grab the manifest immediately.

Answer 2

In theory, updating the Version property of the Event attribute should do the trick. Emphasize on should.

It doesn't always work, the schema of your EventSource is stored in a secret magic undocumented location that gets updated somehow at some point if etw feels like it. Rebooting doesn't even help.