Windows Log Output to Event Viewer or Text File

Jason A. Donenfeld Jason at zx2c4.com
Thu Oct 14 19:52:50 UTC 2021


On Thu, Oct 14, 2021 at 12:43 PM StarBrilliant <coder at poorlab.com> wrote:
> In fact, Windows Event Logging has two APIs: ETW and WPP.
> The ETW API is, indeed, slow and clunky.
> However, the WPP API is very high-performance. The trace function in Windows native TCP stack is implemented with WPP.

Yes. I have no interest in using binary WPP traces. The kernel driver
now mimics Linux's, having the exact same messaged logs in a simple
printk-like buffer.

> If someone like Frank has the time and ability, they could check this MSDN documentation and try to implement it:
> https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing

Not interested. I won't take patches for that.

> I am not sure if I get Jason's idea: Is current Wireguard driver using a ring buffer of 2,048 messages for logging?

No. Frank is conflating the kernel driver and a simple userspace
service. The userspace service uses a very simple ringlogger format,
with multiple implementations, used for years on different platforms.
The kernel driver doesn't have an on-disk format; it uses a ring
buffer of sorts, but so far that remains irrelevant to this
discussion.

Jason