How to Show Enumeration Symbols in Event Viewer

  • Question

  • Is EventViewer capable of showing the symbolic value of an enumeration? To date I can only get it to display the enum's integer value.  

    Background:  I am working on a minifilter.  It uses ETW to generate events.
    The events are generated ok and appear in EventViewer.
    However the "FailedOp" datum, which is an enumerated value, always shows up as a number.
    I have defined a mapping from integers to symbols and would like (and expect) EventViewer to show 
    the symbolic value or perhaps both the symbolic and numeric values.

    Here are the relevant portions of the ETW manifest.  The .RC builds ok and the mapping appears
    in the .RES file but EventViewer seems to ignore it.

    The event of interest is described in the manifest using:
              <event
                  channel="FOO-ANALYTIC"
                  level="win:Informational"
                  message="$(string.FailedScanOp.EventMessage)"
                  opcode="win:Info"
                  symbol="FailedOp"
                  template="tid_failed_op_template"
                  value="41"
                  />

    The template is described using:

              <template tid="tid_failed_op_template">
                <data
                    inType="win:UInt16"
                    name="failedOp"
                    map="FailedOpMap"  
                    />
                <data
                    inType="win:HexInt32"
                    name="status"
                    outType="win:NTSTATUS"
                    />
                <data
    ... snip
                    />
              </template>

    The map is described using:
            <maps>
              <valueMap name="FailedOpMap" symbol="FOO_FAILED_OP_MAP" >            
                <map value="0"  symbol="FOM00" message="$(string.FailedOpMessage.value00)" />
                <map value="1"  symbol="FOM01" message="$(string.FailedOpMessage.value01)" />
                <map value="2"  symbol="FOM02" message="$(string.FailedOpMessage.value02)" />
                <map value="3"  symbol="FOM03" message="$(string.FailedOpMessage.value03)" />
                <map value="4"  symbol="FOM04" message="$(string.FailedOpMessage.value04)" />
                <map value="5"  symbol="FOM05" message="$(string.FailedOpMessage.value05)" />
    ... snip
              </valueMap>

    The referenced strings are described using:

          <stringTable>
            <string
                id="FailedScanOp.EventMessage"
                value="FailedScanOp"
                />
            <string id="FailedOpMessage.value00" value="value00" />
            <string id="FailedOpMessage.value01" value="value01" />
            <string id="FailedOpMessage.value02" value="value02" />
            <string id="FailedOpMessage.value03" value="value03" />
            <string id="FailedOpMessage.value04" value="value04" />
            <string id="FailedOpMessage.value05" value="value05" />
    ... snip
          </stringTable>




    Monday, December 17, 2012 9:40 PM
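
The reference chain in the manifest fragments above (a template `data` element's `map` attribute, then the `valueMap`, then the `$(string...)` reference, then the `stringTable`) can be resolved offline to decode a raw `failedOp` value. This is an added example, not part of the original post or any reply, and it does not reproduce how Event Viewer renders events; the wrapper elements, the provider name `FOO-SAMPLE` and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed manifest reduced from the fragments in the question; the wrapper
# elements and the provider name are assumptions added to make it well-formed.
MANIFEST = """\
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
 <instrumentation><events><provider name="FOO-SAMPLE">
  <templates><template tid="tid_failed_op_template">
   <data inType="win:UInt16" name="failedOp" map="FailedOpMap"/>
   <data inType="win:HexInt32" name="status" outType="win:NTSTATUS"/>
  </template></templates>
  <maps><valueMap name="FailedOpMap" symbol="FOO_FAILED_OP_MAP">
   <map value="0" symbol="FOM00" message="$(string.FailedOpMessage.value00)"/>
   <map value="1" symbol="FOM01" message="$(string.FailedOpMessage.value01)"/>
  </valueMap></maps>
 </provider></events></instrumentation>
 <localization><resources culture="en-US"><stringTable>
  <string id="FailedOpMessage.value00" value="value00"/>
  <string id="FailedOpMessage.value01" value="value01"/>
 </stringTable></resources></localization>
</instrumentationManifest>"""

def _all(root, name):
    """Yield descendant elements by local name, ignoring the XML namespace."""
    return (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name)

def load_maps(manifest_xml):
    """Return {(template tid, field name): {int value: (symbol, text)}}."""
    root = ET.fromstring(manifest_xml)
    strings = {s.get("id"): s.get("value") for s in _all(root, "string")}
    value_maps = {}
    for vm in _all(root, "valueMap"):
        entries = {}
        for m in _all(vm, "map"):
            # message is either literal text or a $(string.<id>) reference
            ref = re.fullmatch(r"\$\(string\.(.+)\)", m.get("message", ""))
            text = strings.get(ref.group(1)) if ref else m.get("message")
            entries[int(m.get("value"), 0)] = (m.get("symbol"), text)
        value_maps[vm.get("name")] = entries
    return {(t.get("tid"), d.get("name")): value_maps.get(d.get("map"), {})
            for t in _all(root, "template") for d in _all(t, "data") if d.get("map")}

def render(maps, tid, field, raw):
    """Render a raw field value as 'text (symbol=raw)', or the bare number."""
    symbol, text = maps.get((tid, field), {}).get(raw, (None, None))
    return f"{text} ({symbol}={raw})" if text is not None else str(raw)

if __name__ == "__main__":
    print(render(load_maps(MANIFEST), "tid_failed_op_template", "failedOp", 1))
```

A value with no `map` entry, or a `$(string...)` reference that does not resolve in the `stringTable`, falls back to the bare integer.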

All replies

  • I think you can only display the value if you are providing an integer into the log

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, December 17, 2012 9:42 PM
  • The inType is an integer.  A UInt16.  See:

    ...

    inType="win:UInt16"
    name="failedOp"
    map="FailedOpMap"

    Monday, December 17, 2012 9:44 PM