How to display URL Rewrite ETW Events in the Event Viewer

IIS Failed Request Tracing is a powerful way to troubleshoot Web Requests, it provides an easy way to track each execution step for one specific request. URL Rewrite Module provides several events that can be tracked using Failed Request Tracing, here is an article that explains how: https://learn.iis.net/page.aspx/467/using-failed-request-tracing-to-trace-rewrite-rules/

IIS Modules have the ability to publish ETW Events almost for free and URL Rewrite was not the exception and implemented this feature. There are many ways to listening for ETW Event, but one way that I found really easy is using the Event Viewer and the Reliability and Performance tools in Windows 2008 (and Vista).

I’m running Windows 2008, so let me show you how to listen the URL Rewrite ETW events using the Server Manager tool.

  1. Be sure IIS Failed Request Tracing is enabled by following the article above.
  2. Open Server Manager and navigate to Server Manager / Diagnostics / Reliability and Performance / Data Collector Sets / Event Trace Sessions
  3. In the Action Pane select More Actions > New > Data Collector Set
  4. Choose a Name and click Next
  5. In the “Which event trace providers would you like to enable?” step, click Add (wait some seconds) and choose “IIS: WWW Server”:
  6. Step 1
  7. Choose the property “Keywords(Any)” and click Edit. For URL Rewrite events, you need to choose Manual and type the value 0x400. You can optionally mix this value with any other flag available like IISSecurity or IISModule (0x200); if you select Automatic and the flag, you will see in the Manual text box the flag value. Click OK to close the Property dialog.
  8. Now choose the property “Level” and click Edit, this time select Manual and type the number 5. Click OK and the Finish.
  9. A new Event Trace Session has been created. You can click the Start button any time to start listening and recording all the URL Rewrite events.
  10. Step 2
  11. By default, all the recorded data will be stored in the directory %LOCALAPPDATA%, to change this, select the session “URL Rewrite” and choose Properties from the contextual menu. There is a Directory and File tabs change your settings.

Let’s do a break. At this point you had configured Windows to start listening URL Rewrite events; those events will be recorded in a ETL file that can be processed by many tools like Log Parser and TraceRpt.exe. To display those event in the Event Viewer you need:

  1. In the Server Manager tool, navigate to Server Manager / Diagnostics / Event Viewer / Application And Services Logs
  2. Click the action Open Saved Log and choose the ETL file, if you didn't’ change the default settings, it should be at “%LOCALAPPDATA%\URL Rewrite.etl”. Click OK to close the “Open Saved Log” dialog.
  3. Select the URL Rewrite log from the Saved Logs folder:
  4. Step 3
  5. Now you will realized that the Event Viewer only has one part of the information available, the ETL file, it still needs to match that data to some other metadata stored in the WMI repository store in order to show you the formatted data.
  6. Select the “URL Rewrite” log and click the action “Save Events As” and safe the log as “URL Rewrite Events.evtx” (note the new extension).
  7. Once saved, open the new file using, again, the action “Open Saved Log”
  8. Now you click any Event in the list. The General tab won’t show anything relevant, but the Details will:
  9. Step 4

I will have some conclusions later, I have to leave now. Hope you find it somehow useful.

Comments