How to collect Event, Error, and Boot Log Tracing logs

Technical Articles ID: KB72868
Last Modified: 11/3/2020

Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0
Microsoft Windows

Summary

To collect Event Trace Logs (ETL) or Error Tracing for Windows (ETW) logs using the Trace Logging tool, perform the following steps:

Enable Host IPS 8.0 debug logging. See KB72869 for details.
Download the EtlTrace.zip tool, from the Attachment section of this article, to the affected system running the Host IPS software.
Extract the EtlTrace.zip tool to a local directory.
Click Start, type cmd.exe in the Search bar, right-click Command Prompt from the list, and select Run as administrator.
Navigate to the directory to which you extracted EtlTrace.zip, and run the following command with administrator rights:

EtlTrace.exe -Start

NOTE: Do not restart your computer after the ETL logging has started, because it will interrupt the logging process.
Reproduce the issue.
Return to the command prompt and run the following command:

EtlTrace.exe -Stop
Collect the EtlTrace.log and Syscore.etl files for Technical Support.

To collect Boot Log Tracing logs using the Trace Logging tool, perform the following steps:

Enable Host IPS 8.0 debug logging. See KB72869 for details.
Download the EtlTrace.zip tool, from the Attachment section of this article, to the affected system running the Host IPS software.
Extract the EtlTrace.zip tool to a local directory.
Press Windows+R, type cmd, and click OK.
Navigate to the directory to which you extracted EtlTrace.zip and run the following command:

EtlTrace.exe -StartBoot
Restart your computer.
At the command prompt, run the following command:

EtlTrace.exe -StopBoot
Collect the EtlTrace.log and Syscore.etl files for Technical Support.

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
Do not run a REG file that is not confirmed to be a genuine registry import file.

NOTE: For Windows Server 2012 R2 systems, the boot time ETL is limited to 100 KB when using EtlTrace.exe. To remove this limitation, add the following registry keys before rebooting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\_Syscore_Etl_Trace
(DWORD) BufferSize = 0x20
(DWORD) MaximumBuffers = 0x40

Attachment

EtlTrace_18.9.zip
83K • < 1 minute @ broadband

Affected Products

Diagnostic Data Collection
Host Intrusion Prevention 8.0

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

How to collect Event, Error, and Boot Log Tracing logs

Environment

Summary

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

How to collect Event, Error, and Boot Log Tracing logs

Environment

Summary

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title