o Writing any trace message to the Application event log. Once in the event log, enterprise monitoring products can alert accordingly.

o Using the built-in SMTP functionality. Setting all SMTP parameters in a configuration file enables SMTP functions to send a message when match is found and optionally when a file upload is complete.

o Using the eventcommand to run a process that does any additional notifications. An example of this would be to forward an event using eventcreate.exe.

• Action - Cdfmonitor can run a specified command when a match occurs. This can be a path to script or a command with arguments. Examples of this are:

o Run a command with arguments and with eventcommandwait that gathers logging to be compressed for URL.

o Run additional notification type commands as mentioned above.

o Run a script to perform multiple commands and eventcommandwait for logging of results or for synchronization.

Detail:

Cdfmonitor is a .net console utility that uses Microsoft Event Tracing for Windows (ETW) to consume specified Citrix module trace events as they occur. The utility is configured by editing the Cdfmonitor.exe.config. By default the utility will write match information to the console. Optional capabilities are:

• Write an event ID 100 to the Application event log when match occurs

• Write match and debug information to a log file

• Run as a service for permanent monitoring

• Manage remote instances of cdfmonitor

• Run a command when match occurs

• Write an event ID 101 to the Application event log with command results

• Send a SMTP message when a match occurs

• Zip and upload specified files to a URL when a match occurs

This utility is completely stand-alone and does not require the enablement of any CDF tracing/logging outside of the utility for the utility to work. When the utility is launched, it creates a classic ETW controller and consumer session to register for specified module or modules. The flags are hard coded to level 16 and trace consumer is set to real-time as compared to an output file. A console with utility configuration is displayed unless hidden configuration is enabled. As each event is received, it is sent to a background worker thread to be parsed to find a match for the given Regex expression. If a match is found, information is written to console and all other enabled options in the configuration file are performed. If eventthrottle is enabled, subsequent matches are ignored until a timer expires. The throttle and max match counts are checked and the utility exits if maxcount is reached. Before the utility exits, the controller and consumer session are disposed and the missed event count if any appears. Missed events should not normally occur.

Average CPU utilization of Cdfmonitor should be 0 to less than 3 percent, depending on the configuration. Misconfiguration of the configuration file could cause performance issues. For example, a wild-card regex with logfile and writeevent enabled takes more resources than a specific regex with no logging or eventing would take. Always test the configuration before deploying and make sure utilization of Cdfmonitor is as expected. There are two specific configurations to throttle the utility and should only be disabled if needed once a configuration has been tested. They are eventthrottle and eventmaxcount.

Console output displays different colors depending on type and content of the message. This does not necessarily indicate that the message is an issue. They are simple string matches in the trace string and used to notify a match or debug trace. The colors are hard coded to use the following colors and are applied in this order:

Prerequisites

The following components are required to use CDFMonitor:

• A Windows machine with at least .Net 3.5.

• A Citrix product that produces CDF traces.

How to Use CDFmonitor

Arguments:

All configurations are in the 'cdfmonitor.exe.config' file. Arguments can be displayed by typing cdfmonitor.exe /?.

All arguments with a colon(:) require a space between argument and value. ex: /path: c:\temp.

Optional arguments:

Configuration File (Cdfmonitor.exe.config):

The configuration file contains all variables for the utility. All numbered values and True or False values are populated by default. All empty values take text strings in the default configuration file shown below. All empty values are optional except for GUID and regex which are both required for the utility to run:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="modules" value=""/>
    <add key="regex" value= "" />
    <add key="tmfguid" value= "" />
    <add key="tmffunction" value= "0" />
    <add key="debug" value= "False" />
    <add key="writeevent" value= "False" />
    <add key="eventthrottle" value="1" />
    <add key="eventcommand" value="" />
    <add key="eventcommandwait" value="False" />
    <add key="eventmaxcount" value="1" />
    <add key="startupcommand" value="" />
    <add key="logfilename" value="" />
    <add key="logtoconsole" value="True" />
    <add key="hidden" value="False" />
    <add key="smtpserver" value="" />
    <add key="smtpport" value="25" />
    <add key="smtpsendto" value="" />
    <add key="smtpsendfrom" value="" />
    <add key="smtpsubject" value="" />
    <add key="smtpuser" value="" />
    <add key="smtppassword" value="" />
    <add key="smtpssl" value="False" />
    <add key="urlfiles" value="" />
    <add key="urlsite" value="" />
    <add key="urluser" value=""/>
    <add key="urlpassword" value=""/>
    <add key="tmfcachedir" value= "" />
    <add key="tmfserver" value= "" />
  </appSettings>
</configuration>

Configuration File Definitions:

• Modules - modules is a single or multiple Citrix CDF module Guids. Use ‘/enummodules’ to list all module guids from registry. Multiple guids are separated by semicolon and wrapped in braces ‘{}’. Asterisk ‘*’ can be used to specify all modules though this is not normally recommended for performance reasons.

• Regex - regex is a regular expression pattern used to find matching trace messages to trigger an event on. Regex is standardized across multiple languages. See 'References' for additional information.

• TmfGuid – tmfguid can be used to specify specific tmf file guid that contains trace message. This is not normally used but is there if performance is a concern.

• TmfFunction – tmffunction is used in association with tmfguid to specify the trace message id specified in tmf file. This is not normally used but is there if performance is a concern.

• Debug - debug is a switch to turn on debug logging in the console and log file. Debug logging will be dark yellow in console output. Debug will show some extra debugging information as well as guid, process, thread, tmf function id, and event bytes for every matched trace statement.

• WriteEvent - writeevent will write an event to the Application event log using event ID 100 when trace match is found.

• EventThrottle - eventthrottle will only process a match once per specified value in minutes. A value of 0 will disable throttle. Disabling throttle is not recommended unless that is the intended result. The throttles design is to limit unintended triggers due to misconfiguration of the utility and\or multiple matches in short time frame.

• EventCommand - eventcommand (optional) is a semicolon separated list of commands to be run when match is found. If named groups are used in ‘regex’ expression, the named group matches can be inserted into command string. See ‘REGEX’ section for additional information.

• EventCommandWait - eventcommandwait will wait for command value specified in eventcommand to finish. It will also write eventcommand output to application eventlog eventid 101. Cdfmonitor is multi-threaded but traces could drop if eventcommandwait is set to ‘True’ and eventcommand takes a long time to complete.

• EventMaxCount - eventmaxcount will limit the total amount of times Cdfmonitor can match an event. When match count equals specified value, Cdfmonitor will exit. A value of 0 will disable max count. Disabling eventmaxcount is not recommended until configuration has been tested and that is the intended result. The max count value is to limit unintended triggers due to misconfiguration of the utility.

• LogFileName - logfilename (optional) will write all Cdfmonitor console output to log file.

• LogToConsole –logtoconsole when true will write all information to console window.

• Hidden - hidden determines whether console is displayed when utility is started.

• SMTP settings. Sending SMTP messages is optional and all smtp settings have to be populated except for smtpuser and smtppass to work. Leave settings unpopulated to disable.

o SMTPServer - smtpserver is the FQDN of the smtp server

o SMTPPort - smtpport is the TCP port used to communicate with SMTPServer. This should normally be port 25.

o SMTPSendTo - smtpsendto is the recipients email address to be notified when match occurs. Multiple addresses can be set separated by semicolon.

o SMTPSendFrom - smtpsendfrom is the senders email address.

o SMTPSubject - smtpsubject - is the subject of the SMTP email

o SMTPUser - smtpuser (optional) is the user authentication if needed to send smtp. The format used is same as for other authentication mechanisms. Example ‘domain\user’, ‘user@domain’, ‘user’, …

o SMTPPassword - smtppassword (optional) is the password if needed to send smtp. If smtpuser is populated and smtppassword is empty, a credentials dialog will be displayed to enter password.

o SMTPSSL - smtpssl is used to enable SSL communications for SMTP.

• URL settings. Compressing and sending files to URL server is optional and all URL settings have to be populated for URL to work. Leave settings unpopulated to disable. FTP, HTTP, and HTTPS are supported. HTTPS automatically accepts all certificates. Proxy information if populated will be inherited from Internet Explorer settings.

o URLFiles - URLfiles is a semicolon separated absolute path and name list of files to compress and URL when match occurs. Currently only files of mime type ‘text’ are compressed.

o URLSite - urlsite is the url to upload compressed file to after files are compressed.

o URLUser - urluser is the url user account.

o URLPassword - urlpassword is the url user password. If urluser is populated and urlpassword is empty, a credentials dialog will be displayed to enter password.

• TmfCacheDir – tmfcachedir is location where downloaded tmf files are stored or can be stored.

• TmfServer – tmfserver is a semicolon separated list of either UNC or url addresses to be searched when tmf file is needed. The default Citrix tmf location is ‘http://ctxsym.citrix.com/tmfs/xaxd/’.

REGEX:

The Regex expression is the trace string pattern to match. The expression can contain multiple patterns; see References section for additional information. Any standard Regex syntax should work with this utility. XML format however, requires escaping of the following predefined entities:

With Regex named groups, ‘<’ = ‘ &lt;’ and ‘>’ = ‘&gt;’. An example escaped Regex string formatted for config file with named groups (?<%name%>):

• Before XML Parser: <add key="regex" value= "deregister reason : (?&lt;reason&gt;\w{1,})|register for worker\s*(?&lt;rsid&gt;.*?):.*?:(?&lt;rsession&gt;.*)&quot;|deregister for worker\s*(?&lt;dsid&gt;.*?):.*?:(?&lt;dsession&gt;.*)&quot;|SetWorkerHostUriSpn:\s*ipAddress:(?&lt;ipaddress&gt;.*?),\s*workerAddress:(?&lt;workeraddress&gt;.*?),.*" />

• After XML Parser: deregister reason : (?<reason>\w{1,})|register for worker\s*(?<rsid>.*?):.*?:(?<rsession>.*)"|deregister for worker\s*(?<dsid>.*?):.*?:(?<dsession>.*)"|SetWorkerHostUriSpn:\s*ipAddress:(?<ipaddress>.*?),\s*workerAddress:(?<workeraddress>.*?),.*

EVENTCOMMAND:

Using named groups along with a specially formatted eventcommand will allow the group match to be inserted into the eventcommand string. ‘?<%name%>command:’ at the beginning of the command identifies the command to only be run when that named group is matched. If this is not specified, the command will run for any regex match. ‘?<%name%>’ is used where the named group match is to be placed in the eventcommand string. Example eventcommand string with named groups:

• Before XML Parser: add key="eventcommand" value="?&lt;workeraddress&gt;command:cmd.exe /c echo connect sid: ?&lt;rsid&gt; session: ?&lt;rsession&gt; workeraddress:?&lt;workeraddress&gt; &gt;&gt; c:\temp\sessions.txt;?&lt;reason&gt;command:cmd.exe /c echo disconnect sid: ?&lt;dsid&gt; session: ?&lt;dsession&gt; reason: ?&lt;reason&gt; &gt;&gt; c:\temp\sessions.txt;?&lt;ipaddress&gt;command:ping ?&lt;ipaddress&gt;" />

• After XML Parser:

o eventcommand:?<workeraddress>command:cmd.exe /c echo connect sid: ?<rsid> session: ?<rsession> workeraddress:?<workeraddress> >> c:\temp\sessions.txt

o eventcommand:?<reason>command:cmd.exe /c echo disconnect sid: ?<dsid> session: ?<dsession> reason: ?<reason> >> c:\temp\sessions.txt

o eventcommand:?<ipaddress>command:ping ?<ipaddress>
If using multiple named groups in the regex expression, matches for the named group will be cached until a new match replaces it. This gives the ability to use named group matches from multiple trace statements in the same eventcommand command string.

From the above regex and eventcommand examples, the following would occur on a XenDesktop 4 broker when a VDA de-registers and registers:

• de-registration matches:

o regex:

§ deregister for worker\s*(?<dsid>.*?):.*?:(?<dsession>.*)"

§ deregister reason : (?<reason>\w{1,})

o trace matches:

§ 2011-05-17T23:27:30.1843855-04:00:"CdsController:2:1:Deregister for worker S-1-0-00-1111111111-222222222-3333333333-4444:3333333333333333:333333333333333333"

§ 2011-05-17T23:27:30.1912431-04:00:"CdsController:2:1: Worker deregister reason : Shutdown"

o commands:

§ starting eventcommand C:\WINDOWS\system32\cmd.exe /c echo disconnect sid: S-1-0-00-1111111111-222222222-3333333333-4444 session: 634412592452177938 reason: Shutdown >> c:\temp\sessions.txt with wait

o result in sessions.txt:

§ disconnect sid: S-1-0-00-1111111111-222222222-3333333333-4444 session: 634412592452177938 reason: Shutdown

• registration matches:

o regex:

§ register for worker\s*(?<rsid>.*?):.*?:(?<rsession>.*)"

§ SetWorkerHostUriSpn:\s*ipAddress:(?<ipaddress>.*?),\s*workerAddress:(?<workeraddress>.*?),.*

o trace matches:

§ 2011-05-17T23:29:34.4711002-04:00:"CdsController:2:1:Register for worker S-1-2-11-2222222222-222222222-222222222222222:444444444444444444:44444444444444444"

§ 2011-05-17T23:29:34.5163182-04:00:"CdsController:2:1:SetWorkerHostUriSpn: ipAddress:10.10.10.10, workerAddress:CTRIXTest.get.citrix.com, workerSpn:HOST/CITRIX-TEST1"

o commands:

§ starting eventcommand C:\WINDOWS\system32\cmd.exe /c echo connect sid: S-1-2-11-2222222222-222222222-222222222222222 session: 634412861639306753 workeraddress:CTRIXTest.get.citrix.com >> c:\temp\sessions.txt with wait

§ starting eventcommand ping 10.10.10.10 with wait

o result in sessions.txt:

§ connect sid: S-1-2-11-2222222222-222222222-222222222222222 session: 634412861639306753 workeraddress:CTRIXTest.get.citrix.com

o result from ping:

§ SUCCESS: eventcommand process result:

Pinging 10.10.10.10 with 32 bytes of data:

Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time=1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.10.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

Console Output from example:

C:\temp>CDFMonitor
--------------------------------------------------------------------------------------------
New CDFMonitor session:5/17/2011 11:25:44 PM
modules:*
regex:deregister reason : (?<reason>\w{1,})|register for worker\s*(?<rsid>.*?):.*?:(?<rsession>.*)"|deregister for worker\s*(?<dsi
d>.*?):.*?:(?<dsession>.*)"|SetWorkerHostUriSpn:\s*ipAddress:(?<ipaddress>.*?),\s*workerAddress:(?<workeraddress>.*?),.*
tmfguid:
tmffunction:0
writeevent:False
debug:False
eventthrottle:0
eventcommand:?<workeraddress>command:cmd.exe /c echo connect sid: ?<rsid> session: ?<rsession> workeraddress:?<workeradd
ress> >> c:\temp\sessions.txt
command:C:\WINDOWS\system32\cmd.exe
arguments:/c echo connect sid: ?<rsid> session: ?<rsession> workeraddress:?<workeraddress> >> c:\temp\sessions.txt
eventcommand:?<reason>command:cmd.exe /c echo disconnect sid: ?<dsid> session: ?<dsession> reason: ?<reason> >> c:\temp\
sessions.txt
command:C:\WINDOWS\system32\cmd.exe
arguments:/c echo disconnect sid: ?<dsid> session: ?<dsession> reason: ?<reason> >> c:\temp\sessions.txt
eventcommand:?<ipaddress>command:ping ?<ipaddress>
command:ping
arguments:?<ipaddress>
eventcommandwait:True
eventmaxcount:0
sessionName:CDFMonitor
logfilename:c:\temp\cdfmonitor.log
logtoconsole:True
hidden:False
smtpserver:
smtpport:25
smtpsendto:
smtpsendfrom:
smtpsubject:
smtpuser:
sendsmtp:False
smtpssl:False
urlfiles:
urlsite:
urluser:
sendURL:False
tmfserver:http://ctxsym.citrix.com/tmfs/xaxd/
tmfcachedir:c:\temp\tmfs
CDFMonitor Running. If using psexec, Press 'Q' and 'Enter' to quit.
2011-05-17T23:27:30.1843855-04:00:"CdsController:2:1:Deregister for worker S-1-0-00-1111111111-222222222-3333333333-4444
:3333333333333333:333333333333333333"
2011-05-17T23:27:30.1912431-04:00:"CdsController:2:1: Worker deregister reason : Shutdown"
starting eventcommand C:\WINDOWS\system32\cmd.exe /c echo disconnect sid: S-1-0-00-1111111111-222222222-3333333333-4444
session: 634412592452177938 reason: Shutdown >> c:\temp\sessions.txt with wait
SUCCESS: eventcommand process result:

2011-05-17T23:29:34.4711002-04:00:"CdsController:2:1:Register for worker S-1-2-11-2222222222-222222222-222222222222222:444444444444444444:44444444444444444"
2011-05-17T23:29:34.5163182-04:00:"CdsController:2:1:SetWorkerHostUriSpn: ipAddress:10.10.10.10, workerAddress:CITRIX-E
4ECF1BE.get.services.citrite.net, workerSpn:HOST/CITRIX-TEST1"
starting eventcommand C:\WINDOWS\system32\cmd.exe /c echo connect sid: S-1-2-11-2222222222-222222222-222222222222222 ses
sion: 634412861639306753 workeraddress:CTRIXTest.get.citrix.com >> c:\temp\sessions.txt with wait
SUCCESS: eventcommand process result:
starting eventcommand ping 10.10.10.10 with wait
SUCCESS: eventcommand process result:
Pinging 10.10.10.10 with 32 bytes of data:

Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time=1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128
Reply from 10.10.10.10: bytes=32 time<1ms TTL=128

Ping statistics for 10.10.10.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

Output:

When the trace is stopped, the console and optional log display the following session information:

• Tmf server missed events – the number of unique tmf file download failures from the tmf server. Tmf files are dynamically downloaded from the tmf server. If the tmf file does not exist on the server, it is not re-requested.

• Tmf server hit events – the number of unique tmf file download successes from the tmf server.

• Tmf cache missed events – the number of unique tmf file missed events from the tmf cache location specified in the configuration file tmfcachedir.

• Tmf cache hit events – the number of unique tmf file hit events from the tmf cache location specified in the configuration file tmfcachedir.

• Tmf parse errors – the number of errors that occurred while trying to parse a tmf. There are multiple reasons for a tmf parse error. These only occur for unmanaged code when: the tmf file is not available, the tmf file is the wrong version, there was an error formatting a trace event string with the configured tmf format, or if the machine running the utility cannot contact the public tmf server. As long as the trace statements being searched for are not the traces causing the error, then this value should not be a concern. To determine exactly why these errors are occurring, use a debug build of CDFMonitor and DebugView from SysInternals to capture detailed output from the TMF parser.

• Error|warning|fail|exception events – The number of events processed by the utility that contained any of the following words: error, warning, fail, exception. The traced message containing these words may or may not be an issue but are common words to look for.

• Processed events – the number of events processed from the ETW controller by the utility.

• Matched events - matched events are the number of events that were parsed with a regex expression and were matched.

• Throttled events - throttled events are the number of events that were matched but no action was taken because of configuration of eventthrottle in the configuration file.

• Missed events - missed events are the number of events that were received by the consumer but were not processed no background worker threads were available. This is not a counter of missed events from controller to consumer.

• Missed console events – number of events missed by console output. These missed console events are still parsed for match and written to the logfile.

• Missed controller events – the number of events reported by the ETW controller that have been missed by the consumer.

• Start time - start time is when Cdfmonitor was started.

• End time - end time is when Cdfmonitor was stopped.

• Finalizing - cleanup of the session has started.

• Finished - finished is the last output from the utility when the utility is closed.

Known Issues and Limitations:

The design of classic ETW is that it only allows one session to enable a classic provider. Because of ETW design, Cdfmonitor is designed to allow only one instance to execute. Additionally, this also means Cdfmonitor cannot be used at the same time with other ETW/CDF utilities using the same provider. An example of this is using CDFControl and Cdfmonitor concurrently on the same provider. This does NOT affect logging generated by modifying the .net ‘.config’ files of .net binaries to enable CDF logfile as mentioned in CTX articles above. .Net .config file logging and Cdfmonitor can be used concurrently. For additional information, see ‘EnableTrace Function’ link in References section below.

Troubleshooting:

In general, for any issue, it would be good to run CDFMonitor /update to check and download the latest version of the utility. Below are some common issues and troubleshooting steps that can be used if you are having problems with the utility:

• Utility displays no output or returns immediately:

1. Verify that the configuration file is properly formatted.

1. Test with a clean configuration file.

1. Verify that .net 3.5 is installed.

1. Verify that a Citrix product is installed on the machine where the utility is being run.

1. Run CDFMonitor /clean.

1. Set debug to True in the configuration file and run the utility.

1. Verify that there are no other instances of CDFMonitor running.

1. Verify that logtoconsole is set to True.

1. Verify that hidden is set to false.

• Utility shows high CPU usage:

1. Verify that the module list is correct and is the minimum list needed.

1. Verify that the regular expression is correct and is the least complex needed. See the Reference section below.

1. Test with a smaller module list or simpler regex.

1. Set debug to True in the configuration file and run the utility.

1. Gather the actual TMF GUID and TMF function ID from the utility in debug and configure those options in the configuration file.

• Utility not matching any events:

1. Set debug to True in the configuration file and run the utility.

1. Run CDFMonitor.exe /regex: .* /modules: * to get an all-module trace to see if any trace events are being received.

1. Verify that CDF tracing works with another utility like CDFControl.

1. Verify that the regular expression is correct and is the least complex needed. See Reference section below.

1. Run CDFMonitor /clean.

• Utility getting high count of tmf parse errors:

1. Verify that the utility has access to internet.

1. Run CDFMonitor /downloadtmfs to verify that the utility is able to download tmf files.

1. Verify that the tmfcachedir path is correct in the configuration file.

1. Verify that the tmfserver path is correct. Currently this is http://ctxsym.citrix.com/tmfs/.

1. Verify that the Citrix application being traced has tmf files on the tmf server. Currently, XenDesktop, XenApp, and ICA Client products are on the tmf server. Other Citrix products might have tmf files for download.

1. Run debug version of utility with DebugView to gather additional logging.

Example Configuration Files:

This sample configuration file monitors the XenDesktop 4 ImaProxy service module for a trace message containing the string ‘Exception’. When the string is matched, an event is written to the event log, and the procdump command from Sysinternals is executed. The procdump command creates a dump file for imaproxy. When the command completes, the imaproxy.dmp file and imaproxy.log file are zipped and sent to the FTP server ftp://ftpserver.foo.com. An SMTP email is sent to recipient@foo.com’ Based on throttle, this could only trigger once a day and after two matches, Cdfmonitor exits.

Sample Config file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key=“modules” value="{56C6CDE1-7A81-4A23-82DA-1C5717AE1036}"/>
    <add key="regex" value= "Exception" />
    <add key="tmfguid" value=  />
    <add key="tmffunction" value= "0" />
    <add key="debug" value= "False" />
    <add key="writeevent" value= "True" />
    <add key="eventthrottle" value="1440" />
    <add key="eventcommand" value="procdump cdsimaproxy.exe c:\temp\imaproxy.dmp" />
    <add key="eventcommandwait" value="True" />
    <add key="eventmaxcount" value="2" />
    <add key="logfilename" value="cdfmonitor.log" />
    <add key="logtoconsole" value="True" />
    <add key="hidden" value="False" />
    <add key="smtpserver" value="smtp.foo.com" />
    <add key="smtpport" value="25" />
    <add key="smtpsendto" value="recipient@foo.com" />
    <add key="smtpsendfrom" value="cdfmonitor@foo.com" />
    <add key="smtpsubject" value="cdfmonitor" />
    <add key="smtpuser" value="" />
    <add key="smtppassword" value="" />
    <add key="smtpssl" value="False" />
    <add key="urlfiles" value="c:\temp\cdsimaproxy.dmp;c:\temp\cdsimaproxy.log" />
    <add key="urlsite" value="ftp://ftpserver.foo.com" />
    <add key="urluser" value="anonymous"/>
    <add key="urlpassword" value="cdfmonitor@foo.com"/>
    <add key="tmfcachedir" value=  />
    <add key="tmfserver" value= "http://ctxsym.citrix.com/tmfs/" />
  </appSettings>
</configuration>

This example will run continuously monitoring the XenDesktop 4 CDSController service module for Virtual Desktop Agent (VDA) soft registrations. When a match is found, it will be written to the Application event log and to cdfmonitor.log.
Sample Config file:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key=“modules” value="{C8549162-2B14-40e1-B644-BD921BB2FCC1}" />
    <add key="regex" value= "Accept soft registration for" />
    <add key="tmfguid" value=  />
    <add key="tmffunction" value= "0" />
    <add key="debug" value= "False" />
    <add key="writeevent" value= "True" />
    <add key="eventthrottle" value="0" />
    <add key="eventcommand" value="" />
    <add key="eventcommandwait" value="False" />
    <add key="eventmaxcount" value="0" />
    <add key="logfilename" value="cdfmonitor.log" />
   <add key="logtoconsole" value= "True" />
    <add key="hidden" value="False" />
    <add key="smtpserver" value="" />
    <add key="smtpport" value="25" />
    <add key="smtpsendto" value="" />
    <add key="smtpsendfrom" value="" />
    <add key="smtpsubject" value="" />
    <add key="smtpuser" value="" />
    <add key="smtppassword" value="" />
    <add key="smtpssl" value="False" />
    <add key="urlfiles" value="" />
    <add key="urlsite" value="" />
    <add key="urluser" value=""/>
    <add key="urlpassword" value=""/>
    <add key="tmfcachedir" value=  />
    <add key="tmfserver" value= "http://ctxsym.citrix.com/tmfs/" />
</appSettings>
</configuration>

This example monitors the XenDesktop 4 workstationagent service module for Virtual Desktop Agent (VDA) session disconnects for one match. When a match is found, all portica logs are copied into a single file, an Application event is logged with the results of the copy and are written to cdfmonitor.log.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key=“modules” value="{D076AEAB-F744-4154-94E0-C64DD3F73BB6}" />
    <add key="regex" value= "disconnect" />
    <add key="tmfguid" value=  />
    <add key="tmffunction" value= "0" />
    <add key="debug" value= "False" />
    <add key="writeevent" value= "True" />
    <add key="eventthrottle" value="1" />
    <add key="eventcommand" value="cmd.exe /c copy C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\*.log c:\temp\portica.log" />
    <add key="eventcommandwait" value="True" />
    <add key="eventmaxcount" value="1" />
    <add key="logfilename" value="cdfmonitor.log" />
    <add key="logtoconsole" value="True" />
    <add key="hidden" value="False" />
    <add key="smtpserver" value="" />
    <add key="smtpport" value="25" />
    <add key="smtpsendto" value="" />
    <add key="smtpsendfrom" value="" />
    <add key="smtpsubject" value="" />
    <add key="smtpuser" value="" />
    <add key="smtppassword" value="" />
    <add key="smtpssl" value="False" />
    <add key="urlfiles" value="" />
    <add key="urlsite" value="" />
    <add key="urluser" value=""/>
    <add key="urlpassword" value=""/>
    <add key="tmfcachedir" value=  />
    <add key="tmfserver" value= "http://ctxsym.citrix.com/tmfs/" />
  </appSettings>
</configuration>

This final example runs continuously, monitoring all modules for XenDesktop 5 Broker for fail, warning, exception, and error traces. When a match is found, it is written to cdfmonitor.log.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key=“modules” value="{B4CE2C0C-EB3C-E413-5731-05C545A94196};
        {8097A15B-53D3-6383-350D-7322BFDEEF13};
        {8B87DCDB-8B6C-E7B7-7710-E4C615000BCC};
        {71D9DA44-E905-26BC-56FC-2CC499FB17BD};
        {76713BFA-7379-E36D-3BA5-FE4CF74B1A8B};
        {6FDE1374-C984-4f7c-8ABD-3F9104B87553};
        {CFE860DE-EFDF-4810-A632-99209F274C3A};
        {DED227F9-8300-4f8f-993A-130AC3560DAE};
        {9FC72209-18FE-429c-B0D1-E14ED05F2ACE};
        {A08BD9E5-718A-43A2-AAD2-BA70A536AC46};
        {947ED9E4-6E98-423d-9E2E-A019278B1E0F};
        {C8549162-2B14-40e1-B644-BD921BB2FCC1};
        {C6D40A80-7714-43b4-9043-E1881A201F4D};
        {F4BCFDFC-BAD6-4f52-95CA-A084DD6DE963};
        {80EB94C4-E850-498a-B429-30CD3728B7C5};
        {48A1B4C3-AED0-49c0-BEF9-058117DCA6DB};
        {518FE13E-5611-4F6D-980C-82D0579004CF};
        {7207695F-9781-47a8-AA32-4558FA0A269A};
        {13DF1014-1FDB-46f3-9A8B-0300E42510FF};
        {05AF7868-C71B-3D9C-FECD-3AD74616C27A};
        {D123737B-E144-33EB-7485-6B3DACD2F145};
        {0E89CB54-26A3-9865-2F66-EF301DAE3194};
        {8ED077F2-4D29-245C-B53F-283CD055C743};
        {04D1EA53-C0C9-03E6-1386-3DAA6F7436BE};
        {23E410A4-CFDE-4FFD-AF1E-2E7F207F26DA};
        {DD96245C-0CF6-4fad-841A-D4D6D02B584D};
        {BA461BD9-815E-4780-9259-6EF57F958AAD};
        {F18221AF-29E0-647D-83F1-DC2868E870FA};
        {5C2B9703-61AC-EE7A-B3BC-EE3A4EAAAD12};
        {EF99F2A5-81D6-9340-F063-A54A29ECD0F2};
        {2D9B9316-8EFE-0865-7E72-333A65215C3D};
        {0C98C4DF-D14D-94DB-653B-92FEC18CAC1D};
        {4F2792CB-FAC9-0633-4D0C-261AD509E7EC};
        {19C65CE0-C571-D361-5DBE-DDF7FF6705D6};
        {F30EF994-C2A5-51F5-D087-16A78FFCBA4B};
        {03472E2E-EBE4-8022-DD63-AEE6FFF26CB5};
        {B2EAB5D9-F9AA-E1A6-471B-B291389D1E96};
        {E1509CEA-2291-4593-2EE7-AAC1E15A4898};
        {7541277A-9CB0-6CFA-DB6B-84CF2F8250BD};
        {FA2D8F49-2E00-5FD5-4402-A2DC5FEA69D9};
        {75863B1E-DF82-1A6B-EC91-1311FB8D9845};
        {D267A886-3C52-E06E-62A2-0C958F70F14C};
        {1DE90FAD-163A-485A-A180-6F6D38BAEB46};
        {738A2048-E88D-4448-990E-D1045D157D52};
        {85FAF435-82A1-4941-98E5-D4685DCDCA1D};
        {03D58FC0-18F3-4253-8398-303A2798AF87};
        {61E06B2F-1017-4941-9997-AA9771E60AAC}" />
    <add key="regex" value= "fail|exception|warning|error" />
    <add key="tmfguid" value=  />
    <add key="tmffunction" value= "0" />
    <add key="debug" value= "False" />
    <add key="writeevent" value= "False" />
    <add key="eventthrottle" value="0" />
    <add key="eventcommand" value="" />
    <add key="eventcommandwait" value="False" />
    <add key="eventmaxcount" value="0" />
    <add key="logfilename" value="cdfmonitor.log" />
    <add key="logtoconsole" value="True" />
    <add key="hidden" value="False" />
    <add key="smtpserver" value="" />
    <add key="smtpport" value="25" />
    <add key="smtpsendto" value="" />
    <add key="smtpsendfrom" value="" />
    <add key="smtpsubject" value="" />
    <add key="smtpuser" value="" />
    <add key="smtppassword" value="" />
    <add key="smtpssl" value="False" />
    <add key="urlfiles" value="" />
    <add key="urlsite" value="" />
    <add key="urluser" value=""/>
    <add key="urlpassword" value=""/>
    <add key="tmfcachedir" value=  />
    <add key="tmfserver" value= "http://ctxsym.citrix.com/tmfs/" />
  </appSettings>
</configuration>

Security Permissions Required by CDFmonitor

The permissions required to run CDFMonitor are the same as required for CDFControl and ETW which is local administrator permissions.

Data Modified by CDFmonitor

There is no data modified by CDFMonitor utility. TMF files if configured are downloaded to local machine.

How to Undo the Changes Made by CDFmonitor

Remove files from TMF cache directory, if configured.

Uninstalling CDFmonitor

There is no installation for CDFMonitor because it is a stand-alone utility. To uninstall CDFMonitor, remove the CDFMonitor.exe file.

More Information

References:

Regex generator: http://gskinner.com/RegExr/

Regex Reference:

http://www.regular-expressions.info/reference.html

http://www.regular-expressions.info/brackets.html

http://www.regular-expressions.info/alternation.html

http://en.wikipedia.org/wiki/Regular_expression

Regular Expression Syntax (Scripting)

http://msdn.microsoft.com/en-us/library/1400241x(v=vs.85).aspx

MSDN EnableTrace reference:

http://msdn.microsoft.com/en-us/library/aa363710(v=VS.85).aspx

Sample log:

-------------------------------------------------------------------------------------------- New CDFMonitor session:5/6/2011 1:46:13 PM
modules:*
regex:dal
tmfguid:
tmffunction:0
writeevent:False
debug:False
eventthrottle:0
eventcommandwait:False
eventmaxcount:0
sessionName:CDFMonitor
logfilename:c:\temp\cdfmon.log
logtoconsole:True
hidden:False
smtpserver:
smtpport:25
smtpsendto:jason.gilbertson@citrite.net
smtpsendfrom:CDFMonitor@citrite.net
smtpsubject:test
smtpuser:
sendsmtp:False
smtpssl:False
urlfiles:
urlsite:
urluser:
sendURL:False
tmfserver:http://ctxsym.citrix.com/tmfs/xaxd/
tmfcachedir:c:\temp\tmfs
CDFMonitor Running. If using psexec, Press 'Q' and 'Enter' to quit.
2011-05-06T13:46:16.2757720-04:00:"MachineCreationServiceDAL:8:5:DAL >>> ServiceActivityPoll(1)"
2011-05-06T13:46:16.2769365-04:00:"MachineCreationServiceDAL:8:5:DAL <<< ServiceActivityPoll(): returns 0"
2011-05-06T13:46:16.3778399-04:00:"HostServiceDAL:8:5:DAL >>> HypervisorConnectionGetById(555555555-5555-5555-5555-55555555555)"
2011-05-06T13:46:16.3805894-04:00:"HostServiceDAL:8:5:DAL <<< HypervisorConnectionGetById(The retrieved row=danielgu): returns 0"
2011-05-06T13:46:18.5178171-04:00:"BrokerDAL:8:5:DAL >>> UpdateWorkerPowerStates(HypervisorUid=1)"
2011-05-06T13:46:18.5200958-04:00:"BrokerDAL:8:5:DAL <<< UpdateWorkerPowerStates()"
2011-05-06T13:46:19.1188790-04:00:"BrokerDAL:8:5:DAL >>> GetDesktopGroupIdlePoolDelta(Group=3, DayMask=32, HourMask=8192)"
2011-05-06T13:46:19.1202012-04:00:"BrokerDAL:2:1:GetDesktopGroupIdlePoolDelta result: allocated delta =2, unallocated delta =1"
2011-05-06T13:46:19.1202639-04:00:"BrokerDAL:2:1:Scheme=5, IdlePool(Group=3): Unallocated Target(On=0,Idle=1) : Unallocated Current(On=0,Idle=0,PendingOn=0,PendingOff=0)"
2011-05-06T13:46:19.1202985-04:00:"BrokerDAL:2:1: Allocated Target(On=2) : Allocated Current(On=0,Idle=0,offAndAlreadyReg=0)"
2011-05-06T13:46:19.1203453-04:00:"BrokerDAL:8:5:DAL <<< GetDesktopGroupIdlePoolDelta(Group=3): returns True"
2011-05-06T13:46:19.1204929-04:00:"BrokerDAL:8:5:DAL >>> GetDesktopGroupIdlePoolDelta(Group=6, DayMask=32, HourMask=8192)"
2011-05-06T13:46:19.1214180-04:00:"BrokerDAL:2:1:GetDesktopGroupIdlePoolDelta result: allocated delta =1, unallocated delta =1"
2011-05-06T13:46:19.1215412-04:00:"BrokerDAL:2:1:Scheme=11, IdlePool(Group=6): Unallocated Target(On=0,Idle=1) : Unallocated Current(On=0,Idle=0,PendingOn=0,PendingOff=0)"
2011-05-06T13:46:19.1215719-04:00:"BrokerDAL:2:1: Allocated Target(On=1) : Allocated Current(On=0,Idle=0,offAndAlreadyReg=0)"
2011-05-06T13:46:19.1216166-04:00:"BrokerDAL:8:5:DAL <<< GetDesktopGroupIdlePoolDelta(Group=6): returns True"
2011-05-06T13:46:19.1217251-04:00:"BrokerDAL:8:5:DAL >>> StartupIdlePoolMachine(3)"
2011-05-06T13:46:19.1229504-04:00:"BrokerDAL:2:1:Warning: IdlePool: no unallocated workers available to start: Group=3"
2011-05-06T13:46:19.1232525-04:00:"BrokerDAL:8:5:DAL <<< StartupIdlePoolMachine(3): returns False"
2011-05-06T13:46:19.1232679-04:00:"BrokerDAL:8:5:DAL >>> StartupIdlePoolMachine(6)"
2011-05-06T13:46:19.1241429-04:00:"BrokerDAL:2:1:Warning: IdlePool: no unallocated workers available to start: Group=6"
2011-05-06T13:46:19.1244401-04:00:"BrokerDAL:8:5:DAL <<< StartupIdlePoolMachine(6): returns False"
2011-05-06T13:46:19.1244703-04:00:"BrokerDAL:8:5:DAL >>> StartupAllocatedIdlePoolMachine(3)"
2011-05-06T13:46:19.1255840-04:00:"BrokerDAL:2:1:Warning: IdlePool: no allocated workers available to start: Group=3"
2011-05-06T13:46:19.1258031-04:00:"BrokerDAL:8:5:DAL <<< StartupAllocatedIdlePoolMachine(3): returns False"
2011-05-06T13:46:19.1258172-04:00:"BrokerDAL:8:5:DAL >>> StartupAllocatedIdlePoolMachine(6)"
2011-05-06T13:46:19.1267302-04:00:"BrokerDAL:2:1:Warning: IdlePool: no allocated workers available to start: Group=6"
2011-05-06T13:46:19.1269545-04:00:"BrokerDAL:8:5:DAL <<< StartupAllocatedIdlePoolMachine(6): returns False"
2011-05-06T13:46:19.1269695-04:00:"BrokerDAL:8:5:DAL >>> StartupAllocatedIdlePoolMachine(3)"
2011-05-06T13:46:19.1278005-04:00:"BrokerDAL:2:1:Warning: IdlePool: no allocated workers available to start: Group=3"
2011-05-06T13:46:19.1279749-04:00:"BrokerDAL:8:5:DAL <<< StartupAllocatedIdlePoolMachine(3): returns False"
finalizing
0 tmf server missed events
0 tmf server hit events
0 tmf cache missed events
0 tmf cache hit events
0 tmf parse errors
5 error|warning|fail events
66 processed events
31 matched events
0 throttled events
0 missed events
0 missed console events
0 missed controller events
Start time:5/6/2011 1:46:13 PM
Stop time:5/6/2011 1:46:22 PM
---------------------------------------------------------
Finished

Sample Console Screen shot:

Contact Information

Questions? Concerns? Send any feedback for this tool to supporttools@citrix.com.

Disclaimer

These software applications are provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.

Please note:
You can download the required file from the Citrix downloads website by visiting the following link: https://www.citrix.com/downloads/citrix-tools