.. generated, remove this comment to keep this file

``etl.etl``
===========

.. code-block:: console

    $ target-query -f etl.etl

.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``os.windows.log.etl.EtlPlugin``
    * - Output
      - ``records``

**Module documentation**

Plugin for fetching and parsing Windows ETL files (\*.etl).

**Function documentation**

Return the contents of the ETL files generated at last boot and last shutdown.

An event trace log (.etl) file, also known as a trace log, stores the trace messages generated during one or
more trace sessions. A trace session is a period in which a trace provider (a component of a user-mode
application or kernel-mode driver that uses Event Tracing for Windows (ETW) technology to generate trace
messages or trace events) is generating trace messages.

References:

- https://www.hecfblog.com/2018/06/etw-event-tracing-for-windows-and-etl.html
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-log

Yields dynamically created records based on the fields inside an ETL event.
Each record contains at least the following fields:

- hostname (string): The target hostname.
- domain (string): The target domain.
- ts (datetime): The TimeCreated_SystemTime field of the event.
- Provider_Name (string): The Provider_Name field of the event.
- EventType (string): The type of the event defined by the manifest file.