ETW Only Mode

You can disable detection rules and make Eolh to output ETW logs only.

eolh.exe --detect=false

Now you can see the Microsoft-Windows-Kernel-<File/Process/Network> ETW logs associated with container information.

You can use your own detection rules with ETW logs at CloudWatch Logs Insights.

filter @logStream = 'ip-<id_address>.ec2.internal-application.C.var.log.containers.monitor_default_monitor-<foobaa>.log'
 | filter strcontains(log_processed.cmdLine, "stratum")