Embodiments of the invention provide methods, systems, software and data
structures for monitoring, analyzing, storing and/or collecting events on
a monitored computer. In a set of embodiments, a monitoring process
monitors one or more applications for events occurring in those
applications. The monitoring process, in some cases, runs in a common
thread of execution with one or more of the applications. If the
monitoring process detects an event, it might notify an event capture
process, which might capture the event. In some embodiments, an analysis
process might determine whether the event should be collected, and if so,
maintain a representation of the event (perhaps in a specialized data
structure). In other embodiments, a data management process is configured
to store information about one or more events in an event cache, which
might comprise a plurality of file streams and/or metafile streams,
enabling efficient storage of information about events.