.NET Security : Programming the Event Log Service (part 3) - Using Custom Event Logs, Monitoring Event Logs

5. Using Custom Event Logs

You can create custom event logs by specifying the name you wish to use with the Log property of the EventLog class. When you write the first event to the log with the WriteEntry method, the ELS will create the custom log automatically. The event source specified by the Source property will be registered and associated with the new custom log. The following statements demonstrate how to create the custom log MyCustomEventLog; ELS does not create the custom log until the WriteEntry statement is executed:

# C#

// create a new instance that refers to the custom log
EventLog x_local_log = new EventLog(  );
x_local_log.MachineName = ".";
x_local_log.Log = "MyCustomEventLog";

// specify the event source that we'll use to record events
x_local_log.Source = "MyCustomEventSource";

// write a log entry - the custom log will not be created until this point
x_local_log.WriteEntry("MyApplication exited unexpectedly");

# Visual Basic .NET

' create a new instance that refers to the custom log
Dim x_local_log As EventLog = New EventLog(  )
x_local_log.MachineName = "."
x_local_log.Log = "MyCustomEventLog"

' specify the event source that we'll use to record events
x_local_log.Source = "MyCustomEventSource"

' write a log entry - the custom log will not be created until this point
x_local_log.WriteEntry("MyApplication exited unexpectedly")

Custom logs can be deleted with the Delete method defined by the EventLog class, as demonstrated by the following statements:

# C# 

// delete the custom event log
EventLog.Delete("MyCustomEventLog");

# Visual Basic .NET

' delete the custom event log
EventLog.Delete("MyCustomEventLog")

Use the Delete method with caution; the event log will be removed and all of the entries and event sources will be lost permanently. An instance of the System.InvalidOperationException exception is thrown by the Delete method if you attempt to delete a log that does not exist.

The EventLog.Delete method will delete the Application and System default event logs without warning. Deleting these logs can cause applications to behave erratically.

6. Monitoring Event Logs

The EventLog class provides an event mechanism that allows us to monitor an event log. In this section, we demonstrate how to use this feature, which relies on the .NET event delegate mechanism; consult the .NET documentation if you are unfamiliar with .NET delegates.

We can register for event notification by adding an instance of the EntryWrittenEventHandler delegate to the EntryWritten event defined by the EventLog class, as demonstrated by the statements below. The delegate method signature defines the EntryWrittenEventArgs class, which makes the event that has been written available as an instance of EventLogEntry accessible through the Entry property:

# C#

using System;
using System.Diagnostics;

public class EventLogMonitor {

    public static void Main(  ) {

        // create a new instance of the EventLog class
        EventLog x_local_log = new EventLog("MyCustomEventLog");

        // create a delegate to process events from the ELS
        EntryWrittenEventHandler x_handler 
            = new EntryWrittenEventHandler(MyOnEntryWrittenMethod);

        // add the delegate to the EventLog event
        x_local_log.EntryWritten += x_handler;

        // enable event processing
        x_local_log.EnableRaisingEvents = true;

        // wait to read a lone from the console - just to stop
        // the application from exiting
        Console.ReadLine(  );
    }

    public static void MyOnEntryWrittenMethod(object p_source, 
        EntryWrittenEventArgs p_args) {

        // extract the event object from the event arguments
        EventLogEntry x_entry = p_args.Entry;
        // write out the event details
        Console.WriteLine("Event Source: {0}, Event ID {1}, Event Message {2}",
            x_entry.Source, x_entry.EventID, x_entry.Message);

    }
}

# Visual Basic .NET

Imports System.Diagnostics

Class EventLogMonitor

    Shared Sub Main(  )

        ' create a new instance of the EventLog class
        Dim x_local_log As EventLog = New EventLog("MyCustomEventLog")

        ' create a delegate to process events from the ELS
        AddHandler x_local_log.EntryWritten, AddressOf MyOnEntryWrittenMethod

        ' enable event processing
        x_local_log.EnableRaisingEvents = True

        ' wait to read a lone from the console - just to stop
        ' the application from exiting
        Console.ReadLine(  )
    End Sub

    Public Shared Sub MyOnEntryWrittenMethod(ByVal p_source As Object, _
    ByVal p_args As EntryWrittenEventArgs)

        ' extract the event object from the event arguments
        Dim x_entry As EventLogEntry = p_args.Entry
        ' write out the event details
        Console.WriteLine("Event Source: {0}, Event ID {1}, Event Message {2}", _
            x_entry.Source, x_entry.EventID, x_entry.Message)

    End Sub
End Class

					  

Events will not be raised until the value of the EnableRaisingEvents property is set to true (C#) or True (Visual Basic .NET). The EventWritten event is raised five seconds after an entry has been added to the monitored event log; if several events have been written during the five-second period, only the last event will be signaled via the delegate.

The EventLog class does not support monitoring event logs managed by other computers—only local logs can be monitored.