Kidada

Reputation: 225

Windows Event Log

I am developing an app to capture event logs (Security) from multiple Windows systems. I have a handler for EntryWritten. I am able to map most fields from the Event Viewer to the EntryWrittenEventArgs entry in .NET. However, I cannot seem to find the mappings for the Level, OpCode and Task Category fields which show up in Event Viewer. Any ideas on how I get this in VB.NET or C#? Thanks

Upvotes: 3

Views: 2419

Answers (1)

Arian Motamedi

Reputation: 7413

The EventLog class in the System.Diagnostics namespace does not contain fields for Level, OpCode or Task. There is, however, the EventRecord class in the System.Diagnostics.Eventing.Reader namespace which is capable of returning those fields. Note that this namespace is mainly used for retrieving event logs from a remote machine. Even though you could use it to get logs on the local machine as well, it opens a local pipe to the system, which makes it slower than the EventLog class. If you really need to access those fields though, this is how this class is generally used:

    // Needs: using System.Collections.Generic;
    //        using System.Diagnostics.Eventing.Reader;

    // Keep the watchers referenced; an EventLogWatcher that goes out of scope
    // can be garbage-collected, which silently ends its subscription.
    private readonly List<EventLogWatcher> watchers = new List<EventLogWatcher>();

    private void LoadEventLogs()
    {
        // Filled only by the commented-out EventLogReader section below.
        List<EventRecord> eventLogs = new List<EventRecord>();

        // Local session; pass a machine name to read a remote host.
        EventLogSession session = new EventLogSession();

        foreach (string logName in session.GetLogNames())
        {
            EventLogQuery query = new EventLogQuery(logName, PathType.LogName);
            query.TolerateQueryErrors = true;
            query.Session = session;

            EventLogWatcher logWatcher = new EventLogWatcher(query);
            logWatcher.EventRecordWritten +=
                new EventHandler<EventRecordWrittenEventArgs>(LogWatcher_EventRecordWritten);

            try
            {
                logWatcher.Enabled = true;
                watchers.Add(logWatcher);
            }
            catch (EventLogException)
            {
                // Not every log accepts subscriptions; release the failed watcher.
                logWatcher.Dispose();
            }

            // This is how you'd read the logs
            //using (EventLogReader reader = new EventLogReader(query))
            //{
            //    for (EventRecord eventInstance = reader.ReadEvent(); eventInstance != null; eventInstance = reader.ReadEvent())
            //    {
            //        eventLogs.Add(eventInstance);
            //    }
            //}
        }
    }

And the LogWatcher_EventRecordWritten event handler:

    private void LogWatcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
    {
        // EventRecord is null when the subscription itself failed;
        // the reason is then in e.EventException.
        if (e.EventRecord == null)
            return;

        // EventRecord holds a native handle; dispose it when done.
        using (EventRecord record = e.EventRecord)
        {
            var level = record.Level;             // numeric level; LevelDisplayName is the Event Viewer text
            var task = record.TaskDisplayName;    // Event Viewer "Task Category"
            var opCode = record.OpcodeDisplayName;
            // Other properties
        }
    }

Note that I wrapped the logWatcher.Enabled = true; statement in a try-catch block, because not all sources allow entry-written listeners (security should work fine). The commented-out section shows you an example of reading all the logs, if you need it.

Upvotes: 4
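As an added example (not part of the answer above), the following console program shows the same EventRecord fields end to end: an XPath-filtered read of recent logon events from the Security log, plus a live subscription that handles the case where the subscription fails and EventRecord is null. The display-name properties (LevelDisplayName, TaskDisplayName, OpcodeDisplayName, KeywordsDisplayNames) need the provider's message resources, so the example falls back to the raw numbers when they are missing. It assumes Windows with .NET Framework 4.x or .NET 6+ with the System.Diagnostics.EventLog package, and a process that is elevated or a member of the "Event Log Readers" group; the log name, the 4624/4625 filter and the 30-second watch window are choices made for the example.

```csharp
// Added example; not code from the original question or answer.
// Assumes Windows; reading the Security log needs elevation or "Event Log Readers" membership.
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Threading;

static class SecurityLogDump
{
    // The Event Viewer columns the question asks about, with raw value and display text.
    sealed class EventSummary
    {
        public int Id;
        public byte? Level;        // raw level; 0 for Security audit events
        public string LevelName;   // Event Viewer "Level" column
        public int? Task;
        public string TaskName;    // Event Viewer "Task Category" column
        public short? Opcode;
        public string OpcodeName;  // Event Viewer "Opcode" column
        public string Keywords;    // "Audit Success" / "Audit Failure" in the Security log
        public DateTime? Time;
    }

    // Display names require the provider's message resources; they are missing when an
    // .evtx is read on another machine, so fall back to the raw number instead of throwing.
    static string SafeName(Func<string> get, object raw)
    {
        try { return get() ?? raw?.ToString() ?? ""; }
        catch (EventLogNotFoundException) { return raw?.ToString() ?? "?"; }
    }

    static EventSummary Summarize(EventRecord r) => new EventSummary
    {
        Id = r.Id,
        Level = r.Level,
        LevelName = SafeName(() => r.LevelDisplayName, r.Level),
        Task = r.Task,
        TaskName = SafeName(() => r.TaskDisplayName, r.Task),
        Opcode = r.Opcode,
        OpcodeName = SafeName(() => r.OpcodeDisplayName, r.Opcode),
        Keywords = SafeName(() => string.Join(",", r.KeywordsDisplayNames), r.Keywords),
        Time = r.TimeCreated,
    };

    // Newest logon successes/failures (4624/4625), filtered server-side with XPath
    // rather than scanning the whole log in the client.
    static List<EventSummary> ReadRecentLogons(string logName, int max)
    {
        var results = new List<EventSummary>();
        var query = new EventLogQuery(logName, PathType.LogName,
            "*[System[(EventID=4624 or EventID=4625)]]") { ReverseDirection = true };
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord r = reader.ReadEvent(); r != null && results.Count < max; r = reader.ReadEvent())
                using (r) results.Add(Summarize(r));
        }
        return results;
    }

    // Live subscription to failed logons. EventRecord is null when the subscription
    // itself failed; the cause is in EventException.
    static void Watch(string logName, TimeSpan duration)
    {
        var query = new EventLogQuery(logName, PathType.LogName, "*[System[EventID=4625]]");
        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten += (sender, e) =>
            {
                if (e.EventRecord == null)
                {
                    Console.Error.WriteLine("subscription error: " + e.EventException?.Message);
                    return;
                }
                using (var r = e.EventRecord) Print(Summarize(r));
            };
            watcher.Enabled = true;
            Thread.Sleep(duration);
            watcher.Enabled = false;
        }
    }

    static void Print(EventSummary s) =>
        Console.WriteLine($"{s.Time:u} id={s.Id} level={s.Level}({s.LevelName}) " +
                          $"task={s.Task}({s.TaskName}) opcode={s.Opcode}({s.OpcodeName}) keywords={s.Keywords}");

    static void Main(string[] args)
    {
        string log = args.Length > 0 ? args[0] : "Security";
        foreach (var s in ReadRecentLogons(log, 10)) Print(s);
        Watch(log, TimeSpan.FromSeconds(30));
    }
}
```

Two points worth knowing when collecting from the Security log: audit events carry Level 0 ("Information"), and the "Audit Success"/"Audit Failure" text Event Viewer shows is the Keywords field, not the Level, so filter on Keywords (or on StandardEventKeywords.AuditSuccess / AuditFailure) if you want to separate the two. For remote hosts, construct an EventLogSession with the machine name (and credentials if needed) and assign it to EventLogQuery.Session before creating the reader or watcher.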
