How to write to an event log by using Visual C#

This step-by-step article shows you how to add your own entries to the operating system's event log by using the Microsoft .NET Framework.

Requirements

The following list describes the recommended hardware, software, network infrastructure, and service packs that you will need:

• Microsoft Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, or Windows NT 4.0 Server
• Microsoft Visual Studio C#

Write to an event log

Event logging provides a standard, centralized way for your applications to record important software and hardware events. Windows supplies a standard user interface for viewing the logs, the Event Viewer. By using the common language's run-timeEventLog component, you can connect to existing event logs easily, on both local and remote computers, and write entries to these logs. You can also read entries from existing logs and create your own custom event logs. In its simplest form, writing to an event log involves only a few steps to create a sample application. To do this, follow these steps:

1. Open Visual Studio C#.
2. Create a new Console application in Visual C#. The Console application creates a public class and an empty Mainmethod for you.
3. Verify that the project references at least the System.dll file.
4. Use the using directive on the System and System.Diagnostics namespaces so that you do not have to qualify declarations from these namespaces later in your code. You must use these statements before any other declarations.
   
   

   using System;
   using System.Diagnostics;
        

5. To write to an event log, you must have several pieces of information: Your message, the name of the log you to which you want to write (which will be created if it does not already exist), and a string that represents the source of the event. You can register a particular source with only a single event log; if you want to write messages to more than one log, you must define multiple sources.
   
   

   string sSource;
   string sLog;
   string sEvent;
   
   sSource = "dotNET Sample App";
   sLog = "Application";
   sEvent = "Sample Event";
        

6. Use two static methods of the EventLog class to check whether your source exists, and then, if the source does not exist, to create this source that is associated with a particular event log. If the log name that you specify does not exist, the name is created automatically when you write your first entry to the log. By default, if you do not supply a log name to the CreateEventSource method, the log file is named "Application Log."
   
   

   if (!EventLog.SourceExists(sSource))
    EventLog.CreateEventSource(sSource,sLog);
        

7. To write a message to an event log, you can use the EventLog.WriteEntry static method. This method has several different overloaded versions. The following sample code shows the simplest method, which takes a source string and your message, and one of the more complex methods, which supports specifying the event ID and event type:
   
   

   EventLog.WriteEntry(sSource,sEvent);
   EventLog.WriteEntry(sSource, sEvent, EventLogEntryType.Warning,  234);
        

8. Save your application. Run your application, and then check the Application log in the Event Viewer to see your new events.

Complete code listing

using System;
using System.Diagnostics;

namespace WriteToAnEventLog_csharp
{
 /// Summary description for Class1.
 class Class1
 {
  static void Main(string[] args)
  {
   string sSource;
   string sLog;
   string sEvent;

   sSource = "dotNET Sample App";
   sLog = "Application";
   sEvent = "Sample Event";

   if (!EventLog.SourceExists(sSource))
    EventLog.CreateEventSource(sSource,sLog);

   EventLog.WriteEntry(sSource,sEvent);
   EventLog.WriteEntry(sSource, sEvent,
    EventLogEntryType.Warning, 234);
  }
 }
}
    

How to view and manage event logs in Event Viewer in Windows XP

Event Viewer

In Windows XP, an event is any significant occurrence in the system or in a program that requires users to be notified, or an entry added to a log. The Event Log Service records application, security, and system events in Event Viewer. With the event logs in Event Viewer, you can obtain information about your hardware, software, and system components, and monitor security events on a local or remote computer. Event logs can help you identify and diagnose the source of current system problems, or help you predict potential system problems.

Event Log Types

A Windows XP-based computer records events in the following three logs:

• Application log
  
  The application log contains events logged by programs. For example, a database program may record a file error in the application log. Events that are written to the application log are determined by the developers of the software program.
• Security log
  
  The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.
• System log
  
  The system log contains events logged by Windows XP system components. For example, if a driver fails to load during startup, an event is recorded in the system log. Windows XP predetermines the events that are logged by system components.

How to View Event Logs

To open Event Viewer, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, click Event Viewer.
   
   The Application, Security, and System logs are displayed in the Event Viewer window.

How to View Event Details

To view the details of an event, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
3. In the details pane, double-click the event that you want to view.
   
   The Event Properties dialog box containing header information and a description of the event is displayed.
   
   To copy the details of the event, click the Copy button, then open a new document in the program in which you want to paste the event (for example, Microsoft Word), and then click Paste on the Edit menu.
   
   To view the description of the previous or next event, click the UP ARROW or DOWN ARROW.

How to Interpret an Event

Each log entry is classified by type, and contains header information, and a description of the event.

Event Header

The event header contains the following information about the event:

• Date
  
  The date the event occurred.
• Time
  
  The time the event occurred.
• User
  
  The user name of the user that was logged on when the event occurred.
• Computer
  
  The name of the computer where the event occurred.
• Event ID
  
  An event number that identifies the event type. The Event ID can be used by product support representatives to help understand what occurred in the system.
• Source
  
  The source of the event. This can be the name of a program, a system component, or an individual component of a large program.
• Type
  
  The type of event. This can be one of the following five types: Error, Warning, Information, Success Audit, or Failure Audit.
• Category
  
  A classification of the event by the event source. This is primarily used in the security log.

Event Types

The description of each event that is logged depends on the type of event. Each event in a log can be classified into one of the following types:

• Information
  
  An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully.
• Warning
  
  An event that is not necessarily significant, however, may indicate the possible occurrence of a future problem. For example, a Warning message is logged when disk space starts to run low.
• Error
  
  An event that describes a significant problem, such as the failure of a critical task. Error events may involve data loss or loss of functionality. For example, an Error event is logged if a service fails to load during startup.
• Success Audit (Security log)
  
  An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer.
• Failure Audit (Security log)
  
  An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive.

How to Find Events in a Log

The default view of event logs is to list all its entries. If you want to find a specific event, or view a subset of events, you can either search the log, or you can apply a filter to the log data.

How to Search for a Specific Log Event

To search for a specific log event, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
3. On the View menu, click Find.
4. Specify the options for the event that you want to view in the Find dialog box, and then click Find Next.

The event that matches your search criteria is highlighted in the details pane. Click Find Next to locate the next occurrence of an event as defined by your search criteria.

How to Filter Log Events

To filter log events, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
3. On the View menu, click Filter.
4. Click the Filter tab (if it is not already selected).
5. Specify the filter options that you want, and then click OK.

Only events that match your filter criteria are displayed in the details pane.

To return the view to display all log entries, click Filter on the View menu, and then click Restore Defaults.

How to Manage Log Contents

By default, the initial maximum of size of a log is set to 512 KB, and when this size is reached, new events overwrite older events as needed. Depending on your requirements, you can change these settings, or clear a log of its contents.

How to Set Log Size and Overwrite Options

To specify log size and overwrite options, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then right-click the log in which you want to set size and overwrite options.
3. Under Log size, type the size that you want in the Maximum log size box.
4. Under When maximum log size is reached, click the overwrite option that you want.
5. If you want to clear the log contents, click Clear Log.
6. Click OK.

How to Archive a Log

If you want to save your log data, you can archive event logs in any of the following formats:

• Log-file format (.evt)
• Text-file format (.txt)
• Comma-delimited text-file format (.csv)

To archive a log, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
2. In the console tree, expand Event Viewer, and then right-click the log in which you want to archive, and then click Save Log File As.
3. Specify a file name and location where you want to save the file. In the Save as type box, click the format that you want, and then click Save.

The log file is saved in the format that you specified.