Here are a few things to take note when dealing with EventLog.
- You can't create a log that are belongs to an existing source.
- You can't create a source that is already exists on another log.
- The first eight characters of the log name cannot be the same as the existing log name.
- You can't delete a source's name that has the same as log name.
- Moving a source by deleting the source from a log and then creating the same source to a different log will not work until the machine is being rebooted. Which means, if you attempt to move the source from 1 log to another log. Writing an event to this source will still appear on the previous log. To remedy this, just reboot the machine.
You might not aware of what log and source is all about. To clarify this, log is the place that holds all the written logs. By default, there are 3 logs (Application, Security, System) and they are located at the left pane of the Event Viewer window. On the other hand, the source is for you to identify which applications it belongs to. Each log can contains 1 or more sources but each source can only be tied to a single log.
This is how you can write an event to event log. Unlike code, it is mandatory to fill in the log and eventid for PowerShell. Eventid is for you to define or customize, it can be something like an error code. But in this case, we can leave the eventid as 0. If you want to change the event's default icon (Information) to something else, just change the entrytype value.
[C#]
EventLog.WriteEntry("SourceName", "Message", EventLogEntryType.Information);
[C# Alternative]
using (EventLog eventLog = new EventLog())
{
eventLog.Source = "SourceName";
eventLog.WriteEntry("Message", EventLogEntryType.Information)
}
[VB]
EventLog.WriteEntry("SourceName", "Message", EventLogEntryType.Information)
[VB Alternative]
Using eventLog As EventLog = New EventLog()
eventLog.Source = "SourceName"
eventLog.WriteEntry("Message", EventLogEntryType.Information)
End Using
[PowerShell]
write-eventlog -logname LogName -source SourceName -message "Message" -eventid 0 -entrytype Information
The following is for you to create a new log and the log's source. When creating a new log with the source's name and the log's name is different, a source with the same name as the log's name will be created automatically.
[C#]
EventLog.CreateEventSource("SourceName", "LogName");
[VB]
EventLog.CreateEventSource("SourceName", "LogName")
[PowerShell]
new-eventlog -logname LogName -source SourceName
If you want to change the log's maximum size and the action to take if reached the maximum size, you can do so with the following code. What the following does is to set the maximum size to 2048 KB and delete the oldest event if exceeded the maximum size.
[C#]
using (EventLog eventLog = new EventLog(LOG_NAME))
{
eventLog.MaximumKilobytes = 2048;
eventLog.ModifyOverflowPolicy(OverflowAction.OverwriteAsNeeded,
0);
}
[VB]
Using eventLog As EventLog = New EventLog(LOG_NAME)
eventLog.MaximumKilobytes = 2048
eventLog.ModifyOverflowPolicy(OverflowAction.OverwriteAsNeeded,
0)
End Using
[PowerShell]
limit-eventlog -logname LogName -maximumsize 2048KB -overflowaction overwriteasneeded
Other than configuring them in code or with PowerShell, you can do so through the Event Viewer window by navigating to the log's properties.
Sample code can be obtained here. https://onedrive.live.com/redir?resid=E6612168B803803D!344&authkey=!ABtZZS6ROWUDg-Y&ithint=file%2czip
No comments:
Post a Comment