Редактиране

Споделяне чрез


Logging to NT Event Log Based on an Event

The NTEventLogEventConsumer class writes a message to the Windows Event log when a specified event occurs. This class is a standard event consumer that WMI provides.

Note

Authenticated users cannot, by default, log events to the Application log on a remote computer. As a result, the example described in this topic will fail if you use the UNCServerName property of the NTEventLogEventConsumer class and specify a remote computer as its value. To learn how to change event log security, consult this KB article.

 

The basic procedure for using a standard consumer is described in Monitoring and Responding to Events with Standard Consumers. The following are additional steps beyond the basic procedure, required when using the NTEventLogEventConsumer class. The steps describe how to create an event consumer that writes to the Application event log.

The following procedure describes how to create an event consumer that writes to the NT Event Log.

To create an event consumer that writes to the Windows Event Log

  1. In a Managed Object Format (MOF) file, create an instance of NTEventLogEventConsumer to receive the events you request in the query. For more information about writing MOF code, see Designing Managed Object Format (MOF) Classes.

  2. Create, and name, an instance of __EventFilter, and then create a query to specify the type of event which triggers writing to the NT Event Log.

    For more information see, Querying with WQL.

  3. Create an instance of __FilterToConsumerBinding to associate the filter with the instance of NTEventLogEventConsumer.

  4. Compile the MOF file by using Mofcomp.exe.

Example

The example in this section is in MOF code, but you can create the instances programmatically by using the Scripting API for WMI or the COM API for WMI. The example shows how to create a consumer to write to the Application event log by using NTEventLogEventConsumer. The MOF creates a new class named "NTLogCons_Example", an event filter to query for operations, such as creation, on an instance of this new class, and a binding between filter and consumer. Because the last action in the MOF is to create an instance of NTLogCons_Example, you can immediately see the event in the Application event log by running Eventvwr.exe.

The EventID=0x0A for SourceName="WinMgmt" identifies a message with the following text. The "%1", "%2", "%3" are placeholders for corresponding strings specified in InsertionStringTemplates array.

Event filter with query "%2" could not be [re]activated in 
namespace "%1" because of error %3. Events may not be delivered 
through this filter until the problem is corrected.

The following procedure describes how to use the example.

To use the example

  1. Copy the MOF listing below into a text file and save it with a .mof extension.

  2. In a Command window, compile the MOF file by using the following command:

    Mofcomp filename**.mof**

  3. Run Eventvwr.exe. Look at the Application event log. You should see an event with ID = 10 (the EventID), Source = "WMI", and Type = Error.

  4. Double-click the Information type message from WMI with 10 in the Event column. The following description will be displayed for the event.

    Event filter with query "STRING2" could not be [re]activated in 
    namespace "STRING1" because of error STRING3. Events cannot be 
    delivered through this filter until the problem is corrected.
    
// Set the namespace as root\subscription.
// The NTEventLogEventConsumer is already
// compiled in the root\subscription namespace. 

#pragma namespace ("\\\\.\\Root\\subscription")
class NTLogCons_Example
{
 [key] string name;
 string InsertionString;
};

// Create an instance of the NT Event log consumer
// and give it the alias $CONSUMER

instance of NTEventLogEventConsumer as $CONSUMER
{
    // Unique instance name
    Name = "NTConsumerTest"; 
    // System component that generates the event
    SourceName = "WinMgmt";
    // Event message WBEM_MC_CANNOT_ACTIVATE_FILTER
    EventID = 0xC000000A;
    // EVENTLOG_ERROR_TYPE
    EventType = 1;
    // WMI event messages do not have multiple categories
    Category = 0;
    // Number of strings in InsertionStringTemplates property
    NumberOfInsertionStrings = 3;

    InsertionStringTemplates =
       {"%TargetInstance.Name%",
        "%TargetInstance.InsertionString%",
        "STRING3"};
};

// Create an instance of the event filter
// and give it the alias $FILTER
// The filter queries for any instance operation event
// for instances of the NTLogCons_Example class

instance of __EventFilter as $FILTER
{
    // Unique instance name
    Name = "NTLogConsFilter";
    Query = "SELECT * from __InstanceOperationEvent"
            " WHERE TargetInstance ISA \"NTLogCons_Example\"";
    QueryLanguage = "WQL";
};

// Create an instance of the binding
// between filter and consumer instances.

instance of __FilterToConsumerBinding
{
    Consumer = $CONSUMER;
    Filter = $FILTER;
};

// Create an instance of this class right now. 

instance of NTLogCons_Example
{
   Name = "STRING1";
   InsertionString = "STRING2";
};

Monitoring and Responding to Events with Standard Consumers