Where are event log levels defined, and how can I convert them to a humanreadable string?

Question

Where are event log levels defined, and how can I convert them to a humanreadable string?

Shane 46

I want to write a function that converts from an event log level to a humanreadable string for the log level.

More specifically, I want to take Level member of an _EVENT_DESCRIPTOR structure and produce a human readable string representation the log level.

The docs page I link to for this structure says

Level values 0 through 5 are defined by Microsoft (see evntrace.h and winmeta.h). Level values 6 through 15 are reserved. Level values 16 through 255 can be defined by the event provider.

The table below this quote shows the values LOG_ALWAYS, CRITICAL, ERROR, WARNING, INFO, and VERBOSE.

Is there a function available in the Windows API to produce a humanreadable string from the Level value?

If not, are the values LOG_ALWAYS, CRITICAL, ERROR, WARNING, INFO, and VERBOSE defined somewhere in the Windows API (as an enumeration or some other way) so I can write the function myself? When I #include evntrace.h or winmeta.h, LOG_ALWAYS, etc. are not defined.

Specifically, when I say "humanreadable string", I mean I want to produce the same string as what the Event Viewer would display for an event with that log level.

Accepted answer

0 additional answers

Your answer

Answer 1

If not, are the values LOG_ALWAYS, CRITICAL, ERROR, WARNING, INFO, and VERBOSE defined somewhere in the Windows API (as an enumeration or some other way) so I can write the function myself? When I #include evntrace.h or winmeta.h, LOG_ALWAYS, etc. are not defined.

As the doc says, in winmeta.h :

#define WINEVENT_LEVEL_LOG_ALWAYS 0x0
#define WINEVENT_LEVEL_CRITICAL 0x1
#define WINEVENT_LEVEL_ERROR 0x2
#define WINEVENT_LEVEL_WARNING 0x3
#define WINEVENT_LEVEL_INFO 0x4
#define WINEVENT_LEVEL_VERBOSE 0x5
#define WINEVENT_LEVEL_RESERVED_6 0x6
#define WINEVENT_LEVEL_RESERVED_7 0x7
#define WINEVENT_LEVEL_RESERVED_8 0x8
#define WINEVENT_LEVEL_RESERVED_9 0x9
#define WINEVENT_LEVEL_RESERVED_10 0xa
#define WINEVENT_LEVEL_RESERVED_11 0xb
#define WINEVENT_LEVEL_RESERVED_12 0xc
#define WINEVENT_LEVEL_RESERVED_13 0xd
#define WINEVENT_LEVEL_RESERVED_14 0xe
#define WINEVENT_LEVEL_RESERVED_15 0xf

and also in the .XAML :

  <!-- Standard Windows system reporting levels -->
        <levels>
            <level name="win:LogAlways" symbol="WINEVENT_LEVEL_LOG_ALWAYS" value="0" message="$(string.level.LogAlways)"> Log Always </level>
            <level name="win:Critical" symbol="WINEVENT_LEVEL_CRITICAL" value="1" message="$(string.level.Critical)"> Only critical errors </level>
            <level name="win:Error" symbol="WINEVENT_LEVEL_ERROR" value="2" message="$(string.level.Error)"> All errors, includes win:Critical </level>
            <level name="win:Warning" symbol="WINEVENT_LEVEL_WARNING" value="3" message="$(string.level.Warning)"> All warnings, includes win:Error </level>
            <level name="win:Informational" symbol="WINEVENT_LEVEL_INFO" value="4" message="$(string.level.Informational)"> All informational content, including win:Warning </level>
            <level name="win:Verbose" symbol="WINEVENT_LEVEL_VERBOSE" value="5" message="$(string.level.Verbose)"> All tracing, including previous levels </level>

            <!-- The following are unused.  They are place holders so that users dont accidentally use those values in their own definitions -->
            <level name="win:ReservedLevel6" symbol="WINEVENT_LEVEL_RESERVED_6" value="6"/>
            <level name="win:ReservedLevel7" symbol="WINEVENT_LEVEL_RESERVED_7" value="7"/>
            <level name="win:ReservedLevel8" symbol="WINEVENT_LEVEL_RESERVED_8" value="8"/>
            <level name="win:ReservedLevel9" symbol="WINEVENT_LEVEL_RESERVED_9" value="9"/>
            <level name="win:ReservedLevel10" symbol="WINEVENT_LEVEL_RESERVED_10" value="10"/>
            <level name="win:ReservedLevel11" symbol="WINEVENT_LEVEL_RESERVED_11" value="11"/>
            <level name="win:ReservedLevel12" symbol="WINEVENT_LEVEL_RESERVED_12" value="12"/>
            <level name="win:ReservedLevel13" symbol="WINEVENT_LEVEL_RESERVED_13" value="13"/>
            <level name="win:ReservedLevel14" symbol="WINEVENT_LEVEL_RESERVED_14" value="14"/>
            <level name="win:ReservedLevel15" symbol="WINEVENT_LEVEL_RESERVED_15" value="15"/>
            <!-- End of reserved values -->
        </levels>

Shane 46 Reputation points

2022-03-25T19:29:59.56+00:00

In the Windows Event Viewer, the level is displayed as a string in the Level column. For example, if the Level is WINEVENT_LEVEL_INFO, the Event Viewer shows "Information" as the level for the event in the table.

Is there any function in the Windows API to map from the WINEVENT_* value to the corresponding string representation?
Castorix31 90,521 Reputation points

2022-03-25T20:17:23.613+00:00

Mainly with EvtFormatMessage, like at Formatting Event Messages
Junjie Zhu - MSFT 21,646 Reputation points

2022-03-28T02:29:24.573+00:00

Hi, @Shane
Have you solved your problem yet?

Share via

Where are event log levels defined, and how can I convert them to a humanreadable string?

0 additional answers

Your answer