3.1.1.3 Event Sources

The event source is intended to identify the software that reports the event. It can be interpreted as the event provider. In the EventLog Remoting Protocol, the event source is specified as a string. The server maintains an association between event sources and logs. If a client attempts to register an event source that does not exist in the registry under any of the event logs, the event log service still allows the client to succeed and writes these events to the application event log, creating this log if it did not already exist.

When a client calls a method such as ElfrRegisterEventSourceW to get a handle for writing, the server uses that association to determine which log will receive any events subsequently published using that handle. The server stores the sources as subkeys of the log keys in the registry. The association is described in detail in the following sections.

By definition, an event source is only associated with one log in the system.

Event sources are created by the server before a client starts to use them. An event source is created by adding a subkey under the registry key that defines the event log (see section 3.1.1.2); the name of the subkey is the name of the event source. For example, a log named Log1 would be defined by this key:

 HKEY_LOCAL_MACHINE\
      system\currentcontrolset\services\eventlog\Log1

If there were two sources for that log named source1 and source2, there would be the following two keys:

 HKEY_LOCAL_MACHINE\
      system\currentcontrolset\services\eventlog\Log1\source1
 HKEY_LOCAL_MACHINE\
      system\currentcontrolset\services\eventlog\Log1\source2

In addition, the name of the event source needs to be added to the REG_MULTI_SZ "Sources" value defined for the event log.

Each event source can contain the following registry values:

  CategoryCount
      Number of event categories supported. This value is of type REG_DWORD.

  CategoryMessageFile
      Path to the category message file. A category message file contains language-dependent strings that describe the categories. This value can be of type REG_SZ or REG_EXPAND_SZ.

  EventMessageFile
      Path to one or more event message files; use a semicolon to delimit multiple files. An event message file contains language-dependent strings that describe the events. This value can be of type REG_SZ or REG_EXPAND_SZ.

  ParameterMessageFile
      Path to the parameter message file. A parameter message file contains language-independent strings that are to be inserted into the event description strings. This value can be of type REG_SZ or REG_EXPAND_SZ.

  TypesSupported
      Bitmask of supported types. This value is of type REG_DWORD. It can be one or more of the following values:

        • EVENTLOG_AUDIT_FAILURE (0x0010)
        • EVENTLOG_AUDIT_SUCCESS (0x0008)
        • EVENTLOG_ERROR_TYPE (0x0001)
        • EVENTLOG_INFORMATION_TYPE (0x0002)
        • EVENTLOG_WARNING_TYPE (0x0004)
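As an added illustration that is not part of the specification, the following Python models the registry layout described in this section over a constructed snapshot of the eventlog key: it resolves which log a source's events are written to (including the fall-back to the Application log for an unregistered source), splits a semicolon-delimited EventMessageFile value, decodes the TypesSupported bitmask, and checks that each log's source subkeys agree with its Sources value and that no source is registered under more than one log. The log, source and file names in the snapshot are made up.

```python
# Named bits of the TypesSupported value, as listed in section 3.1.1.3.
EVENTLOG_TYPES = {
    0x0001: "EVENTLOG_ERROR_TYPE",
    0x0002: "EVENTLOG_INFORMATION_TYPE",
    0x0004: "EVENTLOG_WARNING_TYPE",
    0x0008: "EVENTLOG_AUDIT_SUCCESS",
    0x0010: "EVENTLOG_AUDIT_FAILURE",
}

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services\EventLog
# (names and paths are made up): log name -> its Sources value and source subkeys.
EVENTLOG_KEY = {
    "Application": {
        "Sources": ["AppSvc"],
        "subkeys": {"AppSvc": {"EventMessageFile": r"%SystemRoot%\System32\appsvc.dll",
                               "TypesSupported": 0x0007}},
    },
    "Log1": {
        "Sources": ["source1"],  # source2 is deliberately missing: inconsistent
        "subkeys": {
            "source1": {"EventMessageFile": r"C:\Vendor\msg.dll;C:\Vendor\more.dll",
                        "TypesSupported": 0x0003},
            "source2": {"TypesSupported": 0x0019},
        },
    },
}

def resolve_log(eventlog_key, source):
    """Log that receives events from `source`: the log whose key holds the
    source subkey, or Application when the source is not registered anywhere."""
    for log, info in eventlog_key.items():
        if source in info["subkeys"]:
            return log
    return "Application"

def message_files(source_values):
    """Split the semicolon-delimited EventMessageFile value into individual paths."""
    return [p for p in source_values.get("EventMessageFile", "").split(";") if p]

def decode_types_supported(mask):
    """Expand a TypesSupported bitmask into flag names; unknown bits are reported."""
    names = [name for bit, name in sorted(EVENTLOG_TYPES.items()) if mask & bit]
    unknown = mask & ~sum(EVENTLOG_TYPES)
    return names + ([f"UNKNOWN(0x{unknown:04x})"] if unknown else [])

def audit_sources(eventlog_key):
    """Report subkey/Sources mismatches and sources registered under two logs."""
    findings, seen = [], {}
    for log, info in eventlog_key.items():
        subkeys, listed = set(info["subkeys"]), set(info["Sources"])
        findings += [f"{log}: subkey '{s}' missing from Sources value" for s in sorted(subkeys - listed)]
        findings += [f"{log}: Sources lists '{s}' but no subkey exists" for s in sorted(listed - subkeys)]
        for s in sorted(subkeys):
            if s in seen:
                findings.append(f"'{s}' is registered under both {seen[s]} and {log}")
            seen[s] = log
    return findings
```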