Bagikan melalui


Technology Summary for Reading and Managing Event Logs

Applications log events in event logs to record information, warnings, and errors so that system administrators, customer support personnel, tools, or end users can monitor the health and actions of the application. Using the classes in the System.Diagnostics.Eventing.Reader namespace, you can retrieve information from events, event logs, and applications that log events (event providers), and also configure event log properties. These classes can only be used on computers running on the Windows Vista or Windows Server 2008 operating system. For a list of scenarios that use the event log classes, see Event Log Scenarios. For information about accessing event log information on Windows Server 2003, Windows XP, or Windows 2000, see https://go.microsoft.com/fwlink/?LinkId=99047.

Events

Each event contains an informational, warning, or error message. Events also contain properties such as the level (severity) of the event, the name of the event provider that logged the event, and the time the event was logged. Events are represented by EventLogRecord objects, so for a full list of event properties, view the members of the EventLogRecord class.

Each event can be represented in XML, with the event properties and message defined in XML elements. To retrieve the event XML, use the ToXml method. For more information about events and event XML, see https://go.microsoft.com/fwlink/?LinkID=94642 and Event Queries and Event XML.

To obtain an event message, use the FormatDescription method. For more information and a code example, see How to: Query for Events.

There are four different types of events defined by the EventLogType enumeration. Each type of event is aimed at a different audience. The most common event types are Operational and Administrative.

Event Logs

An event log holds related events, and each log can only contain one type of event. Event logs can be saved (archived) in .evtx files, which can later be read and queried programmatically or by the Event Viewer tool. The Windows logs are intended to store events from legacy applications (applications designed for Windows XP, Windows Server 2003, or Windows 2000) and events that apply to the entire system.

Windows Log Description

Application

The Application log contains events logged by applications or programs. For example, a database program might record a file error in the application log. Program developers decide which events to log.

Security

The Security log contains events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening, or deleting files or other objects. Administrators can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.

System

The System log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log. The event types logged by system components are predetermined by Windows.

Setup

The Setup log contains events related to application setup.

Forwarded Events

The Forwarded Events log is used to store events collected from remote computers.

Applications and Services logs are a different category of event logs than the Windows Logs. The Applications and Services logs store events from a single application or component rather than events that might have system-wide impact. They have a variety of names that are defined by event providers. There are many event logs that fall under this category. To browse the available event logs, use the tools mentioned in the Tools section.

The event logs in the Applications and Services logs category are split up into four types defined by the EventLogType enumeration: Administrative, Operational, Analytic, and Debug. Events in Administrative type logs are of particular interest to IT Professionals using the Event Viewer to troubleshoot problems. Events in Administrative type logs should provide information about how to respond to them. Events in Operational type logs are also useful for IT Professionals, but they are likely to require more interpretation.

Analytic and Debug type logs are not as user friendly. Analytic type logs store events that trace an issue and, often, a high volume of events are logged. Debug type logs are used by developers when debugging applications. Both Analytic and Debug type logs are hidden and disabled by default.

To gather information about an event log, use the EventLogInformation class. To configure event log properties, use the EventLogConfiguration class. Each event log contains a SecurityDescriptor property that determines which users can read and access the log. Each log also has a property that controls the maximum size of the log (the MaximumSizeInBytes property). Each log also has a property that controls how events are handled when the event log becomes full (the LogMode property). For more information about configuring event logs, see How to: Configure and Read Event Log Properties.

Event Providers

An application that logs an event is called an event provider. An event provider identifies the event logs that it can publish events to, and a provider also defines the events that it can publish. Each event provider is uniquely identified by a name and a globally unique identifier (GUID). You can gather information about an event provider using the ProviderMetadata class. The Events property of that class gets a collection of all the events the provider can publish. These event objects are defined by the EventMetadata class. For more information about accessing event provider data, see How to: Retrieve Information About an Event Provider.

You cannot create an event provider using the classes in the System.Diagnostics.Eventing.Reader namespace. For more information about creating an event provider, see Developing Event Providers.

Tools

To access event log information from the command line, use the WevtUtil.exe tool. This tool is located in the %SystemRoot%\System32 directory. For WevtUtil.exe tool help, use the wevtutil /? command.

To access event log information from a graphical user interface, use the Event Viewer tool. Event Viewer is a Microsoft Management Console (MMC) snap-in that enables a user to browse and manage event logs. It is also useful for testing applications that use Event Log functions. For more information about using or starting Event Viewer, see Event Viewer Overview.

See Also

Reference

System.Diagnostics.Eventing.Reader

Concepts

Event Log Scenarios
Event Queries and Event XML

Send comments about this topic to Microsoft.

Copyright © 2007 by Microsoft Corporation. All rights reserved.