This post is extension is my last post on Event Viewer. Please the find the link below.
Working with EventViewer using C#
We’ll be talking about the reading event logs. In my last post I discussed about reading the event logs. But that is very slow because that loads all the event entries in memory and then iterate one by one. Say if we have around one five thousand entries in the log then it will load all the entries in memory and then allows to iterate one by one. It makes the reading of logs very slow. Also at certain point of point we might require to read the event logs on some specific criteria or want to read some specific logs then also we need to load all the events and iterate and find the required entry.
What if we want to read specific event logs with specific type or with specific specific level etc. .NET3.5 introduces new classes that are every helpful for querying the vent logs based on some criteria and it is very performance oriented.
To start with, lets start with from the base so that you get a very good Idea. An event entry in event viewer is also available in XML format and it is as
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="MySource" /> <EventID Qualifiers="0″>1004</EventID> <Level>2</Level> <Task>0</Task> <Keywords>0×80000000000000</Keywords> <TimeCreated SystemTime="2013-08-15T16:21:21.000000000Z" /> <EventRecordID>7</EventRecordID> <Channel>MyNewLog</Channel> <Computer>Brij-HP</Computer> <Security /> </System> <EventData> <Data>An error has been generated by the application.</Data> </EventData> </Event>
If we see above then we can find it contains all the details of an event entry. As all these data is available in XML tags we can write the queries based on it.
So let’s first the Classes that we’ll use to query the event logs.
- EventLogQuery – It represents the query that will be used fetch the events and other related information.
- EventLogReader – Takes EventLogQuery object as parameter and allows us to read the events based on the query.
- EventRecord – EventLogReader returns the object of EventRecord which contains the basic details of the event entry.
- EventLogRecord – This class implements EventRecord and provides additional details of the event like container etc.
All the above classes were introduced with .NET 3.5 and provides super fast reading of the class. Lets jump to the code
string query = "*[System/EventID=903]";
EventLogQuery eventsQuery = new EventLogQuery("Application", PathType.LogName, query);
try
{
EventLogReader logReader = new EventLogReader(eventsQuery);
for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
{
// Read Event details
}
}
catch (EventLogNotFoundException e)
{
Console.WriteLine("Error while reading the event logs");
return;
}
First string variable query contains the query for fetching the events. Here we have defined the query to fetch the event with EventID = 903. If we see the XML for the event that I put initially then we find that EventID comes under System so defined the query as
string query = "*[System/EventID=903]";
After that created the instance of EventLogQuery which takes parameter of .. and query. Then created EventLogReader instance which takes parameter of type EventLogQuery. EventLogReader enables us to read the events. ReadEvent() method reads the next event of the reader and if there is no next event then it returns null. We used the same logic in above code. event detail contains the details of the event.
So we can read the events based on the query provided. I’ll here show you some sample queries and the details that can be used.
1 ) Reading all the event entries which is critical ( for critical level is 1)
string query = "*[System/Level=1]";
2) Reading all the event with EventRecordID as 7.
string query = "*[System/EventRecordID=7]";
3) Reading an element based on some element’s attribute value. Reading all event entries which provider name is “MySource”.
string query = "*[System/Provider/@Name=\"MySource\"]";
Similarly, we can write a query for any element under System element as above. We can also write a query for some combinations using and/or as.
4) Reading all the event entries which is critical and ( for critical level is 1 and error it is 2)
string query = "*[System/Level=1 or System/Level=2]";
Even we can provide the search criteria to our users and can create the query on the fly as well.
Hope you have enjoyed the post
Image may be NSFW.
Clik here to view.
Image may be NSFW.Clik here to view.
