EventLog & EventLogEntries


Bill Smith

I've been using System.Diagnostic.EventLog & EventLogEntries for over a year
and I still do not understand some aspects of how they are supposed to work.
Here is one particular issue I have never made sense of:

The EventLogEntries is the framework's only mechanism to fetch event logs.
This can be done by fetching by index within this special collection class.
This all seems simple and straightforward with one exception: the bounds and
contents of this collection appear to change dynamically during the lifetime
of this object. For example, I can fetch the Security log for a remote
target and see in the EventLogEntries object that this log has 1000 entries
that begin with record # 653617 and end with record # 653716. But while
iterating the collection, I can find that suddenly the object has 980
entries and all entries have moved underneath me (e.g. record # 653716 was
at index 999 and is now at index 979).

I realize the underlying cause is that the event logs on the remote target
are being pruned based on their configuration (e.g. based on the maximum log
size). However, it is undecipherable to me how anyone could be expected to
work with a collection of entries whose contract with the caller appears to be
that its size and contents can change at any time, for any reason and
without any event notification.

If someone can help me make sense of this, it would be appreciated.
 
Bill said:
I realize the underlying cause is that the event logs on the remote
target are being pruned based on their configuration (e.g. based on
the maximum log size). However, it is undecipherable to me how
anyone could be expected to work with a collection of entries whose
contract with the caller appears to be that its size and contents can
change at any time, for any reason and without any event notification.

If someone can help me make sense of this, it would be appreciated.

Yes, you are right and it comes from the underlying native Event Log API. To
read from the event log with Win32 you have to call ReadEventLog and pass a
buffer big enough to read all of the messages that you want to read, and
then you have to extract each record individually from your buffer. The
problem is that each message is a different size, so you do not know how big
to make the buffer to read messages individually, and there is no API to
determine the size of the event log so that you can read all messages in one
go. (But there is an API to get the total number of messages in the event
log, which isn't much use). In Win32 you can read the MaxSize value in the
registry for the specific event log (e.g.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application).

Since event logs can get large (on my XP machine Application is 512Kb) it
might be a pain to read all of the event log in one go. Another option is to
use BackupEventLog to copy it to a temporary file and then use
OpenBackupEventLog to read it in chunks with ReadEventLog.

Given the previous information you could write your own version of
EventLogEntryCollection on the static collection of messages.

Richard
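The following is an added example, not code from either poster. It shows one way to build the "static collection of messages" Richard suggests on top of the .NET EventLogEntryCollection: entries are located by their record number (EventLogEntry.Index, the "record #" Bill quotes) rather than by collection position, so when the live log is pruned underneath the reader the shift is detected and the read resynchronises instead of silently skipping or duplicating records. The class name, the retry limit of five passes, the assumption that record numbers within one log are contiguous, and the set of exceptions caught when an entry vanishes (ArgumentException, InvalidOperationException, Win32Exception) are all assumptions made for this example; the host name is a placeholder supplied on the command line.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;

// Added example: copies the live EventLogEntryCollection into a stable,
// in-memory list so later processing is unaffected by pruning of the log.
public sealed class EventLogSnapshot
{
    public sealed class Record
    {
        public int RecordNumber;        // EventLogEntry.Index, stable across pruning
        public DateTime TimeGenerated;
        public string Source;
        public long InstanceId;
        public string Message;
    }

    // Returns every entry with a record number greater than 'lastSeenRecord'.
    // 'missedRecords' reports how many records were pruned before they could
    // be read (a gap in a security audit trail is worth alerting on).
    public static List<Record> Take(EventLog log, int lastSeenRecord, out int missedRecords)
    {
        var result = new List<Record>();
        missedRecords = 0;
        EventLogEntryCollection entries = log.Entries;

        for (int pass = 0; pass < 5; pass++)   // assumption: a few resyncs suffice
        {
            try
            {
                int count = entries.Count;
                if (count == 0) return result;

                int firstRecord = entries[0].Index;
                int lastRecord = entries[count - 1].Index;

                // Assumption: record numbers are contiguous within one log, so the
                // position of a record is its distance from the oldest record kept.
                int startRecord = Math.Max(firstRecord, lastSeenRecord + 1);
                if (lastSeenRecord > 0 && startRecord > lastSeenRecord + 1)
                    missedRecords += startRecord - (lastSeenRecord + 1);

                for (int rec = startRecord; rec <= lastRecord; rec++)
                {
                    int pos = rec - firstRecord;
                    if (pos >= entries.Count)
                        throw new InvalidOperationException("collection shrank while reading");

                    EventLogEntry e = entries[pos];
                    if (e.Index != rec)
                        throw new InvalidOperationException("collection shifted while reading");

                    result.Add(new Record
                    {
                        RecordNumber = e.Index,
                        TimeGenerated = e.TimeGenerated,
                        Source = e.Source,
                        InstanceId = e.InstanceId,
                        Message = e.Message
                    });
                    lastSeenRecord = rec;   // progress survives a resync, so no duplicates
                }
                return result;
            }
            catch (Exception ex) when (ex is ArgumentException
                                    || ex is InvalidOperationException
                                    || ex is Win32Exception)
            {
                // The log was pruned mid-read: keep what we have and re-read the
                // collection bounds from the current first record on the next pass.
                entries = log.Entries;
            }
        }
        return result;
    }

    public static void Main(string[] args)
    {
        // Placeholder host: "." is the local machine; pass a host name to read a
        // remote Security log (requires read access to that log on the target).
        string host = args.Length > 0 ? args[0] : ".";
        using (var log = new EventLog("Security", host))
        {
            int lastSeen = 0;   // persist this between runs to tail the log incrementally
            int missed;
            List<Record> batch = Take(log, lastSeen, out missed);

            Console.WriteLine("Snapshot holds {0} records; {1} pruned before read.",
                              batch.Count, missed);
            foreach (Record r in batch)
                Console.WriteLine("#{0} {1:u} {2} {3}", r.RecordNumber,
                                  r.TimeGenerated, r.Source, r.InstanceId);
        }
    }
}
```

Persisting the highest RecordNumber seen and passing it back as lastSeenRecord on the next run turns the snapshot into an incremental reader; a non-zero missedRecords means the log wrapped faster than it was collected, which on a Security log is a collection-rate problem worth raising rather than quietly absorbing.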