A realtime event log monitoring tool

• Download demo project - 82 Kb
• Download source - 107 Kb

Introduction

I'm an instant gratification kind of person. I like to see who and from where my machine is being accessed, as it occurs. This tool allows you to do just that and provides a number of other event log monitoring capabilities.

Background

While testing a piece of software that provides Windows event logging, our QA team questioned if there was a way to monitor events as they are written to the Windows event log, hence the creation of this little utility. The notifications that the tool displays are done so using the most-excellent NotifyIconEx class by Joel Matthias.

Capturing Events

The EventLog class contains an event handler called EntryWritten. This handler expects an argument of type EntryWrittenEventArgs. To capture events as they happen, we simply set the EnableRaisingEvents property to true and declare the method name that will handle the event.

private void StartWatch()
{      
  EventLog myLog = new EventLog(watchLog);
        
  // set event handler
  myLog.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);
  myLog.EnableRaisingEvents = true;
}

Displaying Events

When events that match the specified criteria occur, a balloon notification is displayed with the details of the last event that was written. (To capture and display Security log events, you must have auditing turned on.)

private void OnEntryWritten(object source, EntryWrittenEventArgs e)
{
  string logName = watchLog;
  GetLogEntryStats(watchLog);
  
  if (logType == eventFilter || eventFilter.Length == 0)
  {
    // show balloon
    NotifyIcon.ShowBalloon("Event Log Monitor",
      "An event was written to the "+logName+" event log."+
      "\nType: "+LogType+
      "\nSource: "+LogSource+
      "\nCategory: "+LogCategory+
      "\nEventID: "+EventID+
      "\nUser: "+User,
      NotifyIconEx.NotifyInfoFlags.Info,
      5000);
        
    LogNotification();
  }
}
    
private void GetLogEntryStats(string logName)
{
  int e = 0;
  
  EventLog log = new EventLog(logName);
  e = log.Entries.Count - 1; // last entry

  logMessage = log.Entries[e].Message;
  logMachine = log.Entries[e].MachineName;
  logSource = log.Entries[e].Source;
  logCategory = log.Entries[e].Category;
  logType = Convert.ToString(log.Entries[e].EntryType);
  eventID = log.Entries[e].EventID.ToString();
  user = log.Entries[e].UserName;
  logTime = log.Entries[e].TimeGenerated.ToShortTimeString();
  log.Close();  // close log
}

The GetEventLogs() method provides an overload for retrieving the logs from a remote machine. It is feasible to assume that event monitoring should work the same on a remote machine as it does on the local computer, given the appropriate permissions. As time permits, I'll be expanding the filtering capabilities of the tool and provide the ability to monitor multiple machines.

Compatibility Issues

The code has only been tested on Windows XP SP1 but should run on Windows 2000. However, while the NotifyIconEx class contains an event handler called BalloonClick, this isn't supported on Windows 2000. Will not work on Win9x or NT4 as they are incapable of displaying balloon notifications.

History