

$Revision: 37 $


This class handles playing with NT's Event Logger.

Data Members

ComputerName - Name of the computer where the event log resides.

LogName - Name of the log you're playing with.


BOOL Backup( LPCTSTR name_of_backup_file )
Saves the log to name_of_backup_file.
BOOL Clear( LPCTSTR name_of_backup_file )
Empties the event log and will optionally save it to a backup file specified by name_of_backup_file. If name_of_backup_file is NULL, no backup is made.
BOOL Close( void )
Closes your session with the event log.
BOOL CreateApplicationLog( LPCTSTR application_name, LPCTSTR file_containing_message_table_resource, DWORD supported_types )
This creates a source of strings for the event log. Basically, it registers your executable with the event logger. This allows the event logger to go to your executable's message table resource for strings to display to the user via the Event Viewer.
BOOL CreateCustomLog( LPCTSTR log_name,
                      LPCTSTR log_filename = NULL,
                      DWORD   maximum_file_size = 0x800000,
                      DWORD   overwrite_after_this_many_seconds = 604800 )
This allows you to create your own custom event log file. The maximum_file_size specifies the maximum size of the event log file. The overwrite_after_this_many_seconds lets you specify the age of an entry before it will be overwritten. The defaults for these parameters are an 8MB file size and 7 days before events will be overwritten.
Delete( LPCTSTR log_name )
This will delete an event log. WARNING! This is a very dangerous method. It will delete any and all event logs in the system. Use with caution.
BOOL DeleteApplicationLog( LPCTSTR application_name )
Disconnects the application from the Event Log.
BOOL DeregisterSource( void )
Deregisters the source. It basically releases the source of event strings.
BOOL EnumerateLogs( DWORD& enumerator ) const
Initializes enumerator so you can enumerate through the logs that are installed on the system.
DWORD GetErrorCode( void ) const
Retrieves the error code. Call this function to find out why any other class member returned FALSE.
HANDLE GetHandle( void ) const
Returns the encapsulated event log handle so you can call the Win32 API directly (i.e. you don't have to use this class).
BOOL GetNextLog( DWORD& enumerator, CString& log_name )
Allows you to get the next log while enumerating them. The enumerator must be initialized via the EnumerateLogs() method. Normally, when you enumerate the logs, you will get the default three logs:
  • Application
  • Security
  • System
However, when an application creates a custom log, it will show up in this list.
BOOL GetNumberOfRecords( DWORD& number_of_records )
This function gets the number of records in the log.
DWORD GetOldestRecordNumber( void )
Returns the record number of the oldest record in the log. If it returns zero, the call failed.
BOOL NotifyChange( HANDLE event_handle, HANDLE log_handle = NULL )
Allows you to watch a log and be notified if it changes.
BOOL OpenBackup( LPCTSTR name_of_backup_file, LPCTSTR name_of_computer = NULL )
Opens a log that has been backed up to a file. If name_of_computer is NULL, the local backup is opened.
BOOL Open( LPCTSTR log_name, LPCTSTR name_of_computer = NULL )
Opens a specified log on a specified machine. If name_of_computer is NULL, the local log is opened.
BOOL Read( DWORD  record_number, 
           LPVOID buffer, 
           DWORD& number_of_bytes_to_read, 
BOOL Read( DWORD record_number,
                  CEventLogRecord& record,
Reads a specific record from the log.
BOOL RegisterSource( LPCTSTR source_name, LPCTSTR name_of_computer )
Basically loads the event strings for source_name. If name_of_computer is NULL, the local source is opened.
BOOL Report( EventType event_type,
             WORD      category,
             DWORD     event_id,
             WORD      number_of_strings   = 0,
             LPCTSTR * string_array        = NULL,
             DWORD     number_of_raw_bytes = 0,
             LPVOID    raw_data_buffer     = NULL,
             PSID      user_sid            = NULL )
Makes an entry into the log. The event_type parameter may be one of the following:
  • eventError
  • eventWarning
  • eventInformation
  • eventSuccess
  • eventFailure
BOOL ReportError( LPCTSTR string_to_report )
Makes an entry into the log flagged as an Error message. This is the lazy man's way of writing to the event log. It calls Report() with eventError.
BOOL ReportInformation( LPCTSTR string_to_report )
Makes an entry into the log flagged as an Informational message. This is the lazy man's way of writing to the event log. It calls Report() with eventInformation.


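#include <wfc.h>

void test_CEventLog( void )
{
   WFCTRACEINIT( TEXT( "test_CEventLog()" ) );

   // Event log object for the "Dodah" source
   CEventLog log( TEXT( "Dodah" ) );

   LPCTSTR string_array[ 1 ];

   string_array[ 0 ] = TEXT( "Hello World" );

   // Full form: event type, category, event ID, string count, strings
   log.Report( CEventLog::eventInformation, 0, 0, 1, string_array );

   // Shortcuts that call Report() with eventInformation and eventError
   log.ReportInformation( TEXT( "ReportInformation" ) );
   log.ReportError( TEXT( "ReportError" ) );
}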
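
Read() with an LPVOID buffer hands back raw record bytes, and those bytes may come from a remote computer or a backup file, so the length and offset fields should be validated before they are used. The following is an added example, not part of WFC or the original page: a portable C++ parser that assumes the buffer holds one Win32 EVENTLOGRECORD (the page does not state the layout). ParsedRecord, parse_record and make_sample are hypothetical names.

```cpp
// Added example: bounds-checked parse of one EVENTLOGRECORD from raw bytes.
// Assumption: Read()'s LPVOID buffer uses this Win32 layout (not stated on the page).
#include <cstddef>
#include <cstdint>
#include <vector>

struct ParsedRecord {                       // hypothetical name, not a WFC type
    uint32_t record_number, event_id;
    uint16_t event_type, num_strings;
    std::vector<uint8_t> raw_data;          // copy of the record's binary data
};
constexpr uint32_t kHeader = 56;            // size of the fixed EVENTLOGRECORD part
constexpr uint32_t kSignature = 0x654c664c; // ELF_LOG_SIGNATURE ("LfLe")
static uint32_t le32(const uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | (uint32_t(p[3]) << 24);
}
static uint16_t le16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
// True when [off, off+len) sits between the header and the trailing Length field.
static bool in_body(uint32_t off, uint32_t len, uint32_t total) {
    return len == 0 || (off >= kHeader && off <= total - 4 && len <= total - 4 - off);
}

bool parse_record(const uint8_t* buf, size_t avail, ParsedRecord& out) {
    if (buf == nullptr || avail < kHeader + 4) return false;
    const uint32_t total = le32(buf);                       // Length
    if (total < kHeader + 4 || total > avail) return false; // truncated or lying
    if (le32(buf + 4) != kSignature) return false;          // Reserved
    if (le32(buf + total - 4) != total) return false;       // trailing Length copy
    const uint32_t dat_len = le32(buf + 48), dat_off = le32(buf + 52);
    if (!in_body(le32(buf + 44), le32(buf + 40), total)) return false;  // UserSid
    if (!in_body(dat_off, dat_len, total)) return false;                // Data
    const uint16_t nstr = le16(buf + 26);                               // NumStrings
    if (nstr != 0 && !in_body(le32(buf + 36), 1, total)) return false;  // StringOffset
    out = ParsedRecord{le32(buf + 8), le32(buf + 20), le16(buf + 24), nstr,
                       std::vector<uint8_t>(buf + dat_off, buf + dat_off + dat_len)};
    return true;
}

// Constructed sample: record 7, event ID 1000, informational, 4 data bytes, no SID.
std::vector<uint8_t> make_sample() {
    std::vector<uint8_t> b(72, 0);
    auto put32 = [&b](size_t o, uint32_t v) {
        for (int i = 0; i < 4; ++i) b[o + i] = uint8_t(v >> (8 * i));
    };
    put32(0, 72); put32(4, kSignature); put32(8, 7); put32(20, 1000);
    b[24] = 4; b[56] = 'S'; b[60] = 'H';    // EventType, 1-char source and computer names
    put32(48, 4); put32(52, 64); put32(68, 72); // DataLength, DataOffset, trailing Length
    b[64] = 0xde; b[65] = 0xad; b[66] = 0xbe; b[67] = 0xef;
    return b;
}
```

A record whose Length, signature or offsets fail these checks is rejected before any copy is made from it.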

API's Used

Copyright, 2000, Samuel R. Blackburn
$Workfile: cevntlog.cpp $
$Modtime: 1/17/00 9:00a $