Posted 27 Aug 2003



A realtime event log monitoring tool

Demonstrates how to do realtime event log monitoring



I'm an instant gratification kind of person. I like to see who is accessing my machine, and from where, as it occurs. This tool allows you to do just that and provides a number of other event log monitoring capabilities.


While testing a piece of software that provides Windows event logging, our QA team asked whether there was a way to monitor events as they are written to the Windows event log, hence the creation of this little utility. The tool displays its notifications using the most-excellent NotifyIconEx class by Joel Matthias.

Capturing Events

The EventLog class exposes an event called EntryWritten. Its handler receives an argument of type EntryWrittenEventArgs. To capture events as they happen, we simply set the EnableRaisingEvents property to true and register the method that will handle the event.

// requires: using System.Diagnostics;
private void StartWatch()
{
  // watchLog holds the name of the log to monitor
  EventLog myLog = new EventLog(watchLog);
  // set event handler
  myLog.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);
  // start raising EntryWritten for new entries
  myLog.EnableRaisingEvents = true;
}

Displaying Events

When events that match the specified criteria occur, a balloon notification is displayed with the details of the last event that was written. (To capture and display Security log events, you must have auditing turned on.)

private void OnEntryWritten(object source, EntryWrittenEventArgs e)
{
  string logName = watchLog;
  // notify only when the entry type matches the filter, or when no filter is set
  if (logType == eventFilter || eventFilter.Length == 0)
  {
    // show balloon
    NotifyIcon.ShowBalloon("Event Log Monitor",
      "An event was written to the "+logName+" event log."+
      "\nType: "+LogType+
      "\nSource: "+LogSource+
      "\nCategory: "+LogCategory+
      "\nEventID: "+EventID+
      "\nUser: "+User
      /* further arguments not shown */);
  }
}

private void GetLogEntryStats(string logName)
{
  EventLog log = new EventLog(logName);
  // read the last entry once so that every field comes from the same record
  EventLogEntry entry = log.Entries[log.Entries.Count - 1];

  logMessage = entry.Message;
  logMachine = entry.MachineName;
  logSource = entry.Source;
  logCategory = entry.Category;
  logType = Convert.ToString(entry.EntryType);
  eventID = entry.EventID.ToString();
  user = entry.UserName;
  logTime = entry.TimeGenerated.ToShortTimeString();
  log.Close();  // close log
}
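
An added example, not the article's own code: a console watcher that formats the entry delivered in EntryWrittenEventArgs.Entry instead of re-reading the last entry of the log, so the record shown is the one that raised the event. The LogWatch class, its command-line arguments and the output format are assumptions made for this illustration.

```csharp
using System;
using System.Diagnostics;
using System.Threading;

// Added example: console watcher that reads the entry delivered with the event.
static class LogWatch
{
    // Hypothetical filter: an EntryType name such as "FailureAudit"; empty matches everything.
    static string eventFilter = "";

    static bool Matches(EventLogEntry entry)
    {
        return eventFilter.Length == 0 ||
               string.Equals(entry.EntryType.ToString(), eventFilter,
                             StringComparison.OrdinalIgnoreCase);
    }

    static void OnEntryWritten(object source, EntryWrittenEventArgs e)
    {
        // e.Entry is the record that raised this notification. Re-reading
        // Entries[Count - 1] can return a later record if more were written.
        EventLogEntry entry = e.Entry;
        if (entry == null || !Matches(entry)) return;

        Console.WriteLine("{0:u} {1} type={2} source={3} id={4} user={5}",
            entry.TimeGenerated.ToUniversalTime(), ((EventLog)source).Log,
            entry.EntryType, entry.Source, entry.InstanceId,
            entry.UserName ?? "(none)");
    }

    static void Main(string[] args)
    {
        // Assumed usage: LogWatch.exe [logName] [entryType]
        string watchLog = args.Length > 0 ? args[0] : "Application";
        if (args.Length > 1) eventFilter = args[1];

        using (EventLog log = new EventLog(watchLog))
        {
            log.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);
            log.EnableRaisingEvents = true;   // handler runs on a thread-pool thread
            Console.WriteLine("Watching {0}; press Ctrl+C to stop.", watchLog);
            Thread.Sleep(Timeout.Infinite);
        }
    }
}
```

Watching the Security log this way requires auditing to be enabled and an account that is allowed to read that log.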

The EventLog.GetEventLogs() method provides an overload for retrieving the logs from a remote machine. It is reasonable to assume that event monitoring should work the same on a remote machine as it does on the local computer, given the appropriate permissions. As time permits, I'll be expanding the filtering capabilities of the tool and providing the ability to monitor multiple machines.

Compatibility Issues

The code has only been tested on Windows XP SP1 but should run on Windows 2000. However, while the NotifyIconEx class contains an event handler called BalloonClick, this isn't supported on Windows 2000. The tool will not work on Win9x or NT4, as they are incapable of displaying balloon notifications.


  • Version 1.0 - 08.22.2003

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).


About the Author

Christian Merritt
Chief Technology Officer
Australia
Living abroad and loving life.
