
A realtime event log monitoring tool

27 Aug 2003, CPOL
Demonstrates how to do realtime event log monitoring.

Introduction

I'm an instant gratification kind of person. I like to see who and from where my machine is being accessed, as it occurs. This tool allows you to do just that and provides a number of other event log monitoring capabilities.

Background

While testing a piece of software that provides Windows event logging, our QA team asked whether there was a way to monitor events as they are written to the Windows event log, hence the creation of this little utility. The notifications that the tool displays are shown using the most-excellent NotifyIconEx class by Joel Matthias.

Capturing Events

The EventLog class exposes an event called EntryWritten, whose handler receives an argument of type EntryWrittenEventArgs. To capture entries as they are written, set the EnableRaisingEvents property to true and attach the method that will handle the event.

using System.Diagnostics;   // EventLog, EntryWrittenEventArgs

private void StartWatch()
{
  // watchLog is the form field holding the name of the log chosen by the user
  EventLog myLog = new EventLog(watchLog);

  // set event handler and start raising EntryWritten
  myLog.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);
  myLog.EnableRaisingEvents = true;
}

Displaying Events

When events that match the specified criteria occur, a balloon notification is displayed with the details of the last event that was written. (To capture and display Security log events, you must have auditing turned on.)

private void OnEntryWritten(object source, EntryWrittenEventArgs e)
{
  string logName = watchLog;
  GetLogEntryStats(logName);   // fills the log* fields from the newest entry (also available as e.Entry)

  // eventFilter is empty (show everything) or an entry type name such as "Error"
  if (logType == eventFilter || eventFilter.Length == 0)
  {
    // show balloon
    NotifyIcon.ShowBalloon("Event Log Monitor",
      "An event was written to the "+logName+" event log."+
      "\nType: "+logType+
      "\nSource: "+logSource+
      "\nCategory: "+logCategory+
      "\nEventID: "+eventID+
      "\nUser: "+user,
      NotifyIconEx.NotifyInfoFlags.Info,
      5000);

    LogNotification();
  }
}

private void GetLogEntryStats(string logName)
{
  EventLog log = new EventLog(logName);
  int e = log.Entries.Count - 1; // index of the last (newest) entry

  logMessage = log.Entries[e].Message;
  logMachine = log.Entries[e].MachineName;
  logSource = log.Entries[e].Source;
  logCategory = log.Entries[e].Category;
  logType = Convert.ToString(log.Entries[e].EntryType);
  eventID = log.Entries[e].EventID.ToString();
  user = log.Entries[e].UserName;
  logTime = log.Entries[e].TimeGenerated.ToShortTimeString();
  log.Close();  // close log
}

The GetEventLogs() method provides an overload for retrieving the logs from a remote machine. It is reasonable to assume that event monitoring should work the same on a remote machine as it does on the local computer, given the appropriate permissions. As time permits, I'll be expanding the filtering capabilities of the tool and providing the ability to monitor multiple machines.
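As an added example (not the article's code), the watcher below extends the same EntryWritten approach to several logs at once and filters on EventLogEntryType; it reports every entry written since the previous callback rather than only the last one, because the EntryWritten notification is coalesced to at most one per five seconds and, per the EventLog documentation, is raised only for entries written on the local computer. The log names and the filter types are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
// Added example, not the article's code: watch several local logs, filter on entry type,
// and report every entry written since the previous callback instead of only the newest.
class MultiLogWatcher
{
    private readonly List<EventLog> logs = new List<EventLog>();
    private readonly Dictionary<string, int> seen = new Dictionary<string, int>();
    private readonly HashSet<EventLogEntryType> wanted;
    public MultiLogWatcher(string[] logNames, params EventLogEntryType[] types)
    {
        wanted = new HashSet<EventLogEntryType>(types);
        foreach (string name in logNames)
        {
            if (!EventLog.Exists(name)) continue;
            var log = new EventLog(name);     // Security needs admin rights and auditing enabled
            seen[name] = log.Entries.Count;   // cursor: index of the first entry not yet reported
            log.EntryWritten += OnEntryWritten;
            log.EnableRaisingEvents = true;   // raised only for entries written on this machine
            logs.Add(log);
        }
    }
    private void OnEntryWritten(object sender, EntryWrittenEventArgs e)
    {
        var log = (EventLog)sender;
        lock (seen)   // callbacks for different logs can arrive on different pool threads
        {
            int count = log.Entries.Count;
            // Notifications are coalesced (at most one per ~5 s), so walk every entry since the
            // last callback, not just the newest; a cursor past Count means the log was cleared.
            int start = seen[log.Log] <= count ? seen[log.Log] : 0;
            for (int i = start; i < count; i++)
            {
                EventLogEntry entry = log.Entries[i];
                if (wanted.Count == 0 || wanted.Contains(entry.EntryType))
                    Console.WriteLine("{0:u} [{1}] {2} src={3} id={4} user={5}: {6}", entry.TimeGenerated,
                        log.Log, entry.EntryType, entry.Source, entry.InstanceId, entry.UserName, entry.Message);
            }
            seen[log.Log] = count;
        }
    }
    public void Stop() { foreach (EventLog log in logs) log.Dispose(); }
    static void Main()
    {
        // Assumed setup: surface audit failures and errors from the three standard logs.
        var watcher = new MultiLogWatcher(new[] { "Application", "System", "Security" },
                                          EventLogEntryType.FailureAudit, EventLogEntryType.Error);
        Console.ReadLine(); watcher.Stop();   // run until Enter is pressed
    }
}
```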

Compatibility Issues

The code has only been tested on Windows XP SP1 but should run on Windows 2000. However, while the NotifyIconEx class exposes a BalloonClick event, that event is not supported on Windows 2000. The tool will not work on Win9x or NT4, as they cannot display balloon notifications.

History

  • Version 1.0 - 08.22.2003

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).


About the Author

Marc Merritt
Product Manager, United States
I work for one of the world's best companies as a technical architecture delivery manager.

