How Do I Read Event Log Entries

Question

0.00/5 (No votes)

See more:

I have a server client program in c# and i need to access the event logs of the client for control. I will search for a specific id, 1149 and report every instance to server side. Also, on a different note, i will need overload this function to pull up the last shutdown and bootup events so if you know their proper id's I would appreciate it. Here is my code.

C#

private string Eventlog()
    {
        string query = "*[System/EventID=1149]";
        string x = "";
        EventLogQuery eventquery = new EventLogQuery("Application", PathType.LogName, query);
        try
        {
            EventLogReader logReader = new EventLogReader(eventquery);
            for(EventRecord eventDetail = logReader.ReadEvent();eventDetail!=null;eventDetail=logReader.ReadEvent())
            {
                x += eventDetail.TimeCreated.ToString();
            }
        }
        catch(EventLogNotFoundException e)
        {
            RichTextBoxConsole.AppendText("Error while reading event logs" + ServerURI + Environment.NewLine);
        }
        return x;
    }

The problem is that the for loop does not execute, because the eventDetail is null in the for loop. Can anybody assist? The code executes at client side btw.

Posted 3-Feb-16 4:21am

EvsizTospaa

Add a Solution

Comments

Richard MacCutchan 3-Feb-16 11:06am

Check that the format of your query string is correct, it looks different in https://msdn.microsoft.com/en-us/library/windows/desktop/aa385650(v=vs.85).aspx.

EvsizTospaa 3-Feb-16 11:34am

I tried it but to no avail. My guess is string query = "Event/System[EventID=1149]";
has the wrong format, and I couldnt find the right one.

Richard MacCutchan 3-Feb-16 11:53am

That looks the same as the MSDN sample, which is where I Looked. Unfortunately this is one of those areas where Microsoft's documentation is not very clear. All you can do is use the event viewer to select some known data, and try a few experiments until you get some data returned.

EvsizTospaa 4-Feb-16 2:47am

Yeah, guess i will do that, thanks man :)

Dave Kreskowiak 3-Feb-16 11:14am

You can get the Startup and Shutdown IDs yourself. All you have to do is look at your own Application and System event logs on your own machine.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)