Logging to files or to event viewer?

Question

I was wondering what is the 'correct' way to log information messages; to files, or to a special log in the event viewer?

I like logging to files since I can use rolling flat file listener and see fresh new log from each day, plus in the event viewer I can only see one message at a time - where in a file I can scan through the day much easily. My colleague argues that files just take up space and he likes having his warnings, errors and information messages all in one place. What do you think? Is there a preferred way? If so, why?

Also, are there any concurrency issues in any of the methods? I have read that entlib is thread-safe and generates a Monitor.Enter behind if the listener is not thread safe, but I want to make sure (we're just using Logger.Write). We are using entlib 3.1.

Thank you in advance.

Answer 1

Here's the rule of thumb that I use when logging messages.

EventLog (if you have access of course) - We always log Unhandled Exceptions - In most cases we log Errors or Fatals - In some cases we log Warnings - In some very rare cases we log Information - We will never log useless general messages like: "I'm here, blah, blah, blah"

Log File - General rule, we log everthing but can chose the type of level or filter to use to turn down the volume of messages being logged

The EventLog is always a good option because its bound to WMI. This way products like Open View and alike, can monitor and alert ops if something went haywire. However, keep the messages to a minimum because its slow, its size limited on a per messaeg basis and it, entry limit as you can easily fill up the EventLog quite quickly and you application has to handle the dreaded "EventLog is Full" exception :)

Hope this helps...

Answer 2

There is no 'correct' way. It depends on your requirements.

You 'like' looking at flat files but how many (thousands) of lines can you really read every day?

What you seem to need is a plan (policy) and that ought to involve some tooling. Ask yourself how quickly will you notice an anomaly in the logs? And the absence of something normal?

The eventlog is a bit more work/overhead but it can be easily monitored remotely (multiples servers) by some tool. If you are using (only) manual inspection, don't bother.