I'm working on a project that needs to check the Windows Event Log frequently for certain events. I'm wondering - is there a way to create a subscription to the Windows Event Log for certain events?
So, when the event happens (e.g. event id = 00001), I can get a notification in the code?
If this cannot be done, then I will have to keep searching the event log, which is not efficient.
To subscribe to events, call the EvtSubscribe function. You can subscribe to events from one or more Admin or Operational channels. The channel can exist on the local computer or a remote computer. To specify the events that you want to subscribe to, you can use an XPath query or a structure XML query.
The Windows Event Collector service is responsible for managing continuous event subscriptions sourced from remote locations that support the Web Services-Management protocol. This includes event sources using the Intelligent Platform Management Interface (IPMI), hardware, and event logs.
As you're using C#, I think you should use Windows API to subscribe to certain Windows events. You can do it by using either EventLogWatcher or EventLog class. You can find an example of creating a Windows Event Log subscription using EventLog on MSDN.
If you prefer EventLogWatcher, refer to its limited documentation. And here is my example:
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

public static void subscribe()
{
    EventLogWatcher watcher = null;
    try
    {
        // Subscribe to successful logon events (EventID 4624) in the Security channel.
        EventLogQuery subscriptionQuery = new EventLogQuery(
            "Security", PathType.LogName, "*[System/EventID=4624]");
        watcher = new EventLogWatcher(subscriptionQuery);
        // Make the watcher listen to the EventRecordWritten
        // events. When this event happens, the callback method
        // (EventLogEventRead) is called.
        watcher.EventRecordWritten +=
            new EventHandler<EventRecordWrittenEventArgs>(
                EventLogEventRead);
        // Activate the subscription
        watcher.Enabled = true;
        for (int i = 0; i < 5; i++)
        {
            // Wait for events to occur.
            System.Threading.Thread.Sleep(10000);
        }
    }
    catch (EventLogReadingException e)
    {
        Log("Error reading the log: {0}", e.Message);
    }
    finally
    {
        // Stop listening to events (the null check must come first:
        // the constructor may have thrown before watcher was assigned).
        if (watcher != null)
        {
            watcher.Enabled = false;
            watcher.Dispose();
        }
    }
}

// Callback method that gets executed when an event is
// reported to the subscription.
public static void EventLogEventRead(object obj,
    EventRecordWrittenEventArgs arg)
{
    // Make sure there was no error reading the event.
    if (arg.EventRecord != null)
    {
        //////
        // This section creates a list of XPath reference strings to select
        // the properties that we want to display.
        // In this example, we extract TimeCreated, Computer, TargetUserName
        // and TargetDomainName.
        //////
        // Array of strings containing XPath references (one slot per reference;
        // a null entry would make the selector throw)
        String[] xPathRefs = new String[4];
        xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
        xPathRefs[1] = "Event/System/Computer";
        xPathRefs[2] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
        xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
        // Place those strings in an IEnumerable object
        IEnumerable<String> xPathEnum = xPathRefs;
        // Create the property selection context using the XPath references
        EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
        IList<object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
        Log("Time: {0}", logEventProps[0]);
        Log("Computer: {0}", logEventProps[1]);
        Log("TargetUserName: {0}", logEventProps[2]);
        Log("TargetDomainName: {0}", logEventProps[3]);
        Log("---------------------------------------");
        Log("Description: {0}", arg.EventRecord.FormatDescription());
    }
    else
    {
        Log("The event instance was null.");
    }
}

// Minimal logging helper used above; writes a formatted line to the console.
public static void Log(string format, params object[] args)
{
    Console.WriteLine(format, args);
}
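As an added example (not part of either answer above), the following program combines the two points made on this page: the structured XML query form mentioned in the first answer, and EventLogWatcher from the second. It uses the real System.Diagnostics.Eventing.Reader API throughout; the class name LogonMonitor, the query text and the console output format are my own choices. It goes slightly beyond the answer's code by subscribing to both successful (4624) and failed (4625) logons in one subscription, by keeping the subscription alive until Ctrl+C rather than sleeping for a fixed time, and by checking EventException in the callback, which is how a dropped subscription surfaces. Reading the Security channel requires running as an administrator or as a member of the Event Log Readers group.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Threading;

// Added example: subscribe to logon success/failure events in the Security
// channel and print a one-line summary per event until Ctrl+C is pressed.
public static class LogonMonitor
{
    // Structured XML query (the same form Event Viewer custom views use).
    // One subscription covers both 4624 (successful logon) and 4625 (failed logon).
    private const string LogonQueryXml =
        "<QueryList>" +
        "  <Query Id=\"0\" Path=\"Security\">" +
        "    <Select Path=\"Security\">*[System[(EventID=4624 or EventID=4625)]]</Select>" +
        "  </Query>" +
        "</QueryList>";

    // Signalled from the Ctrl+C handler so Main can shut the watcher down cleanly.
    private static readonly ManualResetEvent Stop = new ManualResetEvent(false);

    public static void Main()
    {
        Console.CancelKeyPress += (sender, e) => { e.Cancel = true; Stop.Set(); };

        EventLogQuery query = new EventLogQuery("Security", PathType.LogName, LogonQueryXml);

        // bookmark = null, readExistingEvents = false: deliver only events written
        // after the subscription is activated, not the channel's backlog.
        using (EventLogWatcher watcher = new EventLogWatcher(query, null, false))
        {
            watcher.EventRecordWritten += OnEventWritten;
            watcher.Enabled = true;
            Console.WriteLine("Subscribed to Security 4624/4625; press Ctrl+C to stop.");
            Stop.WaitOne();
            watcher.Enabled = false;
        }
    }

    private static void OnEventWritten(object sender, EventRecordWrittenEventArgs e)
    {
        // EventException is set when the record could not be delivered
        // (for example the subscription was dropped); EventRecord is null then.
        if (e.EventException != null)
        {
            Console.WriteLine("Subscription error: {0}", e.EventException.Message);
            return;
        }

        // EventRecord is disposable; release it once the fields are extracted.
        using (EventRecord record = e.EventRecord)
        {
            // TargetUserName, IpAddress and LogonType are EventData fields
            // present in both 4624 and 4625.
            var selector = new EventLogPropertySelector(new[]
            {
                "Event/System/TimeCreated/@SystemTime",
                "Event/EventData/Data[@Name=\"TargetUserName\"]",
                "Event/EventData/Data[@Name=\"IpAddress\"]",
                "Event/EventData/Data[@Name=\"LogonType\"]",
            });
            var props = ((EventLogRecord)record).GetPropertyValues(selector);

            string outcome = record.Id == 4624 ? "SUCCESS" : "FAILURE";
            Console.WriteLine("{0} {1} user={2} ip={3} logonType={4}",
                props[0], outcome, props[1], props[2], props[3]);
        }
    }
}
```

Compile this as a console application and run it from an elevated prompt; each new logon attempt prints one line. Because the callback runs on a thread-pool thread, anything heavier than console output (for example forwarding to a SIEM) should be queued rather than done inline, otherwise a burst of events will back up the subscription.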