When to log into the Windows event log?

So far all my applications have been logging to files only. It works fine for me and I never had any problem with it.

A friend of mine suggested I could also use the Windows Event log but I am not sure about that. I always had the idea the Event Log is only for some very important messages and I should not write into it if it can be avoided.

When can I / should I write into the Windows Event Log?

TalkingCode asked Apr 09 '12 15:04


2 Answers

In my opinion, the decision as to whether or not to log to the Windows event log depends on your application and the people running your software.

There is definitely no downside to logging to the event log, and anybody employing a log monitoring solution will appreciate your efforts.

Generally speaking, you should definitely avoid logging "debug"-type messages to the event log, or anything that produces a large quantity of messages in a short amount of time. But any information that is useful to the person administering your software could (and should) be logged to the event log.

STATUS_ACCESS_DENI also mentioned localization, an important advantage over traditional logging.

You would log things like:

  • Errors and Warnings that require intervention
  • Significant status reports (software started, stopped, updated itself, etc.)

You may want to take a look at this blog article that outlines how to create your own message DLL, the preferred way when logging to the Windows event log:

http://www.eventlogblog.com/blog/2010/11/creating-your-very-own-event-m.html

One thing to probably keep in mind is to design your logging so that it doesn't pollute the event log with duplicate events in a short period of time. Microsoft SQL Server, for example, will literally log thousands of identical events within seconds under certain circumstances. This can be frustrating for a sysadmin. Most log monitoring solutions can account for that, but it's still annoying.

Bottom line: Yes, you should consider logging to the event log.

Lucky Luke answered Sep 18 '22 12:09
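The duplicate-suppression advice in the answer above, as an added example that is not part of the original answer: a `logging.Filter` that lets the first copy of an event through and reports the repeat count when the window expires. `DuplicateSuppressor`, `ListHandler` and `demo` are hypothetical names; `ListHandler` stands in for the standard library's `logging.handlers.NTEventLogHandler` (which needs pywin32) so the sketch runs on any OS.

```python
import logging
import time

class DuplicateSuppressor(logging.Filter):
    """Emit the first copy of a message, then count repeats for `window` seconds."""
    def __init__(self, window=60, clock=time.monotonic, max_keys=1000):
        super().__init__()
        self.window, self.clock, self.max_keys = window, clock, max_keys
        self.seen = {}  # (level, message) -> [window_start, suppressed_count]

    def filter(self, record):
        key = (record.levelno, record.getMessage())
        now = self.clock()
        entry = self.seen.get(key)
        if entry is not None and now - entry[0] < self.window:
            entry[1] += 1          # duplicate inside the window: swallow it
            return False
        if entry and entry[1]:     # new window: report what the last one swallowed
            record.msg = "%s (repeated %d more times in the previous %ds)" % (
                key[1], entry[1], self.window)
            record.args = ()
        if len(self.seen) > self.max_keys:  # bound memory: drop expired keys
            self.seen = {k: v for k, v in self.seen.items()
                         if now - v[0] < self.window}
        self.seen[key] = [now, 0]
        return True

class ListHandler(logging.Handler):
    """Stand-in sink (assumption); swap for NTEventLogHandler on Windows."""
    def __init__(self):
        super().__init__(level=logging.INFO)  # debug chatter never reaches this sink
        self.events = []
    def emit(self, record):
        self.events.append(record.getMessage())

def demo():
    fake_now = [0.0]  # constructed clock so the run is deterministic
    sink = ListHandler()
    sink.addFilter(DuplicateSuppressor(window=60, clock=lambda: fake_now[0]))
    log = logging.getLogger("demo.app")
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.handlers = [sink]
    log.info("service started")                 # significant status report
    log.debug("cache warm-up took 12 ms")       # belongs in the file log only
    for _ in range(1000):                       # constructed burst of identical errors
        log.error("database connection lost")
    fake_now[0] = 61.0                          # window has expired
    log.error("database connection lost")
    return sink.events
```

Because the filter rewrites the record in place, attach it to the event-log handler rather than the logger, and add that handler after any file handler that should keep the unmodified message.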


First of all, you can register your own event log in addition to the three defaults (System, Application, Security) and thus separate your messages from the rest. This is one of the oft-overlooked possibilities.

In general I would always recommend using message tables in your binaries and the event log facilities over any home brew method. The reasons are easy:

  1. you can log to remote machines easily, if needed (or the local one)
  2. you can read the event log from a remote machine (e.g. the admin can list event logs inside his domain on any client machine)
  3. message tables save space
  4. message tables allow easy localization

0xC0000022L answered Sep 20 '22 12:09