What is the Event Log Service?
Types of event logs and their purpose
How and when the Event Log is useful
What is Event Viewer?
Event Structure
Event Types
Event Logging Functions
The Event Log Service (ELS) is a component of the
Windows operating system used to record and monitor
significant events in a common and unified way.
Many applications record errors and events in various
proprietary error logs. These proprietary error logs
have different formats and display different user
interfaces. Moreover, you cannot merge the data to
provide a complete report. Therefore, you need to
check a variety of sources to diagnose problems.
To handle this problem, Windows provides the event logging mechanism. It
provides a standard, centralized way for applications (and the
operating system) to record important software and hardware events. The event
logging service stores events from various sources in a
single collection called an event log. The Event Viewer enables you
to view logs; the programming interface also enables you to examine logs.
The ELS acts as a mediator between the source of an event
(an application, device driver, etc.) and the log file in which the
event is written.
All the classes required for logging events to the Windows
event log are in the System.Diagnostics namespace. The most
important class is EventLog, which supports both reading
and writing of event log entries. However, before any entries
can be written, an event source must be registered
(EventLog.CreateEventSource). Registration writes under
HKLM\SYSTEM\CurrentControlSet\Services\EventLog, so it requires
administrative rights and is normally done once at install time.
A single line of event logging can greatly ease the tracking
down of exceptions that the application code does not specifically catch.
by the application code. The following line of code can be
The ELS supports three default event logs, each of which has a distinct purpose:
The System Log:
The System log records significant events that occur within
components of the operating system (for example, a failure within a
driver or other system component).
The Application log:
The Application log records events from applications (for example,
an unexpected application failure).
The Security log:
The Security log provides a record of audited security activity (for
example, accessing a protected file).
Additional logs may be present depending on the configuration of the
computer. For example, a computer configured as a Domain Name System (DNS)
server will have a DNS Server log.
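The list above is what EventLog.GetEventLogs() enumerates on a given machine. The following program is an added example (it is not code from the original page) that walks every registered log and reports the retention settings that decide how much history survives; the 20 MB threshold used for the warning is an assumption. It runs on Windows; on .NET Framework the EventLog class is built in, on .NET 6 and later it needs the System.Diagnostics.EventLog package.

```csharp
// Added example: inventory the event logs on this machine and flag weak retention.
using System;
using System.Diagnostics;

class LogInventory
{
    static void Main()
    {
        // GetEventLogs() returns the System, Application and Security logs plus any
        // role-specific logs registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog
        // (for example "DNS Server" on a DNS server).
        foreach (EventLog log in EventLog.GetEventLogs())
        {
            string count;
            try
            {
                count = log.Entries.Count.ToString();
            }
            catch (Exception ex)
            {
                // The Security log is only readable with SE_SECURITY_NAME ("Manage auditing
                // and security log") or an explicit grant in the log's DACL; a normal user
                // gets an access-denied exception here.
                count = "unreadable (" + ex.GetType().Name + ")";
            }

            Console.WriteLine("{0,-20} display='{1}' entries={2} max={3} KB overflow={4} retention={5} days",
                log.Log, log.LogDisplayName, count, log.MaximumKilobytes,
                log.OverflowAction, log.MinimumRetentionDays);

            // A small log that overwrites as needed discards old records silently: anyone who
            // can flood it pushes audit evidence out before it is read. 20 MB is an assumed cut-off.
            if (log.OverflowAction == OverflowAction.OverwriteAsNeeded && log.MaximumKilobytes < 20480)
            {
                Console.WriteLine("  WARNING: {0} overwrites as needed and is under 20 MB; raise MaximumKilobytes",
                    log.Log);
            }
            log.Dispose();
        }
    }
}
```

Run it once from an elevated prompt to see the Security log's size as well; the non-elevated run is still useful because it shows exactly which logs an ordinary process can read.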
When an error occurs, the system administrator or support
representative must determine what caused the error,
attempt to recover any lost data, and prevent the error from recurring.
It is helpful if applications, the operating system, and other
system services record important events such as low
memory conditions or excessive attempts to access a disk.
Then the system administrator can use the event log to help
determine what conditions caused the error and the context
in which it occurred.
By periodically viewing the event log, the system
administrator may be able to identify problems (such as a
failing hard drive) before they cause damage.
To go into details:
Event logs store records of significant events on behalf of the
system and applications running on the system. Because the
logging functions are general purpose, you must decide what
information is appropriate to log. Generally, you should log
only information that could be useful in diagnosing a
hardware or software problem. Event logging is not intended
to be used as a tracing tool.
Choosing Events to Log:
If an application gets into a low-memory state
(caused by a code bug or inadequate memory) that degrades
performance, logging a warning event when memory allocation fails
might provide a clue about what went wrong.
If a device driver encounters a disk controller timeout, a
power failure in a parallel port, or a data error from a network
or serial card, logging information about these events can
help the system administrator diagnose hardware problems.
The device driver logs the error.
Bad sectors:
If a disk driver encounters a bad sector, it may be able to
read from or write to the sector after retrying the operation,
but the sector will go bad eventually. Therefore, if the disk
driver can proceed, it should log a warning; otherwise, it
should log an error event. If a file system driver finds a large
number of bad sectors, fixes them, and logs warning events,
logging information of this type might indicate that the disk is
about to fail.
A server application (such as a database
server) records a user logging on, opening a
database, or starting a file transfer. The server can
also log error events it encounters (cannot access
file, host process disconnected, and so on), a
corruption in the database, or whether a file
transfer was successful.
Event Viewer is the Windows component used to view the
application, security and system events recorded on your computer.
You can use Event Viewer to manage the
event logs, gather information about software
problems and monitor system events.
To open the
Event Viewer, go to
The ELS uses a standardized structure to represent all
events, irrespective of the log in which the event will be
stored. The following is the structure of an event:
Event source name:
The name of the event source under which the event was
logged (typically the name of the application).
Event description:
Text describing the event, which may be used in
determining the cause of a problem.
Event type:
There are five types of events that can be
logged. All event classifications have well-defined common
data and can optionally include event-specific data. The
application indicates the event type when it reports an event.
Event identifier and event category:
The event identifier and category are application-specific
numeric values.
Event-specific data:
The event may contain binary data that is of use
to someone trying to resolve the problem that caused the
event to occur.
Event types are classified as follows (the names match the EventLogEntryType values used from .NET).
Information:
This type indicates the successful operation of an application,
driver or service. An example is the successful loading of a new virus
definition file by antivirus software.
Warning:
This type indicates that there could be a potential
problem in the future. These entries help in taking preventive action.
Error:
This type indicates a significant problem, such as a
failure in a critical task.
Success Audit:
This type indicates that an audited security event
completed successfully. For example, when a user authenticates
successfully, there may be an entry of this type.
Failure Audit:
This type indicates that an audited security event
failed (for example, a failed logon attempt). A run of failure audits
from one source is the pattern most worth alerting on.
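To see the event structure and the five entry types on real data, the program below (an added example, not code from the original page; the log name and the threshold of 10 failure audits are assumptions) reads the newest entries of one log, prints each EventLogEntry's fields mapped onto the structure described above (source, description, type, identifier, category, binary data), and tallies the entries by type so that a burst of Failure Audit records stands out.

```csharp
// Added example: map EventLogEntry fields onto the event structure and tally entry types.
using System;
using System.Collections.Generic;
using System.Diagnostics;

class EntryTriage
{
    // Shorten a description to one line so the field listing stays readable.
    static string Brief(string s)
    {
        s = s.Replace("\r\n", " ").Replace('\n', ' ');
        return s.Length > 60 ? s.Substring(0, 60) + "..." : s;
    }

    // Summarise the newest 'take' entries of 'logName' and return the per-type counts,
    // so a caller can act on them instead of just reading console output.
    static Dictionary<EventLogEntryType, int> Summarise(string logName, int take)
    {
        var counts = new Dictionary<EventLogEntryType, int>();
        using (var log = new EventLog(logName))
        {
            EventLogEntryCollection entries = log.Entries;
            int start = Math.Max(0, entries.Count - take);
            for (int i = entries.Count - 1; i >= start; i--)   // newest first
            {
                EventLogEntry e = entries[i];
                int n;
                counts.TryGetValue(e.EntryType, out n);
                counts[e.EntryType] = n + 1;

                Console.WriteLine("{0:u} source={1} type={2} id={3} cat={4} data={5}B desc='{6}'",
                    e.TimeGenerated,                      // when the source reported the event
                    e.Source,                             // event source name
                    e.EntryType,                          // one of the five event types
                    e.InstanceId,                         // event identifier (application-specific)
                    e.CategoryNumber,                     // event category (application-specific)
                    e.Data == null ? 0 : e.Data.Length,   // optional event-specific binary data
                    Brief(e.Message));                    // event description
            }
        }
        return counts;
    }

    static void Main(string[] args)
    {
        // "Application" is readable by any user; pass "Security" from an elevated prompt.
        string logName = args.Length > 0 ? args[0] : "Application";
        var counts = Summarise(logName, 50);
        foreach (var kv in counts)
            Console.WriteLine("{0,-14} {1}", kv.Key, kv.Value);

        int failures;
        if (counts.TryGetValue(EventLogEntryType.FailureAudit, out failures) && failures > 10)
            Console.WriteLine("More than 10 audit failures in the last 50 entries: review them for a brute-force or privilege-use pattern.");
    }
}
```

Note that Message formats the description from the source's message file; when that file is missing the string says so rather than throwing, which is why the field is safe to print for every entry.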
Implementing the Event Logging mechanism in a .NET application:
Two fragments of the sample survive: the XML documentation comment declaring the method's numerator parameter,
/// <param name="intNumerator">Numerator</param>
and the call made inside the method's catch block,
WriteToEventLog(e.Message, EventLogEntryType.Error);
When an exception occurs, the catch block calls the WriteToEventLog helper
to write the exception message to the Event Log as an Error entry.
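The fragments above, and the earlier point that one line of logging catches every exception the code does not handle itself, fit together as follows. This is an added example, not the original sample: the WriteToEventLog helper, the source name "DemoCalc", the SafeDivide method with its intNumerator/intDenominator parameters, and the event identifier 1000 are all assumptions.

```csharp
// Added example: register a source, write entries through a WriteToEventLog helper,
// and hook unhandled exceptions so they reach the Event Log too.
using System;
using System.Diagnostics;

static class DemoCalc
{
    const string Source = "DemoCalc";      // assumed source name
    const string LogName = "Application";  // default log for application events

    // Registering a source writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog,
    // so this needs administrative rights; do it once at install time, not on every run.
    // SourceExists itself may throw for a non-admin because it has to search the Security log.
    static void EnsureSource()
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, LogName);
    }

    static void WriteToEventLog(string message, EventLogEntryType type)
    {
        // Event identifier 1000 and category 0 are assumed application-specific values.
        // The message is written verbatim, so keep attacker-controlled input out of it.
        EventLog.WriteEntry(Source, message, type, 1000, 0);
    }

    /// <summary>Divides two integers, logging an Error entry if the operation fails.</summary>
    /// <param name="intNumerator">Numerator</param>
    /// <param name="intDenominator">Denominator</param>
    static int SafeDivide(int intNumerator, int intDenominator)
    {
        try
        {
            return intNumerator / intDenominator;
        }
        catch (DivideByZeroException e)
        {
            WriteToEventLog(e.Message, EventLogEntryType.Error);
            return 0;
        }
    }

    static void Main()
    {
        EnsureSource();

        // One line covers everything no catch block handles: the handler runs before the
        // process terminates, so the failure is on record even if the crash is never seen.
        AppDomain.CurrentDomain.UnhandledException += (sender, args) =>
            WriteToEventLog("Unhandled exception: " + args.ExceptionObject, EventLogEntryType.Error);

        Console.WriteLine(SafeDivide(10, 2));   // 5, nothing logged
        Console.WriteLine(SafeDivide(10, 0));   // 0, one Error entry written
        WriteToEventLog("DemoCalc finished", EventLogEntryType.Information);
    }
}
```

After a run, the Application log in Event Viewer shows the Error entry from SafeDivide(10, 0) followed by the Information entry, both under source DemoCalc with event ID 1000.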
BackupEventLog: saves the specified event log to a backup file.
ClearEventLog: clears the specified event log, and optionally
saves the current copy of the log to a backup file.
CloseEventLog: closes a read handle to the specified event log.
GetEventLogInformation: retrieves information about the
specified event log.
GetNumberOfEventLogRecords: retrieves the number of records
in the specified event log.
ReportEvent: writes an entry at the end of the specified event log.
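The EventLog class wraps these Win32 functions, but they can also be called directly from advapi32.dll. The program below is an added example (not from the original page; the log name and backup path are assumptions) that opens a log, reads its record count with GetNumberOfEventLogRecords, writes a backup with BackupEventLog and closes the handle with CloseEventLog. It deliberately does not call ClearEventLog: clearing the Security log destroys evidence and itself produces audit event 1102, so taking a backup is the operation an investigator wants.

```csharp
// Added example: P/Invoke the Win32 event logging functions listed above.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class NativeEventLog
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr OpenEventLog(string lpUNCServerName, string lpSourceName);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CloseEventLog(IntPtr hEventLog);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetNumberOfEventLogRecords(IntPtr hEventLog, out uint NumberOfRecords);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool BackupEventLog(IntPtr hEventLog, string lpBackupFileName);

    // Returns the record count after writing a backup copy of the log. BackupEventLog
    // fails if the target file already exists and needs the SE_BACKUP_NAME privilege;
    // opening the Security log additionally needs SE_SECURITY_NAME.
    static uint BackupAndCount(string logName, string backupPath)
    {
        IntPtr h = OpenEventLog(null, logName);   // null server name = local machine
        if (h == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error(), "OpenEventLog(" + logName + ")");
        try
        {
            uint records;
            if (!GetNumberOfEventLogRecords(h, out records))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "GetNumberOfEventLogRecords");
            if (!BackupEventLog(h, backupPath))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "BackupEventLog");
            return records;
        }
        finally
        {
            CloseEventLog(h);   // a handle from OpenEventLog is released with CloseEventLog
        }
    }

    static void Main(string[] args)
    {
        string logName = args.Length > 0 ? args[0] : "Application";
        // Assumed backup location; the timestamp keeps the path unique so BackupEventLog does not fail.
        string backup = @"C:\Temp\" + logName + "-" + DateTime.Now.ToString("yyyyMMdd-HHmmss") + ".evt";
        uint records = BackupAndCount(logName, backup);
        Console.WriteLine("{0}: {1} records, backed up to {2}", logName, records, backup);
    }
}
```

Run it elevated to back up the Security log; the Win32Exception text tells you which call failed and why, which is usually a missing privilege rather than a coding error.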
Adam Freeman, Allen Jones