Logging Messages in Event Logs
Microsoft Windows provides a built-in event logging system where informational messages, warnings, errors and audit details can be stored and viewed with the Event Viewer utility. This system is ideal for logging messages generated by a .NET application.
Event Logging System
There are many occasions when you will want to log messages to describe the current status of your application. During development, you may log events to assist in debugging complex problems. For applications that have no user interface, such as Windows services or application plug-ins, a log of events may be your only view of the activities performed. In live systems, event logs can help you to understand and resolve user support requests.
Each of these scenarios requires a method of storing structured messages and a means of viewing those messages at a later time. This is the purpose of the event logging system provided by Microsoft Windows. The system allows events to be stored centrally within a set of pre-configured or custom event logs.
The Windows event logging system separates messages into event logs, each holding a timestamped list of logged items. Three standard logs are available on versions of the operating system from Windows NT 4.0 onwards:
- Application Log. This log is used to store messages produced by application software that has been installed by the user. This is the preferred target log for events generated by your .NET programs if you wish to use a built-in log.
- System Log. The system log is used to hold operating system events. These events provide information relating to built-in services, components and drivers. You can create events in this log from a .NET program but should carefully consider whether this is appropriate.
- Security Log. This log records security events, such as failed attempts to log into Windows or firewall issues. This log cannot be written to using the methods described in this article.
There can be many more logs in addition to the application, system and security logs. Some may be defined by newer versions of Windows and some by installed applications. These can include event logs that you have created yourself using the methods described later in this article.
There are five different types of event that can be added to an event log. Each has a particular meaning that should be considered when you log your own messages:
- Error. Indicates a significant problem or failure. This may signify that data was lost or that functionality failed to execute.
- Warning. Signals a problem that is less significant than an error. Warnings are often used to highlight a condition that has the potential to become a problem, such as low disk space or memory, or an issue that was overcome automatically but that should be investigated.
- Information. This type of message is commonly used to log successful activities that do not require any intervention. For example, you may log an informational message to indicate that a batch process was completed.
- Success Audit. Denotes a successful audited security access attempt. Success audits are used extensively in the security log to indicate, for example, a successful logon attempt. This type of message is uncommon in application logs.
- Failure Audit. A failure audit event describes an unsuccessful audited security access attempt. This type of message is uncommon in application logs.
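As an added illustration (not code from the original article), the following C# sketch writes one entry of several of the types listed above to the standard Application log using the .NET System.Diagnostics.EventLog class. It assumes Windows with the .NET Framework (or the System.Diagnostics.EventLog package on newer .NET); the source name "DemoApp", the event IDs and the message texts are constructed for the example.

```csharp
using System;
using System.Diagnostics;
using System.Security;

static class AppEventLog
{
    const string Source = "DemoApp";       // hypothetical event source name
    const string LogName = "Application";  // standard log preferred for applications

    // Registers the event source if it is missing. Creating a source writes to
    // the registry and needs administrative rights, so do it at install time.
    public static bool EnsureSource()
    {
        try
        {
            if (!EventLog.SourceExists(Source))
                EventLog.CreateEventSource(Source, LogName);
            return true;
        }
        catch (SecurityException)
        {
            // A non-elevated caller cannot search every log (the Security log
            // is restricted), so SourceExists itself can throw.
            return false;
        }
    }

    // Writes one entry of the given type; eventId is an application-defined number.
    public static void Write(string message, EventLogEntryType type, int eventId)
    {
        EventLog.WriteEntry(Source, message, type, eventId);
    }

    static void Main()
    {
        if (!EnsureSource())
        {
            Console.Error.WriteLine("Run elevated once to register the event source.");
            return;
        }
        // Constructed sample messages, one per event type.
        Write("Nightly batch completed.", EventLogEntryType.Information, 1000);
        Write("Free disk space is low on the data volume.", EventLogEntryType.Warning, 2000);
        Write("Order export failed; no file was written.", EventLogEntryType.Error, 3000);
        // Audit types are accepted in non-security logs, for an application's own access checks.
        Write("Sign-in rejected for user 'alice'.", EventLogEntryType.FailureAudit, 4000);
    }
}
```

Registering the source during installation lets the application itself run without administrative rights when it writes entries.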
The Event Viewer
To view the centralised set of event logs and the messages contained within, you use the Event Viewer application. This tool can be found in the Administrative Tools section of the Control Panel.
The above diagram shows a sample of the Event Viewer from Windows XP. In later operating systems, such as Vista, the layout of the window is quite different although the basic elements are the same. To the left is a hierarchical list of all of the event logs registered in the operating system. In the figure above you can see the three standard logs and an additional application-specific log for Internet Explorer.
The right side of the window shows the individual events that have been created in the currently selected log. The events are displayed in a grid with columns that identify information such as the type of message logged, the date and time at which the event was created and the event source. The event source is a name that usually identifies a single application or module within a system. To see the full text of a logged message, you can double-click it.
The Event Viewer provides many options for viewing, filtering, saving and clearing logs. However, these are beyond the scope of this article.
31 August 2008