How to create event log under a folder

Question

2.60/5 (5 votes)

See more:

Hi,

I would like to create an event log which instead of located directly under "Application and Services Logs", located under another folder.

for example:
the current location of my event log is
"Application and Services Logs/My Event Log"

I wanted it to be
"Application and Services Logs/Event Log Folder/My Event Log"

Is there anyone who can suggest me the way to achieve this?

Posted 13-Feb-11 20:58pm

sirius007greatstar

Updated 4-Sep-18 3:46am

Add a Solution

Comments

Sergey Alexandrovich Kryukov 14-Feb-11 3:34am

Good question. My 5.
--SA

Delphiwizard 18-Nov-20 8:31am

I know this is 9 years old but i am looking for the same, but in Delphi not in C#, i am looking for a similar solution in Delphi code, if anyone has accomplished this, please let me know.

3 solutions

Solution 3

I was struggling to get the subfolder piece working as well, as I would like to have a structure like:

- Application and Services Logs
-- Company Name
--- Application 1
---- ApplicationLog
--- Application 2
---- SecurityLog
---- OperationalLog

I could not find any way to do this directly using C, however after doing some trial and error with registry keys and the documentation provided at https://docs.microsoft.com/en-us/windows/desktop/eventlog/eventlog-key I finally got it to work.
It seems that you need to create keys at HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels, where the primary registry key name is key to the 'folder' structure. a '-' is seen as a deeper structure. So for example: CompanyName\Application\Log, should be a key named CompanyName-Application-Log.

Below is an example script to do this using PowerShell:

# Create the eventlog (in a subfolder structure)
# Params()
$PrimaryEventKey = 'Company'
$ApplicationName = 'Application'
$LogName = 'NewLog'

# Vars()
$primarylocation = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
$LogName = $PrimaryEventKey + '-' + $ApplicationName + '-' + $LogName
$EventRoot = (Join-Path $primarylocation $LogName)

if (!(Test-Path $EventRoot)) {
    New-Item -Path $EventRoot
    New-ItemProperty -Path $EventRoot -Name Enabled -PropertyType DWord -Value 1
    New-ItemProperty -Path $EventRoot -Name Type -PropertyType DWord -Value 1
    New-ItemProperty -Path $EventRoot -Name Isolation -PropertyType DWord -Value 0
    New-ItemProperty -Path $EventRoot -Name RestrictGuestAccess -PropertyType String -Value 1
    New-ItemProperty -Path $EventRoot -Name OwningPublisher -PropertyType String -Value "{$($GUID)}"

    # See https://docs.microsoft.com/en-us/windows/desktop/eventlog/eventlog-key for documentation on the ChannelAccess or or RestrictGuestAccess (see: RestrictGuestAccess / Isolation)
}
else {
    Write-Warning 'Event Log (Key) Already exists in registry'
}

# Write into the event log (Example)
$eventType = ([System.Diagnostics.EventLogEntryType]::Information)
$evt = New-Object System.Diagnostics.EventLog($LogName)
$evt.Source = "SomeSource"
$evt.WriteEntry("random message", $eventType, 60001)

Posted 4-Sep-18 3:46am

DdenBraver

Updated 10-May-22 22:41pm

v4

Comments

rajeshaz09 10-May-22 21:29pm

@DdebBraver, could you update PowerShell script with "$secondarylocation" path? looks like it is missing.

DdenBraver 11-May-22 4:43am

Hm, seems I accedentally copied this compare line from my original test back then.
Those 2 lines should not be required to get it to work. I removed them above from the solution :-)

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Abhinav S · Accepted Answer · 2011-02-13T21:07:00

Solution 1

Try

EventLog.CreateEventSource("Event Log Folder", "My Event Log"); 
EventLog.WriteMessage("Event Log Folder", "My message");

Posted 13-Feb-11 21:07pm

Abhinav S

Comments

Sergey Alexandrovich Kryukov 14-Feb-11 3:21am

Apparently you completed you typing faster then I did. My 5.
--SA

Abhinav S 14-Feb-11 3:22am

Thanks. You posted a longer answer. :)

sirius007greatstar 14-Feb-11 3:22am

Hi Abhinav,

Thanks for the quick reply.
I tried the method you mentioned, however, it still create the log directly under "Application and Services Logs"..

If you see in your Event viewer, you will see "Microsoft" folder under the "Application and Services Logs". I wanted my event log to be like that..

Thanks..
Best regards,
Paulus

Sergey Alexandrovich Kryukov 14-Feb-11 3:27am

Try to reboot the machine after creation of event log: there are situations when the system get messed up as a result of debug runs.

Also, I don't remember exactly, I'm not sure Abhinav used correct parameter.
Try:
EventLog.WriteMessage("My Event Log", "My message");

Sergey Alexandrovich Kryukov 14-Feb-11 3:30am

Here is the API you need:

public static void WriteEntry(
string source,
string message
)
First parameter is event source, which is "My Event Log", not "Event Log Folder" in Anhinav's example.

--SA

Sergey Alexandrovich Kryukov 14-Feb-11 3:33am

Please see all overloads of System.Diagnostics.EventLog.WriteEntry.
This is static approach. Non-static approach is creating an instance of EventLog and assign the event source permanently.
If you still did not sort it out, I'll write instructions on usage later.
--SA

sirius007greatstar 14-Feb-11 3:44am

Hi SA,

Thanks for the reply.

I am not sure if I miss something in here, but i tried both methods and it's still giving me the same result = event log created directly under "Application and Services Logs, no folder or whatsoever"

The only difference is that the entries written stated different source in the "source" column.

Rebooting my pc is not solving the problem either.

Thank you..
Best Regards,
Paulus

Sergey Alexandrovich Kryukov 14-Feb-11 10:46am

See my updated answer: added usage sample, works as intended!
--SA

Member 12001038 3-Nov-15 15:38pm

Hey did you got the solution for this ?

Sergey Alexandrovich Kryukov 14-Feb-11 3:35am

Abhinav, I thing you made a bug in usage. See above.
Will you check up and fix it?
--SA

Sergey Alexandrovich Kryukov 14-Feb-11 10:47am

Abhinav, I added usage sample to my Answer and tested it; it works.
You may want to test yours.
--SA

Abhinav S 14-Feb-11 10:50am

Unfortunately I could not test this code. Perhaps will do so later.
If your code works, the OP can use your code snippet anyway. :)

Sergey Alexandrovich Kryukov 14-Feb-11 11:58am

Sure. Thank you.
--SA

Nish Nishant 14-Feb-11 11:54am

Voted 5.

Abhinav S 14-Feb-11 12:08pm

Thanks Nish.
This is one of few questions where I've seen answer comments go into 2 pages. ;)

Member 12001038 3-Nov-15 15:37pm

Did anyOne found the solution for this ? I am facing the same problem.

Sergey Alexandrovich Kryukov · Accepted Answer · 2011-02-13T21:15:00

Solution 2

Do you mean Windows System Log?
Yes, this is not so easy to understand. You need to install your own Event Source.

C#

using System.Diagnostics;

internal class DefinitionSet {
    //define how much do you need:
    internal const int MaximumLogSizeKilobytes = 2048;
} //class DefinitionSet

public class EventLogInstallationHelper {

    public EventLogInstallationHelper(
        string applicationName, string eventLogName) {
            this.EventLogName = eventLogName;
            this.ApplicationName = applicationName;
    } //EventLogInstallationHelper

    public void Install() { //can throw exception!
        if ((!string.IsNullOrEmpty(ApplicationName)) &&
            (!string.IsNullOrEmpty(EventLogName)))
                  EventLog.CreateEventSource(
                      ApplicationName,
                      EventLogName);
        EventLog log = new EventLog(EventLogName);
        log.MaximumKilobytes = DefinitionSet.MaximumLogSizeKilobytes;
        log.ModifyOverflowPolicy(OverflowAction.OverwriteAsNeeded, 0);
    } //Install

    public void Uninstall() { //can throw exception!
        if (!string.IsNullOrEmpty(EventLogName)) {
                EventLog deletingLog = new EventLog(EventLogName);
                deletingLog.Clear();
        } //if
        if (!string.IsNullOrEmpty(ApplicationName))
                EventLog.DeleteEventSource(ApplicationName);
        result |= true;
        if (!string.IsNullOrEmpty(EventLogName))
                EventLog.Delete(EventLogName);
        result |= true;
    } //Uninstall

    string ApplicationName, EventLogName;

} //class EventLogInstallationHelper

The non-trivial part here is exception. You should deal with the case when you install Event Source if it is already done and uninstall when it is not installed.

Now, this is an example of the usage:

C#

string Application = "Event Log Test";
string EventLogName = "CodeProject";
EventLogInstallationHelper helper =
    new EventLogInstallationHelper(
        Application,
        EventLogName);

try {
    helper.Install();
} catch {
    System.Console.WriteLine("Event Log already installed");
} //exception

EventLog.WriteEntry(Application, "some log");
EventLog.WriteEntry(Application, "some warning", EventLogEntryType.Warning);
EventLog eventLog = new EventLog();
eventLog.Source = Application;
eventLog.WriteEntry("another log");
eventLog.WriteEntry("some error", EventLogEntryType.Error);

System.Console.WriteLine("See event log now, then press any key");
System.Console.ReadKey(true);

try {
    helper.Uninstall();
} catch {
    System.Console.WriteLine("Event log already uninstalled");
} //exception

The idea here is that you can have EventLogName name, it represents all your logging applications in one separate folder. Another name, Application, will represent a name of one of your application as a source in each log's properties.

This code is well tested.

—SA

Posted 13-Feb-11 21:15pm

Sergey Alexandrovich Kryukov

Updated 14-Feb-11 4:49am

v5

Comments

Nuri Ismail 14-Feb-11 3:19am

Excellent helper. 5+

Sergey Alexandrovich Kryukov 14-Feb-11 10:50am

Thank you,
Added usage sample, tested
--SA

Abhinav S 14-Feb-11 3:22am

My 5. :)

Espen Harlinn 14-Feb-11 10:27am

Good effort, my 5

Sergey Alexandrovich Kryukov 14-Feb-11 10:50am

Thank you.
--SA

Sergey Alexandrovich Kryukov 14-Feb-11 10:45am

Added fixed in the code of the helper, missing declarations to make code compile, added the sample of usage, the sample is tested: showing logs in separate folder as required.
--SA

Nish Nishant 14-Feb-11 11:55am

Voted 5. Good detailed response.

Sergey Alexandrovich Kryukov 14-Feb-11 11:58am

Thank you, Nishant,
--SA

Sergey Alexandrovich Kryukov 14-Feb-11 12:01pm

Paulus,

This stuff becoming pretty popular :-)
Thank you for accepting my answer.

Good luck, call again,
--SA

Manfred Rudolf Bihy 14-Feb-11 16:58pm

Very good! 5+
You've raised the bar once again. Keep it up man!

Sergey Alexandrovich Kryukov 16-Feb-11 21:37pm

Oh, thanks a lot.
(OP still has a doubt it works.)
--SA

sirius007greatstar 15-Feb-11 21:10pm

Hi SA,
I really appreciate your help.
However, it still doesn't give me the expected result.

The solution that you give me provide the "EventLogName" as one log file, and the "Application" as the source of each log entry.

Using your solution, this is the structure that I can see from Event Viewer:
> Event Viewer(Local)
> Applications and Services Logs
CodeProject
Hardware Events
> Microsoft
> Windows
Windows PowerShell
(Clicking on "CodeProject" will show you all entries with "Application" as the source)

What I really wanted is that the "Application" will appear as the log file, not as the source. I should look like this:
> Event Viewer(Local)
> Applications and Services Logs
> CodeProject
Application1
Application2
Hardware Events
> Microsoft
> Windows
Windows PowerShell
(Clicking on "CodeProject" will expand the tree and show you the event log file under it)

If you have any other method to achieve this, please share with me. I am desperately trying to achieve this without success until now.

Once again, I really appreciate your help. Thank you..
Best Regards,
Paulus

Sergey Alexandrovich Kryukov 16-Feb-11 20:57pm

Paulus,

Thank you for accepting my answer.
I don't understand what's wrong? I tested the solution.
Maybe the problem is about naming thing. I have created a code that generates two-level structure:
1) Folder which I call "Log Name";
2) A value for a column in the log, I called "Application".
Now, be logical and follow me. There is only 2-level structure in this technique, no more.
My idea was: 1) use "Log Name" for, say, your company or big product, it will form a folder. 2) Use "Application" for a particular application inside the product, it will go to Source column.
Now, you say: "I want...". First, stay within two-level structure. Secondly: realize I operate only with name. Naming does not change functionality. You want lesser-scale, more fine-grain? Folder is your application? Fine, give a "Log name" the name of your application. Within your application, create one or more sources. Give them some semantic names, they will go to the sources; no matter that I call it "Application". After all, rename my Application member into something else, and LogName member into "Application". You still have 2-level classification, no more no less. You show three levels in your request -- merge two of them into one.
If you don't like it -- blame Microsoft and create your alternative to their System Log (quite possible, by the way).
I already translated Microsoft documentation into code for you, you could do it by yourself but did not get enough patience (because you know enough I think). That is all that can be done in principle with this facility it terms of folder/member structure. And I think this is enough for all practical purposes. You need to know how not to abuse possibilities.

Thank you for understanding,
--SA

sirius007greatstar 16-Feb-11 22:19pm

My knowledge is not good enough to create my own alternative, so I will just wait until Microsoft provides the capability to create more than 2-levels structure within their System Log. As for now, I guess there is no other way except to stay with the 2-levels structure.

Anyway, I really thank you for all your help. Marked yours as answer :)

Best Regards,
Paulus

Sergey Alexandrovich Kryukov 17-Feb-11 2:00am

You may have to wait too long time... I would use what's available. Believe me, it's good enough, and much better than most home-baked ways of logging.
Best,
--SA

munazza.farooq 17-Mar-12 11:23am

Sir if u got any solution for this problem kindly share it i am facing the same kinda problem

Sergey Alexandrovich Kryukov 18-Mar-12 14:54pm

Do you mean your problem? I don't know which one do you mean, could you please give me a link or ask a question?
--SA