Hey out there,

I'm trying to write a simple application for reading the EventLog from Windows.

For example, I want to display all entries with the Level "Critical" / Level 1 in XML
XML
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <!-- ... -->
    <Level>1</Level>
    <!-- ... -->
  </System>
</Event>


In .NET only these types are available:
C#
// Summary:
public enum EventLogEntryType
{
    Error = 1,
    Warning = 2,
    Information = 4,
    SuccessAudit = 8,
    FailureAudit = 16,
}


So there is no Critical.

I searched the net and found this link.

I tried it out, but if I use it like this
C#
EventLog log = new EventLog( "Application" );
foreach( EventLogEntry entry in log.Entries )
{
    if( entry.EntryType == 0 )
        Console.WriteLine( "<{0} {1} {2}>", entry.EventID, entry.Source, entry.Message );
}


it outputs more lines than the EventLog Viewer from Microsoft if I limit to "Critical" errors only in my "Application" Protocol (3 entries here).

Even if I try the post at the link and do it like this
C#
if( (entry.EntryType != EventLogEntryType.Error) &&
   ( entry.EntryType != EventLogEntryType.FailureAudit ) &&
   ( entry.EntryType != EventLogEntryType.Information ) &&
   ( entry.EntryType != EventLogEntryType.SuccessAudit ) &&
   (entry.EntryType != EventLogEntryType.Warning) )
{
    Console.WriteLine( "<{0} {1} {2}>", entry.EventID, entry.Source, entry.Message );
}


nothing usable here...


So is there a way I can limit only to the critical entries using C#?

Thank you so much guys for your help!
Comments
gggustafson 2-Apr-14 14:45pm    
Other than the Software Protection Platform Service messages, what are you trying to retrieve?
C3D1 3-Apr-14 4:46am    
Exactly, I want to get every entry in the eventlog for the protocol "Security" from the provider "Microsoft-Windows-Security-Auditing" with the EventID 4625 at Level 0 or 1
gggustafson 3-Apr-14 15:08pm    
See my solution below.

1 solution


According to the documentation at EventLogEntry Class you are using the wrong method to access Event Logs.



The following code is the correct way to access the log entries:


C#
using System.Collections.Generic;
using System.Diagnostics;

const long    EVENT_ID = 4616L;     // event ID to collect
const string  LOG = "Security";     // log to read

// *************************************** collect_log_entries

List < EventLogEntry > collect_log_entries ( )
    {
    List < EventLogEntry >  filtered_entries;
    EventLog                log;
    EventLogEntryCollection log_entries;

    filtered_entries = new List < EventLogEntry > ( );

    log = new EventLog ( LOG, "." );
    log_entries = log.Entries;

    for ( int i = 0; ( i < log_entries.Count ); i++ )
        {
        EventLogEntry entry;
        long          event_ID;

        entry = log_entries [ i ];
        // keep the lower 30 bits of InstanceId (top two bits masked off)
        event_ID = ( entry.InstanceId & 0x3FFFFFFFL );

        if ( event_ID == EVENT_ID )
            {
            filtered_entries.Add ( entry );
            }
        }

    return ( filtered_entries );
    }


Note that the event_ID is the lower 30 bits of the InstanceId so we mask off the top two bits.

 
 
Comments
Member 7976546 2-Aug-16 2:23am    
But I am getting the following error:

An unhandled exception of type 'System.Security.SecurityException' occurred in mscorlib.dll

Additional information: Requested registry access is not allowed.

Is it because of Admin rights with the application? How to allow it only for this code section?

Thanks in advance.
gggustafson 2-Aug-16 10:07am    
It appears that you might be trying to write to the Event Log. In any case, perform a Google search for "An unhandled exception of type 'System.Security.SecurityException' occurred in mscorlib.dll Additional information: Requested registry access is not allowed. Is it because of Admin rights with the application? how to allow it only for this code section?" The search results contain pointers for correcting the problem.

Gus
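
The filter C3D1 describes in the comments (log "Security", provider "Microsoft-Windows-Security-Auditing", EventID 4625, Level 0 or 1) can be expressed as an XPath query on the `<Level>` element through System.Diagnostics.Eventing.Reader. This is an added example, not code from the thread or its participants; the names LevelFilteredReader and BuildQuery are hypothetical, and it assumes Windows with .NET Framework 3.5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

static class LevelFilteredReader   // hypothetical name, added example
{
    // Level values in the event XML: 0 = LogAlways, 1 = Critical, 2 = Error,
    // 3 = Warning, 4 = Informational, 5 = Verbose.
    // EventLogEntryType has no member for 0 or 1, so the filter is applied
    // to the <Level> element itself.
    public static string BuildQuery(string provider, int eventId, params int[] levels)
    {
        var levelTerms = new List<string>();
        foreach (int level in levels)
            levelTerms.Add("Level=" + level);

        return string.Format(
            "*[System[Provider[@Name='{0}'] and (EventID={1}) and ({2})]]",
            provider, eventId, string.Join(" or ", levelTerms.ToArray()));
    }

    static void Main()
    {
        string xpath = BuildQuery("Microsoft-Windows-Security-Auditing", 4625, 0, 1);
        var query = new EventLogQuery("Security", PathType.LogName, xpath);

        try
        {
            using (var reader = new EventLogReader(query))
            {
                EventRecord record;
                while ((record = reader.ReadEvent()) != null)   // null = no more events
                {
                    using (record)
                        Console.WriteLine("<{0} {1} level={2} {3:o}>",
                            record.Id, record.ProviderName, record.Level, record.TimeCreated);
                }
            }
        }
        catch (UnauthorizedAccessException)
        {
            // The Security log is readable only from an elevated administrator
            // process or by members of the built-in Event Log Readers group.
            Console.Error.WriteLine("Access denied: run elevated or use an Event Log Readers account.");
        }
    }
}
```

The query is evaluated by the Event Log service, so only matching records are returned to the process instead of every entry in the log.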

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


