24
  • I am logging messages using Enterprise Library.
  • I want some of these (typically errors and warnings) to be passed to the Windows event-system. I today route these via entlib.config.

This solution works and so far, so good. But, I have more needs than what this solution provides me. I have multiple installations that should log to different logs, but I want their names to be logical and intuitive in the event-viewer. But, the Windows event-system cannot have two categories where the first 8 characters in the name are the same. The category-name can be longer, but only the first 8 letters are used to distinguish them. .Net actually outputs a warning if this happens:

Only the first eight characters of a custom log name are significant, and there is already another log on the system using the first eight characters of the name given.

Currently I have to resort to cryptic prefixes, but I am still in danger of having multiple installations "colliding" with each other in regards to the logname, so I need a better solution.

However, in the event viewer on my computer I can see that there are also hierarchies of lognames - which is exactly what I need. Both Microsoft and Cisco obviously have found a way to do this:

Microsoft and Cisco have a hierarchy

But, how can I create such a hierarchy for logging, where each application may be installed a number of times? Like this:

CompanyName
  ApplicationName
    Installation1
    Installation2
Spiralis
  • Do you mean a tree-view for general use? Is it coming from a database or directly from event log? – Control Freak May 03 '12 at 09:03
  • I am not sure I follow your question. My question regards how to *write* to a hierarchical log. In my program I am writing to the event-log using enterprise library. Instead of just writing to a logname within the "Applications and Services" node, I want to write to a log that resides deeper in a hierarchy, like "Applications and Services/IntelliSearch/ESP/Site-1/". Just like the Cisco and Microsoft event logs have a hierarchy ("Cisco/ESP/FAST/") - see the picture. – Spiralis May 03 '12 at 09:58
  • Do you want it saved to a database, or directly to the event log? – Control Freak May 03 '12 at 18:18
  • The log-entries are to be saved to the standard Windows event-log, making the event-entries available to view in the event-viewer, like the events reported by for instance Cisco. – Spiralis May 07 '12 at 10:44
  • Not sure if you can do that directly into the Error Log without some sort of Hack. I would maybe suggest extracting them into a database, then you manipulate and organize them how you please. – Control Freak May 08 '12 at 02:37
  • 1
    Cisco and Microsoft are able to write entries to the Windows Event Log and have them organized in a hierarchy (see the picture attached). Since they can do it I guess that it should be possible for anyone to do it. As for the suggestion on adding it to a database: How would that help? The sysadmins that are to monitor the logs need to see the messages in the Microsoft Event Viewer, the same way they monitor and diagnose all their servers. – Spiralis May 08 '12 at 08:45
  • 2
    +1 hmm, interesting question, it looks like you're not the only one wanting this: http://stackoverflow.com/questions/4751265/how-to-store-event-log-in-folder, http://www.codeproject.com/Questions/157322/How-to-create-event-log-under-a-folder, http://www.codeproject.com/Questions/268704/How-to-create-an-eventlog-SUB-Folder - the closest was this: http://stackoverflow.com/questions/6386463/organizing-eventlogs-into-folders – Jeremy Thompson May 09 '12 at 03:34
  • Thanks for the links, @JeremyThompson . I found very few when I searched myself. But, like you indicate, none with a solution on how to do this - afaict. – Spiralis May 09 '12 at 10:31
  • 1
    We need to ask for help as it's undocumented, I've trawled the web and this info I can't find publicly. I built http://eventanalyser.appointmentsbook.com, but as I was going to mention in a previous post it looks more like a filtering feature (of Vista + Win7, etc) rather than a sub-folder. Sort of like the `Filter 1 in my web video` > when I scroll down past (File, Type & Category) to show the `Sources`. Also put your email in your profile and I'll send you another goodie.. – Jeremy Thompson May 09 '12 at 12:47
  • Thanks @Jeremy. Mail-address added :) – Spiralis May 11 '12 at 09:23
  • @Spiralis Did you ever figure out how to do this? I'm using the native Event Log API and am wondering the same thing. – Michael Steele Mar 21 '13 at 23:25
  • @MichaelSteele, I didn't find a solution. But, I see that you have added an answer yourself. I'll try that soon. Thanks. – Spiralis May 02 '13 at 21:52

2 Answers

23

.NET 4 Answer

What it looks like you are seeing are the channels from Event Tracing for Windows (ETW). You can see the relevant items in the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT.

To use those features you would have to use the new Windows Event Log functionality which supersedes the Event Logging API starting from Vista and looks like it is mainly targeted at C/C++ development. It does appear that some of this is exposed via the System.Diagnostics.Eventing Namespace.

I found a good overview of ETW to be Improve Debugging And Performance Tuning With ETW.

The good news is that it looks like you can do what you want. You will need to create an XML manifest that contains provider information as well as the events that will be logged. Then you need to use the Message Compiler (MC.EXE!) on the manifest to create header, resource files, and logging classes and then register the provider.

If you download Microsoft Windows SDK for Windows 7 and .NET Framework 4 you will find in the Samples\winbase\Eventing\Provider\Simple\CSharp subdirectory a .NET sample solution that should lead you through all the steps.

While it does meet your hierarchical requirement and is sort of cool, for a typical line of business application this might be a bit of overkill in terms of complexity. Also, the code generated by the message compiler is unsafe code so that may also be a negative.

.NET 4.5 Answer

In .NET 4.5 there is much better support for ETW using the EventSource class. See Windows high speed logging: ETW in C#/.NET using System.Diagnostics.Tracing.EventSource for an introduction. There is also now Event Log support with EventSource. See Announcing the EventSource NuGet Package – Write to the Windows Event Log for a walkthrough. Basically, at compile time a manifest and manifest DLL are generated for each EventSource and these can be registered using wevtutil.exe. With the addition of EventSource and Event Log channel support this approach now looks to be straightforward and viable.

Finally, note for those interested in ETW that the patterns & practices team has an application block Semantic Logging Application Block that can use ETW.

Randy Levy
  • Thanks @tuzo. Valuable information you are adding here. I am about to start working my way through the links. But, like you indicate, maybe overkill in my case. – Spiralis May 11 '12 at 09:26
  • 3
    Thanks for a very good explanation! There is not a lot of information on this subject out there. Your answer is the best summary I've found. – Nils Magne Lunde Jan 15 '13 at 09:07
4

Providers must be named something of the form "Company-Product-Component". To be clear, a provider's name must include 2 '-' symbols. Documentation on this may be found here.

Channels must have their names written out in a specific way as well. Again, the MSDN's documentation explains this. You should name your channel to something of the form "Company-Product-Component/type".

Here is a fragment of a manifest I wrote for you to use as an example:

<provider name="Our Company-OurApp-Service"
          guid="{4990f5dc-85a0-4660-9ce0-275e027a02d2}"
          symbol="GUID_PROVIDER"
          resourceFileName="C:\Program Files (x86)\Our Company\OurApp\service.exe"
          messageFileName="C:\Program Files (x86)\Our Company\OurApp\service.exe"
          parameterFileName="C:\Program Files (x86)\Our Company\OurApp\service.exe"
          message="$(string.Provider.Name)">
    <channels>
        <channel chid="c1"
                 name="Our Company-OurApp-Service/Operational"
                 type="Operational"
                 symbol="CHANNEL_1"
                 isolation="Application"
                 enabled="true"/>
    </channels>
    ...

Here is how my logs show up in the event viewer

The folder hierarchy we see in the event viewer is an illusion. It's really just a flat list of providers and channels rendered as a rigid 3-folder deep structure. This is why several folders under Microsoft/Windows have dashes in their names rather than nesting further.

Michael Steele
  • Interesting. Is it really this simple? I'll have to test this as soon as I get time to get back to this. Thanks for sharing. – Spiralis May 02 '13 at 21:51
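
The naming rules from the answer above and the eight-character limit from the question, as an added example (not code from either poster): a small Python check that reads the channel names out of a manifest, derives the folder path the Event Viewer would render for each, and flags classic log names that collide. The function names, the second channel in the sample and the case-insensitive comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the first channel name is the one from the answer's
# fragment; the second is a made-up name that breaks the naming rule.
SAMPLE_MANIFEST = """
<provider name="Our Company-OurApp-Service">
  <channels>
    <channel chid="c1" name="Our Company-OurApp-Service/Operational"/>
    <channel chid="c2" name="OurApp/Admin"/>
  </channels>
</provider>
"""

def viewer_path(channel_name):
    """Folders Event Viewer shows for a channel, or None if the name is not
    of the form Company-Product-Component/type."""
    provider, slash, leaf = channel_name.partition("/")
    parts = provider.split("-", 2)  # only the first two dashes make folders
    if not slash or not leaf or len(parts) != 3 or not all(parts):
        return None
    return parts + [leaf]

def check_manifest(xml_text):
    """Map every channel name in a manifest to its viewer path (or None)."""
    root = ET.fromstring(xml_text)
    return {
        el.get("name", ""): viewer_path(el.get("name", ""))
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "channel"  # ignore any XML namespace
    }

def legacy_log_collisions(log_names):
    """Group classic custom log names that share their first 8 characters.
    Assumption: the comparison is case-insensitive."""
    groups = defaultdict(list)
    for name in log_names:
        groups[name[:8].lower()].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for name, path in check_manifest(SAMPLE_MANIFEST).items():
        print(name, "->", " / ".join(path) if path else "INVALID NAME")
    print(legacy_log_collisions(["IntelliSearchSite1", "IntelliSearchSite2"]))
```

Because only the first two dashes create folders, a per-installation suffix such as `Site-1` stays inside the third folder name rather than nesting further.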