What event id to use for my custom event log entries?

Question

Is there any ranges of valid event IDs which should be used by custom applications while logging to Windows EventLog? Or I can use any event ID of my choice (1,2,3,4....). P.S, I am developing in C#.NET.

score 42 · Answer 1 · edited Jul 10 '14 at 18:49

42

EventIds are application specific so you can use whatever ranges you like. Just ensure you document what you have used and where so that you can ensure you don't use an id twice, or to facilitate easier debugging.

But keep in mind...

Like when Henry Ford said "you can have any color you want as long as it's black" - you can also use whatever range you like as long as that range falls inside the range of 0 and 65535.

edited Jul 10 '14 at 18:49

Community

1
1

answered Nov 18 '09 at 12:37

Martin

39,569
20
99
130

7

where 65535 is `ushort.MaxValue` – Junior Mayhé Feb 02 '15 at 17:19

score 8 · Answer 2 · answered Jan 31 '13 at 17:09

Sure enough, it is up to the author to define and track event IDs they use and what they mean.

Here is a reference: http://msdn.microsoft.com/en-us/library/e29k5ebc.aspx - Particularly interesting is the part about not writing messages with IPv6 addresses (because of the % character) to the event log. I bet you can use a parameter to work around that though.

JRV · Answer 3 · 2017-08-27T22:21:12.760

The hi bits of the ID are reserved for testing, debug and other flags used for development. The usable bits are:

0x0000 - 0xffff

See: Event Message Structure

The upper bits should be avoided but all values for the bottom bits are available if you create a custom source. If you use a system or pre-existing source you will collide and likely get the wrong message. Messages are taken from the registered sources message DLL file. A custom message file can be built using the message file compiler from the SDK.

score 1 · Answer 4 · edited Mar 31 '20 at 10:38

1

Edit1: I tested that and it is not true that eventID is 32bits. It is only 16 bits.

eventId is Int32, from -2,147,483,648 to 2,147,483,647

EventLog.WriteEntry Method (String, String, EventLogEntryType, Int32)

public static void WriteEntry(
    string source,
    string message,
    EventLogEntryType type,
    int eventID
)

edited Mar 31 '20 at 10:38

Liam

27,717
28
128
190

answered Aug 27 '14 at 10:54

MrHIDEn

1,723
1
25
23

2

Yes, accepts a int32 as a parameter, but if you enter a int that is not in the range of 0 and 65535 throws an exception. – Albert Cortada Sep 18 '14 at 14:43
2

Yes. You are right. I tested it now and I am surprised that MS claims it is 32 bits... – MrHIDEn Sep 19 '14 at 15:41
2

Unfortunately, many APIs avoid unsigned integer types. They are [not CLS-compliant](http://stackoverflow.com/questions/6325/why-are-unsigned-ints-not-cls-compliant). – Tom Blodget Sep 25 '14 at 18:02
Why -1? Any comment? Prove? – MrHIDEn Mar 21 '17 at 23:09

Vinod Srivastav · Answer 5 · 2023-02-10T13:15:37.540

0

Technically you can use any values between 1 - 65536 for that.

But if you are someone who writes tons of verbose log like me you will find it difficult to relate a bunch of entries together then I would suggest to generate a random unique value every time the code executes with this you can identify the events, even the much better idea would be to create your own log & source to use this instead of writing everything in the Application log. like

 Random rnd = new Random();
 EventId = rnd.Next(0, 65535);

edited Feb 10 '23 at 13:15

answered Mar 24 '17 at 20:52

Vinod Srivastav

3,644
1
27
40

7

Probably because the purpose of the eventId to to uniquely identify the _type of event_. All events of the same type should have the same id. This for example allows that automated monitoring can take certain actions when certain events occur. Assigning a random ID defies this purpose – Pete Aug 18 '17 at 07:28
@Pete That make sense when you log in the Application log although it was just a suggestion. – Vinod Srivastav Aug 21 '17 at 10:41
While it takes work to keep track of a set of event IDs, it does seem silly to generate a random number you cannot trace back to where it happened. What I've done for my PowerShell scripts is to use the line number of the source file where the event is being reported. Of course that only works for an app where the code is a single source file and not spread across modules. – KillerRabbit Jun 21 '18 at 14:18
@KillerRabbit Assuming to have the code in a single file itself is silly, information like where it happen can be written in the log itself but when it comes to modules one can define multiple source within the log for each module when the log is a custom one and not the default `Application` log. I was running an service that consumes 60k+ messages a day and the messages was processed in a pipeline of modules so random Id's helped me to identify & club them together as DateTime was always same – Vinod Srivastav Jun 22 '18 at 19:02
I know this an old post. But... This is one of the dumbest things I have read for a while, and defeats the object of using Event Ids completely. – Paul Wardle Feb 10 '23 at 12:17
Hi @PaulWardle The objective in a custom Event Log source will not be defined by Microsoft the objective was to track a message with 7 stage in a pipeline and to retrieve all the incident happened with it (No Automation). may not be a very good design but You think it can be done in a better way without investing much resource do it me know. – Vinod Srivastav Feb 10 '23 at 13:01

What event id to use for my custom event log entries?

5 Answers5