eventviewer interview questions
Top eventviewer frequently asked interview questions
I currently spend a considerable amount of time copying and pasting event viewer logs into text files and then copying them to a repository on another computer.
Is it possible to automate saving these event viewer logs between a specified date/time to the computer (so that they can then be copied to the repository)?
Ideally, if it's possible, it has to be achieved by C# .NET code.
The purpose of this is for automated tests, which run on Windows Server 2003/2008 machines.
Thank you
Source: (StackOverflow)
How do I get time stamps for the Microsoft-Windows-Kernel-Power provider from Windows Performance Recorder? I see Windows Performance Analyzer gives me some formatted time but not the exact time stamp. Thanks in advance
Source: (StackOverflow)
I'm trying to learn how to log from java eclipse to event viewer and I've read the api, various sites and similar questions on stack overflow.
But when I follow the steps I always get:
Exception in thread "main" java.lang.UnsatisfiedLinkError: org.apache.log4j.nt.NTEventLogAppender.registerEventSource(Ljava/lang/String;Ljava/lang/String;)I
at org.apache.log4j.nt.NTEventLogAppender.registerEventSource(Native Method)
at org.apache.log4j.nt.NTEventLogAppender.<init>(NTEventLogAppender.java:79)
at org.apache.log4j.nt.NTEventLogAppender.<init>(NTEventLogAppender.java:65)
What is the source supposed to be?
If anyone could show a full example of such a program that would be excellent. Please go into as much detail as possible, thanks.
My code right now is:
package Output;

import org.apache.log4j.BasicConfigurator;
import org.apache.log4j.ConsoleAppender;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;
import org.apache.log4j.PropertyConfigurator;
import org.apache.log4j.nt.NTEventLogAppender;

public class EventLog {
    public static void main(String[] args)
    {
        Logger myLogger = Logger.getLogger(EventLog.class);
        // Event source name the appender registers with the Windows Event Log
        String mySource = "the source";
        PatternLayout myLayout = new PatternLayout("[%c][%l][%p][%thread]: %m%n");
        // The constructor calls the native registerEventSource() (NTEventLogAppender.dll)
        NTEventLogAppender eventLogAppender = new NTEventLogAppender(mySource, myLayout);
        ConsoleAppender consoleAppender = new ConsoleAppender(myLayout);
        myLogger.addAppender(consoleAppender);
        myLogger.addAppender(eventLogAppender);
        myLogger.setLevel(Level.WARN);
        myLogger.fatal("Come on print");
    }
}
Source: (StackOverflow)
I'm curious about something. I'm developing a Windows service and log all the diagnostic events into the Windows Event Log. So when the service is running I open the Event Viewer (from Administrative tools) to view the results of my service's operation.
This works great except for the moment when I need to uninstall my program (again, for the testing purposes.) For some weird reason the Event Viewer holds a lock on the .exe image file for my service so the uninstaller fails to delete it with the error code ERROR_SHARING_VIOLATION: "The process cannot access the file because it is being used by another process."
This happens only on Vista and later OS and seems not to be an issue on XP.
Any idea how to make Event Viewer release the file lock? (I'm asking about programmatic approach. I can obviously close it manually, but that's not what I'm after.)
Source: (StackOverflow)
I'm trying to sort of replicate the following from the Event Viewer
I'm having trouble with a few things. First, some of the names I get back are not the display names or friendly names. For example, for "Microsoft Office Alerts" I just get back "OAlerts". How can I get the full "Microsoft Office Alerts" from "OAlerts"?
The second problem is figuring out the hierarchy. It seems all I can do is parse out the dashes and do some sort of a best guess. There doesn't seem to be an easy way in the API to figure it out. GetLogNames just gives you a flat list of all the logs:
EventLogSession session = new EventLogSession();
List<string> logNames = new List<string>(session.GetLogNames());
foreach (string name in logNames)
{
    //EventLogConfiguration config = new EventLogConfiguration(name); //looks useful but doesn't give me any of the info I'm looking for.
    Console.WriteLine(name);
}
Source: (StackOverflow)
How can I write XML data into the Windows Event Log?
I have noticed that there is a way to insert XML into the Windows event log (and not by just stuffing it into the description). The effect is that you get just your description message in the General view on Windows Vista. You can see your XML data in the Details view. If you select the Friendly radio button, it appears under the Event Data node. If you select the XML view, then you get to see the XML.
I thought that the rawData byte array in the EventLog.WriteEntry() method would allow me to do this. I tried stuffing the output of XMLWriter into it. That put data into the event log, but it is viewed as binary instead of XML.
Source: (StackOverflow)
When I run the script below to retrieve log files, the get-winevent "message" field is blank but has data if I run get-eventlog. Any ideas why?
#has message data
Get-Eventlog -LogName application -Newest 10
#date range: 10 May 2012 to 11 May 2012
$EventStartDate = get-date("10 May 2012")
$EventEndDate = get-date("11 May 2012")
$EventLogNames = @("Application", "system")
#criteria for winevent
$EventCritea = @{logname = $EventLogNames; StartTime=$EventStartDate; EndTime=$EventEndDate}
#Retrieves the event log
$RetreivedEvents = Get-WinEvent -computername localhost -FilterHashtable $EventCritea
$RetreivedEvents | fl id, logname, MachineName, Message, TimeCreated
Source: (StackOverflow)
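For the two questions above that want a date range of events pulled off a machine (the automated-test archiving question and the Get-WinEvent script whose Message field comes back blank), here is an added PowerShell example; it is not code from either poster. It uses Get-WinEvent with the same kind of FilterHashtable, and when the Message property is empty it falls back to the record's own XML, which still carries the EventData values even when the provider's message resource cannot be resolved on the reading machine. The function name Export-EventRange, the output folder and the CSV layout are this example's own choices.

```powershell
# Added example: export a date range of Windows events to CSV for archiving.
# Assumes Windows PowerShell on the collecting machine; -OutDir is a folder of
# your choosing (the path used in the usage call below is made up).
function Export-EventRange {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string[]]$LogName = @('Application', 'System'),
        [string]$ComputerName = 'localhost',
        [Parameter(Mandatory)][string]$OutDir
    )

    $filter = @{ LogName = $LogName; StartTime = $Start; EndTime = $End }
    # Get-WinEvent raises an error when nothing matches; treat that as "no rows".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Message is rendered from the provider's message table. If that lookup
        # fails (provider not registered here, missing locale resources) the
        # property is empty, but the raw XML still contains the EventData.
        $xml  = [xml]$e.ToXml()
        $data = ($xml.Event.EventData.Data | ForEach-Object {
            if ($_ -is [string])                      { $_ }                          # <Data>text</Data>
            elseif ($_.Name -and $_.Name -ne 'Data') { "$($_.Name)=$($_.'#text')" }  # <Data Name="x">..</Data>
            else                                     { $_.'#text' }
        }) -join '; '

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            LogName     = $e.LogName
            Id          = $e.Id
            Level       = $e.LevelDisplayName
            Provider    = $e.ProviderName
            Message     = if ($e.Message) { $e.Message } else { "<no message resource> $data" }
            EventData   = $data
        }
    }

    if (-not $rows) {
        Write-Warning "No events between $Start and $End in $($LogName -join ', ')"
        return $null
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = '{0:yyyyMMdd-HHmm}_{1:yyyyMMdd-HHmm}' -f $Start, $End
    $csv   = Join-Path $OutDir "events_$stamp.csv"
    $rows | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
    return $csv   # path of the file to copy to the repository machine
}

# Usage (dates taken from the question; the folder is a made-up example path)
Export-EventRange -Start (Get-Date '10 May 2012') -End (Get-Date '11 May 2012') `
                  -OutDir 'C:\Temp\EventExport'
```

Exporting the EventData column alongside Message means the archive stays useful for later review even for events whose text could not be rendered where they were collected; wevtutil's native .evtx export keeps everything but needs the provider to be present wherever the file is opened.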
My SqlDependency works fine, and the Broker Queue and Service get dropped properly when the application exits (I do execute SqlDependency.Stop(...) as recommended before terminating the process), yet I notice that the notification subscription created by the SqlDependency lives on in the table "sys.dm_qn_subscriptions" after the application shuts down.
If I later (post-app shutdown) execute the condition that ought to make this subscription fire, it does seem to fire, as SQL Server logs an Info message in Event Viewer to the effect that:
The query notification dialog on conversation handle '{3F03B693-C0A5-E211-A97B-E06995EBDB20}.' closed due to the following error: '-8490 Cannot find the remote service 'SqlQueryNotificationService-0ea1f686-e554-4e25-aa7d-4f6d85171cc3' because it does not exist.'.
and the subscription is then dropped from "sys.dm_qn_subscriptions".
Note: the subscription also fires properly when the application is alive. Nothing works wrong as far as my application is concerned, but it worries me that the subscriptions are not wiped automatically in the database system table once the broker queue/service they depend on are terminated. This can lead (at the very least) to an abundance of phantom/undead subscription records accumulating in the database and to needless SQL Server cleanup messages in Event Viewer (each app run generates new undead records in "sys.dm_qn_subscriptions").
Is this behaviour normal? Can things be made neater?
Thanks in advance,
D.
Source: (StackOverflow)
I know that you can view any evtx files in the event viewer but when you use the option to archive them off what folder are they stored in?
I know that I can find all my evtx files in C:\Windows\System32\winevt\Logs but when I go into that folder I do not see any archived files. Then again I don't think that my logs have filled up enough to even archive anything.
I am running Windows 7 Home and also Windows 7 professional on my desktop. I would like to know if there is any difference between the two.
Also, are the files just named Archive-* ? Meaning the word archive and then whatever they come from (security, application etc...)
Thank you in advance for your help.
Source: (StackOverflow)
If I select to filter the "Application" log in the EventLog viewer, I can see a lot of Sources registered with the "Application" log. How could I programmatically enumerate all these sources via C#? And it seems I cannot register my own event source with the "Application" and "System" log, why?
BTW: The concept of "event source" is really confusing...
Source: (StackOverflow)
When I start the application pool, and request a page in an application in that pool, I get a "HTTP Error 503. The service is unavailable."
If I look at the application pools in IIS, I can see that it has now stopped. Going to the event viewer I find this error message:
'The identity of application pool Badge.Web is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.'
I'm very sure the credentials I'm using are correct. Something else is causing the app pool to stop.
Source: (StackOverflow)
I would like to log in the Windows Event Viewer using log4net.
I created a Console Application (.NET Framework 4), I added the reference log4net.dll, I put the following code in my App.config:
<configuration>
<configSections>
<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler,log4net"/>
</configSections>
<log4net>
<appender name="EventLogAppender" type="log4net.Appender.EventLogAppender">
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline"/>
</layout>
</appender>
<root>
<level value="ALL"/>
<appender-ref ref="EventLogAppender"/>
</root>
</log4net>
<startup><supportedRuntime version="v2.0.50727"/></startup>
</configuration>
And I put the following code :
using System;

class Program
{
    static void Main(string[] args)
    {
        log4net.ILog log = log4net.LogManager.GetLogger(typeof(Program));
        log.Error("test error", new Exception("error's exception", new Exception("error's innerexception")));
        Console.Read();
    }
}
It doesn't log, nothing happens, why?
Thanks
Source: (StackOverflow)
How should I interpret these logs to identify the cause of the appcrash?
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: InsightAnalysisEngine.exe
P2: 1.0.0.0
P3: 4f4dee84
P4: KERNELBASE.dll
P5: 6.1.7600.16850
P6: 4e211485
P7: c03d0000
P8: 0000b9bc
P9:
P10:
Attached files:
C:\Users\devservice\AppData\Local\Temp\WER44D1.tmp.appcompat.txt
C:\Users\devservice\AppData\Local\Temp\WER461A.tmp.WERInternalMetadata.xml
C:\Users\devservice\AppData\Local\Temp\WER462A.tmp.hdmp
C:\Users\devservice\AppData\Local\Temp\WER48E9.tmp.mdmp
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_InsightAnalysisE_857bf71fb86d6845394e6281199ee78ad305d_cab_1cc34a1e
Analysis symbol:
Rechecking for solution: 0
Report Id: 8a13d73c-62b8-11e1-ab53-0050ba3279b5
Report Status: 4
Yet another which is equally mysterious:
Faulting application name: Engine.exe, version: 1.0.0.0, time stamp: 0x4f4dee84
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16850, time stamp: 0x4e211485
Exception code: 0xc03d0000
Fault offset: 0x0000b9bc
Faulting process id: 0x1414
Faulting application start time: 0x01ccf6c528f9f803
Faulting application path:C:\projects\AnalysisEngine\Debug\Engine.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 8a13fe4c-62b8-11e1-ab53-0050ba3279b5
More specifically, what is Fault offset? In what ways is this information helpful?
Source: (StackOverflow)
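As an added example for the crash-triage question above (not code from the poster), the following PowerShell parses the text of an Application Error event into fields. The sample message is the one quoted in the question; the function name, the field names and the bucket-key format are this example's own. The point it makes about the fault offset is the standard one: the offset is relative to the load address of the faulting module, so module name, module version and offset together identify the crash site independently of where the module was mapped in a given run.

```powershell
# Added example: turn an "Faulting application name: ..." event message into
# structured fields so repeated crashes can be grouped by module and offset.
# The sample text below is copied from the question; everything else is assumed.
$sample = @'
Faulting application name: Engine.exe, version: 1.0.0.0, time stamp: 0x4f4dee84
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16850, time stamp: 0x4e211485
Exception code: 0xc03d0000
Fault offset: 0x0000b9bc
Faulting process id: 0x1414
Faulting application start time: 0x01ccf6c528f9f803
Faulting application path:C:\projects\AnalysisEngine\Debug\Engine.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 8a13fe4c-62b8-11e1-ab53-0050ba3279b5
'@

function ConvertFrom-AppCrashMessage {
    param([Parameter(Mandatory)][string]$Message)

    # One regex per field; group 1 is the value. "path:" is matched with \s*
    # because the message in the question has no space after the colon.
    $rx = [ordered]@{
        AppName     = 'Faulting application name:\s*([^,]+),'
        AppVersion  = 'Faulting application name:[^,]+, version:\s*([^,]+),'
        ModuleName  = 'Faulting module name:\s*([^,]+),'
        ModuleVer   = 'Faulting module name:[^,]+, version:\s*([^,]+),'
        Exception   = 'Exception code:\s*(0x[0-9a-fA-F]+)'
        FaultOffset = 'Fault offset:\s*(0x[0-9a-fA-F]+)'
        AppPath     = 'Faulting application path:\s*(.+)'
        ModulePath  = 'Faulting module path:\s*(.+)'
        ReportId    = 'Report Id:\s*(\S+)'
    }

    $out = [ordered]@{}
    foreach ($k in $rx.Keys) {
        $out[$k] = if ($Message -match $rx[$k]) { $Matches[1].Trim() } else { $null }
    }

    # Fault offset = faulting address minus the module's base address. Paired
    # with the module version it is a stable key for "same crash" across runs
    # (the base address itself changes with ASLR, the offset does not).
    $out['BucketKey'] = '{0}!{1}+{2}' -f $out.ModuleName, $out.ModuleVer, $out.FaultOffset
    [pscustomobject]$out
}

ConvertFrom-AppCrashMessage -Message $sample
```

Run over many Event ID 1000 entries from the Application log, grouping on BucketKey separates one recurring bug from many unrelated crashes far better than grouping on the application name alone.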
When I use the following code to write to Application Event log, everything works fine:
EventLog log = new EventLog();
log.Source = "Application";
log.WriteEntry("test message", EventLogEntryType.Error);
When I use the code that is from MSDN and all other blogs, I get the security error (I am guessing because CreateEventSource raises it).
string sSource = "MyWebService";
string sLog = "myApplication";
string sMsg = errorMessage;
if (!EventLog.SourceExists(sSource))
    EventLog.CreateEventSource(sSource, sLog);
EventLog.WriteEntry(sSource, sMsg, EventLogEntryType.Error);
So, do I need to check whether the source exists if all I need is to write to Application log which is there by default?
What is the proper way to write to EventViewer?
Source: (StackOverflow)
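An added PowerShell example for the question above (not the poster's code): it separates the one-time, elevated registration of an event source from the routine writes that a service or web application does at run time. SourceExists has to enumerate every log's registry key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, including the Security log's key, which a non-administrator cannot read, so calling it from the application itself produces the security error the question describes. The function names and the source name MyWebService are this example's own; the cmdlets New-EventLog and Write-EventLog are the Windows PowerShell ones.

```powershell
# Added example: register an event source once (elevated, at install time)
# and write to the Application log at run time without touching the registry.
# Assumes Windows PowerShell 5.x; names such as MyWebService are made up.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Register-EventSourceOnce {
    param(
        [Parameter(Mandatory)][string]$Source,
        [string]$LogName = 'Application'
    )
    # SourceExists reads every log's key under
    # HKLM\SYSTEM\CurrentControlSet\Services\EventLog (Security included), so
    # it needs administrative rights; run this from the installer, not the app.
    if (-not (Test-IsElevated)) {
        throw "Source registration must run elevated; do it once during installation."
    }
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
}

function Write-AppEvent {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Error', 'Warning', 'Information')][string]$EntryType = 'Error',
        [int]$EventId = 1000
    )
    # Writing needs no registry read: the source only has to exist already.
    # An unregistered source fails here instead of silently being created
    # under the wrong log, which is the behaviour the question ran into.
    Write-EventLog -LogName 'Application' -Source $Source -EventId $EventId `
                   -EntryType $EntryType -Message $Message
}

# Install step (elevated):
#   Register-EventSourceOnce -Source 'MyWebService'
# Run-time step (application identity, no elevation needed):
#   Write-AppEvent -Source 'MyWebService' -Message 'request failed' -EntryType Error
```

Splitting the two steps also keeps the running service on least privilege: it needs write access to the Application log only, never the registry rights that source creation requires.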
I want to check the operating system's start time. That is, for the last one month, the times when Windows was booted up. Is it possible to find this out?
Source: (StackOverflow)
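As an added PowerShell example for the boot-time question (not from the poster), this reads the System log for the events that mark a startup: event 6005 from source EventLog ("The Event log service was started"), written on every boot, and event 12 from Microsoft-Windows-Kernel-General, which on Vista and later records the kernel's own start time. The function name and output columns are this example's own; the last line cross-checks the newest entry against the LastBootUpTime value that WMI reports.

```powershell
# Added example: list the times Windows was booted in the last month from the
# System log. Assumes Windows PowerShell on the machine being inspected.
function Get-BootTimes {
    param([datetime]$Since = (Get-Date).AddMonths(-1))

    $filter = @{
        LogName      = 'System'
        ProviderName = @('EventLog', 'Microsoft-Windows-Kernel-General')
        Id           = @(6005, 12)     # 6005: event log service started; 12: OS started
        StartTime    = $Since
    }
    # No matching events is an error for Get-WinEvent; return an empty list instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                BootTime = $_.TimeCreated
                Source   = $_.ProviderName
                EventId  = $_.Id
            }
        }
}

$boots = Get-BootTimes
$boots | Format-Table -AutoSize

# Sanity check: the most recent boot in the log should match what the OS reports.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
"Log says last boot {0}; WMI says {1}" -f ($boots | Select-Object -Last 1).BootTime, $lastBoot
```

Each boot normally produces both events within seconds of each other, so a 6005 without a matching Kernel-General 12 (or the reverse) in the same window is worth a second look; a gap in the sequence relative to LastBootUpTime usually means the System log was cleared or rolled over.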