Why do we need to create an EventLog?
No matter how well written and tested an application is, chances are high that there will be a bug or some unexpected behavior. Moreover, users typically aren’t developers and don’t use the same terminology that developers are accustomed to. It’s common to have users report problems using terminology that developers don’t recognize or understand. This communication gap makes bug verification a difficult process. And even when a bug can be verified, the circumstances that caused it might remain unknown. This reality makes identifying and fixing bugs difficult and can cause serious delays in repairing them.
Later versions of Windows, such as Windows 2000, Windows XP, and Windows Server 2003, provide a mechanism that lets applications log things that happen to them. This feature has many benefits. By using the event log, developers can record certain aspects of the state of an application, including serious errors. Essentially, developers can record just about anything that they think might be useful after the application is deployed. The ability to review significant events makes it much easier for support people to diagnose issues. A summary of the benefits of using Windows events and logging them is as follows:
§ Provide an easy mechanism to record specific items regarding an application’s state
§ Provide an easy mechanism to record situations that the developers consider to be out of the ordinary
§ Provide an easy mechanism for users to check on the state of applications that are running
Some Caveats about EventLog
§ Creating an EventLog object, writing to it, and passing it to code executing in a partial trust setting can be a huge security vulnerability. EventLog objects, including EventLogEntry objects and EventLogEntryCollection objects, should never be passed to less trusted code. This means any less trusted code, so it’s important to be cognizant of the security context these objects are executing in.
§ The EventLogPermission is required for many actions that use EventLog manipulation. Granting this permission to partially trusted code can open a serious security vulnerability. For example, mischievous code running in a partial trust environment with this permission granted could easily spoof other applications. It could, for example, shut down a critical antivirus or spyware-detection application yet make it appear as if it’s still running. The potential for mischief is unlimited.
§ Reading and logging events are relatively resource intensive in terms of disk utilization, system processor time, and other resources. EventLog objects can also get filled up, at which point attempts to write to them will cause exceptions to be thrown. EventLog objects should be used as necessary, but judiciously as well.
Avoid EventLog objects in partial trust environments
Use of EventLog objects in a partial trust environment can cause serious security holes and should be avoided if at all possible.
Creating and Deleting an Event Log
To create an event log, the .NET Framework provides the EventLog class. To use it, the Source property needs to be specified and a message needs to be written, as shown in the following code, which requires the System.Diagnostics namespace:
' VB
Public Shared Sub CreateEventLog()
Dim DemoLog As New EventLog("Chap10Demo")
DemoLog.Source = "Chap10Demo"
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information)
End Sub
// C#
public static void CreateEventLog()
{
EventLog DemoLog = new EventLog("Chap10Demo");
DemoLog.Source = "Chap10Demo";
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information);
}
After you create an EventLog object and specify its source (which, by the way, can all be done in one of the overloaded constructors), information about the object should be visible from the Windows Event Viewer.
Deleting an event log is equally simple. You may want, for example, to delete the log that you just created as part of this exercise. To remove the demonstration log, use the Delete method of EventLog in code like the following:
' VB
Public Shared Sub DeleteEventLog()
EventLog.Delete("Chap10Demo")
End Sub
// C#
public static void DeleteEventLog()
{
EventLog.Delete("Chap10Demo");
}
Just be sure you don’t delete a log with valuable information by using this method!
Writing to an Event Log
Now that you have the code in place to create the log, it’s time to use it. Only one small enhancement needs to be made to the code sample you just created to get it to write to the event log:
' VB
Public Shared Sub CreateEventLog()
Dim DemoLog As New EventLog("Chap10Demo")
DemoLog.Source = "Chap10Demo"
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information)
End Sub
// C#
public static void CreateEventLog()
{
EventLog DemoLog = new EventLog("Chap10Demo");
DemoLog.Source = "Chap10Demo";
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information);
}
In this example, the WriteEntry method looks rather simple. However, there are 10 overloads for it. As is the case with many overloaded constructors, the minimal construction can be used and then you can set all necessary properties. Or you can specify all the information you need in the constructor. Although doing everything in the overload is typically considered more elegant and straightforward, you might encounter situations in which this approach won’t work well with the rest of your code. For example, you might not know the rest of the values that you intend to record.
To make the point a little clearer, here are each of the overloads in action:
' VB
Public Shared Sub CreateEventLog()
Dim DemoLog As New EventLog("Chap10Demo")
DemoLog.Source = "Chap10Demo"
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information)
End Sub
// C#
public static void CreateEventLog()
{
EventLog DemoLog = new EventLog("Chap10Demo");
DemoLog.Source = "Chap10Demo";
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information);
}
The following example shows how to use an overload to add an event ID:
' VB
Public Shared Sub CreateEventLog()
Dim DemoLog As New EventLog("Security")
DemoLog.Source = "Chap10Demo"
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information, 100)
End Sub
// C#
public static void CreateEventLog()
{
EventLog DemoLog = new EventLog("Security");
DemoLog.Source = "Chap10Demo";
DemoLog.WriteEntry("CreateEventLog called", EventLogEntryType.Information, 100);
}
In addition to reading custom logs, the EventLog object also gives developers the ability to read from and write to built-in event logs. The built-in logs are the Application, Security, and System logs. Even though you might have a specified log for your application, you might want to take advantage of the built-in logs. Assume for a second that you have an ASP.NET Web application that authenticates users. Assume further that you have code in place to detect attempted SQL injection attacks. Developers of an application can do little about attempted attacks (other than ensuring that the code prevents them from being successful), but security administrators will be very interested in this type of activity, even when it is unsuccessful. Therefore it makes sense to write such events to the built-in Security log, where security personnel will be sure to see it.
(Meaning of SQL injection: SQL injection attacks are hack attempts made through an application that trusts user input. The attacker uses special characters to change the nature of the input in order to embed SQL database commands. Depending on what an attacker is allowed to do, he or she might be able to completely take over the database, as well as destroy it.)
Following are examples of how to write to each of the built-in logs. Remember that you must have permission to write to those logs.
Use the following code to write to the Application log:
' VB
Public Shared Sub WriteToApplicationEventLog()
Dim DemoLog As New EventLog("Application")
DemoLog.Source = "DemoApp"
DemoLog.WriteEntry("Written to Application Log", EventLogEntryType.Information)
End Sub
// C#
public static void WriteToApplicationEventLog()
{
EventLog DemoLog = new EventLog("Application");
DemoLog.Source = "DemoApp";
DemoLog.WriteEntry("Written to Application Log",EventLogEntryType.Information);
}
Use the following code to write to the Security log:
' VB
Public Shared Sub WriteToSecurityEventLog()
Dim DemoLog As New EventLog("Security")
DemoLog.Source = "DemoApp"
DemoLog.WriteEntry("A SQL injection attack just occurred from IP address 100.000.00.0", EventLogEntryType.Warning)
End Sub
// C#
public static void WriteToSecurityEventLog()
{
EventLog DemoLog = new EventLog("Security");
DemoLog.Source = "DemoApp";
DemoLog.WriteEntry("A SQL injection attack just occurred from IP address 100.000.00.0", EventLogEntryType.Warning);
}
Use the following code to write to the System log:
' VB
Public Shared Sub WriteToSystemEventLog()
Dim DemoLog As New EventLog("System")
DemoLog.Source = "DemoApp"
DemoLog.WriteEntry("A DemoService Restarted due to reboot", EventLogEntryType.Information)
End Sub
// C#
public static void WriteToSystemEventLog()
{
EventLog DemoLog = new EventLog("System");
DemoLog.Source = "DemoApp";
DemoLog.WriteEntry("A DemoService Restarted due to reboot", EventLogEntryType.Information);
}
Reading from an Event Log
At this point, an event log has been created and data has been written to it. The EventLog object has an Entries property. This property is an instance of EventLogEntryCollection and contains EventLogEntry objects. After you have an instance of your EventLog class, you can easily iterate through the log entries, as illustrated by the following code:
' VB
Public Shared Sub ReadEventLog()
Dim DemoLog As New EventLog()
DemoLog.Log = "Chap10Demo"
For Each DemoEntry As EventLogEntry In DemoLog.Entries
Console.WriteLine(DemoEntry.Source + ": " + DemoEntry.Message)
Next
End Sub
// C#
public static void ReadEventLog()
{
EventLog DemoLog = new EventLog();
DemoLog.Log = "Chap10Demo";
foreach (EventLogEntry DemoEntry in DemoLog.Entries)
{
Console.WriteLine(DemoEntry.Source + ": " + DemoEntry.Message);
}
}
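The WriteEntry overloads, the Security-log scenario and the read loop above, pulled together in one added example (this is not code from the article or the training kit): it registers the source once, writes the rejected-input event with the event-ID overload to the custom log, and returns plain copies of entries rather than handing out the EventLog or EventLogEntry objects, as the caveats section advises. The Chap10Demo/DemoApp names, the LogRejectedInput and RecentWarnings methods and the message text are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
// Added example, not code from the article; log and source names are assumed.
public static class AppEventLog
{
    const string LogName = "Chap10Demo";  // assumed custom log name
    const string SourceName = "DemoApp";  // assumed source name

    // Registering a source touches the registry and needs administrative
    // rights, so do it once at install time rather than on every write.
    public static void EnsureSource()
    {
        if (!EventLog.SourceExists(SourceName))
            EventLog.CreateEventSource(SourceName, LogName);
    }

    // Uses the WriteEntry overload that takes an event ID. The remote address
    // is untrusted input and is only ever recorded as message text.
    public static void LogRejectedInput(string remoteAddress, int eventId)
    {
        using (var log = new EventLog(LogName) { Source = SourceName })
        {
            log.WriteEntry("Possible SQL injection attempt rejected; remote address: "
                           + remoteAddress, EventLogEntryType.Warning, eventId);
        }
    }

    // Plain copy of the fields a caller needs: hand this to less-trusted code
    // instead of the EventLogEntry object, as the caveats above advise.
    public struct EntrySummary { public DateTime When; public long InstanceId; public string Message; }

    // Returns this application's most recent non-Information entries, newest
    // first, without exposing the EventLog or its Entries collection.
    public static List<EntrySummary> RecentWarnings(int max)
    {
        var result = new List<EntrySummary>();
        using (var log = new EventLog(LogName))
        {
            EventLogEntryCollection entries = log.Entries;
            for (int i = entries.Count - 1; i >= 0 && result.Count < max; i--)
            {
                EventLogEntry e = entries[i];
                if (e.Source != SourceName || e.EntryType == EventLogEntryType.Information)
                    continue;
                result.Add(new EntrySummary { When = e.TimeWritten, InstanceId = e.InstanceId, Message = e.Message });
            }
        }
        return result;
    }
}
```

Call EnsureSource() once from an elevated installer; LogRejectedInput and RecentWarnings then run without creating registry keys.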
The only real task left to address is clearing a log. This is one of the simplest operations to perform. All you need to do is call the Clear method of the EventLog instance:
' VB
Public Shared Sub ClearEventLog()
Dim LogDemo As New EventLog("Chap10Demo")
LogDemo.Source = "DemoApp"
LogDemo.Clear()
End Sub
// C#
public static void ClearEventLog()
{
EventLog LogDemo = new EventLog("Chap10Demo");
LogDemo.Source = "DemoApp";
LogDemo.Clear();
}
If you use the ReadEventLog method after calling ClearEventLog, you should see no log entries. If you see any entries—other than entries that might have been written by another piece of code in the interim—something has failed.