将事件日志添加到注册表

Question

I'm attempting to access a 'ForwardedEvents' events log on a server using

el = new EventLog("ForwardedEvents", serverName);

this isn't working.

I believe it's not working because the log isn't contained in the registry where Eventlog would expect to find it (HKLM/System/CurrentControlSet/Services/Eventlog/.. ).

How would add the log to registry so it is found, or is there another method to access a log that's not specified in that location?

Answer 1

Remedied the issue by creating a new registry entry for the Log at: (HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\LOGNAME).

Did this by.. ( on windows server 2008 R2 ) ..

1) Right Click on parent folder (eventlog) -> New -> Key

2) Name the key like the evtx file found at (C:\\Windows\\System32\\winevt\\Logs\\LOGNAME)

3) In the right pane of the registry explorer, right click -> new -> Expandable String Value

4) Name the newly created REG_EXPAND_SZ "File"

5) Right click on the Name "File"

6) Modify

7)In the "Value Data" box, add path to evtx file like

( %SystemRoot%\\System32\\winevt\\Logs\\ForwardedEvents.evtx )

Answer 2

This is close to the other registry solution offered here, but this is how I did it on Windows 7, and will write to the Application log, not the Forwarded Events log:

• Windows logo > type regedit in the search and press Enter

• Expand HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog

• Find the Application key and create a new key for your application: MyApp

• In MyApp , right-click the right side window in the blank area and select New > Expandable String Value . This will create a REG_EXPAND_SZ entry. Give it the name EventMessageFile .

• Double-click the new entry to set a value. For the value, enter: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\EventLogMessages.dll Select OK .

• Leave the (Default) string value alone with its (value not set) value.

• Repeat two more times by replacing CurrentControlSet with ControlSet001 and ControlSet002 .

And if you need to then move your application to another computer, you can right-click the key and select Export . You save the file as a .reg file, and then copy it to the next computer. There, you double-click to run it (while logged in as an Administrator). In this way, you don't have to manually re-create it, and for other apps, you can actually edit the .reg file in Notepad and simply change the name of the app, save it (be sure to change the format to "All Files", so it retains the .reg on the end, and not save it as a .txt file), and then you can double-click it to run and insert the new app's EventLog key.

Answer 3

If you still want to do this the programmatic way as opposed to manually creating the log via the registry, there is a way. You need to check and see if the EventSource exists first, and if it doesn't you need to create it. This has to happen all before you try to create an EventLog instance with that source. Just note the latency between creation and use, so make sure to handle this (see http://msdn.microsoft.com/en-us/library/2awhba7a(v=vs.110).aspx for more information).

// Create the source, if it does not already exist. 
if(!EventLog.SourceExists("MySource"))
{
    //An event log source should not be created and immediately used. 
    //There is a latency time to enable the source, it should be created 
    //prior to executing the application that uses the source. 
    //Execute this sample a second time to use the new source.
    EventLog.CreateEventSource("MySource", "MyNewLog");
    Console.WriteLine("CreatedEventSource");
    Console.WriteLine("Exiting, execute the application a second time to use the source.");
    // The source is created.  Exit the application to allow it to be registered. 
    return;
}

// Create an EventLog instance and assign its source.
EventLog myLog = new EventLog();
myLog.Source = "MySource";

// Write an informational entry to the event log.    
myLog.WriteEntry("Writing to event log.");