(untagged)

A realtime event log monitoring tool

Marc Merritt

0.00/5 (No votes)

27 Aug 2003

Demonstrates how to do realtime event log monitoring

Introduction

I'm an instant gratification kind of person. I like to see who and from where my machine is being accessed, as it occurs. This tool allows you to do just that and provides a number of other event log monitoring capabilities.

Background

While testing a piece of software that provides Windows event logging, our QA team questioned if there was a way to monitor events as they are written to the Windows event log, hence the creation of this little utility. The notifications that the tool displays are done so using the most-excellent NotifyIconEx class by Joel Matthias.

Capturing Events

The EventLog class contains an event handler called EntryWritten. This handler expects an argument of type EntryWrittenEventArgs. To capture events as they happen, we simply set the EnableRaisingEvents property to true and declare the method name that will handle the event.

private void StartWatch()
{      
  EventLog myLog = new EventLog(watchLog);
        
  // set event handler

  myLog.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);
  myLog.EnableRaisingEvents = true;
}

Displaying Events

When events that match the specified criteria occur, a balloon notification is displayed with the details of the last event that was written. (To capture and display Security log events, you must have auditing turned on.)

private void OnEntryWritten(object source, EntryWrittenEventArgs e)
{
  string logName = watchLog;
  GetLogEntryStats(watchLog);
  
  if (logType == eventFilter || eventFilter.Length == 0)
  {
    // show balloon

    NotifyIcon.ShowBalloon("Event Log Monitor",
      "An event was written to the "+logName+" event log."+
      "\nType: "+LogType+
      "\nSource: "+LogSource+
      "\nCategory: "+LogCategory+
      "\nEventID: "+EventID+
      "\nUser: "+User,
      NotifyIconEx.NotifyInfoFlags.Info,
      5000);
        
    LogNotification();
  }
}
    
private void GetLogEntryStats(string logName)
{
  int e = 0;
  
  EventLog log = new EventLog(logName);
  e = log.Entries.Count - 1; // last entry


  logMessage = log.Entries[e].Message;
  logMachine = log.Entries[e].MachineName;
  logSource = log.Entries[e].Source;
  logCategory = log.Entries[e].Category;
  logType = Convert.ToString(log.Entries[e].EntryType);
  eventID = log.Entries[e].EventID.ToString();
  user = log.Entries[e].UserName;
  logTime = log.Entries[e].TimeGenerated.ToShortTimeString();
  log.Close();  // close log

}

The GetEventLogs() method provides an overload for retrieving the logs from a remote machine. It is feasible to assume that event monitoring should work the same on a remote machine as it does on the local computer, given the appropriate permissions. As time permits, I'll be expanding the filtering capabilities of the tool and provide the ability to monitor multiple machines.

Compatibility Issues

The code has only been tested on Windows XP SP1 but should run on Windows 2000. However, while the NotifyIconEx class contains an event handler called BalloonClick, this isn't supported on Windows 2000. Will not work on Win9x or NT4 as they are incapable of displaying balloon notifications.

History

Version 1.0 - 08.22.2003

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here