How to: Create and Remove Custom Event Logs

[This documentation is for preview only, and is subject to change in later releases. Blank topics are included as placeholders.]

You can use the EventLog class to create a custom event log on a local or remote computer. You might create a custom log if you wanted to organize your entries in a more granular way than is allowed when your components write entries to the default Application log. For example, suppose you have a component called OrderEntry that writes entry information to an event log. You are interested in backing up and saving these entries for a longer period of time than some other entries in the Application log. Rather than registering your component to write to the Application log, you can create a custom log called OrdersLog and register your component to write entries to that log instead. That way, all of your order information is stored in one place and will not be affected if the entries in the Application log are cleared.

You can indirectly use the CreateEventSource method to create a custom log. This method creates a new source and lets you specify the log to write to. If you specify that you want to write to a log that does not already exist, the system automatically creates a custom log for you and registers your component as a source for that log.

Note

You remove a custom log the same way you remove any log — by calling the Delete method. For more information, see How to: Delete Event Logs.

It is important to note the difference between creating an event log and creating an instance of the EventLog component. When you use the CreateEventSource method, you are creating a new custom event log in Windows, rather than a component in your project or application. When you create an instance of the EventLog component, you create a component inside your project that references an external event log. You can view the event logs created with the CreateEventSource method in the Event Viewer, but you cannot view component instances there.

Note

In general, create the new event source during the installation of your application. This allows time for the operating system to refresh its list of registered event sources and their configuration. If the operating system has not refreshed its list of event sources and you attempt to write an event with the new source, the write operation will fail. If creating the source during installation is not an option, then try to create the source well ahead of the first write operation, perhaps during your application initialization. If you choose this approach, be sure your initialization code is running with administrator rights on the computer. These rights are required for creating new event sources.

You can view custom logs in Server Explorer, or in the Windows 2000 Computer Management window. For more information, see How to: Work with Event Logs in Server Explorer or How to: Launch Event Viewer from the Server Explorer.

You must have appropriate access rights on the remote computers to create and delete logs. For more information, see Security Ramifications of Event Logs.

Security noteSecurity Note

When you create an event log, be aware that the resource may already exist. Another process, perhaps a malicious one, may have already created the resource and have access to it. When you put data in the event log, the data is available to the other process. For information on existing event logs, see How to: Determine If Specific Event Logs Exist.

To create a custom event log

  • Call the CreateEventSource method and specify the source string and the name of the log file you want to create.

    Note

    If you specify null ("") as the log name, it defaults to the Application log. This will not create a new log, but will register the specified source for the Application log. If you create a new log, only the first eight letters are evaluated when determining if the name is unique.

    The following example shows how to create a custom log called MyNewLog on the local computer. This code assumes that an Imports or using statement exists for the System.Diagnostics namespace:

    EventLog.CreateEventSource("ApplicationName", "MyNewLog")
    
            System.Diagnostics.EventLog.CreateEventSource("ApplicationName", "MyNewLog");
    

    To create a custom event log on a remote computer, specify the computer name as a third parameter. The following code shows an example.

    Dim creationData As New EventSourceCreationData("ApplicationName", "MyNewLog")
    creationData.MachineName = "ServerName"
    EventLog.CreateEventSource(creationData)
    
            System.Diagnostics.EventSourceCreationData creationData = new
                System.Diagnostics.EventSourceCreationData("ApplicationName", "MyNewLog");
            creationData.MachineName = "ServerName";
            EventLog.CreateEventSource(creationData);
    

See Also

Tasks

How to: Delete Event Logs

How to: Work with Event Logs in Server Explorer

How to: Launch Event Viewer from the Server Explorer

Reference

EventLog

Concepts

Security Ramifications of Event Logs

Introduction to the EventLog Component

Other Resources

Administering Event Logs