About Windows Event Log

The Windows Event Log SDK enables an application to publish, access, and process events. An application publishes events by creating an event and sending it to a specific event log, where the event is stored. An application can access event information by querying or subscribing to events in an event log. An application can also process events by rendering event information in a usable format.

The Windows Event Log functions are available on Windows Vista and later. For information about using the Event Log service on down-level systems (Windows Server 2003, Windows XP, or Windows 2000), see Event Logging.

Note   An application that publishes events larger than 64 KB on Windows Server 2003, Windows XP, or Windows 2000 will not be able to publish those events on Windows Vista. Only event publishers built from an instrumentation manifest (following the procedure in Developing Event Publishers) can publish events larger than 64 KB on Windows Vista.

Windows Event Log Audiences

The following audiences receive events using the Windows Event Log. Consider each audience type when designing and creating events:

  • System Administrators

    System administrators review event logs to detect critical errors.

  • Customer Support

    Customer support representatives are contacted by system administrators and end users when problems are found.

  • Developers

    Developers view events during development and when they are recommended to do so by a customer support representative. They diagnose problems and often use the source code to assist in problem diagnosis.

  • Tools

    Monitoring and diagnostic tools may examine events to detect, troubleshoot, and resolve a problem.

  • End users

    End users are seldom interested in events, but may look at event logs when a problem occurs.

Performing Operations from the Command Line

To access event log information from the command line, use the WevtUtil.exe tool, which is located in the %SystemRoot%\System32 directory. For general help, run wevtutil /?; for help on a specific command, such as query-events, run wevtutil qe /?.
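The following session, added here as an illustration and not part of the original topic, walks through the WevtUtil.exe operations an administrator or responder most often needs: enumerating channels, reading a channel's configuration (including its access SDDL), inspecting publisher metadata, filtering events with XPath, and exporting a log for offline analysis. Every verb and switch used is a documented wevtutil command; the channel name, publisher name, event count, and export path are assumptions chosen for the example.

```powershell
# Added example (not from the original page): inspecting, querying and exporting a
# log with WevtUtil.exe from a PowerShell prompt. Every verb and switch used here is a
# documented wevtutil command; the channel, publisher, event count and export path
# are assumptions chosen for illustration. Run from an elevated prompt to read
# channels whose ACL restricts access.
$log       = 'System'                                  # assumed channel of interest
$publisher = 'Microsoft-Windows-Kernel-General'        # assumed publisher to inspect
$archive   = Join-Path $env:TEMP 'system-export.evtx'  # assumed export path

# el (enum-logs): every channel registered on the machine.
wevtutil el | Select-Object -First 10

# gl (get-log): the channel's configuration, including enabled state, log file path,
# maximum size, retention policy and the channelAccess SDDL that controls who may read it.
wevtutil gl $log

# gli (get-log-info): runtime status such as record count, oldest record and file size.
wevtutil gli $log

# gp (get-publisher): what the provider declares in its manifest; /ge:true adds the
# event definitions and /gm:true the message strings for each event.
wevtutil gp $publisher /ge:true /gm:true

# qe (query-events): the newest five critical, error or warning events. /q: takes an
# XPath filter, /rd:true reads newest first, /f:text renders the message instead of raw XML.
wevtutil qe $log '/q:*[System[(Level=1 or Level=2 or Level=3)]]' /c:5 /rd:true /f:text

# epl (export-log) copies the channel to an .evtx file for offline analysis; /ow:true
# overwrites an existing file. al (archive-log) stores the rendered message strings with
# the file so the events still render on a machine that lacks the publisher's message
# resources. /lf:true tells qe to treat its first argument as a file, not a channel.
wevtutil epl $log $archive /ow:true
wevtutil al $archive /l:en-US
wevtutil qe $archive /lf:true /c:1 /rd:true /f:xml
```

The archive-log step matters for forensics: an exported .evtx contains only the event's binary data and the publisher's event identifiers, so without the publisher's message files on the analysis machine the message text cannot be rendered unless it was archived with the log.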

Performing Operations from the Event Viewer User Interface

To access event log information from a graphical user interface, use the Event Viewer tool. Event Viewer is a Microsoft Management Console (MMC) snap-in that enables a user to browse and manage event logs. It is also useful for testing applications that use Event Log functions. For more information about using or starting Event Viewer, see Event Viewer Overview.

The Windows Event Log System

The Windows Event Log System contains components that work together to create, deliver, and display event information. First, events are designed for a specific audience. When the events are designed and all the information for each event is specified, the events are defined in an instrumentation manifest (an XML document that follows the EventManifest Schema). The manifest is compiled by the Message Compiler (MC.exe) tool, which produces a .h header file, an .rc resource script, and .bin resource files. An event publisher application uses these files together with the Windows Event Log API to publish events to an event channel, a named stream that routes the events into an event log. For more information about how events and event publishers are created, see Developing Event Publishers.

When an event is in an event log, an event consumer can retrieve the event information and display it in a readable format. The Windows Event Viewer (EventVwr.exe) utility is an event consumer, and so is any application that uses the Windows Event Log SDK to query for or subscribe to events. A query is either a single XPath expression or a structured XML query, which can combine several XPath selections and suppressions across one or more channels. For more information about forming event queries, see Event Selection. Event consumers process the event information, which is either XML (conforming to the Event Schema) or binary data, and display the desired event information in a readable format; this step is known as rendering the event. Rendering the message text requires the publisher's message resources to be present on the machine that reads the event. For more information about event consumers, see Event Consumers in Windows Event Log.
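The following event consumer, added here as an example and not part of the original topic, shows the query and rendering steps described above using the .NET wrapper of the Windows Event Log API that Get-WinEvent exposes (System.Diagnostics.Eventing.Reader). It submits a structured XML query that combines a Select and a Suppress, renders each returned event to XML, and extracts named fields from the event's EventData. Event IDs 4624 and 4625 are the Security log's logon success and failure events; the 24-hour window and the suppressed account are assumptions for the example.

```powershell
# Added example (not from the original page): an event consumer built on the
# Windows Event Log SDK through Get-WinEvent / System.Diagnostics.Eventing.Reader.
# 4624 and 4625 are the Security log's logon success/failure events; the 24-hour
# window and the suppressed SYSTEM account are assumptions for illustration.

# A structured XML query. Each <Select> is an XPath 1.0 expression evaluated against
# the event XML; <Suppress> removes events a <Select> would otherwise return. The
# timediff() function (milliseconds) belongs to the event query dialect, and '<=' must
# be written as &lt;= because the query is XML.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='SYSTEM']]
    </Suppress>
  </Query>
</QueryList>
"@

function Get-LogonEvents {
    # Runs the structured query and renders each event into a flat object.
    # Reading the Security log requires administrative rights or membership in Event Log Readers.
    param([string]$QueryXml = $query, [int]$MaxEvents = 50)

    Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents |
        ForEach-Object {
            # ToXml() returns the event rendered as XML conforming to the Event Schema.
            # The <Data Name="..."> elements come from the template in the publisher's manifest.
            $xml  = [xml]($_.ToXml())
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Outcome     = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = $data['LogonType']
                SourceIp    = $data['IpAddress']
                Process     = $data['ProcessName']
                # Message is the rendered message string; it is null when the publisher's
                # message resources are not installed on the machine doing the reading.
                Rendered    = [bool]$_.Message
            }
        }
}

Get-LogonEvents | Format-Table -AutoSize
```

Pulling fields out of the rendered XML by their template names, rather than by position in the Properties array, keeps the consumer stable if the publisher adds fields to the template in a later version.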

For more information about how to use the Windows Event Log SDK to create components in the Windows Event Log system, see Using Windows Event Log.

Windows Event Log Components

The following table lists core components contained in the Windows Event Log data model.

Component                  Description
Event logs and channels    A channel is a named stream of events: a logical pathway that transports events from a publisher to an event log file.
Events                     An XML fragment that describes some interesting occurrence on the computer.
Event consumers            The entities that receive events from the computer.
Event publishers           A software component that creates an event and delivers it to the computer.


Privacy Concerns

When designing events for an event publisher, carefully consider the information the events carry into the event logs, especially when they are written to the global logs. As a general rule, no private information should ever be present in an event. This includes plaintext passwords and personal user information. Programs run by the user, URLs of sites the user visited, and other information about the user's activity on the system should also be treated as private.

Sometimes components and applications must record URLs and document names in events. When this is required, do not write such events to the Windows channels (System and Application), because those channels are readable by all authenticated users. Instead, write them to a private Operational or Analytic channel whose ACL grants read access only to administrators. You may also need to provide an appropriate disclosure notifying users that this information is available to administrators.
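The following check, added here as an example and not part of the original topic, makes the ACL requirement above testable: it reads a channel's security descriptor through the same configuration data that wevtutil gl prints as channelAccess, lists every principal granted read access, and shows the kind of SDDL that confines reading to administrators. The channel names are assumptions; the read (0x1), write (0x2), and clear (0x4) bit meanings are the event-log-specific access rights encoded in a channel's SDDL.

```powershell
# Added example (not from the original page): auditing which principals can read a
# channel before deciding where to write events that may carry private data. The
# channel names are assumptions; the bit meanings used below (0x1 read, 0x2 write,
# 0x4 clear) are the event-log-specific access rights encoded in the channelAccess
# SDDL that 'wevtutil gl <channel>' prints and Get-WinEvent -ListLog exposes.

function Get-ChannelReaders {
    # Returns one row per allow ACE that grants read access to the named channel.
    param([Parameter(Mandatory)][string]$LogName)

    $sddl = (Get-WinEvent -ListLog $LogName -ErrorAction Stop).SecurityDescriptor
    # RawSecurityDescriptor parses the SDDL and expands two-letter SID aliases (BA, SY, AU, ...).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne [System.Security.AccessControl.AceQualifier]::AccessAllowed) { continue }
        if (-not ($ace.AccessMask -band 0x1)) { continue }   # no read bit: not a reader

        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SIDs (e.g. capability SIDs) are shown raw

        [pscustomobject]@{
            Channel   = $LogName
            Principal = $who
            Read      = [bool]($ace.AccessMask -band 0x1)
            Write     = [bool]($ace.AccessMask -band 0x2)
            Clear     = [bool]($ace.AccessMask -band 0x4)
        }
    }
}

# Compare a global Windows channel with a private Operational channel. The Application
# log grants read to broad built-in groups; an Operational channel has whatever ACL its
# publisher's manifest (or an administrator) set.
'Application', 'Microsoft-Windows-TaskScheduler/Operational' |
    ForEach-Object { Get-ChannelReaders -LogName $_ } |
    Format-Table -AutoSize

# To restrict a private channel so that only Administrators (BA) and SYSTEM (SY) can read it,
# while the publisher, assumed here to run as Local Service (LS), keeps write access, set the
# channel's SDDL with wevtutil sl /ca:. 'Contoso-App/Operational' is a hypothetical channel.
$restricted = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x2;;;LS)'
# wevtutil sl 'Contoso-App/Operational' /ca:$restricted
```

Run the read-only part against the channel you intend to use before shipping the publisher; if anything other than Administrators and SYSTEM appears in the Principal column, the channel does not meet the requirement above and the events need a more restrictive SDDL or a different channel.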

See Also

Using Windows Event Log


Build date: 5/7/2009