Event Log Scenarios

The System.Diagnostics.Eventing.Reader namespace classes enable you to read and manage event logs. This topic describes some common scenarios for using these classes.

Scenario 1: Querying for Events in Event Logs or Trace Logs

See code at How to: Query for Events.

You can query for events in an active event log (a channel), an archived event log, or a trace log using an XPath-based query. This allows you to access only the events that contain the specific property values you are interested in. A query will filter the events in the event log and return the events that match the query criteria.

When you have the events from the query results, you can then access and display event properties such as the event description, the level of the event, and the event identifier.

You can also query for events on a remote computer to monitor the health of the remote computer.
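The following C# program is an added example, not code from the original topic or from the linked How to page. It runs an XPath query against an active channel and reads properties from each result; the Security channel, Event ID 4625 (failed logon), the 24-hour window, and the 20-event limit are assumptions chosen for illustration.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

class FailedLogonQuery
{
    static void Main()
    {
        // Assumed filter: failed logons (Event ID 4625) raised in the last
        // 24 hours. timediff() is expressed in milliseconds.
        string xpath = "*[System[(EventID=4625) and " +
                       "TimeCreated[timediff(@SystemTime) <= 86400000]]]";

        // PathType.LogName targets an active channel. Use PathType.FilePath
        // with a file path to query an archived .evtx file or a trace log.
        var query = new EventLogQuery("Security", PathType.LogName, xpath);
        query.ReverseDirection = true;   // newest events first

        // For a remote computer, assign an EventLogSession created with the
        // computer name to query.Session before creating the reader.
        try
        {
            using (var reader = new EventLogReader(query))
            {
                EventRecord record;
                int shown = 0;
                // ReadEvent() returns null when no more events match.
                while (shown < 20 && (record = reader.ReadEvent()) != null)
                {
                    using (record)
                    {
                        Console.WriteLine("{0:o} id={1} level={2} provider={3}",
                            record.TimeCreated, record.Id, record.Level,
                            record.ProviderName);
                        // The description can be null when the provider's
                        // message resources are missing; fall back to XML.
                        Console.WriteLine(record.FormatDescription() ?? record.ToXml());
                        shown++;
                    }
                }
            }
        }
        catch (UnauthorizedAccessException)
        {
            Console.Error.WriteLine("Access denied: reading the Security log requires elevation.");
        }
        catch (EventLogException e)
        {
            Console.Error.WriteLine("Event log error: " + e.Message);
        }
    }
}
```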

Scenario 2: Subscribing to Events in an Event Log

See code at How to: Subscribe to Events in an Event Log.

You can create an application that subscribes to events in an event log, so that the application is alerted when a specific event is published to the event log. These types of applications are often used to monitor the health or performance of a system and to trigger an action when an event is raised. Specify the events to subscribe to by specifying an XPath-based query for the events.

Scenario 3: Accessing and Reading Event Information

See code at How to: Access and Read Event Information.

When you obtain an instance of an event from an event log by either querying or subscribing to events in the log, you can then read the property values of the event. You can also read and display an XML representation of the event that contains the event property values in the elements of the XML. Some of the event properties that you can access and read are the event description, the event identifier, the severity level of the event, and custom data that is published by the event provider.

Scenario 4: Configuring and Reading Event Log Properties

See code at How to: Configure and Read Event Log Properties.

You can access and change the information (metadata) associated with an event log by getting and setting the configuration properties for the log. This allows you to read and manage properties such as the size of an event log and the security descriptor that defines the users who can query and write to the log.

Scenario 5: Retrieving Information about an Event Publisher

See code at How to: Retrieve Information About an Event Provider.

You can access static information about an event publisher to find information about the events published by the publisher. For example, you can get the publisher name, the collection of events defined in the publisher, and the path to the resource files for the event publisher.

Scenario 6: Exporting, Archiving (Saving Events), and Clearing Event Logs

See code at How to: Export, Archive, and Clear Event Logs.

You can save events from an event log to a file that can later be queried. This allows you to archive the events, or to save them to a file so that the file can be reviewed by a support technician or a tool. You can save the events in the file either with their event messages or without the messages.

You can also clear (delete) specific events or all the events from an event log. The cleared events can be saved in an external (.evtx) file.

Scenario 7: Listening for Events and Storing them in a SQL Database for Mining

See code at How to: Listen for Events and Store Them in a SQL Database.

You can save events from an event log into a SQL database which can later be mined. A bookmark is used to resume reading events where the previous run of the example stopped.

Copyright © 2007 by Microsoft Corporation. All rights reserved.