Hi,
I am developing an application that reads the event log in windows. I have managed to retrieve everything correctly except the Event ID. Most EventIS's are similar but for e.g. "Broadcom NetXtreme 57xx Gigabit Controller" Windows Event-ID is 15 and when I retrieve it programatically it is 327695. Another Event ID also for this controller is 6 and 327686. The difference between both are 9.
Can anyone explain this
Can it be fixed
Best
/M
Programmatically retrieved event log EventID does not correspond to Windows EventID
Cheesle
Thank you for answering. Seems that the problem is advanced
I have made the row containing .eventid bold and larger in my previous post so you see it. I have tried to replace the row with:
oEvent.InnerText = (oEventLogEntry.EventID And &H63FFFFFF).ToString
without anything happening at all. the problem still exist.
Using the calculator to convert the numbers to binary. I see that EventID 35 (and turns out to be 31452707) is 100011 in binary. The larger number is 1110111111110111000100011 having the same 5 low bits.
How can I use this information
Best
/M
DKB
Yes, no problem
I log events to an xml file for further use. Each event of interest is logged to an XML file using this function. The code is as follows (simplified):
Public
Function LogSingleEvent(ByVal oEventLogEntry As EventLogEntry) As BooleanDim xmlDoc As New XmlDocument
xmlDoc.Load("..\X_Queue.xml")
Dim oAlarm As XmlElement = xmlDoc.CreateElement("alarm")
Dim oEvent As XmlElement = xmlDoc.CreateElement("event")
oEvent.InnerText = oEventLogEntry.EventID
oAlarm.AppendChild(oEvent)
xmlDoc.DocumentElement.AppendChild(oAlarm)
xmlDoc.Save("..\X_Queue.xml")
End Function
Best
/M
Scott Boyd
Can you try .Net 2
There is a source in C on codeproject that monitors event log activity and displays a balloon tip when an entry is written, if you do not have C it would not take much to convert it and run it to see what it is getting.
http://www.codeproject.com/csharp/rteventreader.asp
Worth a try.
As I can not recreate your problem using VS2005 and .Net 2.0 it must be a VS2003 or .Net 1.1 problem.
Nerick
In which case it would appear that the eventid is being stored with the top two bits on and .EventId is kept for compatibility in VS2005 and simply strips the bits.
So all you have to do is turn them off...
In the example I gave you I would do this:
Console.WriteLine((myLogEntry.InstanceId And &H63FFFFFF).ToString)
I will leave it to you to locate EventId in your source as I still can not see it clearly and AND it yourself with the hex value given above and that will turn off the top two bits giving the original value once more.
Example:
2147489654:6006:The Event log service was stopped.
2147489654 And &H63FFFFFF = 6006
AirMike
OK, here is my complete code...
I don't have the possibility to use InstanceID in my code. It is not an option in Visual Studio 2003.NET
I want the number under Event in the Event Viewer and it is not always the same retrieved from code and in the Event Viewer. Event ID is application specific.
Grateful for all help
Best
/ M
Here is the code from the class that retrieves the log:
Private
Sub GetEvents() 'this uses local machine, you can pass machine name to constrcutor to use a different machineoEventLogs = EventLog.GetEventLogs()
' Loop through all retrieved event logs For Each oEventLog In oEventLogs ' Consider only system events If oEventLog.LogDisplayName = "System" ThenConsole.WriteLine("Started")
Dim counter As Int32 = 0 ' Loop through all event log entries For Each oEventLogEntry In oEventLog.Entries Dim bresult = oEventLogHandler.LogSingleEvent(oEventLogEntry)counter = counter + 1
If counter = 10 Then Exit For End If NextConsole.WriteLine("Stopped")
End If NextoEventLogs =
NothingoEventLogEntry =
NothingoEventLog =
Nothing End SubHere is the code where the event is logged into the XML file
Public
Function LogSingleEvent(ByVal oEventLogEntry As EventLogEntry) As Boolean ' If file X_Queue.xml is in use, exit function and return false If bFileXQueueIsInUse = True Then Return False Else ' Set file is in usebFileXQueueIsInUse =
True End If Try ' Load user xml document Dim xmlDoc As New XmlDocumentxmlDoc.Load("..\X_Queue.xml")
' Create elements to insert Dim oAlarm As XmlElement = xmlDoc.CreateElement("alarm") Dim oType As XmlElement = xmlDoc.CreateElement("type") Dim oDate As XmlElement = xmlDoc.CreateElement("date") Dim oTime As XmlElement = xmlDoc.CreateElement("time") Dim oSource As XmlElement = xmlDoc.CreateElement("source") Dim oCategory As XmlElement = xmlDoc.CreateElement("category") Dim oEvent As XmlElement = xmlDoc.CreateElement("event") Dim oUser As XmlElement = xmlDoc.CreateElement("user") Dim oComputer As XmlElement = xmlDoc.CreateElement("computer") Dim oLastUpdateTime As XmlElement = xmlDoc.CreateElement("last_update_time") Dim oHasSMSBeenSent As XmlElement = xmlDoc.CreateElement("has_sms_been_sent") Dim oDescription As XmlElement = xmlDoc.CreateElement("description") ' Initialize the elements If oEventLogEntry.EntryType = EventLogEntryType.Information Then ' Retrieve typeoType.InnerText = "Information"
ElseIf oEventLogEntry.EntryType = EventLogEntryType.Error ThenoType.InnerText = "Error"
ElseIf oEventLogEntry.EntryType = EventLogEntryType.Warning ThenoType.InnerText = "Warning"
ElseIf oEventLogEntry.EntryType = EventLogEntryType.FailureAudit ThenoType.InnerText = "Failure Audit"
ElseIf oEventLogEntry.EntryType = EventLogEntryType.SuccessAudit ThenoType.InnerText = "Success Audit"
End IfoDate.InnerText = oEventLogEntry.TimeGenerated.ToString.Substring(0, 10)
' Retrieve only date partoTime.InnerText = oEventLogEntry.TimeGenerated.ToString.Substring(11, 8)
' Retrieve only time partoSource.InnerText = oEventLogEntry.Source
If oEventLogEntry.Category = "(0)" Then ' Retrieve category and modify non existing valueoCategory.InnerText = "None"
ElseoCategory.InnerText = oEventLogEntry.Category
End IfoEvent.InnerText = oEventLogEntry.EventID.ToString()
If oUser.InnerText = String.Empty Then ' Retrieve user and modify non existing valueoUser.InnerText = "N/A"
ElseoUser.InnerText = oEventLogEntry.UserName
End IfoComputer.InnerText = oEventLogEntry.MachineName
' Retrieve computer nameoLastUpdateTime.InnerText = Now.ToString
' Write X_Queue update timeoHasSMSBeenSent.InnerText = "No"
' No SMS has been sentoDescription.InnerText = oEventLogEntry.Message
' Retrieves event description ' Create XML structureoAlarm.AppendChild(oType)
oAlarm.AppendChild(oDate)
oAlarm.AppendChild(oTime)
oAlarm.AppendChild(oSource)
oAlarm.AppendChild(oCategory)
oAlarm.AppendChild(oEvent)
oAlarm.AppendChild(oUser)
oAlarm.AppendChild(oComputer)
oAlarm.AppendChild(oLastUpdateTime)
oAlarm.AppendChild(oHasSMSBeenSent)
oAlarm.AppendChild(oDescription)
' Append the newly created elements and save the modified documentxmlDoc.DocumentElement.AppendChild(oAlarm)
xmlDoc.Save("..\X_Queue.xml")
' File is no longer in usebFileXQueueIsInUse =
False Return True Catch ex As ExceptionConsole.WriteLine(ex.Message)
' File is no longer in usebFileXQueueIsInUse =
False Return False End Try End FunctionJessica Alba
There does not seem to be any sensible grouping to indicate what to do with the large number.
What does the help file with VS2003 say for EventId, does it have anything like I found in VS2005 about MS making use of bits to encode other info
Without some explanation as to the contents of EventId it is difficult to debug. Need an MS person to respond and help.What is also bizarre is that some events have the same number for my program, Instance and Event are the same, no rhyme or reason.
If I come up with anything I will let you know, but it is difficult as I do not have VS2003, are you using Framework 1.1 or 2
athadu
looks like a signed/unsigned number variable difference... can we see your code
MEder
Sorry can not tell from your code where the problem is, it is not showing the right place, would need to see the data collection code, the point where you pull information from the log to the XML file.
The EventId property has been superseded, which property did you use to get the id, was it InstanceId... Looked at event log stuff and found this:
"The InstanceId property uniquely identifies an event entry for a configured event source. The InstanceId for an event log entry represents the full 32-bit resource identifier for the event in the message resource file for the event source. The EventID property equals the InstanceId with the top two bits masked off. Two event log entries from the same source can have matching EventID values, but have different InstanceId values due to differences in the top two bits of the resource identifier."
The top bit usually indicates sign but obviously MS are using the top two for other purposes. EventId is still available but you will get a warning, if you use InstanceId you can mask out the top two bits to scale the number back to EventId, probably best as no gaurantee it will be available in future.
Wrote a quickie to enumerate eventlog, here is an example output to demonstrate the point:
2147489654:6006:The Event log service was stopped.
The first number is InstanceId, the second is EventId... go figure.
Here is the code:
Imports System
Imports System.Diagnostics
Module Module1
Sub Main()
Dim myEventLog As New EventLog("System", ".")
Dim myLogEntryCollection As EventLogEntryCollection = myEventLog.Entries
Dim myCount As Integer = myLogEntryCollection.Count
Dim i As Integer
For i = myCount - 1 To 0 Step -1
Dim myLogEntry As EventLogEntry = myLogEntryCollection(i)
If myLogEntry.EntryType = EventLogEntryType.Information Then
Console.WriteLine(myLogEntry.InstanceId.ToString + ":" + myLogEntry.EventID.ToString + ":" + myLogEntry.Message)
End If
Next i
Console.ReadLine()
End Sub
End Module
Fieldzy
Thank you for your help. I use .NET framework 1.1.
Best
/M