Windows application event log source

Event Sources

Each log in the Eventlog key contains subkeys called event sources. The event source is the name of the software that logs the event. It is often the name of the application or the name of a subcomponent of the application if the application is large. You can add a maximum of 16,384 event sources to the registry. The Security log is for system use only. Device drivers should add their names to the System log. Applications and services should add their names to the Application log or create a custom log.

The structure of the event sources is as follows:

You cannot use a source name that has already been used as a log name. In addition, source names cannot be hierarchical; that is, they cannot contain the backslash character ("\").

Each event source contains information (such as a message file) specific to the software that will be logging the events, as shown in the following table.

Registry value         Description
CategoryCount          Number of event categories supported. This value is of type REG_DWORD.
CategoryMessageFile    Path to the category message file. A category message file contains language-dependent strings that describe the categories. This value can be of type REG_SZ or REG_EXPAND_SZ.
EventMessageFile       Path to one or more event message files; use a semicolon to delimit multiple files. An event message file contains language-dependent strings that describe the events. This value can be of type REG_SZ or REG_EXPAND_SZ.
ParameterMessageFile   Path to the parameter message file. A parameter message file contains language-independent strings that are to be inserted into the event description strings. This value can be of type REG_SZ or REG_EXPAND_SZ.
TypesSupported         Bitmask of supported types. This value is of type REG_DWORD. It can be one or more of the following values:
                       EVENTLOG_AUDIT_FAILURE (0x0010)
                       EVENTLOG_AUDIT_SUCCESS (0x0008)
                       EVENTLOG_ERROR_TYPE (0x0001)
                       EVENTLOG_INFORMATION_TYPE (0x0004)
                       EVENTLOG_WARNING_TYPE (0x0002)

When an application uses the RegisterEventSource or OpenEventLog function to get a handle to an event log, the event logging service searches for the specified event source in the registry. For example, the Application log might contain event sources for Microsoft SQL Server and Microsoft Excel. If an application uses RegisterEventSource or OpenEventLog with a source name of Application, SQL, or Excel, the event logging service returns a handle to the Application log.

An application can use the Application log without adding a new event source to the registry. If the application calls RegisterEventSource and passes a source name that cannot be found in the registry, the event logging service uses the Application log by default. However, because there are no message files, Event Viewer cannot map any event identifiers or event categories to a description string, and will display an error. For this reason, you should add a unique event source to the registry for your application and specify a message file.

Windows Event Logs — Event Log FAQ

What is Windows event log?

Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log. Users might find the details in event logs helpful when troubleshooting problems with Windows and other programs.

Unlike UNIX syslog, the Microsoft Windows event log is not a text file and cannot be viewed with a plain text editor. A Windows event log is a binary file made up of special records: Windows events.

Microsoft Windows runs the Event Log Service to manage event logs, configure event publishing, and perform operations on the logs. The Windows Event Log service exposes a dedicated API that allows applications to maintain and manage event logs.

Windows event logging was introduced in the Windows NT operating system (version 3.1) in 1993. That edition came with three Windows logs: the Application event log, the System event log and the Security event log. Modern versions of Windows come with more than a hundred Windows event logs, and third-party applications can create their own event logs and integrate them into Windows logging.

How to view event logs?

You can view event logs using Event Viewer (which comes with the Windows operating system) or third-party Windows event viewers. We recommend using our Event Log Explorer software; it provides a lot of advanced features for event log management.

What is Windows Event Log Service?

Windows Event Log Service is a Windows service that manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. This service is enabled and starts automatically by default. You should not stop or disable this service: stopping the Windows Event Log service may compromise the security and reliability of the system.

What are Windows event log files?

Windows Event Log Service lets users save (back up) event logs to files. Windows NT, 2000 and XP/2003 save event logs in EVT format. Windows Vista/2008 and later save logs in EVTX format. Having backup event files is essential for incident investigation.

Windows event logs are also files, but they are normally locked by Windows (the Event Log Service), so it is impossible to open these files on a "live" system. But if the computer is started from another disk, or the system drive from the analyzed machine is attached to another computer, you can read the event logs as files. The default location of event logs on Vista/2008 and later is "C:\Windows\System32\winevt\Logs\". Windows Event Viewer lets you open an event file as follows:

Click Open Saved Log in the Actions pane of Event Viewer.

Select your event log file, and it will appear in Windows Event Viewer as a log.

Our Event Log Explorer software also works with event files and does it even better than Event Viewer, e.g. it lets you read even damaged event files.

What is Windows Application event log?

The Application log contains events logged by applications or programs. For example, a database program might record a file error in the Application log. Program developers decide which events should be logged; for example, Microsoft SQL Server logs details about important events related to the SQL server, such as "out of memory" or "backup failure". One Application log commonly contains events logged by many different sources (applications), so it is incorrect to rely solely on the event ID when analyzing the Application log; always use the event ID together with the event source. Some applications, such as Internet Explorer and PowerShell, create their own event logs instead of using the Windows Application event log. Such logs look exactly like standard Windows event logs, and Event Viewer (as well as Event Log Explorer) can read them. Application logs are commonly useful for application support teams.

What is Windows System event log?

The System log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the System log. The event types logged by system components are predetermined by Windows. As with the Application log, the System event log lists events from many different sources (system components), so you should not rely only on the event ID when analyzing the System log; use the event ID together with the event source. System logs are essential for system administrators and technicians.

EventLog.Source Property

Definition

Gets or sets the source name to register and use when writing to the event log.

Property Value

The name registered with the event log as a source of entries. The default is an empty string ("").

Exceptions

The source name results in a registry key path longer than 254 characters.

Examples

The following example creates the source MySource if it does not already exist, and writes an entry to the event log MyNewLog.

Remarks

The event source indicates what logs the event. It is often the name of the application, or the name of a subcomponent of the application if the application is large. Applications and services should write to the Application log or a custom log. Device drivers should write to the System log.

You only need to specify an event source if you are writing to an event log. Before writing an entry to an event log, you must register the event source with the event log as a valid source of events. When you write a log entry, the system uses the Source property to find the appropriate log in which to place your entry. If you are reading the event log, you can either specify the Source, or a Log and MachineName.

You are not required to specify the MachineName if you are connecting to a log on the local computer. If you do not specify the MachineName, the local computer (".") is assumed.

Use WriteEvent and WriteEntry to write events to an event log. You must specify an event source to write events; you must create and configure the event source before writing the first entry with the source.

Create the new event source during the installation of your application. This allows time for the operating system to refresh its list of registered event sources and their configuration. If the operating system has not refreshed its list of event sources, and you attempt to write an event with the new source, the write operation will fail. You can configure a new source using an EventLogInstaller, or using the CreateEventSource method. You must have administrative rights on the computer to create a new event source.

You can create an event source for an existing event log or a new event log. When you create a new source for a new event log, the system registers the source for that log, but the log is not created until the first entry is written to it.

The source must be unique on the local computer; a new source name cannot match an existing source name or an existing event log name. Each source can write to only one event log at a time; however, your application can use multiple sources to write to multiple event logs. For example, your application might require multiple sources configured for different event logs or different resource files.

If you change the Source value, the EventLog to which it is registered is closed and all event handles are released.

The source must be configured either for writing localized entries or for writing direct strings. If your application writes entries using both resource identifiers and string values, you must register two separate sources. For example, configure one source with resource files, and then use that source in the WriteEvent method to write entries using resource identifiers to the event log. Then create a different source without resource files, and use that source in the WriteEntry method to write strings directly to the event log using that source.

To change the configuration details of an existing source, you must delete the source and then create it with the new configuration. If other applications or components use the existing source, create a new source with the updated configuration rather than deleting the existing source.

If a source has already been mapped to a log and you remap it to a new log, you must restart the computer for the changes to take effect.
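An added example, not from either documentation source on this page, that models the rules of the Event Sources section (source naming, the TypesSupported bitmask, and the RegisterEventSource/OpenEventLog lookup that falls back to the Application log) together with the 254-character key-path limit and the uniqueness rule from the Source property remarks above. The base registry key is an assumption (the standard Windows location, since the page's own structure diagram is missing), the registry tree is an in-memory stand-in, and every path and source used with it is constructed.

```python
# EVENTLOG_* bits from the TypesSupported row of the registry table on this page.
TYPE_BITS = {
    0x0001: "EVENTLOG_ERROR_TYPE",
    0x0002: "EVENTLOG_WARNING_TYPE",
    0x0004: "EVENTLOG_INFORMATION_TYPE",
    0x0008: "EVENTLOG_AUDIT_SUCCESS",
    0x0010: "EVENTLOG_AUDIT_FAILURE",
}
# Assumed base key of the per-log source subkeys (standard Windows location, not quoted on the page).
EVENTLOG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog"
MAX_KEY_PATH = 254      # limit from the Source property's exception list
MAX_SOURCES = 16384     # registry-wide source limit stated in the Event Sources section


def decode_types_supported(mask):
    """Expand a TypesSupported REG_DWORD bitmask into EVENTLOG_* names."""
    if mask & ~sum(TYPE_BITS):
        raise ValueError(f"undefined TypesSupported bits in {mask:#06x}")
    return [name for bit, name in sorted(TYPE_BITS.items()) if mask & bit]


class EventLogRegistry:
    """Constructed in-memory stand-in for the EventLog registry tree: log -> source -> values."""
    def __init__(self):
        self.logs = {"Application": {}, "System": {}, "Security": {}}

    def register_source(self, log, source, types_supported, message_file=None):
        """Apply the page's naming rules, then create the <log>\\<source> subkey."""
        if log == "Security":
            raise ValueError("the Security log is for system use only")
        if "\\" in source:
            raise ValueError("source names cannot contain a backslash")
        if source in self.logs or any(source in s for s in self.logs.values()):
            raise ValueError("source must be unique and must not reuse a log name")
        if len(f"{EVENTLOG_KEY}\\{log}\\{source}") > MAX_KEY_PATH:
            raise ValueError("registry key path longer than 254 characters")
        if sum(len(s) for s in self.logs.values()) >= MAX_SOURCES:
            raise ValueError("registry already holds 16,384 event sources")
        self.logs.setdefault(log, {})[source] = {
            "TypesSupported": decode_types_supported(types_supported),
            "EventMessageFile": message_file,
        }

    def resolve(self, name):
        """RegisterEventSource/OpenEventLog lookup as described on the page: a log name maps to
        itself, a registered source to its log, anything else to Application with no message file."""
        if name in self.logs:
            return name, None
        for log, sources in self.logs.items():
            if name in sources:
                return log, sources[name]["EventMessageFile"]
        return "Application", None   # unregistered: Event Viewer cannot render descriptions
```

A resolve() result with no message file is exactly the case the page warns about: the event lands in the Application log, but Event Viewer has nothing to map its identifiers to.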
