none
.NET 4 with EventLog dumps entire log RRS feed

  • Question

  • My app has the following code to capture security event logs

    Dim SecobjLog As EventLog = New EventLog("Security")
    AddHandler SecobjLog.EntryWritten, AddressOf SecurityLog_OnEntryWritten
    SecobjLog.EnableRaisingEvents = True

    Sub SecurityLog_OnEntryWritten(ByVal [source] As Object, ByVal e As EntryWrittenEventArgs)
    '--- Process Logs
    End Sub

    This code has been working for years.   When a new security event is generated on the server, the .EntryWritten function fires and my program processes it.  However, I recently upgraded my app to use .NET 4.0 and something went wrong.  Now, at seemingly random intervals, the ENTIRE security log is captured.  At over 100,000 logs, you can see where my program would have some issues.   Why is the .EntryWritten function in VB dumping the entire security log?   It should only be dumping the latest logs as they happen.

    I have tried this with .NET 4.0 and .NET 4.5 and both seem to have this issue.  If I go back to using .NET 3.5, everything works fine again.  What changed?

    Does anyone have any idea why this is happening?





    "MC"

    • Moved by Carl Cai Tuesday, November 11, 2014 3:21 AM better place
    Thursday, November 6, 2014 5:08 PM

All replies

  • I wrote some code to work as a simulator to test the issue but I just need to find out how to write to the security logs without receiving access denied. After that I plan to test it at adding 500,000 entries while also monitoring them and then move up to 5,000,000 entries.

    So maybe today or this weekend I can let you know the results.

    Currently my max event log size is set to 20,480,000 bytes so I just reset it to 100,032,000 bytes. But what is yours set to if that's part of the issue? I went in event logs and where it displays Security right click and select properties to get/set that value. Although I think that value is for all event logs but could be wrong.


    La vida loca

    Friday, November 7, 2014 9:14 AM
  • The log size is not an issue.  I have mine set relatively small because I use my app to manage and store the logs.  The .EntryWritten function of the EvenLog class should trigger only when a new event occurs.  So when my program executes, I should see no event logs that occurred earlier in time.   However, for some reason, it occasionally dumps the entire contents of the log all at once and causes my app to become unresponsive during the dump.   Even logs that are days old are brought in.  To make matters worse, I collect logs from servers in other locations and this apparent bug is causing WAN issues.  This does not happen unless I compile my code for .NET 4 or .NET 4.5.  If I compile with .NET 3.5, everything works.

    "MC"


    • Edited by Tobore Friday, November 7, 2014 6:27 PM
    Friday, November 7, 2014 6:27 PM
  • Hello Tobore,

    Which method used to write enrty of the EventLog are you using? I compared the EventLog.WriteEntry Method and EventLog.WriteEvent Method from 3.5 to 4/4.5, it seems they do not have changes.

    Could you please share some in Process Logs?

    Regards.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Wednesday, November 12, 2014 7:17 AM
    Moderator
  • As shown in my sample code, I am not writing any events but instead reading from the Windows "Security" events.

    "MC"

    Wednesday, November 12, 2014 12:35 PM
  • Hi Tobre,

    Could you please share some code in "'--- Process Logs" related reading records from Windows "Security" events?

    Friday, November 14, 2014 9:35 AM
  • I don't see how that would be relevant to helping me with my .NET problem but...

    The "SecurityLog_OnEntryWritten" Sub saves the event message to a database 

    Sub SecurityLog_OnEntryWritten(ByVal [source] As Object, ByVal e As EntryWrittenEventArgs)

     '--- write e.Entry.Message to the database
     '--- write e.Entry.TimeWritten to the database
     '--- write e.Entry.MachineName to the database
     '--- write e.Entry.EntryType to the database
     '--- write e.Entry.Source to the database

    End Sub


    "MC"


    • Edited by Tobore Friday, November 14, 2014 3:59 PM
    Friday, November 14, 2014 3:52 PM
  • Hello Tobre,

    If you mean this step “'--- write e.Entry.Source to the database” that would pull all event records to datavase, could you please provide some related code?

    Regards.

    Friday, November 21, 2014 7:40 AM
  • No, it would not pull all event records.   e.entry.source: "Gets the name of the application that generated the event"

    The code the actually writes the event details to the database is irrelevant.  What is relevant is the example I provided in my original post.  What makes this work in .NET 3.5 and below and why is it now broken after .NET 4.0???


    "MC"

    Friday, November 21, 2014 2:42 PM
  • Hello,

    After reviewing your original post, it seems that the exact issue is not described. Since you mentions that the issus would occur in .NET 4.X, accoring to this blog, you could install the 4.5.1 and step through .NET framework sources to debug what happens.

    Monday, November 24, 2014 8:52 AM
  • SecobjLog.EntryWritten. "EntryWritten" is a part of a function in .net. I have no control over the code. "EntryWriten" allows me to look at the event that windows generated. In .net 3.5 and below, it works. Above .net it doesn't. Anything above .net 3.5 dumps the entire event log database instead of just one event. In other words, it causes the OnEventWritten sub to be called continuously until the entire log is dumped.

    "MC"

    Monday, November 24, 2014 12:32 PM
  • Hello Tobore,

    >> In other words, it causes the OnEventWritten sub to be called continuously until the entire log is dumped.

    This sounds strangely, I am wondering if the code inside this event could cause this event be called continuously.

    Do you ever try to comment out all code to see if this behavior still occurs with .NET Framework 4.X?

    Regards.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Wednesday, November 26, 2014 9:38 AM
    Moderator
  • I must not be stating my issue clearly enough.  I am trying as hard as I can to be clear about what I am experiencing with my application.

    In any case, in regards to your reply, that is what I was originally thinking.  If the code somehow could cause events to fire off resulting in more calls to the function.   However, if you think about it, that is not the case here.  Look at the code in my original post.   Below are the lines if significance:

    Dim SecobjLog As EventLog = New EventLog("Security")
    AddHandler SecobjLog.EntryWritten, AddressOf SecurityLog_OnEntryWritten
    SecobjLog.EnableRaisingEvents = True

    Please note:   "AddHander SecobjLog.EntryWritten".   In other words: "When a NEW entry is written to the event log database".

    Soooooooooooooooooo.   If my app was in fact creating a situation that resulted in the generation of more event logs, I would be seeing a steady, non-stop flow of events.   That is not the case though because I am getting the entire event log.   Even events that were posted on the server days before are being dumped to the SecurityLog_OnEntryWritten sub.  

    What is it about newer .NET that breaks this function?  


    "MC"


    • Edited by Tobore Wednesday, November 26, 2014 7:30 PM
    Wednesday, November 26, 2014 7:29 PM
  • Hello,

    >> What is it about newer .NET that breaks this function? 

    According to your description, it seems that the new .NET framework causes the different behavior. As ToBeFirst mentions, you could debug the EntryWritten, since now .net is open source, you could copied all the open source code to your project and run these copied code instead of these ones in reference dll which is hard to debug.

    Regards.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Friday, November 28, 2014 7:44 AM
    Moderator