Problem obtaining EventLog Entries

  • Question

  • Hello all,

    I'm using Visual C++ 2008, .NET 3.5, and I've created a Windows Service which works except for one thing. I'm trying to access the "Application" event log to obtain the DateTime of the latest occurrence of a specific event. The problem is, when I create an EventLog object and bind it to the "Application" log (via the constructor), the EventLog object is null! It doesn't throw a nullreference exception, but in debug mode the "Entries" property (and many others as well) reads: "Error: cannot obtain value". Why doesn't it contain the 16,000+ entries contained in the machine's Application log? What did I do wrong???

    Thanks for your help.

    System::DateTime lastStop;
    ::EventLog^ myLog = gcnew ::EventLog("Application");
    System::Collections::IEnumerator^ myEnum = myLog->Entries->GetEnumerator();
    
    while ( myEnum->MoveNext() )
    {
    	EventLogEntry^ entry = safe_cast<EventLogEntry^>(myEnum->Current);
    	if (entry->CategoryNumber == 1 || entry->CategoryNumber == 2)
    	{ lastStop = entry->TimeWritten; break; }
    }




    Monday, November 26, 2012 11:31 AM

Answers

  • The code below worked for me in a quick and dirty console app.  If it doesn't work in your service the problem may be security related.

    using namespace System;
    using namespace System::Collections;
    using namespace System::Diagnostics;
    
    int main(array<System::String^>^ args)
    {
        try
        {
            EventLog^ log;
            DateTime  lastStop;
    
            log = gcnew EventLog("Application");
            for each (EventLogEntry^ entry in log->Entries)
                if (1 == entry->CategoryNumber
                ||  2 == entry->CategoryNumber)
                {
                    lastStop = entry->TimeWritten;
                    break;
                }
    
            Console::WriteLine("Stopped at {0}", lastStop);
        }
        catch(Exception^ x)
        {
            Console::WriteLine(x);
        }
        return 0;
    }
    


    This signature unintentionally left blank.

    Monday, November 26, 2012 1:49 PM

All replies

  • Thanks Nick!

    I think we're getting somewhere. I created a "quick and dirty" console app and copied your code into it and it looks like it's reading events! It starts with the oldest first, though, so what I'm doing right now is copying the events into an array, reversing the array, and looping on the reversed array (unless you know of a better way). If that works, I'll copy the code to my windows service, and if THAT doesn't work, then it's probably a security issue as you suggested (though I don't see how that's possible, I have rights up the yingyang on this machine). I'll post an update later on.

    Monday, November 26, 2012 5:45 PM
  • Well since you asked for a 'better way', I wouldn't write a custom service to poll the event log.

    Windows Task Scheduler already has functionality to detect when an event is logged and launch a program, send an email, etc.  I'd create a task (or tasks) that watch for your events and act appropriately.

    If you must have a service, a WMI query might give you better control to filter/order events that are returned so you only get the ones you are interested in.


    This signature unintentionally left blank.

    Tuesday, November 27, 2012 2:41 PM
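
Added example, not part of the thread: a PowerShell check that uses the same System.Diagnostics.EventLog class as the posts above, walks Entries from the newest index down instead of copying and reversing, and reports which account ran it and the innermost exception if the read fails. Get-LatestCategoryTime is a hypothetical helper name; running the check under the account the service uses separates a permissions problem from a coding one.

```powershell
# Added example, not code from the thread. Get-LatestCategoryTime is a
# hypothetical helper name; categories 1 and 2 are the values used in the thread.
function Get-LatestCategoryTime {
    param(
        [string]$LogName = 'Application',
        [int[]]$Categories = @(1, 2)
    )

    $log = New-Object System.Diagnostics.EventLog($LogName)
    try {
        $entries = $log.Entries
        # Entries are indexed oldest first, so walk from the last index down
        # and stop at the first match: no copy or reverse of the collection.
        for ($i = $entries.Count - 1; $i -ge 0; $i--) {
            $entry = $entries[$i]
            if ($Categories -contains $entry.CategoryNumber) {
                return $entry.TimeWritten
            }
        }
        return $null
    }
    finally {
        $log.Dispose()
    }
}

# Record which account the check runs as; a service account may differ from
# the interactive user that ran the console test.
$account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
try {
    $latest = Get-LatestCategoryTime
    if ($null -ne $latest) {
        "{0}: latest match written {1:s}" -f $account, $latest
    } else {
        "{0}: log readable, no entry with category 1 or 2" -f $account
    }
}
catch {
    # PowerShell may wrap the .NET exception; report the innermost one.
    $ex = $_.Exception
    while ($ex.InnerException) { $ex = $ex.InnerException }
    "{0}: read failed with {1}: {2}" -f $account, $ex.GetType().FullName, $ex.Message
}
```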