Reading Event Logs with the new Windows Event Log API, Vista/2008

  • Question

  • Hi everyone,

    I'm writing an application that is able to read Windows event logs in XP and Vista environments by switching back and forth between the old and the new Windows Event Log API based on what OS the app is running on.

    What I'm noticing is that when using the new API in Vista, for a lot of logs I'm not able to read all of the fields, especially the important ones, like the Message field. This is especially true for "Application" type logs.

    Once I open the publisher metadata with the EvtOpenPublisherMetadata method, then use EvtFormatMessage with the flag "EvtFormatMessageEvent", for most Application events I get this error when trying to get the message field:

    "the message resource is present but the message is not found in the string/message table"

    Obviously the new API is not working with these events. When I use the old API for the same event in Vista, I'm able to get the message fields just fine, by finding the path to the message file in the registry, loading the file, and using FormatMessage...

    What's going on? Anybody have any idea? Are we supposed to use both APIs at the same time?
    I'm just assuming that in a Vista/2008 environment I need to use the new API, and in XP/2003 the old one.

    Any comments on this issue are greatly appreciated.

    Ledio - Splunker

    Tuesday, September 23, 2008 11:26 PM

All replies

  • By the way, I got this working by only using the new Vista Win Evt API. I still have to switch to the old API when in a non-Vista environment.

    I'm still noticing that for some events EvtFormatMessage is not able to format opCode or Task, even when I use the MessageId to pull the string version of each field.

    Tuesday, September 30, 2008 10:38 PM
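
    An added check, not code from this thread, in PowerShell, whose Get-WinEvent cmdlet and EventLogRecord class wrap the same Vista/2008 Event Log API (FormatDescription() formats the event message through the publisher metadata, and OpcodeDisplayName/TaskDisplayName resolve the opcode and task strings). It walks recent Application events, records which of the three fields could not be rendered on this host, keeps the raw EventData so nothing is lost, and tallies the failures per provider. The function name, column names and the 500-event sample size are my own choices.

```powershell
# Added example: audit which Application-log events this host can render
# with the new (Vista+) Event Log API. Not code from the original thread.
function Test-EventMessageRendering {
    param(
        [string]$LogName = 'Application',   # assumption: any log name works here
        [int]$MaxEvents = 200
    )
    foreach ($evt in Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents) {
        $message = $null; $fmtError = $null
        try {
            # Same path as EvtFormatMessage(EvtFormatMessageEvent): throws an
            # EventLogException when the publisher metadata or the
            # string/message table entry cannot be found.
            $message = $evt.FormatDescription()
        } catch [System.Diagnostics.Eventing.Reader.EventLogException] {
            $fmtError = $_.Exception.Message
        }
        # Opcode and Task display names are looked up in the provider's
        # opcode/task tables and can fail independently of the message.
        $opcode = $null; $task = $null
        try { $opcode = $evt.OpcodeDisplayName } catch { }
        try { $task   = $evt.TaskDisplayName   } catch { }
        [pscustomobject]@{
            Provider      = $evt.ProviderName
            EventId       = $evt.Id
            MessageOk     = -not [string]::IsNullOrEmpty($message)
            OpcodeOk      = -not [string]::IsNullOrEmpty($opcode)
            TaskOk        = -not [string]::IsNullOrEmpty($task)
            Error         = $fmtError
            # EventData values are readable even when no message template
            # can be found, so keep them for the audit trail.
            RawProperties = ($evt.Properties | ForEach-Object { $_.Value }) -join ' | '
        }
    }
}

# Summary per provider: which publishers cannot be rendered on this host.
Test-EventMessageRendering -LogName Application -MaxEvents 500 |
    Group-Object Provider |
    ForEach-Object {
        [pscustomobject]@{
            Provider    = $_.Name
            Events      = $_.Count
            MessageFail = @($_.Group | Where-Object { -not $_.MessageOk }).Count
            OpcodeFail  = @($_.Group | Where-Object { -not $_.OpcodeOk }).Count
            TaskFail    = @($_.Group | Where-Object { -not $_.TaskOk }).Count
        }
    } | Sort-Object MessageFail -Descending | Format-Table -AutoSize
```

    Providers with a high MessageFail count are the ones whose events a collector on this host will forward without a human-readable description, which is the condition to watch for before relying on the Message field in detection logic.
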
  • Hello

    I am using the FormatFunction to format the message from the Windows event log adapter. For Windows XP, 2000, 2003 it is working correctly.

    For Windows 2008 I am not able to get the message from the event.

    I think you had the same problem. Please can you share some comments on how to use the new Windows API (EvtFormatMessage)?

    Is it available on Windows 2008?

    Tuesday, August 17, 2010 6:19 PM