In the new versions of Server 2008+ MS have added an "Application and Services" folder to Event Viewer.

I don't seem to be able to programmatically access any logs in here.

My Code:

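Imports System.Diagnostics

Dim Logname As String = "Microsoft-Windows-Backup"
Dim objLog As EventLog = Nothing

' Look for the log by display name among the logs EventLog can enumerate
For Each objCandidate As EventLog In EventLog.GetEventLogs()
    If objCandidate.LogDisplayName = Logname Then
        objLog = objCandidate
        Exit For
    End If
Next

' objLog stays Nothing when the log is not in the enumerated list
If objLog IsNot Nothing Then
    For Each objEntry As EventLogEntry In objLog.Entries
        MsgBox(objEntry.Message)
    Next
End If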

If you set the Logname to "Application" or "System" everything works OK, but I can't access any of the new Extended logs.

With regards to a solution, I don't care how I get the information out of this event log. (I thought about just opening the file "%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Backup.evtx")

I have had the usual Google but can't find anything that actually works.
(Please don't just point me to the MSDN article about accessing the Event log, it doesn't work for the extended logs)

Thanks in advance.

All 7 Replies

Have you tried cycling through the code in debug to see what the log names are?

Just place a break point before the loop, step into the loop (F11) then hover over the entry variable.

(You should change it to For Each e As Entry in objLog)

Yea had a look at this,
when it hits objLogs = EventLog.GetEventLogs() if you break and mouse over the "GetEventLogs" bit it lists the logs:
Application
Security
Setup
System
Forwarded Events
Hardware Events
Key Managment Service
Microsoft Office Alerts
Windows PowerShell

Conveniently skipping the Microsoft folder :(

I have still been tinkering with this and think it may have something to do with creating my own source. I have tried this but can't get it to make a folder under "Applications and Service logs".

Thanks for coming back to me though

Just a curiosity. Is the Microsoft folder an admin-only folder, and you happen to be a restricted user?

Don't think so, I ran VS as administrator. If you run as normal user or local admin without "run as administrator" it won't access the event logs at all

Does the local administrator have privileges over the domain, or are there two levels for admin? (Domain and local)

If you run as normal user or local admin without "run as administrator" it won't access the event logs at all

Since Vista, regardless of the account you use to log into a computer, programs are run using regular user privileges. You can run programs using "run as administrator", or in other situations where programs require admin privileges to run, UAC will pop up on the screen asking for the elevation.

are there two levels for admin? (Domain and local)

Being a network administrator by trade, when I hear or see references to local admin, you are generally referring to a local administrator on a stand alone or domain joined computer. The Domain Administrator generally refers to the built-in Administrator account in an Active Directory domain. Within the domain you have the Administrators (Domain Local) group as well as the Domain Admins (Global) group.

The Domain Administrator account is a member of the Domain Admins account. Every computer that joins the domain will have a local Administrators group. Once the computer joins, the Domain Admins group becomes a member of the local Administrators groups on that computer. So when a member of the domain admins group logs into the domain on a domain joined computer, the effect is that the person is an administrator of that computer.

Back to the Vista reference, even though you log in with admin privileges, you still run executables using regular user privs. You have to specifically elevate your privileges to get access to sensitive areas/services.

I have managed to solve this issue by cheating a little:
1) Run VS as Administrator
2) Create a registry key under "HKLM\SYSTEM\CurrentControlSet\services\eventlog\" with the name of the log I wanted, "Microsoft-Windows-Backup" in my case (no need for any values).
I found this little trick when looking into WMI.
3) Add a reference to my project (Project>Add reference>System.Management)
4) Use the following code to implement a WMI search:

Imports System.Management

Public Sub fnGetEvents()
    ' WQL query against Win32_NTLogEvent; relies on the registry key created in step 2
    Dim strQuery As String = "Select * from Win32_NTLogEvent " & "Where Logfile = 'Microsoft-Windows-Backup'"

    ' Dispose the searcher when done so the WMI connection is released
    Using objEvent As New ManagementObjectSearcher(strQuery)
        For Each objMgmt As ManagementObject In objEvent.Get()
            ' Some properties (User, Category, ...) can be Nothing for an event;
            ' Convert.ToString returns an empty string instead of throwing
            Dim strevtCategory As String = Convert.ToString(objMgmt("Category"))
            Dim strevtComputerName As String = Convert.ToString(objMgmt("ComputerName"))
            Dim strevtEventCode As String = Convert.ToString(objMgmt("EventCode"))
            Dim strevtMessage As String = Convert.ToString(objMgmt("Message"))
            Dim strevtRecordNumber As String = Convert.ToString(objMgmt("RecordNumber"))
            Dim strevtSourceName As String = Convert.ToString(objMgmt("SourceName"))
            Dim strevtTimeWritten As String = Convert.ToString(objMgmt("TimeWritten"))
            Dim strevtEventType As String = Convert.ToString(objMgmt("Type"))
            Dim strevtUser As String = Convert.ToString(objMgmt("User"))

            Console.WriteLine("Category: " & strevtCategory & vbNewLine _
                & "Computer Name: " & strevtComputerName & vbNewLine _
                & "Event Code: " & strevtEventCode & vbNewLine _
                & "Message: " & strevtMessage & vbNewLine _
                & "Record Number: " & strevtRecordNumber & vbNewLine _
                & "Source Name: " & strevtSourceName & vbNewLine _
                & "Time Written: " & strevtTimeWritten & vbNewLine _
                & "Event Type: " & strevtEventType & vbNewLine _
                & "User: " & strevtUser)
        Next
    End Using
End Sub

Thanks for everyone's input.
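
For comparison with the WMI workaround above, here is an added example (not code from this thread or its posters) that reads the same channel through the System.Diagnostics.Eventing.Reader API in System.Core (.NET 3.5 and later), which addresses "Applications and Services" channels by name and needs no registry change. The module name, the DumpChannel helper and the limit of 20 events are illustrative assumptions; the channel name is the one used in the thread.

```vbnet
Imports System
Imports System.Diagnostics.Eventing.Reader

Module BackupLogReader
    ' Channel name taken from the thread; other channels are read the same way.
    Private Const ChannelName As String = "Microsoft-Windows-Backup"

    ' Hypothetical helper: prints up to maxEvents records, newest first.
    Public Sub DumpChannel(ByVal channel As String, ByVal maxEvents As Integer)
        ' "*" is an XPath filter selecting every event in the channel.
        Dim query As New EventLogQuery(channel, PathType.LogName, "*")
        query.ReverseDirection = True

        Try
            Using reader As New EventLogReader(query)
                Dim count As Integer = 0
                Dim record As EventRecord = reader.ReadEvent()
                While record IsNot Nothing AndAlso count < maxEvents
                    Dim message As String
                    Try
                        message = record.FormatDescription()
                    Catch ex As EventLogException
                        ' The provider's message resources may be missing.
                        message = Nothing
                    End Try
                    If message Is Nothing Then message = "(description unavailable)"

                    Console.WriteLine("{0:u} id={1} provider={2}", _
                        record.TimeCreated, record.Id, record.ProviderName)
                    Console.WriteLine("  " & message)

                    record.Dispose()
                    count += 1
                    record = reader.ReadEvent()
                End While
            End Using
        Catch ex As EventLogNotFoundException
            Console.WriteLine("Channel not found: " & channel)
        Catch ex As UnauthorizedAccessException
            Console.WriteLine("Access denied reading " & channel & "; run elevated.")
        End Try
    End Sub

    Sub Main()
        DumpChannel(ChannelName, 20)
    End Sub
End Module
```

Passing PathType.FilePath with the path to an .evtx file instead of PathType.LogName reads a saved log file through the same reader.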
