
I have created a new event log for my application. All works fine; I can log to it as it should.

// Custom log the application writes to.
string logName = "My IMBA log";

// `source` comes from elsewhere in the program; its string form is the event source name.
string sourceName = source.ToString();

// Registering a source writes under HKLM, so this branch needs an elevated process;
// it only has to run once per machine.
if (!System.Diagnostics.EventLog.SourceExists(sourceName))
{
    System.Diagnostics.EventLog.CreateEventSource(sourceName, logName);
}

System.Diagnostics.EventLog eventLog1 = new System.Diagnostics.EventLog
{
    Source = sourceName,
    Log = logName,
};

Now my question:

If I check the event log on my machine I notice that some of them are in folders.


How can I create a folder for my main application, "IMBA Application", and then have several different event logs, one for each of the parts under my application?

Example:

IMBA Application:
- Windows Service
- Web API
- UI

Linda Lawton - DaImTo
  • Not sure if you still need it, but see my answer at: https://stackoverflow.com/questions/26335960/create-event-log-in-sub-directory-under-applications-and-settings-logs – Danny Den Braver Sep 04 '18 at 13:39

3 Answers


I had the same issue and I've managed to achieve this by slightly modifying @Kantium's answer. While creating the PublisherKey, the code was creating a SubKey "ChannelReference"; the correct SubKey name is "ChannelReferences". I can't add a comment to his reply because of reputation requirements, so I'll just add the fixed code here:

    // Written as the publisher key's default value in BuildAllTree(); the answer reports this as the folder name shown in Event Viewer.
    static string EVTXAppName = "MyEventLog";
    // Channel name; combined with EVTXAppName as "<app>/<log>" (see the static constructor).
    static string EVTXLogName = "Operational";
    // Provider GUID. This is the answer's sample value — generate your own GUID for a real application so two products never share a publisher key.
    static string EVTXLogGUID = "{004995f9-47e7-4c6d-ad51-6ae6c06faddd}";

    // "<app>/<log>": sub-key name under WINEVT\Channels and the value stored in ChannelReferences\0 (set in the static constructor).
    static string FilePath;
    // Sub-key name under EventLog\Application (set in the static constructor).
    static string FolderName;
    // static string EVTXFilePath;

    // HKLM in the 64-bit registry view. Writing below it requires an elevated process.
    static RegistryKey localKey32 = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);
    // Cached writable handles to the three keys; null while a key does not exist (BuildAllTree() creates them on demand).
    static RegistryKey _FilePathKey;
    static RegistryKey _FolderNameKey;
    static RegistryKey _PublisherKey;

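    /// <summary>
    /// Derives the key names from the EVTX* settings and opens the three keys when they already exist.
    /// A handle stays null for a missing key; BuildAllTree() creates it later.
    /// </summary>
    /// <remarks>
    /// The keys are opened writable, which needs an elevated process. A SecurityException thrown here
    /// reaches callers wrapped in a TypeInitializationException, as for any static constructor.
    /// </remarks>
    static WindowsEventLogHelper()
    {
        FilePath = EVTXAppName + "/" + EVTXLogName;
        FolderName = EVTXAppName;
        // EVTXFilePath = @"%SystemRoot%\System32\Winevt\Logs\" + FolderName + "%4" + EVTXLogName + ".evtx";

        // The built-in parent keys are only needed to reach the children, so they are disposed at once.
        // OpenSubKey returns null for a missing parent; the original dereferenced it without a check.
        using (RegistryKey channels = localKey32.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Winevt\Channels", true))
        {
            _FilePathKey = channels == null ? null : channels.OpenSubKey(FilePath, true);
        }
        using (RegistryKey eventLogApp = localKey32.OpenSubKey(@"SYSTEM\CurrentControlSet\Services\EventLog\Application", true))
        {
            _FolderNameKey = eventLogApp == null ? null : eventLogApp.OpenSubKey(FolderName, true);
        }
        using (RegistryKey publishers = localKey32.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers", true))
        {
            _PublisherKey = publishers == null ? null : publishers.OpenSubKey(EVTXLogGUID, true);
        }
    }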


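    /// <summary>
    /// Reports whether the channel key, the EventLog\Application entry and the publisher key all exist.
    /// </summary>
    /// <returns>true when all three keys can be opened; false when any of them is missing.</returns>
    /// <remarks>
    /// Everything is opened read-only, so the check also works from a non-elevated process, and every
    /// handle is disposed (RegistryKey is IDisposable; the original left six handles open per call).
    /// </remarks>
    public static bool Exist()
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        {
            return SubKeyExists(hklm, @"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers", EVTXLogGUID)
                && SubKeyExists(hklm, @"SYSTEM\CurrentControlSet\Services\EventLog\Application", FolderName)
                && SubKeyExists(hklm, @"SOFTWARE\Microsoft\Windows\CurrentVersion\Winevt\Channels", FilePath);
        }
    }

    /// <summary>Opens <paramref name="parentPath"/> and then <paramref name="child"/> read-only; true only when both exist.</summary>
    private static bool SubKeyExists(RegistryKey root, string parentPath, string child)
    {
        using (RegistryKey parent = root.OpenSubKey(parentPath, false))
        {
            if (parent == null)
            {
                return false;
            }
            using (RegistryKey childKey = parent.OpenSubKey(child, false))
            {
                return childKey != null;
            }
        }
    }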

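    /// <summary>
    /// Removes the channel key, the EventLog\Application entry and the publisher key created by BuildAllTree().
    /// </summary>
    /// <exception cref="ArgumentException">One of the three sub-key trees does not exist (kept from the original: the call is not idempotent).</exception>
    /// <exception cref="InvalidOperationException">One of the built-in parent keys could not be opened.</exception>
    /// <remarks>
    /// Destructive write under HKLM: run elevated. The cached static handles are disposed and reset so that
    /// a later BuildAllTree() recreates the keys instead of writing to keys that no longer exist.
    /// </remarks>
    public static void Delete()
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        {
            DeleteTree(hklm, @"SOFTWARE\Microsoft\Windows\CurrentVersion\Winevt\Channels", FilePath);
            DeleteTree(hklm, @"SYSTEM\CurrentControlSet\Services\EventLog\Application", FolderName);
            DeleteTree(hklm, @"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers", EVTXLogGUID);
        }

        ReleaseHandle(ref _FilePathKey);
        ReleaseHandle(ref _FolderNameKey);
        ReleaseHandle(ref _PublisherKey);
    }

    /// <summary>Opens <paramref name="parentPath"/> writable and deletes the <paramref name="child"/> tree below it.</summary>
    private static void DeleteTree(RegistryKey root, string parentPath, string child)
    {
        using (RegistryKey parent = root.OpenSubKey(parentPath, true))
        {
            if (parent == null)
            {
                throw new InvalidOperationException("Registry key not found: " + parentPath);
            }
            parent.DeleteSubKeyTree(child, true);
        }
    }

    /// <summary>Disposes a cached key handle, if any, and sets the field to null.</summary>
    private static void ReleaseHandle(ref RegistryKey key)
    {
        if (key != null)
        {
            key.Dispose();
            key = null;
        }
    }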

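    /// <summary>
    /// Creates or updates the three registry keys that register the custom channel, then returns Exist().
    /// </summary>
    /// <returns>true when all three keys exist afterwards.</returns>
    /// <exception cref="InvalidOperationException">A built-in parent key could not be opened.</exception>
    /// <remarks>
    /// Writes under HKLM\SOFTWARE and HKLM\SYSTEM: run elevated. The values are rewritten on every call, so
    /// the method can be re-run to repair an existing registration. ChannelAccess is an SDDL string that
    /// decides who may read and write the channel — review its ACEs for your deployment instead of copying
    /// them unchanged.
    /// </remarks>
    public static bool BuildAllTree()
    {
        // 1. Channel: HKLM\SOFTWARE\...\Winevt\Channels\<app>/<log>
        if (_FilePathKey == null)
        {
            _FilePathKey = CreateUnder(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Winevt\Channels", FilePath);
        }

        _FilePathKey.SetValue("Enabled", 1, RegistryValueKind.DWord);
        _FilePathKey.SetValue("Type", 1, RegistryValueKind.DWord);
        _FilePathKey.SetValue("Isolation", 0, RegistryValueKind.DWord);
        _FilePathKey.SetValue("RestrictGuestAccess", "1", RegistryValueKind.String);

        _FilePathKey.SetValue("Retention", 0, RegistryValueKind.DWord);
        // Owner BA (Builtin Administrators), group SY, followed by the access entries.
        _FilePathKey.SetValue("ChannelAccess", "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)", RegistryValueKind.String);
        _FilePathKey.SetValue("OwningPublisher", EVTXLogGUID, RegistryValueKind.String);
        _FilePathKey.SetValue("MaxSize", 541589504, RegistryValueKind.DWord); // 0x20480000 = 516.5 MiB (the original comment said 512)
        _FilePathKey.SetValue("MaxSizeUpper", 0, RegistryValueKind.DWord);

        // 2. EventLog\Application\<app>: ties the entry to the provider GUID.
        if (_FolderNameKey == null)
        {
            _FolderNameKey = CreateUnder(@"SYSTEM\CurrentControlSet\Services\EventLog\Application", FolderName);
        }

        _FolderNameKey.SetValue("ProviderGuid", EVTXLogGUID, RegistryValueKind.String);
        // _FolderNameKey.SetValue("File", EVTXFilePath, RegistryValueKind.ExpandString);

        // 3. Publisher: HKLM\SOFTWARE\...\WINEVT\Publishers\{guid}; the channel reference is only written
        //    when the publisher key is new, as in the original.
        if (_PublisherKey == null)
        {
            _PublisherKey = CreateUnder(@"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers", EVTXLogGUID);
            WriteChannelReference(_PublisherKey);
        }
        _PublisherKey.SetValue("Enabled", 1, RegistryValueKind.DWord);
        _PublisherKey.SetValue("", FolderName, RegistryValueKind.String);

        return Exist();
    }

    /// <summary>
    /// Opens the built-in parent key writable and creates <paramref name="name"/> below it.
    /// CreateSubKey opens an existing key of that name unchanged. The parent handle is released here;
    /// the returned child handle is kept by the caller.
    /// </summary>
    private static RegistryKey CreateUnder(string parentPath, string name)
    {
        using (RegistryKey parent = localKey32.OpenSubKey(parentPath, true))
        {
            if (parent == null)
            {
                throw new InvalidOperationException("Registry key not found: " + parentPath);
            }
            return parent.CreateSubKey(name);
        }
    }

    /// <summary>
    /// Ensures ChannelReferences exists under the publisher key. When it has to be created, sub-key "0"
    /// gets Flags = 0, Id = 16 and the default value "<app>/<log>"; Count = 1 is written either way.
    /// </summary>
    private static void WriteChannelReference(RegistryKey publisher)
    {
        RegistryKey references = publisher.OpenSubKey("ChannelReferences", true);
        try
        {
            if (references == null)
            {
                references = publisher.CreateSubKey("ChannelReferences");
                // CreateSubKey also opens "0" when it already exists, so no separate OpenSubKey probe is needed.
                using (RegistryKey first = references.CreateSubKey("0"))
                {
                    first.SetValue("Flags", 0, RegistryValueKind.DWord);
                    first.SetValue("Id", 16, RegistryValueKind.DWord);
                    first.SetValue("", FilePath, RegistryValueKind.String);
                }
            }
            references.SetValue("Count", 1, RegistryValueKind.DWord);
        }
        finally
        {
            if (references != null)
            {
                references.Dispose();
            }
        }
    }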

Edit: the evtx file path seems not to be mandatory, as it gets created by Windows, so I've commented it out here. If anyone finds it useful then just uncomment it. I've removed it so that I can reuse the code (minus the creation of the "FolderKey") to add other entries into the folder.

Phyusix

Try this when creating your log:

// Registers the source in that log (creating the log when it does not exist yet); writes under HKLM, so run elevated.
EventLog.CreateEventSource(your_app_name, your_event_log_name);

The event log name is the "folder" you see, if I'm not mistaken.

Noctis
  • Right now I have the same your_event_log_name with different your_app_name (source) values; they are all going into the same log. If I change your_event_log_name I get a different event log, but it's not in a folder – Linda Lawton - DaImTo Apr 12 '16 at 08:56
  • you're right. Seems [this guy](http://stackoverflow.com/q/26335960/1698987) tried a year ago, and still no cake ? :( – Noctis Apr 12 '16 at 10:34
  • nope I have kinda of run out of ideas that's why I posted it here. Its not really something I "need" to add but its more like a nice to have and a curiosity about if its even possible. – Linda Lawton - DaImTo Apr 12 '16 at 10:43
  • 1
    here's [another fail](http://www.yusufozturk.info/windows-powershell/how-to-create-event-log-folder-with-powershell.html). Fun to read though ... he tried with power shell ...still no cake .. – Noctis Apr 12 '16 at 10:54
  • Excuse me, I also want to do this, but I haven't managed it yet. I looked at the "another fail" link; it seems to say that we need to name a log with '-' (dash) separators to create the log under a folder. So I tried to create an event log with PowerShell: "New-Eventlog -LogName 'Company-Product-LogName' -Source 'Example'". A new log named 'Company-Product-LogName' was created, whereas I expected a log named 'LogName' under a nested folder 'Company' -> 'Product'. I also saw other posts; some of them showed that we need to manipulate the Windows registry. I'm not sure whether that is correct. – Yusuke Masuda Sep 13 '18 at 23:24
  • @YusukeMasuda couldn't tell you, i had to reread this all question and my answer just to remember what we're talking about ...it's been 6 years after all :) If you do figure something out, do post an answer with what you've done :) – Noctis Sep 13 '18 at 23:49

I know this is an old thread, but I had the same wish. So far I have only been able to get this result:


Unfortunately I spent too much time on this. I don't know why the folder name is the same as the log name; I strictly duplicated another registry key structure, without luck. I'm giving up, but I'm leaving my C# code here in case someone can figure out what's wrong. It's based on the PowerShell script from frankenTUX in the linked answer:

    // Written as the publisher key's default value in BuildAllTree(); intended as the folder name shown in Event Viewer.
    static string EVTXAppName = "MyEventLog";
    // Channel name; combined with EVTXAppName as "<app>/<log>" (see the static constructor).
    static string EVTXLogName = "Operational";
    // Provider GUID. This is the answer's sample value — generate your own GUID for a real application so two products never share a publisher key.
    static string EVTXLogGUID = "{004995f9-47e7-4c6d-ad51-6ae6c06faddd}";

    // "<app>/<log>": sub-key name under WINEVT\Channels and the value stored in the publisher's channel reference (set in the static constructor).
    static string LocationOneKeyName;
    // Sub-key name under EventLog\Application (set in the static constructor).
    static string LocationTwoKeyName;
    // %SystemRoot%\System32\Winevt\Logs\<app>%4<log>.evtx, stored as REG_EXPAND_SZ so the registry expands %SystemRoot% (set in the static constructor).
    static string EVTXFilePath;

    // HKLM in the 64-bit registry view. Writing below it requires an elevated process.
    static RegistryKey localKey32 = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);
    // Cached writable handles to the three keys; null while a key does not exist (BuildAllTree() creates them on demand).
    static RegistryKey _LocationOneKey;
    static RegistryKey _LocationTwoKey;
    static RegistryKey _PublisherKey;

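    /// <summary>
    /// Derives the key names and the .evtx path from the EVTX* settings and opens the three keys when
    /// they already exist. A handle stays null for a missing key; BuildAllTree() creates it later.
    /// </summary>
    /// <remarks>
    /// The keys are opened writable, which needs an elevated process. A SecurityException thrown here
    /// reaches callers wrapped in a TypeInitializationException, as for any static constructor.
    /// </remarks>
    static WindowsEventLogHelper()
    {
        LocationOneKeyName = EVTXAppName + "/" + EVTXLogName;
        LocationTwoKeyName = EVTXAppName;
        // "%4" stands in for the "/" of the channel name in the .evtx file name.
        EVTXFilePath = @"%SystemRoot%\System32\Winevt\Logs\" + LocationTwoKeyName + "%4" + EVTXLogName + ".evtx";

        // The built-in parent keys are only needed to reach the children, so they are disposed at once.
        // OpenSubKey returns null for a missing parent; the original dereferenced it without a check.
        using (RegistryKey channels = localKey32.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Winevt\Channels", true))
        {
            _LocationOneKey = channels == null ? null : channels.OpenSubKey(LocationOneKeyName, true);
        }
        using (RegistryKey eventLogApp = localKey32.OpenSubKey(@"SYSTEM\CurrentControlSet\Services\EventLog\Application", true))
        {
            _LocationTwoKey = eventLogApp == null ? null : eventLogApp.OpenSubKey(LocationTwoKeyName, true);
        }
        using (RegistryKey publishers = localKey32.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers", true))
        {
            _PublisherKey = publishers == null ? null : publishers.OpenSubKey(EVTXLogGUID, true);
        }
    }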


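    /// <summary>
    /// Reports whether the channel key, the EventLog\Application entry and the publisher key all exist.
    /// </summary>
    /// <returns>true when all three keys can be opened; false when any of them is missing.</returns>
    /// <remarks>
    /// Everything is opened read-only, so the check also works from a non-elevated process, and every
    /// handle is disposed (RegistryKey is IDisposable; the original left six handles open per call).
    /// </remarks>
    public static bool Exist()
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        {
            return SubKeyExists(hklm, @"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers", EVTXLogGUID)
                && SubKeyExists(hklm, @"SYSTEM\CurrentControlSet\Services\EventLog\Application", LocationTwoKeyName)
                && SubKeyExists(hklm, @"SOFTWARE\Microsoft\Windows\CurrentVersion\Winevt\Channels", LocationOneKeyName);
        }
    }

    /// <summary>Opens <paramref name="parentPath"/> and then <paramref name="child"/> read-only; true only when both exist.</summary>
    private static bool SubKeyExists(RegistryKey root, string parentPath, string child)
    {
        using (RegistryKey parent = root.OpenSubKey(parentPath, false))
        {
            if (parent == null)
            {
                return false;
            }
            using (RegistryKey childKey = parent.OpenSubKey(child, false))
            {
                return childKey != null;
            }
        }
    }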

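    /// <summary>
    /// Creates or updates the three registry keys that register the custom channel, then returns Exist().
    /// </summary>
    /// <returns>true when all three keys exist afterwards.</returns>
    /// <exception cref="InvalidOperationException">A built-in parent key could not be opened.</exception>
    /// <remarks>
    /// Writes under HKLM\SOFTWARE and HKLM\SYSTEM: run elevated. The values are rewritten on every call, so
    /// the method can be re-run to repair an existing registration. ChannelAccess is an SDDL string that
    /// decides who may read and write the channel — review its ACEs for your deployment instead of copying
    /// them unchanged. The publisher sub-key is named "ChannelReferences" (the original wrote
    /// "ChannelReference", which the other answer identifies as the reason the folder never appeared).
    /// </remarks>
    public static bool BuildAllTree()
    {
        // 1. Channel: HKLM\SOFTWARE\...\Winevt\Channels\<app>/<log>
        if (_LocationOneKey == null)
        {
            _LocationOneKey = CreateUnder(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Winevt\Channels", LocationOneKeyName);
        }

        _LocationOneKey.SetValue("Enabled", 1, RegistryValueKind.DWord);
        _LocationOneKey.SetValue("Type", 1, RegistryValueKind.DWord);
        _LocationOneKey.SetValue("Isolation", 0, RegistryValueKind.DWord);
        _LocationOneKey.SetValue("RestrictGuestAccess", "1", RegistryValueKind.String);

        _LocationOneKey.SetValue("Retention", 0, RegistryValueKind.DWord);
        // Owner BA (Builtin Administrators), group SY, followed by the access entries.
        _LocationOneKey.SetValue("ChannelAccess", "O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)", RegistryValueKind.String);
        _LocationOneKey.SetValue("OwningPublisher", EVTXLogGUID, RegistryValueKind.String);
        _LocationOneKey.SetValue("MaxSize", 541589504, RegistryValueKind.DWord); // 0x20480000 = 516.5 MiB (the original comment said 512)
        _LocationOneKey.SetValue("MaxSizeUpper", 0, RegistryValueKind.DWord);

        // 2. EventLog\Application\<app>: ties the entry to the provider GUID and the .evtx file.
        if (_LocationTwoKey == null)
        {
            _LocationTwoKey = CreateUnder(@"SYSTEM\CurrentControlSet\Services\EventLog\Application", LocationTwoKeyName);
        }

        _LocationTwoKey.SetValue("ProviderGuid", EVTXLogGUID, RegistryValueKind.String);
        _LocationTwoKey.SetValue("File", EVTXFilePath, RegistryValueKind.ExpandString);

        // 3. Publisher: HKLM\SOFTWARE\...\WINEVT\Publishers\{guid}; the channel reference is only written
        //    when the publisher key is new, as in the original.
        if (_PublisherKey == null)
        {
            _PublisherKey = CreateUnder(@"SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers", EVTXLogGUID);
            WriteChannelReference(_PublisherKey);
        }
        _PublisherKey.SetValue("Enabled", 1, RegistryValueKind.DWord);
        _PublisherKey.SetValue("", LocationTwoKeyName, RegistryValueKind.String);

        return Exist();
    }

    /// <summary>
    /// Opens the built-in parent key writable and creates <paramref name="name"/> below it.
    /// CreateSubKey opens an existing key of that name unchanged. The parent handle is released here;
    /// the returned child handle is kept by the caller.
    /// </summary>
    private static RegistryKey CreateUnder(string parentPath, string name)
    {
        using (RegistryKey parent = localKey32.OpenSubKey(parentPath, true))
        {
            if (parent == null)
            {
                throw new InvalidOperationException("Registry key not found: " + parentPath);
            }
            return parent.CreateSubKey(name);
        }
    }

    /// <summary>
    /// Ensures ChannelReferences exists under the publisher key. When it has to be created, sub-key "0"
    /// gets Flags = 0, Id = 16 and the default value "<app>/<log>"; Count = 1 is written either way.
    /// </summary>
    private static void WriteChannelReference(RegistryKey publisher)
    {
        RegistryKey references = publisher.OpenSubKey("ChannelReferences", true);
        try
        {
            if (references == null)
            {
                references = publisher.CreateSubKey("ChannelReferences");
                // CreateSubKey also opens "0" when it already exists, so no separate OpenSubKey probe is needed.
                using (RegistryKey first = references.CreateSubKey("0"))
                {
                    first.SetValue("Flags", 0, RegistryValueKind.DWord);
                    first.SetValue("Id", 16, RegistryValueKind.DWord);
                    first.SetValue("", LocationOneKeyName, RegistryValueKind.String);
                }
            }
            references.SetValue("Count", 1, RegistryValueKind.DWord);
        }
        finally
        {
            if (references != null)
            {
                references.Dispose();
            }
        }
    }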
Kantium