21

My windows service writes to the event log, but I've had various problems getting this correct. So in the process I used a number of different names. I followed an article describing how to set up event logs in windows services. So after adding an EventLog component in the designer, I have added this to the constructor:

if (!System.Diagnostics.EventLog.SourceExists("AS0604"))
   System.Diagnostics.EventLog.CreateEventSource("AS0604", "SIRR");

eventLog1.Source = "AS0604";
eventLog1.Log = "SIRR";
eventLog1.WriteEntry("AS is initializing...", EventLogEntryType.Information, 16);

I found out that there is trouble if the source has the same name as the service name of the windows service. But I kept changing the names a lot for both the Log and the Source. The 

EventLog[] eventLogs = EventLog.GetEventLogs();

Lists the eventlogs and I was able to remove those I didn't use with EventLog.Delete command.

But how does this work? Are there still registered sources in these deleted logs? Can I get a list of registered sources?

Kasper Hansen
  • 6,307
  • 21
  • 70
  • 106

3 Answers3

13

Since the accepted answer is lost, here is another. Unfortunately I found no alternative to examining the Windows Registry directly.

  • PowerShell (Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\<EventLogName>).pschildname

E.g. to list the Windows Application Event Log's Sources:

  • PowerShell (Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application).pschildname

I threw this up after reading several sources. Unfortunately none were very clear or direct.

ScottWelker
  • 1,701
  • 17
  • 30
  • 1
    Great, helpful answer. Thanks. I had an Event Log name which had a space in it so if you alter the code to include double-quotes around the HKLM string then it works for all. Example: (Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\").pschildname – raddevus Mar 22 '23 at 12:51
1

I don't have a C# answer, but here is a WMI solution:

$Sources = Get-WmiObject -Namespace "root\cimv2" -Class "Win32_NTEventLOgFile" | Select-Object FileName, Sources | ForEach-Object -Begin { $hash = @{}} -Process { $hash[$_.FileName] = $_.Sources } -end { $Hash }

This will list the source even if there is no entry currently in the log for the given source.

Slogmeister Extraordinaire
  • 2,890
  • 2
  • 25
  • 39
0

via powershell:

Get-EventLog -LogName Application |Select-Object Source -Unique

see: https://social.technet.microsoft.com/Forums/windowsserver/en-US/48d1e34d-6ded-4039-a8a4-3b17d9c69488/list-eventlog-sources?forum=winserverpowershell

timB33
  • 1,977
  • 16
  • 33
  • 3
    This doesn't show ALL registered sources. If there's no entry currently in the log for given source it won't be shown here. – dstarkowski Jun 28 '18 at 09:22
  • 1
    @dstarkowski is correct. This gets all events currently in the Application event log and then lists their distinct (unique) sources. That is very likely just a subset of registered sources. – ScottWelker Jun 12 '19 at 21:50