1

Does anyone have an idea why the '.NET Runtime' Event source does not behave like a normal event source?

var logCheckOne = EventLog.Exists(".NET Runtime");

var logCheckTwo = EventLogSession
                    .GlobalSession
                    .GetLogNames()
                    .Any(s => string.Equals(s, ".NET Runtime", StringComparison.OrdinalIgnoreCase));

Both of these lines of code return false and yet in Event Viewer, there is clearly a ".NET Runtime" event source AND I can write to it without issue.

Why is this broken? Is there a way to get a 'true' list of Event Sources?

Bitfiddler
  • 3,942
  • 7
  • 36
  • 51

2 Answers2

3

The 'LogName' is 'Application', the 'Source Name' is '.NET Runtime', so it seems you are not querying correctly.

try:

var logCheckOne = EventLog.SourceExists(".NET Runtime")
E.J. Brennan
  • 45,870
  • 7
  • 88
  • 116
1

What you see as EventLog is in reality a complex beast which is composed of many ETW (Event Tracing for Windows) Providers. The code

foreach(var log in EventLogSession.GlobalSession.GetLogNames())
{
 Console.WriteLine($"{log}");
}

gives you over 1000 entries. This are ETW providers with different channel settings which show up as "new" Event Logs since Windows Vista. Before Windows Vista there were only the Event Logs

  • Application
  • Security
  • System

and potentially a few others and some custon logs created by other applications. The data went into .evt Files where each Event Log has registered in the Registry the Event Sources and their resource dlls for message formatting and localization.

Since Vista and later versions this was reworked and under the hood now the "old" registry based approach is still there but most event log sources got in the regitry no longer an message dll but a reference to an ETW Provider id which is now looked up.

Hence your confusion when you did enumerate the EventLogSession which is a mixture of ETW providers and their configured channels which still can log to the Application event log.

The good old world with EventLog and its methods shows the "old" pre Vista View with log names and sources.

            foreach(var log in EventLog.GetEventLogs())
            {
                Console.WriteLine($"{log.LogDisplayName}");
            }
  • Application
  • Hardware Events
  • Internet Explorer
  • Security
  • System

See my article https://aloiskraus.wordpress.com/2020/07/20/ms-performance-hud-analyze-eventlog-reading-performance-in-realtime/ for more information.

Alois Kraus
  • 13,229
  • 1
  • 38
  • 64
  • Thank you for posting this info. Although it was not the source of my issue, this is valuable background that others can use. – Bitfiddler Mar 16 '21 at 21:29