Sending ETW Events to Global "Application" Log - c++

I'd like to enable my app to make warnings and errors visible to the global "Application" log in Windows Event Viewer. I've successfully followed the directions here that helped me get ETW up and running, but I only see events when I explicitly enable logging via a tracing program, and even then they only show up in the generated .etl file, not in the global log.
How can I programmatically register and write events to the global Application log, so that when users run event viewer, they'll see events from my app? Is it even possible? In a nutshell, I want to end up with something like the screenshot below, just with less photoshopping required:

ETW seems to be quite complex for your purpose, here's the procedure to write to the Event Log:
a) One-time (you would typically do this while installing your application): register your application as an Event Provider; only the EventMessageFile entry is really required:
- key = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\MyCoolGame
- string name (REG_EXPAND_SZ) = EventMessageFile
- string value = C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
b) On program startup: Register Event Source and receive a handle:
HANDLE hEventLog = RegisterEventSource(NULL, lpszAppName);
c) Use the ReportEvent function to write entries to the Event Log:
TCHAR szLogBuffer[] = _T("Started new multiplayer server.");
const TCHAR *lpszEventStrings[2] = {szLogBuffer, NULL};
ReportEvent(hEventLog, EVENTLOG_INFORMATION_TYPE, 0, 1, NULL, 1, 0, lpszEventStrings, NULL);
d) On program shutdown:
DeregisterEventSource(hEventLog);

The Windows Event Tracing API was intended to supersede the older Windows Event Logging API for logging events to the Event Log, starting with Windows Vista. But to this day it is difficult to find clear examples online showing how to use this newer Event Tracing for Windows (ETW) API.
It is fundamental for applications - and especially services - to log events to the Windows Event Log under System or Application. But Microsoft does not provide any clear documentation for this very common use case. Instead, the current online documentation for Event Tracing drags you through the entire complexity of ETW.
That said, Microsoft offers a sample solution for native VC++ which works well. The solution and project (from VS2008!) loaded fine into Visual Studio 2022.
The included XML manifest in this sample defines 5 events, but only the first, fourth and fifth are associated with the "channel" for the Windows Application Event Log. The second and third events are associated with an "analytic channel" for ETW and will not appear in Application or System logs within Event Viewer (such ETW events are typically captured/monitored through other means). So the sample demonstrates how to log to the Event Log or to ETW using the newer API. The readme.txt file in this solution is instructive.
Also helpful is an archived Microsoft forum posting called FAQ: Common Questions for ETW and Windows Event Log. It describes the various ETW channels, defines what WPP means and provides a number of other details.
There is a third Windows API for ETW logging called TraceLogging which builds upon and simplifies the ETW API; however, for logging to the traditional Application and System Event Logs shown in Event Viewer, you must stay with either manifest-based ETW logging or the older Windows XP/Server 2003 Event Logging API.

Related

How to see the console window of a service during its full execution lifetime?

Probably this was already answered here, but I could not find it.
So I want to know how to execute a C++ console application/service (which installs itself as a service) in such a way that I can see all output (printf()) during its execution (similar to what happens in a normal console application when system("pause"); is used in main()). Until now I'm only able to see the console window while Avast DeepScreen is executing it :-).
Thanks in advance.
EDIT:
I already inserted getchar(); in ServiceMain() and a while (true) ... Sleep() loop, but without success.
A service does not have a console window. And even if it did, a service does not run in an interactive desktop, so you couldn't see such a window anyway.
You need to rethink your logging approach. Either
write your log messages to the Windows Event Log, and use the Windows Event Viewer to see the messages.
create a separate visual app that runs in the user's interactive desktop and communicates with the service process to receive log messages. Then you can display the messages however you want.
Well, take the execution of any program using a c++ program, you can simply do it using the command prompt.
Just type in :
system("path to the program");
And, the program will be executed. If it’s a console window program, it will pop-up.
You can see the outputs, well, follow these :
1. The System.Diagnostics.Trace class has a similar interface to the Console class, so you could migrate your code quite easily to this.
2. It can then be configured to output to a file. You can use the System.Diagnostics.EventLog class to write to the Event Log, which you can then monitor using Event Viewer.
3. You can use the third-party open-source log4net library, which is very flexible.

Redirect syslog facility log to custom file

I have an embedded system with busy box in it. Busy box manual page states that:
"Note that this version of syslogd ignores /etc/syslog.conf."
There is an option -O, but it redirects all messages to custom file.
I'm sending messages from C++.
Found somewhere option -f for settings external config file - does not work.
That is how I connect to logger from my application:
#include <syslog.h>

bool Log::start()
{
    /* Launch process here */
    // Accept every level up to LOG_DEBUG, then open the log with facility LOCAL1.
    // LOG_IDENTITY is the program's ident string, defined elsewhere in the application.
    setlogmask(LOG_UPTO(LOG_DEBUG));
    openlog(LOG_IDENTITY, LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1);
    return true;
}
Can I set a different log location for a certain facility, or a facility mask for the whole syslog, by calling functions from my application? Or some other way?
We faced this same problem (not Busybox, but redirecting an application's syslog to a different log file using the bare-bones syslogd). The solution is two steps:
Update the application's call to openlog() to set the 3rd parameter to int facility and then create the configuration code that converts LOCAL0 through LOCAL7 into the LOG_LOCAL0 through LOG_LOCAL7 labels. Then we configure the application to specify LOCAL3 for those hosts where only that application's log data is needed.
Then our Operations folks are working to configure syslogd to redirect the log data for the LOCAL3 facility to a separate file. I don't know exactly what they have come up with, so I won't speculate further. But they had asked me to configure the facility in the knowledge that they can redirect syslogd output based on the facility.
One thing that I noticed is that you use LOG_CONS. I used to do that, but found that when syslogd could not be written to, this caused syslog to fork a child process and the Solaris x86_64 process table filled with zombies. So I don't use that flag anymore.
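The facility-selection approach from the answer above, as an added example that is not the answer's own code: the facility name comes from configuration and is converted to LOG_LOCAL0..LOG_LOCAL7, openlog() uses it, and a per-message override is shown as well, since syslog(3) forms the priority argument by OR-ing a facility with a level. It assumes a daemon that honours a syslog.conf line such as `local3.* /var/log/myapp.log` (sysklogd, rsyslog, syslog-ng); BusyBox syslogd, as the question notes, ignores syslog.conf, so there the -O option still applies to everything. The function names and the sample messages are this example's own.

```cpp
// Added example, not the original question's or answer's code.
#include <syslog.h>
#include <cctype>
#include <cstdio>
#include <cstring>

// Case-insensitive check that s starts with lowercase_prefix; the caller has
// already verified s is long enough.
static bool starts_with_nocase(const char *s, const char *lowercase_prefix)
{
    for (; *lowercase_prefix; ++s, ++lowercase_prefix)
        if (std::tolower(static_cast<unsigned char>(*s)) != *lowercase_prefix) return false;
    return true;
}

// Map "LOCAL0".."LOCAL7" (any case) to LOG_LOCAL0..LOG_LOCAL7. Returns -1 for
// anything else, so a typo in the config cannot silently fall back to LOG_USER
// and end up in the shared log.
int facility_from_name(const char *name)
{
    static const int locals[8] = { LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3,
                                   LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7 };
    if (name == nullptr || std::strlen(name) != 6) return -1;
    if (!starts_with_nocase(name, "local")) return -1;
    char d = name[5];
    if (d < '0' || d > '7') return -1;
    return locals[d - '0'];
}

// syslog(3) priority = facility | level. Mask both halves so a caller cannot
// smuggle one into the other's bits.
int make_priority(int facility, int level)
{
    return (facility & LOG_FACMASK) | (level & LOG_PRIMASK);
}

// Open the log with the configured facility. LOG_CONS is deliberately left out,
// as the answer above recommends; LOG_NDELAY connects now, LOG_PID tags lines.
bool open_app_log(const char *ident, const char *facility_name)
{
    int fac = facility_from_name(facility_name);
    if (fac < 0) {
        std::fprintf(stderr, "unknown syslog facility: %s\n", facility_name ? facility_name : "(null)");
        return false;
    }
    setlogmask(LOG_UPTO(LOG_DEBUG));
    openlog(ident, LOG_PID | LOG_NDELAY, fac);
    return true;
}

// Per-message override: send this line to a different facility than the one
// given to openlog(), e.g. security-relevant lines to LOCAL4.
void log_to(int facility, int level, const char *msg)
{
    syslog(make_priority(facility, level), "%s", msg);
}

int main()
{
    if (!open_app_log("mygame", "LOCAL3")) return 1;
    syslog(LOG_INFO, "multiplayer server started");                  // facility LOCAL3
    log_to(LOG_LOCAL4, LOG_WARNING, "failed login from 10.0.0.5");    // facility LOCAL4
    closelog();
    return 0;
}
```

With `local3.* /var/log/myapp.log` and `local4.* /var/log/myapp-security.log` in the daemon's configuration, the two lines land in two different files while the rest of the system's logging is untouched.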

Writing to the Windows Security Log with C++

I have been tasked with writing entries to the Windows security log. The entire project is Win32 C++ code. I have already written (with help from various online resources) a logging class that handles registration, deregistration, and code for executing the ReportEvent() call. Also, I've done the mc.exe and rc.exe steps for my event logging, if that helps establish where I'm at in the project.
My question is a multi-parter:
I've noticed at Filling Windows XP Security Event Log that there are some who believe this is not allowed by Windows. Others ( How to write log to SECURITY event Log in C#? ) imply otherwise. Possible or not?
If it is possible, how to get it to write to the security log. Is it as simple as specifying "Security" as my source name when calling RegisterEventSource()?
As far as deregistration, when should that occur? When the app is uninstalled? When the app closes? When the log entry is written?
How do I look up my log entries? I look in the Windows Event Viewer, but I don't see the entries I add with my test app, despite all the appropriate return values from the system calls. Where would I look up the events that I specified with a source name of "yarp" when I made my call to RegisterEventSource()?
For the moment, I'll just deal with the first question, because the answer to that probably renders the rest irrelevant.
Only Local Security Authority (lsass.exe) can write to the security log. This isn't a matter that something else attempting to get the privilege will fail -- it's a matter of there not being a way for anything else to even request the privilege at all (and this is by design).
From there, about the only answer to your other questions is "Sorry!"

Is a separate message file library for my native Win32 service necessary?

We've got an old legacy win32 service, developed with C++, and we've just recently noticed that when the service starts up and stops, there is an informational message in the event logs about our missing event descriptions. To be more precise, the message looks like this:
The description for Event ID 0 from source [application] cannot be
found. Either the component that raises this event is not installed on
your local computer or the installation is corrupted. You can install
or repair the component on the local computer.
So we understand what this means, basically we're missing a library which has a message table compiled into it. This way when the event ID for changing status (start/stop) arrives, it can look up the message and print it in the event logs.
The question is, for these universal messages (changing status etc.) which pretty much every service is going to have, surely there is a default message table that we can use, rather than having to go to the trouble of creating another project just for this, adding registry entries and updating our installer.
Seems like a lot of hassle for something that should surely be a default somewhere? Like the standard win32 error messages?
I've created a number of managed services in the past, and I'm pretty sure we didn't need to do anything like this before!
So to wrap this up, I guess the answer is that a new message table/file is always required, regardless (so no, there are no default messages you can use), so I'll just have to chuck a message table into my service's resource file and add a registry entry to the installer.
Still find it baffling though that every native service has its own 'service has stopped/started' message...!
Thanks!

Check if windows shell has finished loading startup programs

How can I programmatically check if the Windows shell (explorer) has loaded all startup programs and the user login process is over?
There is a somewhat documented event you can wait for, but it is signaled when explorer has started loading. On XP this event is called "msgina: ShellReadyEvent" and "ShellDesktopSwitchEvent" on Vista. I linked to the sources of some alternative shells in a post related to this event.
Another alternative would be to listen for the Taskbar Creation Notification message. It can fire more than once so you would need to keep track of that.
On Vista+ there is one last alternative that might just work: Programs set to run at startup are part of a job object so they cannot run at high priority. If your program runs at startup you could maybe check for this, either by using IsProcessInJob or SetPriorityClass+GetPriorityClass in a loop. (SetPriorityClass will lie about its return value IIRC)