Debugging a logon process event

Guy Noir

Hello.
OK, Thanks to the help I have the remote debugging worked out.

Here is my next hurdle.

I have a service that is supposed to be catching Event Log written
events.

this.eventLog1.EntryWritten += new
System.Diagnostics.EntryWrittenEventHandler(this.eventLog1_EntryWritten);

It catches event log entries just fine when I am logged in and catches
the log off events, but it does not seem to catch the logon events.

I figured I could remote debug this, however since I have to have the
remote debugging monitor running, I can't debug while the user is
logged off.

Any ideas as to how to debug this particular problem? That is, debug
before a user has signed on?

Or even better yet, any ideas as to why my
System.Diagnostics.EntryWrittenEventHandler(this.eventLog1_EntryWritten)
is not catching anything until after a user signs in? It's a service,
so it is indeed running before a user signs in.

Thanks as always!
-A
 
Willy Denoyette [MVP]

| Hello.
| OK, Thanks to the help I have the remote debugging worked out.
|
| Here is my next hurdle.
|
| I have a service that is supposed to be catching Event Log written
| events.
|
| this.eventLog1.EntryWritten += new
| System.Diagnostics.EntryWrittenEventHandler(this.eventLog1_EntryWritten);
|
| It catches event log entries just fine when I am logged in and catches
| the log off events, but it does not seem to catch the logon events.
|
| I figured I could remote debug this, however since I have to have the
| remote debugging monitor running, I can't debug while the user is
| logged off.
|
| Any ideas as to how to debug this particular problem? That is, debug
| before a user has signed on?
|
| Or even better yet, any ideas as to why my
| System.Diagnostics.EntryWrittenEventHandler(this.eventLog1_EntryWritten)
| is not catching anything until after a user signs in? It's a service,
| so it is indeed running before a user signs in.
|
| Thanks as always!
| -A
|

This is not a reliable method to receive specific eventlog notifications;
the system only raises one event per 5 seconds, which means that messages
written within the 5-second window following an eventlog event will not
result in another event getting raised.

Willy.
 
Guy Noir

Interesting!

Is there another way to collect specific event log entries "real time"?
Or could you point me in the right direction?

Thanks so much!
-A
 
Guy Noir

Here is what I am proposing. It seems a bit kludgy but so does the
.EntryWrittenEventHandler.

Keep collecting events via .EntryWrittenEventHandler

But every 10 minutes parse the event log using the Date/Time/INDEX
Number as a primary key. The idea is that the EntryWrittenEventHandler
can catch events, the ones we miss are parsed every 10 minutes.

Worst case: events are missed by the EntryWrittenEventHandler and the
machine shuts down before the 10 minute cycle has run.

Then again, as long as the machine is shut down gracefully, I could
include the log parse method in the OnStop method.

Just seems kind of kludgy to me.
 
Willy Denoyette [MVP]

| Here is what I am proposing. It seems a bit kludgy but so does the
| .EntryWrittenEventHandler.
|
| Keep collecting events via .EntryWrittenEventHandler
|
| But every 10 minutes parse the event log using the Date/Time/INDEX
| Number as a primary key. The idea is that the EntryWrittenEventHandler
| can catch events, the ones we miss are parsed every 10 minutes.
|
| Worst case: events are missed by the EntryWrittenEventHandler and the
| machine shuts down before the 10 minute cycle has run.
|
| Then again, as long as the machine is shut down gracefully, I could
| include the log parse method in the OnStop method.
|
| Just seems kind of kludgy to me.
|

I would parse the eventlog at every event; the minimum interval between
these is 5 seconds, so this won't hurt system performance. Anyway, if that
many events are logged, you need to parse at a higher rate anyway.
When the system shuts down, you parse one last time in your service's
OnShutdown event handler.

Willy.
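
A sketch of the approach suggested in the reply above, added here as an example and not code from the thread: each EntryWritten notification is treated only as a wake-up signal, and the service reads every entry newer than the last EventLogEntry.Index it processed, with a final pass in OnStop and OnShutdown. The class name LogonWatcherService, the Handle method and the choice of the "Security" log are assumptions, as is a service account that is allowed to read that log.

```csharp
using System.Collections.Generic;
using System.Diagnostics;
using System.ServiceProcess;

// Hypothetical service; only the EventLog and ServiceBase members are real APIs.
public class LogonWatcherService : ServiceBase
{
    private readonly object gate = new object();
    private EventLog log;
    private int lastIndex;                        // Index of newest entry already handled

    public LogonWatcherService() { CanShutdown = true; }  // needed for OnShutdown to be called

    protected override void OnStart(string[] args)
    {
        log = new EventLog("Security");           // assumed log name
        int n = log.Entries.Count;
        lastIndex = n > 0 ? log.Entries[n - 1].Index : 0;   // start from "now"
        // Notifications can be coalesced, so e.Entry is ignored and the log is re-read.
        log.EntryWritten += delegate(object s, EntryWrittenEventArgs e) { CatchUp(); };
        log.EnableRaisingEvents = true;
    }

    protected override void OnStop() { log.EnableRaisingEvents = false; CatchUp(); log.Dispose(); }
    protected override void OnShutdown() { CatchUp(); }     // last pass before power-off

    // Walk back from the newest entry until one that was already handled is reached.
    private void CatchUp()
    {
        lock (gate)                               // handler runs on a thread-pool thread
        {
            EventLogEntryCollection entries = log.Entries;
            int n = entries.Count;
            // Defensive assumption: a newest Index below lastIndex means numbering restarted.
            if (n > 0 && entries[n - 1].Index < lastIndex) lastIndex = 0;
            List<EventLogEntry> pending = new List<EventLogEntry>();
            for (int i = n - 1; i >= 0; i--)
            {
                EventLogEntry entry = entries[i];
                if (entry.Index <= lastIndex) break;
                pending.Add(entry);
            }
            pending.Reverse();                    // process oldest first
            foreach (EventLogEntry entry in pending) { Handle(entry); lastIndex = entry.Index; }
        }
    }

    // Placeholder for the service's own processing, for example filtering on logon event IDs.
    private void Handle(EventLogEntry entry)
    {
        Trace.WriteLine(entry.TimeGenerated + " " + entry.InstanceId + " " + entry.Source);
    }
}
```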
 
