Event Log Monitor Not Working Correctly

Guest

I've created a basic Event Log monitoring application which is supposed to write a message to the console whenever the specified Event Log receives a new entry. The problem I'm having is that if the entries are created in rapid succession, the monitoring program is not notified of the event.

Since the ultimate goal of this project is to send a notification message whenever a file is deleted, I setup the test environment accordingly:

- turn on object access auditing for Success in Local Security Policy
- change folder security to audit successful File/Folder Deletes
- created a bunch of files in the audited folder
- started the monitoring application for the "Security" log

If I delete one or two files, the monitoring program picks them up and writes the messages to the console (7 messages per file deleted). However, if I delete 10 or 20 files at a time, the monitor may catch one, a few, or none, but never all of them.

I'm running the test on an XP Pro machine, using v1.1 of the CLR.

If anyone has any idea of where I'm going wrong, please speak up! The following is the code which I'm using:

Imports System
Imports System.Environment
Imports System.Diagnostics
Imports System.Threading

Namespace LogMonitor
Module LogMonitor

Public Sub Main()
Dim args As String()
Dim appName As String
args = Environment.GetCommandLineArgs()
appName = args(0)

If (args.Length <> 2 And args.Length <> 3) Then
Console.WriteLine("Usage: " + appName + " <log> [<machine>]")
Console.WriteLine()
Console.WriteLine("Press Enter to continue...")
Console.ReadLine()
Exit Sub
End If

Dim log As String
Dim machine As String
log = args(1)

If (args.Length = 3) Then
machine = args(2)
Else
machine = "." ' local machine
End If

If (Not EventLog.Exists(log, machine)) Then
Console.WriteLine("The log does not exist!")
Exit Sub
End If

Dim aLog As EventLog
aLog = New EventLog
aLog.Log = log
aLog.MachineName = machine

Console.WriteLine("Started monitoring for deleted files at " + DateString + " " + TimeString)
AddHandler aLog.EntryWritten, AddressOf OnEntryWritten

aLog.EnableRaisingEvents = True

Console.WriteLine("Press 'q' to quit the sample")
While (Console.Read() <> 113)
Thread.Sleep(500)
End While
End Sub

Sub OnEntryWritten(ByVal source As Object, ByVal e As EntryWrittenEventArgs)

Try
Console.WriteLine("Index: " + e.Entry.Index.ToString _
+ " ID: " _
+ e.Entry.EventID.ToString)
Catch ex As Exception
Console.WriteLine(ex.Message)
End Try

Exit Sub

End Sub
End Module
End Namespace
 
Elliot M. Rodriguez

You could use the FileSystemWatcher to do this... you could roll it up as a
service and have it, say, fire an email or an Event Log entry when a file or
folder is deleted.

The MS Press book Coding Techniques for Visual Basic .NET has a start to
finish sample of a service that does exactly this. You can read the whole
chapter at: http://www.microsoft.com/mspress/books/sampchap/4909.asp. You
may want to give that a look.


--
Elliot M. Rodriguez, MCSD

My .Net blog, with tips here and there:
http://derivedclass.europe.webmatrixhosting.net

Newbie said:
I've created a basic Event Log monitoring application which is supposed to
write a message to the console whenever the specified Event Log receives a
new entry. The problem I'm having is that if the entries are created in
rapid succession, the monitoring program is not notified of the event.
Since the ultimate goal of this project is to send a notification message
whenever a file is deleted, I setup the test environment accordingly:
- turn on object access auditing for Success in Local Security Policy
- change folder security to audit successful File/Folder Deletes
- created a bunch of files in the audited folder
- started the monitoring application for the "Security" log

If I delete one or two files, the monitoring program picks them up and
writes the messages to the console (7 messages per file deleted). However,
if I delete 10 or 20 files at a time, the monitor may catch one, a few, or
none, but never all of them.
I'm running the test on an XP Pro machine, using v1.1 of the CLR.

If anyone has any idea of where I'm going wrong, please speak up! The
following is the code which I'm using:
Imports System
Imports System.Environment
Imports System.Diagnostics
Imports System.Threading

Namespace LogMonitor
Module LogMonitor

Public Sub Main()
Dim args As String()
Dim appName As String
args = Environment.GetCommandLineArgs()
appName = args(0)

If (args.Length <> 2 And args.Length <> 3) Then
Console.WriteLine("Usage: " + appName + " <log> [<machine>]")
Console.WriteLine()
Console.WriteLine("Press Enter to continue...")
Console.ReadLine()
Exit Sub
End If

Dim log As String
Dim machine As String
log = args(1)

If (args.Length = 3) Then
machine = args(2)
Else
machine = "." ' local machine
End If

If (Not EventLog.Exists(log, machine)) Then
Console.WriteLine("The log does not exist!")
Exit Sub
End If

Dim aLog As EventLog
aLog = New EventLog
aLog.Log = log
aLog.MachineName = machine

Console.WriteLine("Started monitoring for deleted files at " + DateString + " " + TimeString)
AddHandler aLog.EntryWritten, AddressOf OnEntryWritten


aLog.EnableRaisingEvents = True

Console.WriteLine("Press 'q' to quit the sample")
While (Console.Read() <> 113)
Thread.Sleep(500)
End While
End Sub

Sub OnEntryWritten(ByVal source As Object, ByVal e As EntryWrittenEventArgs)

Try
Console.WriteLine("Index: " + e.Entry.Index.ToString _
+ " ID: " _
+ e.Entry.EventID.ToString)
Catch ex As Exception
Console.WriteLine(ex.Message)
End Try

Exit Sub

End Sub
End Module
End Namespace
 
Guest

I briefly looked at a FileSystemWatcher, but I couldn't figure out how to get the user profile responsible for the file deletion. Since this is an auditing tool, knowing which user deleted the file is essential.
 
Guest

After many hours of searching, I've finally found the problem. As it turns out, this behaviour is due to a long-standing bug in the Event Logging Service. The problem is documented here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;24560
http://support.microsoft.com/default.aspx?scid=kb;en-us;83301

In a nutshell, the Event Logging Service can't reliably issue notifications. Any of the following conditions may (read WILL) cause notification problems:

1) Logging Service gets too busy (i.e. the definition of "busy" depends upon the speed of your machine).
2) Logging Service is redirected to write an entry into a different log while in the process of notifying listeners
3) Log is cleared with active listeners

RANT-ON

This problem has been around since NT was first released (I've found reports on Google going back to 1995), and has still not been fixed. More importantly, even though it makes Event Notification inherently unreliable, and therefore practically useless, it's not mentioned in any of the API documentation. The only way that I was able to discover what was happening was by stumbling across the fact that the System.Diagnostic.Event* objects were wrappers around the Win32 API "NotifyChangeEventLog()", then Googling for that API.

It disturbs me to think of how many magazine articles I've come across which (blindly) recommend the use of this feature for auditing the event logs. I wonder how many security products have been built upon this fragile foundation.

Microsoft, you should be ashamed.
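The three conditions above mean the EntryWritten notification is a hint that something changed, not a guarantee that one callback fires per record. The defensive pattern for an audit monitor is to remember the record number of the last entry processed (the Index the original post already prints) and, on every notification and on a periodic timer, read every record newer than that; a dropped notification then costs latency rather than records. The following Python model of that pattern is an added example, not code from the thread or from the .NET framework: the log records, the event id 564 and the user names are constructed sample data, and the field names only mirror EventLogEntry.Index, EventID and UserName (the last being the field the second post needs). The model also handles two failure modes the thread names: the log being cleared under an active listener (the index sequence restarts) and the log wrapping past the monitor's position before it wakes up (records lost unread, which the monitor counts instead of silently skipping).

```python
"""Index-based catch-up for an event log whose change notifications are unreliable.

Added example modelling the approach; it is not the .NET EventLog API.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample value standing in for an "object deleted" audit record id.
DELETE_EVENT_ID = 564


@dataclass(frozen=True)
class LogRecord:
    index: int     # record number assigned by the log service, increasing until the log is cleared
    event_id: int
    user: str      # the account that performed the audited action


class CatchUpMonitor:
    """Reads by record index instead of trusting one callback per record.

    reconcile() is meant to run on every notification AND on a timer tick, so
    records written while a notification was dropped are picked up on the next
    wake-up of either kind.
    """

    def __init__(self) -> None:
        self.last_index: Optional[int] = None
        self.processed: List[LogRecord] = []
        self.gaps = 0    # records overwritten before the monitor read them
        self.resets = 0  # times the index sequence restarted (log cleared)

    def reconcile(self, log: List[LogRecord]) -> List[LogRecord]:
        """Process every record newer than last_index; return the batch handled."""
        if not log:
            return []
        oldest, newest = log[0].index, log[-1].index
        if self.last_index is not None:
            if newest < self.last_index:
                # Condition 3 on the page: the log was cleared while we listen, so
                # indexes restarted. Everything currently in the log is new to us.
                # (A clear followed by enough writes to pass last_index again is
                # not detectable from indexes alone; a real monitor should also
                # watch for the "log cleared" audit record.)
                self.resets += 1
                self.last_index = None
            elif oldest > self.last_index + 1:
                # The log wrapped and overwrote records we never read. Count the
                # loss explicitly rather than letting it pass unnoticed.
                self.gaps += oldest - self.last_index - 1
        fresh = [r for r in log if self.last_index is None or r.index > self.last_index]
        self.processed.extend(fresh)
        if fresh:
            self.last_index = fresh[-1].index
        return fresh


def simulate_burst(burst: int, deliver_every: int) -> CatchUpMonitor:
    """Write `burst` delete records while the service delivers only every
    `deliver_every`-th notification (the "one, a few, or none" behaviour).
    A final reconcile() stands in for the timer tick a real monitor runs."""
    log: List[LogRecord] = []
    monitor = CatchUpMonitor()
    for i in range(1, burst + 1):
        log.append(LogRecord(index=i, event_id=DELETE_EVENT_ID, user="WORKGROUP\\alice"))
        if i % deliver_every == 0:   # only this notification actually arrives
            monitor.reconcile(log)
    monitor.reconcile(log)           # timer tick: catch whatever was dropped
    return monitor


def demo_cleared() -> CatchUpMonitor:
    """Log cleared under an active listener: indexes start again at 1."""
    monitor = CatchUpMonitor()
    monitor.reconcile([LogRecord(1, DELETE_EVENT_ID, "WORKGROUP\\alice"),
                       LogRecord(2, DELETE_EVENT_ID, "WORKGROUP\\bob")])
    monitor.reconcile([LogRecord(1, DELETE_EVENT_ID, "WORKGROUP\\alice")])
    return monitor


def demo_wrapped() -> CatchUpMonitor:
    """Log reached its size limit and overwrote records 3..5 before we woke up."""
    monitor = CatchUpMonitor()
    monitor.reconcile([LogRecord(1, DELETE_EVENT_ID, "WORKGROUP\\alice"),
                       LogRecord(2, DELETE_EVENT_ID, "WORKGROUP\\alice")])
    monitor.reconcile([LogRecord(6, DELETE_EVENT_ID, "WORKGROUP\\bob"),
                       LogRecord(7, DELETE_EVENT_ID, "WORKGROUP\\bob")])
    return monitor


if __name__ == "__main__":
    m = simulate_burst(20, 7)
    print(f"{len(m.processed)} of 20 records processed despite dropped notifications")
    for r in demo_wrapped().processed:
        print(f"Index: {r.index} ID: {r.event_id} User: {r.user}")
```

In the real .NET monitor the same reconcile step would iterate the EventLog's Entries collection from the saved index forward, and the gap and reset counters would be reported as audit integrity events rather than swallowed.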
 