Event Logging Management Information
Event logging management information is stored in the Services key of the configuration database and can be modified by a system administrator.
The structure of the configuration information is as follows:
HKEY_LOCAL_MACHINE
    SYSTEM
        CurrentControlSet
            Services
                EventLog
                    Application
                    Security
                    System
The EventLog key contains several subkeys, called logfiles. The default logfiles are Application, Security, and System. Each logfile subkey can contain subkeys, called sources. You cannot use a source name that has been used as a logfile name, and source names should not be hierarchical. (The backslash character [\] cannot be used in a registry key.) Each source entry contains information specific to the source of the event, as shown in the following table.
| Value | Description |
|---|---|
| EventMessageFile | Specifies the path for the event identifier message file. This value has the type REG_EXPAND_SZ. |
| CategoryMessageFile | Specifies the path for the category message file. The event category and event identifier message strings can be in the same file. This value has the type REG_EXPAND_SZ. |
| ParameterMessageFile | Specifies the path for the event source's parameter message file. This file contains language-independent strings that are to be inserted into the event description strings. You can use the same message file for parameter, category, and event identifier message strings. This value has the type REG_EXPAND_SZ. |
| CategoryCount | Specifies the number of categories supported. This value has the type REG_DWORD. |
| TypesSupported | Specifies a bitmask of supported types. This value has the type REG_DWORD. |
When an application uses the RegisterEventSource or OpenEventLog function to get a handle to an event log, the event logging service searches for the specified source name in the registry. For example, the Application logfile might have configured sources of Microsoft® SQL Server™ and Microsoft® Excel. If an application uses RegisterEventSource or OpenEventLog with a source name of Application, SQL, or Excel, the event logging service returns a handle to the Application logfile.
An application can use the Application event log without adding a new source key to the registry. If the application calls RegisterEventSource, passing a source name that cannot be found in the registry, the event logging service uses the Application logfile by default. However, because there is no message or category string file, the event viewer will not be able to map the event identifier or category to a replacement string. For this reason, the recommended procedure is to add a unique source name for the application to the registry. This allows you to specify message files for the event identifier and category in your events. Applications and services should add their source names to the Application logfile. Device drivers should add their source names to the System logfile.
An event viewer application uses the OpenEventLog function to open the event log for an event source. The event viewer can then use the ReadEventLog function to read event records from the log. ReadEventLog returns a buffer containing an EVENTLOGRECORD structure and additional information that describes a logged event. The EventID member of the EVENTLOGRECORD is the identifier of a description string in the source's event message file. The event viewer uses the LoadLibrary function to load the file indicated by the source's EventMessageFile registry value. The viewer then uses the FormatMessage function to retrieve the description string from the loaded module.
The description string may contain insertion string placeholders, such as %n, where %1 indicates the first insertion string, and so on. In this case, the buffer returned by ReadEventLog contains the insertion strings. The NumStrings member of the EVENTLOGRECORD indicates the number of insertion strings. The StringOffset member of the EVENTLOGRECORD indicates the location of the first insertion string in the buffer.
An insertion string may also contain placeholders of the form %%n, where n is the identifier of a string in the source's parameter message file. In this case, the event viewer uses LoadLibrary and FormatMessage to retrieve the insertion string from the file indicated by the source's ParameterMessageFile registry value.
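The lookup described above, as an added example that is not part of the original documentation: Python code that extracts the insertion strings from a raw record using NumStrings and StringOffset, resolves %%n inside them, and then fills the %n placeholders of a description string. It assumes Unicode (UTF-16LE) strings; the function names, the dictionary standing in for the parameter message file, the description template and the sample record are all constructed for illustration.

```python
import re
import struct

# Fixed part of EVENTLOGRECORD: 6 DWORDs, 4 WORDs, 6 DWORDs (56 bytes, little-endian).
HEADER = struct.Struct("<6I4H6I")

def insertion_strings(record):
    """Return the NumStrings strings that start at StringOffset, with bounds checks."""
    if len(record) < HEADER.size:
        raise ValueError("record shorter than the fixed header")
    fields = HEADER.unpack_from(record)
    length, num_strings, string_offset = fields[0], fields[7], fields[11]
    if length > len(record) or not HEADER.size <= string_offset <= length:
        raise ValueError("Length or StringOffset points outside the buffer")
    rec, out, pos = record[:length], [], string_offset
    for _ in range(num_strings):
        end = pos
        while rec[end:end + 2] != b"\x00\x00":      # look for the 16-bit terminator
            if end + 2 > length:
                raise ValueError("unterminated insertion string")
            end += 2
        out.append(rec[pos:end].decode("utf-16-le"))
        pos = end + 2
    return out

def render(template, strings, params):
    """Resolve %%n in each insertion string, then %n in the description string."""
    def param(m):                                   # params stands in for ParameterMessageFile
        return params.get(int(m.group(1)), m.group(0))
    resolved = [re.sub(r"%%(\d+)", param, s) for s in strings]
    def insertion(m):
        n = int(m.group(1))                         # unknown %n is left visible, not dropped
        return resolved[n - 1] if 1 <= n <= len(resolved) else m.group(0)
    # One pass only: text that arrived in an insertion string is never re-expanded.
    return re.sub(r"(?<!%)%(\d+)", insertion, template)

def sample_record():
    """Constructed record: header and two insertion strings (other fields omitted)."""
    strings = "alice\0%%7\0".encode("utf-16-le")
    return HEADER.pack(HEADER.size + len(strings), 0, 1, 0, 0, 1000,
                       4, 2, 0, 0, 0, HEADER.size, 0, 0, 0, 0) + strings

if __name__ == "__main__":
    found = insertion_strings(sample_record())
    print(render("User %1 performed %2.", found, {7: "logon"}))
```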
For more information about using the registry, see Registry. For more information about creating and using message files, see your message compiler documentation.