Monitoring Windows Event Logs with Managed C++

Source: Internet
Author: User

With the growing number of viruses, rogue software, adware and the like, many people have started using registry monitors, which typically pop up a warning window when a program tries to modify the registry. One place where security issues are often overlooked, however, is the Windows event log, and especially the Security log, which records operations of the Windows operating system and critical system applications: failed logon attempts, port scans, and other security-related events.

This article shows how to monitor the Windows event log from your own application; the program can of course be extended, for example to send an e-mail notification to the user when an entry of a particular type is written to the log.

Monitoring with the .NET EventLog class

The code in this article uses .NET 1.0/1.1 managed C++ syntax. If you are using a later version of .NET, either set the /clr:oldSyntax compiler option in the project properties dialog box or adjust the code below to conform to the newer managed syntax.

The key .NET type for working with the Windows event log is the System::Diagnostics::EventLog class.

1. Define a managed class that implements an event log notification handler

The handler method (OnNewLogEntry) is invoked whenever a new event log entry is written; note that its signature must match the EntryWrittenEventHandler delegate. Sample code:

#using <mscorlib.dll>
#using <System.dll>
using namespace System;
using namespace System::Diagnostics;

// Sample code for monitoring new event log entries
__gc class NewLogEntryEventHandler
{
 public:
  NewLogEntryEventHandler() {}
 public:
  void OnNewLogEntry(Object* sender, EntryWrittenEventArgs* e)
  {
   // Retrieve and process the entry that was just written
   EventLogEntry* entry = e->Entry;
  }
};

2. Instantiate an EventLog object and set its EnableRaisingEvents property to true

The EventLog::EnableRaisingEvents property is a Boolean that controls whether an event is raised when an entry is added to the log specified by the EventLog object:

EventLog* log = new EventLog("Application");
log->EnableRaisingEvents = true;

3. Connect the event handler to the "new event log entry" event

First instantiate the object that defines the event handler (here, NewLogEntryEventHandler), then add its handler method (OnNewLogEntry) to the EventLog::EntryWritten event's list of handlers:

NewLogEntryEventHandler* handler = new NewLogEntryEventHandler();
log->EntryWritten += new EntryWrittenEventHandler(handler, &NewLogEntryEventHandler::OnNewLogEntry);

4. Write code to handle specific events

Looking back at the OnNewLogEntry method, the EntryWrittenEventArgs object passed to the handler has a member, Entry, of type EventLogEntry, which holds the details of the written record. Its properties include:

· MachineName -- the name of the computer on which the event was logged.

· Source -- the event source (the application or component) that generated the event.

· Message -- the human-readable text shown in Event Viewer, which describes the logged event.

· EntryType -- an EventLogEntryType enumeration value giving the type of the logged event: Information (the default), Warning, Error, SuccessAudit or FailureAudit.

· EventID -- the application-specific number identifying the event.

· Data -- binary data associated with the event, typically used for things such as a memory dump.
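As an added example (not code from the original article), here is one way to fill in step 4 for the defensive case the introduction mentions: watch the Security log, ignore everything but audit-failure entries, and raise an alert once a burst of them has been seen. It uses the same .NET 1.x managed C++ syntax as the article; the threshold value and the Notify routine are assumptions chosen for illustration, and opening the Security log requires an account with administrative rights.

```cpp
#using <mscorlib.dll>
#using <System.dll>
using namespace System;
using namespace System::Diagnostics;

// Handler that reacts only to audit-failure entries and alerts once a burst
// of them has been seen (the threshold is an illustrative assumption).
__gc class SecurityAuditHandler
{
 public:
  SecurityAuditHandler(int limit) : threshold(limit), failureCount(0) {}
  void OnNewLogEntry(Object* sender, EntryWrittenEventArgs* e)
  {
   EventLogEntry* entry = e->Entry;
   // Ignore everything except FailureAudit entries (failed logons, etc.)
   if (entry->EntryType != EventLogEntryType::FailureAudit)
    return;
   failureCount++;
   Console::WriteLine(S"Audit failure: event {0} from {1} at {2}",
    __box(entry->EventID), entry->Source, entry->TimeGenerated.ToString());
   if (failureCount == threshold)
    Notify(entry);
  }

  // Placeholder for the notification action (e-mail, pager, ticket, ...).
  void Notify(EventLogEntry* entry)
  {
   Console::WriteLine(S"ALERT: {0} audit failures seen; last message: {1}",
    __box(failureCount), entry->Message);
  }

 private:
  int threshold;
  int failureCount;
};

int main()
{
 // Opening the Security log requires administrative privileges.
 EventLog* log = new EventLog(S"Security");
 SecurityAuditHandler* handler = new SecurityAuditHandler(5);
 log->EntryWritten += new EntryWrittenEventHandler(handler, &SecurityAuditHandler::OnNewLogEntry);
 // On a busy log, notifications can lag and then arrive in a batch, as the article notes.
 log->EnableRaisingEvents = true;
 Console::WriteLine(S"Monitoring the Security log; press Enter to stop.");
 Console::ReadLine();
 log->EnableRaisingEvents = false;
 return 0;
}
```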

Limitations

As shown above, .NET makes it easy to access the event log; however, handling the event log this way has some restrictions:

· Events can only be monitored on the local system.

· The .NET documentation does not guarantee that, if a large number of events are recorded in a short period, an event will be raised for each one.

· If you monitor an event log that is updated very frequently, events may not be raised immediately: there is likely to be a lag between entries, after which a large batch of event notifications arrives in the message queue at once.
