Read EventLog - position to newest record / end of EventLog ???


Post by Chuck Chop » Thu, 20 Apr 2006 23:38:34


There's an API function to get the oldest event record in an open EventLog.
However, I don't see anything that allows me to immediately jump to the
end of the EventLog so that I can wait for notifications of new events.

Is it more appropriate to position to the oldest event and then read
forwards until the end of the log is reached, followed by waiting on an
event notification that signals the arrival of a new event in the EventLog?
Or, is it better to explicitly read the oldest event and then read
backwards sequentially by 1 record?

The reason that I ask.... I'm not interested in existing events in the
EventLog [only new ones that arrive after I'm running], I don't want to
programmatically clear the EventLog as the administrator might need the
contents, and the EventLog might be configured to overwrite itself as a
ring-buffer so the lowest # event record might not actually be the oldest
event in the EventLog. I simply need to spin past all events to the current
end of the EventLog and then wait for new events. If the EventLog is large,
I'd rather position directly to the end rather than incurring the overhead
of reading every single record.


TIA,

Chuck
--
Chuck Chopp

ChuckChopp (at) rtfmcsi (dot) com http://www.yqcomputer.com/

RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651

"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.yqcomputer.com/

Do not send me unsolicited commercial email.
 
 
 


Post by Jeff Henke » Fri, 21 Apr 2006 04:01:12

In the past I've dealt with this by periodically polling the eventlog,
calling GetNumberOfEventLogRecords and GetOldestEventLogRecord each time.
Using those two values you can figure out the number of the last event log
record. If that value changes from one interval to the next you know events
have arrived.

 
 
 


Post by David Jone » Fri, 21 Apr 2006 09:07:00

Why not use NotifyChangeEventLog? Polling like that seems terribly
inefficient.

However, you're right in that using the record count + oldest record
should give the first new record since you can't delete individual
entries from the log.

David
 
 
 


Post by Chuck Chop » Fri, 21 Apr 2006 10:13:05


OK, I got it figured out...

I was already using NotifyChangeEventLog() to get notification of new events
going into the eventlog after I'd already read to the end of the eventlog.

If ReadEventLog() returns FALSE, a call to GetLastError() is now being done
to reveal the exact reason for the failure.

If I get the oldest eventlog record # and seek to it, then read backwards
sequentially 1 record, get the record #, add 1 to the record # and then seek
directly to that record #, I walk off the end of the eventlog and
GetLastError() returns 38 - ERROR_HANDLE_EOF. In that situation, I know
I've reached the end of the file and then I sleep until eventlog change
notification wakes me up again to read records. When I get to the end of
the file again, I just repeat the sleep until notification is received and
things are well. No matter how large the eventlog is, when I do those
steps, I get to the end of the eventlog ASAP w/o having to sequentially
read & process every single event in the eventlog file.


--
Chuck Chopp

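An added example, not code from any poster in this thread: a C sketch of the approach discussed above, combining the oldest-record plus record-count arithmetic from the polling reply with a seek, sequential reads until ERROR_HANDLE_EOF, and NotifyChangeEventLog. The helper names `newest_record` and `drain`, the "Application" log name, and the choice to seek to the newest existing record (and skip it) rather than one past it are assumptions of this example; the Win32 part builds only on Windows.

```c
#include <stdint.h>
#include <stdio.h>
/* Newest record number = oldest + count - 1 (the arithmetic from the polling
   reply). Returns 0 for an empty log; unsigned math wraps like a DWORD. */
int newest_record(uint32_t oldest, uint32_t count, uint32_t *newest)
{
    if (count) *newest = oldest + count - 1;
    return count != 0;
}

#ifdef _WIN32
#include <windows.h>
static BYTE buf[0x10000];
/* Read forward until ReadEventLog fails, printing every record except `skip`. */
static DWORD drain(HANDLE log, DWORD flags, DWORD offset, int have_skip, DWORD skip)
{
    DWORD got, need;
    while (ReadEventLogW(log, flags | EVENTLOG_FORWARDS_READ, offset,
                         buf, sizeof buf, &got, &need)) {
        for (BYTE *p = buf; p < buf + got; ) {
            EVENTLOGRECORD *r = (EVENTLOGRECORD *)p;
            if (r->Length == 0) break;              /* malformed record guard */
            if (!have_skip || r->RecordNumber != skip)
                printf("record %lu, event id %lu\n", r->RecordNumber, r->EventID & 0xFFFF);
            p += r->Length;
        }
        flags = EVENTLOG_SEQUENTIAL_READ; offset = 0;   /* after the seek, read in order */
    }
    return GetLastError();                  /* ERROR_HANDLE_EOF (38) at end of log */
}
int main(void)
{
    HANDLE log = OpenEventLogW(NULL, L"Application");  /* local log; name is an assumption */
    HANDLE ev = CreateEventW(NULL, FALSE, FALSE, NULL);
    DWORD oldest = 0, count = 0, err;
    uint32_t newest = 0;
    if (!log || !ev || !GetOldestEventLogRecord(log, &oldest) ||
        !GetNumberOfEventLogRecords(log, &count) || !NotifyChangeEventLog(log, ev))
        return 1;
    int have = newest_record(oldest, count, &newest);
    err = drain(log, have ? EVENTLOG_SEEK_READ : EVENTLOG_SEQUENTIAL_READ, newest, have, newest);
    while (err == ERROR_HANDLE_EOF) {       /* sleep until the log changes */
        WaitForSingleObject(ev, INFINITE);
        err = drain(log, EVENTLOG_SEQUENTIAL_READ, 0, 0, 0);
    }
    fprintf(stderr, "ReadEventLog failed: %lu\n", err);
    return 1;
}
#endif
```

NotifyChangeEventLog is documented as not working with handles to remote logs, so for a remote machine the periodic `newest_record` comparison is the fallback.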
 
 
 


Post by Jeff Henke » Fri, 21 Apr 2006 21:00:37

IIRC, there are some issues with NotifyChangeEventLog when the event log is
on a remote machine, and when I was working with these APIs 18 months ago, I
was dealing mostly with remote machines.