
Is there a way to load custom event viewer sources on a pc/server?


I want to view all the custom event viewer sources on a server. Is there a way I could find these out by running a script instead of going through all the event logs?

It's safe to assume that all the custom sources will be all under Applications.

Ideally the script could be a cmd prompt or C#. If it can't be, I am happy to take a solution in another language as long as it doesn't require me to install anything new to run it on Server 2008 R2.

Thanks


Solution

  • This C# program writes to console all distinct sources in Application event log:

    using System;
    using System.Linq;
    using System.Diagnostics;
    
    public static class Program
    {
        static void Main(string[] args)
        {
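            // Reads every entry in the log, so only sources that have
            // written at least one entry still present in the log are listed.
            new EventLog("Application")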
                .Entries
                .Cast<EventLogEntry>()
                .Select(entry => entry.Source)
                .Distinct()
                .ToList()
                .ForEach(source => Console.WriteLine(source));
        }
    }
    

    EDIT:

    You can find all sources registered in the Application event log in the registry under the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application" (using e.g. regedit). To display them in the console, use this program:

    using System;
    using System.Linq;
    using Microsoft.Win32;
    
    public static class Program
    {
        static void Main(string[] args)
        {
            // Each subkey of this key is one source registered for the Application log.
            Registry
                .LocalMachine
                .OpenSubKey(@"SYSTEM\CurrentControlSet\Services\EventLog\Application")
                .GetSubKeyNames()
                .ToList()
                .ForEach(source => Console.WriteLine(source));
        }
    }
    

    Unfortunately, I don't know how to distinguish between preinstalled and custom sources (this information doesn't seem to be present in the registry and I doubt that such information is available).


    EDIT2: I took a fresh installation of Windows Server 2008 R2, made a list of preinstalled sources and edited the program not to show sources that are on that list. So only custom sources should now be displayed:

    using System;
    using System.Linq;
    using Microsoft.Win32;
    
    public static class Program
    {
        static string[] PreinstalledSources = new[] { ".NET Runtime", ".NET Runtime Optimization Service", "Application", "Application Error", "Application Hang", "Application Management", "Application-Addon-Event-Provider", "ASP.NET 2.0.50727.0", "ASP.NET 4.0.30319.0", "AutoEnrollment", "CardSpace 3.0.0.0", "CardSpace 4.0.0.0", "CEPSvc", "CertCli", "CertEnroll", "CESSvc", "Chkdsk", "Citrix Xen Guest Agent", "COM", "COM+", "Customer Experience Improvement Program", "Desktop Window Manager", "DiskQuota", "Ec2Config", "ESENT", "EventSystem", "Folder Redirection", "Group Policy", "Group Policy Applications", "Group Policy Client", "Group Policy Data Sources", "Group Policy Device Settings", "Group Policy Drive Maps", "Group Policy Environment", "Group Policy Files", "Group Policy Folder Options", "Group Policy Folders", "Group Policy Ini Files", "Group Policy Internet Settings", "Group Policy Local Users and Groups", "Group Policy Mail Profiles", "Group Policy Network Options", "Group Policy Network Shares", "Group Policy Power Options", "Group Policy Printers", "Group Policy Regional Options", "Group Policy Registry", "Group Policy Scheduled Tasks", "Group Policy Services", "Group Policy Shortcuts", "Group Policy Standard Edition", "Group Policy Start Menu Settings", "Interactive Services detection", "ipmiprv", "LoadPerf", "Microsoft-Windows-Application-Experience", "Microsoft-Windows-ApplicationExperienceInfrastructure", "Microsoft-Windows-Audio", "Microsoft-Windows-CAPI2", "Microsoft-Windows-CertificateServicesClient", "Microsoft-Windows-CertificateServicesClient-AutoEnrollment", "Microsoft-Windows-CertificateServicesClient-CertEnroll", "Microsoft-Windows-CertificateServicesClient-CredentialRoaming", "Microsoft-Windows-CertificationAuthorityClient-CertCli", "Microsoft-Windows-Crypto-RNG", "Microsoft-Windows-Defrag", "Microsoft-Windows-DirectShow-Core", "Microsoft-Windows-DirectShow-KernelSupport", "Microsoft-Windows-EapHost", "Microsoft-Windows-EFS", 
"Microsoft-Windows-EventCollector", "Microsoft-Windows-Folder Redirection", "Microsoft-Windows-LoadPerf", "Microsoft-Windows-PerfCtrs", "Microsoft-Windows-PerfNet", "Microsoft-Windows-PerfOS", "Microsoft-Windows-PerfProc", "Microsoft-Windows-propsys", "Microsoft-Windows-RemoteApp and Desktop Connections", "Microsoft-Windows-RestartManager", "Microsoft-Windows-RPC-Events", "Microsoft-Windows-SoftwareRestrictionPolicies", "Microsoft-Windows-Spell-Checking", "Microsoft-Windows-SpellChecker", "Microsoft-Windows-TerminalServices-ClientActiveXCore", "Microsoft-Windows-User Profiles General", "Microsoft-Windows-User Profiles Service", "Microsoft-Windows-Video-For-Windows", "Microsoft-Windows-Winsrv", "Microsoft-Windows-WMI", "Microsoft-Windows-XWizards", "Microsoft.Transactions.Bridge 3.0.0.0", "Microsoft.Transactions.Bridge 4.0.0.0", "MSDTC", "MSDTC 2", "MSDTC Client", "MSDTC Client 2", "MsiInstaller", "PDH", "PerfCtrs", "PerfDisk", "Perflib", "PerfNet", "PerfOs", "PerfProc", "Process Exit Monitor", "Profsvc", "RasClient", "SceCli", "SceSrv", "SCW", "SCW Analysis", "ServiceModel Audit 3.0.0.0", "ServiceModel Audit 4.0.0.0", "SideBySide", "Software Installation", "Software Protection Platform Service", "Standard TCP/IP Port", "System.IdentityModel 3.0.0.0", "System.IdentityModel 4.0.0.0", "System.IO.Log 3.0.0.0", "System.IO.Log 4.0.0.0", "System.Runtime.Serialization 3.0.0.0", "System.Runtime.Serialization 4.0.0.0", "System.ServiceModel 3.0.0.0", "System.ServiceModel 4.0.0.0", "usbperf", "Userenv", "VBRuntime", "VSS", "VSSetup", "WerSvc", "Windows Error Reporting", "Wininit", "Winlogon", "WinMgmt", "Wlclntfy", "WMI.NET Provider Extension", "Wow64 Emulation Layer", "WSH", "xensvc" };
    
        static void Main(string[] args)
        {
            Registry
                .LocalMachine
                .OpenSubKey(@"SYSTEM\CurrentControlSet\Services\EventLog\Application")
                .GetSubKeyNames()
                // Registry key names are case-insensitive, so compare ordinally, ignoring case.
                .Except(PreinstalledSources, StringComparer.OrdinalIgnoreCase)
                .ToList()
                .ForEach(source => Console.WriteLine(source));
        }
    }
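
An added example, not part of the original answer: when no clean baseline machine is available, the `EventMessageFile` value under each source's subkey gives a hint about who registered it, because sources created through .NET's `EventLog.CreateEventSource` point at the framework's generic `EventLogMessages.dll`. The class name `SourceAudit` and the three labels are assumptions of this sketch, and the classification is a heuristic for review, not an authoritative answer.

```csharp
using System;
using Microsoft.Win32;

public static class SourceAudit
{
    const string LogKey = @"SYSTEM\CurrentControlSet\Services\EventLog\Application";

    // Heuristic labels invented for this example (not a Windows API).
    static string Classify(string messageFile)
    {
        if (string.IsNullOrEmpty(messageFile))
            return "NO-MESSAGE-FILE";
        // EventMessageFile may hold several paths separated by ';'.
        foreach (string path in messageFile.Split(';'))
        {
            if (path.Trim().EndsWith("EventLogMessages.dll",
                                     StringComparison.OrdinalIgnoreCase))
                return "DOTNET-GENERIC";   // typical of CreateEventSource
        }
        return "OWN-RESOURCE-DLL";         // component ships its own message DLL
    }

    static void Main()
    {
        using (RegistryKey log = Registry.LocalMachine.OpenSubKey(LogKey))
        {
            if (log == null)
            {
                Console.Error.WriteLine("Cannot open HKLM\\" + LogKey);
                return;
            }
            foreach (string source in log.GetSubKeyNames())
            {
                using (RegistryKey key = log.OpenSubKey(source))
                {
                    // GetValue expands REG_EXPAND_SZ (e.g. %SystemRoot%) by default.
                    string file = key == null
                        ? null
                        : key.GetValue("EventMessageFile") as string;
                    Console.WriteLine("{0}\t{1}\t{2}",
                                      Classify(file), source, file ?? "");
                }
            }
        }
    }
}
```

The code avoids newer C# syntax so it compiles with the `csc.exe` that ships with the .NET Framework on Server 2008 R2; the tab-separated output can be sorted or diffed against a known-good machine.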