
Windows Event IDs


Is there a specific range of Event IDs in Windows reserved for application developers?

I'm working on a .NET application that will write errors to the Windows event log. This application actually targets servers, and will be run as a scheduled task by paranoid sys admins who will want to lock it down as much as possible (including running it with a reduced privilege maintenance account). The app will not be formally installed — in fact, I'm not even building an installer for this; just a zip file with the .exe and app.config file.

Here's the trick: in Windows, you need administrator privileges to create a source in the Application event log. Since I can't count on this and I don't want to make overworked sys admins need to create one, I'm using "Application Error" (used by MS Office) as a fallback. (Picking a better fallback is on my to-do list, since Office isn't as often installed on servers).

The problem is that I still want my events to stand out a bit, rather than just masquerading as Office. This way, my sys admins can easily filter down to just those events in Event Viewer or the log aggregator of their choice. The best solution I'm aware of right now is using the Event ID, but I'm worried about conflicting with internal Windows Events, especially considering my target audience.

I've looked, but I can't find any documentation on this. So, is there a specific range of Event IDs I should use, will I be okay using whatever, or should I look at a completely different option here?


Solution

  • Not really. At the top level you have an Event Source. Each Event Source has its own Event Categories. Each Event Message is "owned" by an Event Source and falls into one of its Event Categories. If you're going to be logging your events under someone else's Event Source, you're breaking this convention and could quite possibly have Event ID collisions.

    On the other hand, Event IDs are structurally similar to HRESULTs and there is a Customer bit you could set. There is also a Facility Code field, but Microsoft only provides one facility for 3rd parties (the rest are reserved). Even if you mess with these bits, you are still at the mercy of the owner of the Event Source; if Microsoft were ever to write something to the Event Source you are using and set the Customer bit or Facility Code (e.g. perhaps non-Windows components such as Office or something), you would be right back in the same danger of collisions. Or if some other developer decides to do the same thing you are doing. Really the safest way is to define your own Event Source.
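The bit fields the answer refers to, as an added example that is not part of the original answer. It assumes the Sev/C/R/Facility/Code layout used for message-file event identifiers in the Windows SDK; the type name `EventIdentifier`, its members, and the sample values are hypothetical.

```csharp
using System;

// Added illustration: field layout of a 32-bit event identifier
// (Sev | C | R | Facility | Code). All names here are hypothetical.
public readonly struct EventIdentifier
{
    public uint Raw { get; }
    public EventIdentifier(uint raw) => Raw = raw;

    public uint Severity => Raw >> 30;                 // bits 31-30
    public bool Customer => (Raw & 0x20000000u) != 0;  // bit 29 (bit 28 is reserved)
    public uint Facility => (Raw >> 16) & 0x0FFFu;     // bits 27-16
    public ushort Code => (ushort)(Raw & 0xFFFFu);     // bits 15-0

    public static EventIdentifier Compose(uint severity, bool customer, uint facility, ushort code)
    {
        // Reject values that would spill into a neighbouring field.
        if (severity > 3) throw new ArgumentOutOfRangeException(nameof(severity));
        if (facility > 0x0FFF) throw new ArgumentOutOfRangeException(nameof(facility));

        uint raw = (severity << 30)
                 | (customer ? 0x20000000u : 0u)
                 | (facility << 16)
                 | code;
        return new EventIdentifier(raw);
    }

    public override string ToString() =>
        $"0x{Raw:X8} sev={Severity} customer={Customer} facility=0x{Facility:X3} code={Code}";
}

public static class Program
{
    public static void Main()
    {
        // Constructed values: the same 16-bit code, once as the source's owner might
        // define it and once with the Customer bit and a made-up facility set.
        var owner = EventIdentifier.Compose(severity: 3, customer: false, facility: 0, code: 1000);
        var guest = EventIdentifier.Compose(severity: 3, customer: true, facility: 0x0FF, code: 1000);

        Console.WriteLine(owner);
        Console.WriteLine(guest);

        // The full identifiers differ, but both carry the same low 16 bits, so
        // anything that matches on the code alone cannot tell them apart.
        Console.WriteLine(owner.Raw != guest.Raw && owner.Code == guest.Code);
    }
}
```

Setting the high bits changes the full 32-bit value but not the 16-bit code, which is why the answer still recommends a dedicated Event Source over borrowing someone else's.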