In some cases, when retrieving event logs from System.Diagnostics.EventLog, a message like this
The description for Event ID '10016' in Source 'DCOM' cannot be found...
is returned. I found out that this response is also returned by the Get-EventLog command in PowerShell.
The actual message should look like this:
The application-specific permission settings do not grant Local Activation permission...
and is returned by the Get-WinEvent command.
Is there any way to retrieve the second message in a .NET Framework project (without calling an independent PowerShell script)?
UPDATE
I implemented the suggested solution, but now I stumbled on a different problem - how can I retrieve Audit Success and Audit Failure information? The EventLogEntry had an enum that contained them, but EventRecord doesn't.
Update 2
I found a way to deal with Audits. EventRecord has a Keywords property; I compared it to the StandardEventKeywords enum.
As mentioned in the comments, Get-WinEvent uses the EventLogReader class to enumerate the events queried, and then calls EventRecord.FormatDescription() on each resulting record to render the localized message.
Here's a sample console application to fetch and print the rendered message of each of the first 10 Warning (Level=3) events in the Application log:
    using System;
    using System.Diagnostics.Eventing.Reader;

    class Program
    {
        static void Main(string[] args)
        {
            // construct an EventLogQuery object from a log path + xpath query
            var xpath = "*[System[Level=3]]";
            var query = new EventLogQuery("Application", PathType.LogName, xpath);

            // instantiate an EventLogReader over the query (disposed when done)
            using (var reader = new EventLogReader(query))
            {
                // read the events one by one, stopping after the first 10
                var counter = 0;
                EventRecord record;
                while (counter < 10 && (record = reader.ReadEvent()) != null)
                {
                    // each EventRecord holds a native handle, so dispose it after use
                    using (record)
                    {
                        // call FormatDescription() to render the message in accordance with your computer's locale settings
                        var renderedMessage = record.FormatDescription();
                        Console.WriteLine(renderedMessage);
                    }
                    counter++;
                }
            }
        }
    }
Beware that it's entirely possible for FormatDescription() to return an empty string - this will occur when the event logging provider didn't provide a message template for the given event id.
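The following is an added example, not code from the question or the answer. It combines the Keywords comparison described in Update 2 with the empty-description caveat above, classifying recent Security log events as Audit Success or Audit Failure and falling back to the raw event properties when no message can be rendered. The class and helper names, the choice of the Security log and the limit of 20 events are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

static class AuditEventDump
{
    // Maps the Keywords bitmask to the audit outcome that EventLogEntry.EntryType exposed.
    static string AuditOutcome(long? keywords)
    {
        var k = (StandardEventKeywords)(keywords ?? 0L);
        if ((k & StandardEventKeywords.AuditFailure) != 0) return "Audit Failure";
        if ((k & StandardEventKeywords.AuditSuccess) != 0) return "Audit Success";
        return "Not an audit event";
    }

    // Renders the message; falls back to the raw property values when no text is available.
    static string Describe(EventRecord record)
    {
        string message = null;
        try { message = record.FormatDescription(); }
        catch (EventLogException) { /* provider metadata missing or unreadable */ }
        if (!string.IsNullOrEmpty(message)) return message;

        var values = new List<string>();
        foreach (var p in record.Properties) values.Add(Convert.ToString(p.Value));
        return "(no message template) " + string.Join(" | ", values);
    }

    static void Main()
    {
        // Assumption: the process is elevated; otherwise reading the Security log
        // throws UnauthorizedAccessException.
        var query = new EventLogQuery("Security", PathType.LogName, "*") { ReverseDirection = true };
        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            for (var i = 0; i < 20 && (record = reader.ReadEvent()) != null; i++)
            {
                using (record) // each record holds a native handle
                {
                    Console.WriteLine("{0:o} {1} {2} [{3}]", record.TimeCreated, record.Id,
                        record.ProviderName, AuditOutcome(record.Keywords));
                    Console.WriteLine("  " + Describe(record));
                }
            }
        }
    }
}
```

Keeping the fallback matters when collecting logs for triage: an event with no rendered message still carries its property values, and dropping it silently would hide audit failures from providers whose message resources are not installed on the collecting machine.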