Making a permanent record of system status
information is important, especially when an error occurs. Windows uses
the term event
to indicate a change. Events aren't necessarily errors. In fact, some
events are informational, while others are simply warnings. Windows also
provides a number of other events, such as security events where it
performs an audit of the security on a system. Generally, though, you'll
only consider three kinds of events: informational, warning, and
error. The following sections describe the utilities for working with
system events.
Windows records all
events in the event log. You can use the Event Viewer console in the
Administrative Tools folder of the Control Panel to view the events. The
standard logs for events are Application, Security, and System.
Unfortunately, many users don't know the event logs exist and
administrators don't find time to use them. In many cases, someone will
call me in to look at their system and I find the answers I need to fix
the error right in the event log that they failed to review. In fact,
I'm amazed at how often the event log entry tells me what action to take
or at least provides enough specifics that I can research the repair in
the Microsoft Knowledge Base.
Educating yourself about
the event log and understanding how to use it effectively are
important. You can learn more about the event log in general on the
Microsoft Web site at http://technet2.microsoft.com/windowsserver/en/library/9930c8f1-54ed-4d07-afa6-bc3c597bbe9c1033.mspx.
However, effective event
log usage goes even further. As you begin writing your own applications
(even batch file applications), consider adding event log entries to
one of the standard logs or use a special log for the purpose. The Code
Project article (http://www.codeproject.com/dotnet/evtvwr.asp) shows how to add new event logs using registry
entries. You'll also want to review the MSDN "EventLog Key" article at http://msdn2.microsoft.com/en-us/library/aa363648.aspx.
18.1.1. Managing System Events with the EventCreate Utility
The EventCreate utility
adds a new event log entry. You can send an event log entry to any
current log, including any custom log that you create. In fact, this
utility can create event log entries with the same complexity and level
of information that any application can create. This utility uses the
following syntax:
EVENTCREATE [/S system [/U username [/P [password]]]] /ID eventid [/L logname] [/SO srcname] /T {ERROR | WARNING | INFORMATION} /D description
Notice that you must
provide the /ID, /T, and /D
command line switches. The following list describes each of the command
line arguments.
/S system
Specifies a remote
system. You can use any connected system to store the event log entries.
Some administrators send event log entries to a central location to
ensure someone sees them. The remote system must allow the required
access.
/U [domain\] user
Defines the
user context for executing the command. The user context is important
because not every user has access to the event log. In addition, the
user context appears as part of the event log entry.
/P [password]
Provides a
password for the user context. The utility prompts you for the password
(when necessary) if you don't include it on the command line. In most
cases, supplying the password when prompted is safer from a security
perspective than including this information on the command line or as
part of a batch file entry.
/L logname
Determines the name
of the log to use for the event entry. The three standard logs found on
every Windows machine are Application, Security, and System. Many
machines include additional event logs installed by applications that
the system uses.
/T {ERROR | WARNING | INFORMATION}
Specifies the kind
of event to create. Even though the Windows event log accepts other
event types, the only three types this utility accepts are error,
warning, and information. These three types reflect three levels of severity, with
information being the least severe and error being the most severe.
/SO source
Defines the source
of the event. You can use any string as the source. However, providing a
meaningful application identifier is usually the best idea. Given that
you'll use this feature from the command line, you might simply want to
use "Command Line" as your source. When working with a batch file, use
the batch filename as the source. Scripts and other forms of automation
should use the script or application name.
/ID id
Specifies the
event identifier for the event. The identifier is a number between 1 and
1,000. Whenever practical, provide specific numbers for specific
events. For example, you might assign a value of 500 to all file errors.
The event identifier lets you sort the events in a manner other than
type or source, so you should also keep this in mind when you create the
event identifier list for your application.
/D description
Provides an
event description. The description should tell the viewer what happened
to cause the event, what effects the event had, and any other pertinent
information the viewer might need to resolve problems the event
caused. Even informational events should include significant event
information. For example, you might record that your application
started, found no work to do, and terminated. Even though the
application didn't experience an error, the information is still
important to someone who expected your application to complete useful
work.
NOTE
The event log
accepts several additional pieces of information that you can't add
using the EventCreate utility. The event category requires that you
register a specialized DLL to handle the category information. Given
that you probably won't add the required DLL for a batch file
application, Microsoft left this particular entry out. An event can also
register data that amplifies the event description. The lack of support
for this feature is regrettable because you could use it to create
better event log entries. However, you can overcome this problem by
providing a detailed description and possibly including the data as part
of the description, rather than as a separate entry.
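The following batch file is an added example, not part of the original text, that applies the switch descriptions above: it uses the batch filename as the source, a fixed event ID scheme, and descriptions that carry the supporting data. The folder path, the *.csv pattern, and every ID other than 500 for file errors are assumptions made for illustration.

```batch
@echo off
setlocal
rem Added example: a batch file that reports its own status with EventCreate.
rem Assumed for illustration: the C:\Data\Inbox folder, the *.csv pattern,
rem and the ID values other than 500 (file errors).

rem Use the batch filename as the event source, as the /SO description advises.
set "SRC=%~n0"
set "INBOX=C:\Data\Inbox"

rem Event ID scheme (EventCreate accepts 1 through 1,000):
rem   100 = started, 110 = no work found, 120 = finished, 500 = file error.
call :LogEvent INFORMATION 100 "%SRC% started by %USERNAME% on %COMPUTERNAME%."

if not exist "%INBOX%\" (
    rem EventCreate cannot attach separate event data, so the path and the
    rem suggested action go into the description itself.
    call :LogEvent ERROR 500 "Input folder %INBOX% is missing. No files were processed. Verify the folder exists and rerun %SRC%."
    exit /b 1
)

if not exist "%INBOX%\*.csv" (
    rem An informational or warning entry still matters to someone who
    rem expected the job to do useful work.
    call :LogEvent WARNING 110 "%SRC% found no *.csv files in %INBOX% and ended without doing any work."
    exit /b 0
)

rem ... the real processing would go here ...

call :LogEvent INFORMATION 120 "%SRC% finished processing files in %INBOX%."
exit /b 0

:LogEvent
rem %1 = event type, %2 = event ID, %3 = description (already quoted).
rem No /S, /U, or /P switches: the entry is written locally under the
rem current user context, so no password is stored in the batch file.
eventcreate /L Application /SO "%SRC%" /T %1 /ID %2 /D %3 >nul
if errorlevel 1 echo Could not write event %2 to the Application log. 1>&2
exit /b 0
```

Because every entry shares one source and each condition has its own ID, you can filter the Application log in Event Viewer by source and event ID to see only this batch file's file errors. The account running the batch file must have permission to write to the Application log.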