EventSource doesn't write logs in Windows Event Viewer
I am trying to write logs to the Windows Event Viewer. I created a class and a method for catching exceptions. Here is my code:
    using System;
    using System.Diagnostics;
    // EventSource from the Microsoft.Diagnostics.Tracing.EventSource NuGet package
    using Microsoft.Diagnostics.Tracing;

    [EventSource(Name = "Samples-EventSourceDemos-EventLog")]
    public sealed class MinimalEventSource : EventSource
    {
        public static MinimalEventSource Log = new MinimalEventSource();

        [NonEvent]
        public void WriteLog(Exception exception)
        {
            UnhandledException(exception.Message);
        }

        // No Channel is set on this event
        [Event(601, Message = "Unhandled exception occurred. Details: {0}", Keywords = EventKeywords.None, Level = EventLevel.Critical)]
        private void UnhandledException(string exceptionMsg)
        {
            this.WriteEvent(601, exceptionMsg);
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            AppDomain.CurrentDomain.UnhandledException += CurrentDomain_UnhandledException;
            throw new Exception("TestException");
        }

        private static void CurrentDomain_UnhandledException(object sender, UnhandledExceptionEventArgs e)
        {
            MinimalEventSource.Log.WriteLog(e.ExceptionObject as Exception);
            Process.GetCurrentProcess().Kill();
        }
    }
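I can't find this log in the Windows Event Viewer.
I installed Microsoft.Diagnostics.Tracing.EventSource from NuGet. It creates the manifests after a rebuild. Here is the Debug folder.
I decided to register it through code: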
    string commandOfRegistringEventSource = "";
    using (Process process = new Process())
    {
        ProcessStartInfo startInfo = new ProcessStartInfo
        {
            WindowStyle = ProcessWindowStyle.Hidden,
            FileName = "cmd.exe",
            Arguments = commandOfRegistringEventSource
        };
        process.StartInfo = startInfo;
        process.Start();
    }
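I tried running wevtutil.exe im <EtwManifestManFile> /rf:"<EtwManifestDllFile>" /mf:"<EtwManifestDllFile>", but it shows an error like "The system cannot find the file specified." ... Please help me write the cmd command string that registers the event source. Here are the manifests: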
C:\Users\dilshodk\source\repos\ETW loggiing\ETW loggiing\bin\Debug\ETW loggiing.Samples-EventSourceDemos-EventLog.etwManifest.dll
C:\Users\dilshodk\source\repos\ETW loggiing\ETW loggiing\bin\Debug\ETW loggiing.Samples-EventSourceDemos-EventLog.etwManifest.man
In the past I wrote to the Application event log like this:
    using (EventLog eventLog = new EventLog("Application"))
    {
        eventLog.Source = "Application";
        eventLog.WriteEntry("Log message test", EventLogEntryType.Information, 101, 1);
    }
You need a few more steps to get this working. First, you need to set the Channel property of the Event attribute like this:
    [EventSource(Name = "Samples-EventSourceDemos-EventLog")]
    public sealed class MinimalEventSource : EventSource
    {
        public static MinimalEventSource Log = new MinimalEventSource();

        [NonEvent]
        public void WriteLog(Exception exception)
        {
            UnhandledException(exception.Message);
        }

        // Channel = EventChannel.Admin routes this event to an Admin channel
        [Event(601, Channel = EventChannel.Admin, Message = "Unhandled exception occurred. Details: {0}", Keywords = EventKeywords.None, Level = EventLevel.Critical)]
        private void UnhandledException(string exceptionMsg)
        {
            // Dump() is a LINQPad extension method; here it prints whether the source is enabled
            this.IsEnabled().Dump();
            this.WriteEvent(601, exceptionMsg);
        }
    }
Second, your event source needs to be registered. The steps are outlined here:
One requirement introduced by channel support is the need to statically register the ETW provider manifest. The NuGet package supports generating the files needed for static registration as part of your build. After your build completes a new step is run that generates a pair of files for each of the event source types defined in the project:
..etwManifest.man and
..etwManifest.dll
The first file contains the ETW manifest while the second one contains the binary form of the ETW manifest plus any needed native resources (localization string tables in particular).
The tool that generates the above two files is “eventRegister.exe” and it performs two functions:
It ensures the registration files are generated for all event source types that need static registration, and
It performs a number of validation checks on all the event source types defined in the output assembly.
Deploying your component will need to include these files and perform one registration step at installation time and one un-registration step at un-installation time.
Registration:
wevtutil.exe im <EtwManifestManFile> /rf:"<EtwManifestDllFullPathName>" /mf:"<EtwManifestDllFullPathName>"
Unregistration:
wevtutil.exe um <EtwManifestManFile>
For static registration eventRegister.exe generates manifests that include all localization information. This is needed because the manifest is generated at build time, when there’s no information regarding the culture in which the final application will run.
Note you will see that in the .etwManifest.man file that the build generated, there are path names for the resource file and manifest file in this file. They are the paths that existed at build time. These paths are NOT used if you use the /rf and /mf options. Thus you should always specify the /rf: and /mf options (unless you hand modify the .etwManifest.man file to specify deployment-time file paths for the DLL).
Finally, it is important that you use FULLY qualified names for the /mf: and /rf: options. You can use environment variables THAT ARE AVAILABLE TO ALL PROCESSes (e.g. %SystemRoot% or %ProgramFiles%), but you should not use relative paths (it is not clear what they are relative to, probably System32, but don’t count on it).
The general recommendation is to copy your etwManifest.dll and .etwManifest.man to a directory under %ProgramFiles% and then use wevtutil to register them at that location.
The easiest way to have the above files created is to add this NuGet Package, as it will create those files when building your project. It comes with docs in .docx format.
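
The registration step described in the answer, as an added C# example that is not part of the original post or the NuGet package's documentation. It copies the two generated files to a directory under %ProgramFiles%, passes fully qualified, quoted paths (the build paths in the question contain spaces), and starts wevtutil.exe directly rather than through cmd.exe. The `EtwManifestInstaller` class, the `MyApp\Etw` folder name and the two command-line arguments are assumptions, and the program has to run from an elevated (administrator) prompt.

```csharp
using System;
using System.Diagnostics;
using System.IO;

static class EtwManifestInstaller
{
    // Usage (elevated prompt): EtwManifestInstaller.exe <buildOutputDir> <manifestBaseName>
    // <manifestBaseName> is the file name without ".etwManifest.man" / ".etwManifest.dll".
    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: <buildOutputDir> <manifestBaseName>"); return 2; }
        // Assumed install location (hypothetical folder name) under %ProgramFiles%.
        string targetDir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles), "MyApp", "Etw");
        Directory.CreateDirectory(targetDir);

        string man = Deploy(args[0], targetDir, args[1] + ".etwManifest.man");
        string dll = Deploy(args[0], targetDir, args[1] + ".etwManifest.dll");

        // Remove any earlier registration of this manifest; the exit code is ignored
        // because the manifest may not be registered yet.
        RunWevtutil($"um \"{man}\"");
        // Fully qualified, quoted paths for the manifest, /rf: and /mf:.
        return RunWevtutil($"im \"{man}\" /rf:\"{dll}\" /mf:\"{dll}\"");
    }

    static string Deploy(string sourceDir, string targetDir, string fileName)
    {
        string source = Path.GetFullPath(Path.Combine(sourceDir, fileName));
        if (!File.Exists(source)) throw new FileNotFoundException("Generated file not found", source);
        string target = Path.Combine(targetDir, fileName);
        File.Copy(source, target, true);
        return target;
    }

    static int RunWevtutil(string arguments)
    {
        // Start wevtutil.exe by full path, without cmd.exe, so no shell parsing or PATH lookup is involved.
        string exe = Path.Combine(Environment.SystemDirectory, "wevtutil.exe");
        var psi = new ProcessStartInfo(exe, arguments)
        { UseShellExecute = false, CreateNoWindow = true, RedirectStandardOutput = true, RedirectStandardError = true };
        using (Process p = Process.Start(psi))
        {
            var stderr = p.StandardError.ReadToEndAsync();   // drain stderr while stdout is read
            Console.Write(p.StandardOutput.ReadToEnd());
            Console.Error.Write(stderr.Result);
            p.WaitForExit();
            return p.ExitCode;
        }
    }
}
```

A non-zero exit code from the `im` call means the registration failed; the wevtutil output printed above it gives the reason.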