asked on

Howto get a Windows eventlog EventID

Hello,

I need to get the Eventlog EventID out of the InstanceID. Below is some code I found that does it perfectly, but sometimes it does not return the correct value. Does this code look right?

private void ValidateEventID (long instanceID)
		{
			int eventID = GetEventID (instanceID);
			if (eventID < ushort.MinValue || eventID > ushort.MaxValue)
				throw new ArgumentException (string.Format (CultureInfo.InvariantCulture,
					"Invalid eventID value '{0}'. It must be in the range between"
					+ " '{1}' and '{2}'.", instanceID, ushort.MinValue, ushort.MaxValue));
		}
 
		internal static int GetEventID (long instanceID)
		{
			long inst = (instanceID < 0) ? -instanceID : instanceID;
 
			// MSDN: eventID equals the InstanceId with the top two bits masked
			int eventID = (int) (inst & 0x3fffffff);
			return (instanceID < 0) ? -eventID : eventID;
		}

Open in new window

Bob Learned

You would need to show where this fails to work, because it worked for me. Also, I have learned that just because the EventLogEntry.EventId property is marked as Obsolete, you can still use it (since it is just a warning).

Test code:

           Dictionary<string, EventLog> logList = new Dictionary<string, EventLog>();
            foreach (EventLog log in EventLog.GetEventLogs())
                logList.Add(log.LogDisplayName, log);
 
            foreach (EventLogEntry entry in logList["Application"].Entries)
            {
                long instanceID = entry.InstanceId;
                long eventID = entry.EventID;
                long calculatedEventID = entry.InstanceId & 0x3fffffff;
                if (eventID != calculatedEventID)
                    Console.WriteLine("{0}, {1}, {2}", eventID, instanceID, calculatedEventID);
            }

Open in new window

pyrokin

ASKER

TheLearnedOne,

When the InstanceID = 1101, I get 1101. When the InstanceID = 3223978043, I get
2752571, when the eventid should be "59". What is interesting is that the EventID property returns 2752571 as well. Any Ideas?

Bob Learned

Why do you think that the event ID should be 59?

Bob

Binary math:
 
11000000001010100000000000111011
00111111111111111111111111111111
--------------------------------
00000000001010100000000000111011 = 2752571

Open in new window

pyrokin

ASKER

When I look in the eventlog and match the event text, TimeGen, Source, Type, etc. The EventID in the EventViewer is "59", also aren't eventIDs suppose to be between 0-65535?

ASKER CERTIFIED SOLUTION

Bob Learned

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Bob Learned

Sample usage:

List<Win32_NTLogEvent> list = Win32_NTLogEvent.GetList("Application");

Bob

pyrokin

ASKER

TheLearnedOne,

Thanks for the info. After using your example code I get the correct EventID for the entry in question. Is there any chance of getting this info from Eventlog InstanceID? Is this normal?

Bob Learned

I would have to do some more investigation. I don't go into that much detail with event log processing. I am more of a WMI guy, so I don't go beyond what is already working for me (unless I have to).

Bob

pyrokin

ASKER

Can you recommend any zones to figure out how to get this to work with the Eventlog dotnet component?