[Vb.net] Eventlog Watcher Service becomes unresponsive after large amount of entries

This is the situation:
I have written a Windows Service that monitors the Domain Controllers Security eventlog for certain events.
It filters the eventmessages and sends email if a filter is matched.

The service runs fine until our HR-->Active Directory import runs.
This adds ca. 2000 events to the Security eventlog within 2 seconds.
After this, the service still runs, but doesn't respond to new events anymore.
Hopefully someone can point me in the right direction to solve this

Imports System.Threading
Imports System.Net.Mail
Imports System.Security.Principal

Public Class EventLogWatcherService
    Private Shared signal As AutoResetEvent

    Protected Overrides Sub OnStart(ByVal args() As String)
        ' This is where the service starts 

        'Start the Event Log Watcher Service as a new thread
        Dim workerThread = New Thread(AddressOf WatchEventLog)
        workerThread.Start()

        'Write start message to Eventlog
        WriteLogMessage("Service Started", EventLogEntryType.Information)
    End Sub

    Public Sub WatchEventLog()
        'Set new event
        signal = New AutoResetEvent(False)

        'Connect to the OS-Security Eventlog
        Dim logwatcherlog = New EventLog("Security", ".", "LogMonitoringService")
        logwatcherlog.Source = "LogMonitoringService"

        'Add event handler to the Security Eventlog. This triggers at new events
        AddHandler logwatcherlog.EntryWritten, New System.Diagnostics.EntryWrittenEventHandler(AddressOf EventLog1_EntryWritten)
        logwatcherlog.EnableRaisingEvents = True

        'Wait for Event
        signal.WaitOne()
    End Sub

    Public Sub EventLog1_EntryWritten(ByVal [source] As Object, ByVal e As entryWrittenEventArgs)
        'Check the Events on EventID's. On match a new thread is fired to handle this event.
        If e.Entry.InstanceId = "4728" Or e.Entry.InstanceId = "4729" Then
            Dim thread As New Threading.Thread(AddressOf FoundEventToHandle)
            thread.Start(e)
        End If
    End Sub

    Public Sub FoundEventToHandle(ByVal e As EntryWrittenEventArgs)
            ‘Filters the eventmessage and sends an email on a filter match.

            '** WHEN HR-->AD IMPORT IS RUN, THIS PART ISN"T REACHED**
            
            'Dispose the current Entry to prevent unresponive service
            e.Entry.Dispose()

           'Sleep short and Signal for complete
           Thread.Sleep(1)
           signal.Set()
    End Sub

Open in new window

LVL 1
orbisictAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
Advertise Here
 
CodeCruiserConnect With a Mentor Commented:
I think it happens because you try to create 2000 threads within 2 seconds which overwhelms it. What you can do is change the approach and use a queue with a single thread. Whenever a new entry is written, you put the EntryWrittenEventArgs into a queue. A single thread can then keep monitoring this queue and process the items when found.
0
 
orbisictAuthor Commented:
Thanks @CodeCruiser, That was the solution !
I have it running already.

Just to be complete, here is part of the code that I changed:

In the Public Class, I added
Public EntryCollection As New Collection

Open in new window


in the Onstart I added a new thread to watch the eventlog queue
Dim EventCollectionWatcheTread = New Thread(AddressOf EventCollectionWatcher)
EventCollectionWatcheTread.start()

Open in new window


The Eventlog1 sub, where I handled the filter, now just looks like this:
Public Sub EventLog1_EntryWritten(ByVal [source] As Object, ByVal e As EntryWrittenEventArgs)
        'Add new entries to queue
        EntryCollection.Add(e)
        signal.Set()  
End Sub

Open in new window


The new Thread that watches the collection looks like this:
Public Sub EventCollectionWatcher()
       Do
            If EntryCollection.Count > 0 Then
                Dim e As EntryWrittenEventArgs = EntryCollection(1)
                If e.Entry.InstanceId = "4728" Or e.Entry.InstanceId = "4729" Then
                    Dim thread As New Threading.Thread(AddressOf FoundEventToHandle)
                    thread.Start(e)
                End If
                EntryCollection.Remove(1)
            End If
            Thread.Sleep(100)
        Loop
End Sub

Open in new window

0
 
orbisictAuthor Commented:
Exact description of the solution !
0
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

SEE THE WINNERS
 
CodeCruiserCommented:
By the way, you are still creating extra threads in EventCollectionWatcher method which you don't need to as this method is already executing on a separate thread so you can put the code from FoundEventToHandle method in there.
0
 
orbisictAuthor Commented:
Thanks CodeCruiser, I'm new to thread programming, therefore I really appreciate your assistance !
The 'FoundEventToHandle' sub is rather large and I'd like to leave it as a seperate sub.

Would it be ok to handle the event as shown below ?
Is it also correct to assume that I can delete the line  'Thread.Sleep(100)' too, because the code is now running as a single thread ?

Thanks !

Public Sub EventCollectionWatcher()
       Do
            If EntryCollection.Count > 0 Then
                Dim e As EntryWrittenEventArgs = EntryCollection(1)
                If e.Entry.InstanceId = "4728" Or e.Entry.InstanceId = "4729" Then
                       FoundEventToHandle()
                End If
                EntryCollection.Remove(1)
            End If
         Loop
End Sub

Open in new window

0
 
CodeCruiserCommented:
Yeah this should be fine.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.