Recipe 8.10. Finding All Sources Belonging to a Specific Event Log

Problem

You need to determine which sources are attached to a particular event log before the log is examined and/or deleted. A source is a component or application that has registered itself to a particular event log as a source of events.

Solution

Use the following method to extract all of the source names registered to a log (pass the log's name in as the logName argument):

 // Requires: using System.Collections; using System.Collections.Generic;
 //           using Microsoft.Win32;
 public static List<string> FindSourceNamesFromLog(string logName)
 {
     List<string> sourceNamesList = new List<string>();

     // Get the registry key for the specific log.
     RegistryKey keyLog = Registry.LocalMachine.OpenSubKey
         (@"SYSTEM\CurrentControlSet\Services\Eventlog\" + logName);
     if (keyLog != null && keyLog.SubKeyCount > 0)
     {
         // Get the sources from the log key.
         string[] sourceNames = keyLog.GetSubKeyNames();

         // Set capacity for the list.
         sourceNamesList.Capacity = keyLog.SubKeyCount;

         // Add all of the sources into the list.
         sourceNamesList.AddRange(sourceNames);
     }

     // Return the list.
     return sourceNamesList;
 }

To obtain a listing of all logs and their registered sources, use the following method:

 public static Hashtable FindSourceNamesFromAllLogs()
 {
     // Make a hashtable to store the logs and their sources.
     Hashtable logsAndSources = new Hashtable();

     // Get a list of all logs on the box.
     RegistryKey keyEventLog = Registry.LocalMachine.OpenSubKey
         (@"SYSTEM\CurrentControlSet\Services\Eventlog");
     if (keyEventLog == null)
     {
         // No Eventlog key, so there is nothing to enumerate.
         return logsAndSources;
     }
     string[] eventLogNames = keyEventLog.GetSubKeyNames();

     foreach (string log in eventLogNames)
     {
         // Get all the source names for this log.
         List<string> sourceNamesList = FindSourceNamesFromLog(log);

         // Add the source name list with the log name
         // as the key to the hashtable.
         logsAndSources.Add(log, sourceNamesList);
     }

     return logsAndSources;
 }

This method returns a Hashtable with the log name as the key and a List<string> of source names as the Hashtable's value. The information in the Hashtable of List<string>s can be accessed using the following code:

 foreach (DictionaryEntry DE in logsAndSources)
 {
     Console.WriteLine("Log: " + DE.Key); // Display the log.
     foreach (string source in ((List<string>)DE.Value))
     {
         // Display all sources for this log.
         Console.WriteLine("\tSource: " + source);
     }
 }

Discussion

This recipe is similar to Recipe 8.7 in that you need to find information concerning an event log that can be obtained only through the registry. If you need to find the sources associated with a log called MyLog, you would look up all of the subkeys contained in the following location:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\ 

If MyLog were associated with two sources called AppSource and MonitorSource, the following keys would exist under the MyLog key:

 \AppSource
 \MonitorSource

The full registry path for both keys would be:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\AppSource
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\MyLog\MonitorSource

This recipe makes use of the Registry and RegistryKey classes to look up the subkeys under the event log's key in the registry. See Recipe 8.7 for more information dealing with opening registry keys using the Registry and RegistryKey classes.

The read-only SubKeyCount property and GetSubKeyNames method of the RegistryKey class are used to obtain the number of subkeys that reside under a particular key and a string array containing their names.

The FindSourceNamesFromLog method uses the GetSubKeyNames method to obtain a list of event logs from the EventLog registry key. It then searches these log names until the log name passed to this method through the logName parameter is found. Once the correct log is found, its subkeys (representing all of the sources tied to that log) are saved to the sourceNamesList array. This array is then passed back to the caller.
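A hardened variant of the two lookup methods, added here as an example and not taken from the book: it disposes the registry handles, rejects a logName containing a backslash so that caller input cannot address a deeper key, and returns null for a log key the current account cannot read. The names EventLogSourceAudit, FindSources and FindSourcesForAllLogs are hypothetical, and the code assumes Windows with the Microsoft.Win32 registry classes available.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using Microsoft.Win32;

public static class EventLogSourceAudit
{
    private const string EventLogRoot = @"SYSTEM\CurrentControlSet\Services\Eventlog";

    // Returns the sources registered to one log. An empty list means the log
    // key is missing or has no sources; null means the key exists but the
    // current account is not allowed to read it.
    public static List<string> FindSources(string logName)
    {
        // A log name is a single key segment. Rejecting the separator keeps
        // caller-supplied input from addressing a key deeper in the tree.
        if (string.IsNullOrWhiteSpace(logName) || logName.Contains(@"\"))
            throw new ArgumentException("Not a single key name.", nameof(logName));
        try
        {
            // OpenSubKey(string) opens read-only; using releases the handle.
            using (RegistryKey keyLog =
                Registry.LocalMachine.OpenSubKey(EventLogRoot + @"\" + logName))
            {
                return keyLog == null
                    ? new List<string>()
                    : new List<string>(keyLog.GetSubKeyNames());
            }
        }
        catch (Exception ex) when (ex is SecurityException ||
                                   ex is UnauthorizedAccessException)
        {
            return null;
        }
    }

    // Maps every log name to its sources (or to null when unreadable).
    public static Dictionary<string, List<string>> FindSourcesForAllLogs()
    {
        var map = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        using (RegistryKey root = Registry.LocalMachine.OpenSubKey(EventLogRoot))
        {
            if (root == null) return map;
            foreach (string log in root.GetSubKeyNames())
                map[log] = FindSources(log);
        }
        return map;
    }
}
```

A caller deciding whether a log can be deleted should treat a null entry as unknown rather than as a log with no sources.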

See Also

See Recipe 8.7; see the "Registry.LocalMachine Field" and "RegistryKey.Open Method" topics in the MSDN documentation.



C# Cookbook