Recipe8.3.Creating a New Event Log

Recipe 8.3. Creating a New Event Log

Problem

You want to create a custom event log. This can be useful if you have a custom application that needs to write a bunch of events to the event log and you do not want to clutter one of the default logs.

Solution

Using a graphical interface

Open the Registry Editor (regedit.exe).
In the left pane, browse to HKLM
Right-click on Eventlog and select New
Enter the name of the new event log and hit Enter.

Using a command-line interface

Create the following registry key and replace <LogName> with the name of the new log:

> reg add \\<ServerName>\HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>

Using VBScript

' This code creates a new event log.  ' ------ SCRIPT CONFIGURATION ------ strNewLog = "<LogName>"      ' e.g., MyLog strServer = "<ServerName>"   ' e.g., fs01 (use "." for local server) ' ------ END CONFIGURATION --------- const HKLM = &H80000002 strKeyPath = "SYSTEM\CurrentControlSet\Services\EventLog\" & strNewLog set objReg = GetObject("winmgmts:\\" & strServer & "\root\default:StdRegProv") objReg.CreateKey HKLM, strKeyPath WScript.Echo "Created Event log " & strNewLog

Discussion

When you view events in an event log using a tool such as Event Viewer, you are actually interacting with the Event Log service. It is this service that applications interface with to write and retrieve events. Each event log is defined as a subkey under the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog key. The name of the subkey is the name of the event log. The Event Log service constantly monitors this key for the creation of new subkeys. When it finds a new one, it creates a new event log. After it finds a new subkey, the Event Log service creates a file under the %SystemRoot%\System32\config directory to contain the event log messages. If you named the subkey Test, the file name would be Test.evt. You can then configure the new event log like you would one of the defaults (setting the maximum size, retention period, etc.).