Connect with us

Hi, what are you looking for?

Windows Server 2003

Creating a custom event log under Microsoft Event Viewer to log server events

By default, most applications write events to the Application Event Log.  This is a great central place to write logs to but sometimes you might have a requirement to log informational events from an application and you don’t want it filling up your Application Event Log because of the sheer number of informational events you might get a short period of time.  The solution is to create a custom event log for your application to hold these events.  You can then set max log size, overwrite rules, filters, etc. on this event log while your Application Event Log remains clean and intact.

The first step is to create the new log.  You have to do this in the registry.  Open up regedit and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog

Right click on the Eventlog key and click New > Key

Name this new key the same name you want your new event log to be named.  By default it will create the new .evt file here:

C:\WINDOWS\System32\Config\New Key #1.evt

You can always rename it by editing the string value data in the registry if you like.

Now you need to add Sources to your new event log.  Right click in the right window pane under your new key and add a new Multi-String value called “Sources” and add the name of each of your applications on each line.  It should look something like this:

Now you need to move the association of your application from the Application event log to your new Custom log.  Just expand the “Application” key located at:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application

and copy whatever key you see in there for your app under your new Custom log:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\CustomLog

There’s no copy/paste command so you can recreate the key if it’s small or you can export/import if it’s something complicated and you are afraid of mistyping something.  MAKE SURE to delete it from Application after you add it to the Custom log or it will not write events to your new log since Windows thinks its still associated with the Application log.  If it is a custom source, you need to create a DWORD value under this key with the value of 1:

You will also notice my custom app in this example is a .NET 2.0 appliaction so I want .NET to write the events to the log.  I have to create a string value called EventMessageFile and give it the path to the .NET 2.0 event log message dll:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll

Now you should reboot your server.  When it’s back up, check and see if your new event log appears under Event Viewer.  If your application is not writing events to your new log, test it manually by opening a command prompt and going to:

C:\WINDOWS\system32

and typing:

eventcreate /l CustomLog /t Information /so Application1 /id 1 /d "Test message"

You should get a message saying it was successfully written or you should get an error message with details on why it was not written.  If you followed the steps in this blog post, it should write the event just fine.

11 Comments

11 Comments

  1. AA

    February 22, 2010 at 11:31 AM

    This worked wonderfully. I used my own custom log and created a test log with the event create statement. one change is that it did not needed source (/so) parameter.

  2. Pingback: Use Eventlogs Properly! | the angry admin

  3. AB

    September 14, 2011 at 10:13 AM

    Can I create the EventLog using code instead of doing it manually and rebooting the server? I see that source for the eventlog can be created using the code.

    Thanks!

  4. Pedro

    January 18, 2012 at 3:18 PM

    Hey, I am trying to use this on a win7 but when I create the new key only the (default) field appears, where or how I add the source?

    Thanks

  5. Stephen

    February 15, 2012 at 9:13 AM

    Is there any issue with writing to the custom log when the web server and application is using medium trust?

  6. Astrogator7

    March 27, 2012 at 12:37 PM

    Does anybody have any luck using this approach to redirect SQL Server’s events?

    Following the article I created a new event log ‘SQLServer’, verified that it is visible in Event Log MMC, added a new event into it from command line via
    EventCreate /l "SQL Server" /t information /so Console /id 1 /d "Log created"
    SUCCESS: A 'information' type event is created in the 'Console' log/source.

    A new custom source key ‘Console’ got created under HKLM\System\CurrentControlSet\Services\Eventlog\SQLServer\, and it also got added to ‘Sources’ multi-sz value.

    Now when I try to follow a similar logic and switch ‘MSSQLSERVER’ source from ‘Application’ log to the new one (by moving the key and eliminating it from App’s ‘Sources’ multi-sz) I get the following:
    EventCreate /l "SQLServer" /t information /so MSSQLSERVER /id 1 /d "Log created"
    ERROR: Source parameter is used to identify custom application/scripts only (not built-in sources).

    If I add ‘DWORD:CustomSource=1’ value under HKLM\..\Eventlog\SQLServer\MSSQLSERVER\, then the error disappears, but besides explicit attempts from command line:
    EventCreate /l "SQLServer" /t information /so MSSQLSERVER /id 2 /d "Log created"
    SUCCESS: A 'information' type event is created in the 'MSSQLSERVER' log/source.

    nothing gets written to ‘SQLServer’ event log from the real SQL service.. or anywhere else for that matter! Once I restore back original MSSQLSERVER source under ‘Application’ log and restart SQL, it continues logging to App Event Log as it did originally.

    Would not be a problem, if it was not flooding App log with loads of unimportant fluff!

  7. Greynault

    March 30, 2012 at 2:25 PM

    If you are running an application on a 2008 server, then as you publish it using IIS 7.0, give your app pool an Administrator Identity. Make sure to add code into your application that creates the log.

    try{
    EventLog.CreateEventSource(“MyLog”, “MyLog”);
    }catch(Exception exc){ }

    Then write all your logs to that EventLog
    EventLog.WriteEntry(“MyLog”, “…something…”);

    Then navigate to your web application. Reference the page with the code that creates the log, and then you can reduce the permission of your app pool identity back to whatever it was before. It will continue to write to this EventLog.

  8. Stephen

    April 4, 2012 at 3:17 PM

    Due to security requirements we can not grant an app pool account local adminsitrator privileges. I would think that this bypass the intent of the new security model under IIS 7.x.

  9. Pingback: Redirect SQL Server’s events from std Application log into a custom one

  10. Pingback: Create test events | ohelge

  11. Phillip Maye

    February 15, 2017 at 7:42 PM

    i will create this custom

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Apache

In a worst case scenario and all your web servers have failed, what do you do? You could have a standby group of servers...

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com