The Fundamentals: #1 Next Generation Event Log

The first feature I want to discuss is the new event log, a benefit to IT Pros and developers alike. The event log in Longhorn is a major update of the NT event log service. It maintains 100% backwards compatibility with the existing APIs and functionality and uses the existing NT event log instrumentation in the applications and services. At the same time it eliminates some of the limitations of the NT event log and provides additional features to better support monitoring and diagnostics of Windows applications, services, components and drivers.

For event publishers, the new event log allows you to publish structured events based on -- surprise, surprise -- XML. For event subscribers, it likewise provides ways for admins to richly query the event log. Moreover, it provides event forwarding, such that certain events can be forwarded to another event log.

The best way to grok some of this functionality is to work through some samples.  There are some very simple and concise samples in the SDK that are quite explanatory. 

1. First, go to the SDK and compile the Simple Eventlog Publisher sample using msbuild.exe. Run the sample. This sample demonstrates an application which reports a text XML event to a channel. To see this event, right click on My Computer and go to Manage. There are still two event logs in the PDC build, the old event log and the new one (this will become one by RTM). The old event log is called the "Event Viewer" under System Tools -- you won't see your event there. The new event log can be found under Services and Applications and is called "Windows Event Viewer". Here is the source code.

If you go to the Application bucket, you will see your event listed.  Double click on it and go to Details -- there you will see the XML of the event published.  Notice how additional elements are added to the custom XML published by the event, such as computer name, ProcessID, etc. 

2. Now, go to the SDK and compile the Query Log sample.  This sample demonstrates an Application which issues an XPath log query for all events in the Application log and then prints out the query results to the console. Note how the XPath query ("Global/Application/ComputerAddedToDomain") maps to the Application bucket of the Global channel.  You could imagine getting much more granular with how the XPath queries are structured. Here is the source code.

3. Now go to the SDK and compile the Subscriber sample. This sample demonstrates an Application which subscribes for event notifications in the Application channel and prints the received events to the console. The subscription is expressed as an XPath query. To see this sample in action, you will need to fire up a separate console window and run the Publisher sample in order to get an event to fire. Each time you run that sample, the event should fire on your subscriber sample. Here is the source code.
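The same publish / subscribe / query loop as the three SDK samples, as an added PowerShell example that is not part of the post or the SDK. It assumes Windows PowerShell 5.1 in an elevated prompt on a release where this event log shipped (Vista or later), so the XPath filter syntax and the System.Diagnostics.Eventing.Reader .NET API stand in for the PDC-build SDK calls; the source name EventLogDemoSource is a placeholder.

```powershell
# Added example, not the SDK sample code. Assumes Windows PowerShell 5.1, elevated,
# on Windows Vista or later. 'EventLogDemoSource' is a hypothetical source name.
$source = 'EventLogDemoSource'
$reader = 'System.Diagnostics.Eventing.Reader'

# --- Subscribe (sample 3): an XPath subscription on the Application log.
# The query selects only events whose System/Provider name is our source.
$xpath   = "*[System[Provider[@Name='$source']]]"
$query   = [$reader + '.EventLogQuery']::new('Application',
               [$reader + '.PathType']::LogName, $xpath)
$watcher = [$reader + '.EventLogWatcher']::new($query)
$job = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -Action {
    # Emit the full event XML: the System section carries the elements the log
    # service adds on its own (Computer, Execution ProcessID, TimeCreated).
    $Event.SourceEventArgs.EventRecord.ToXml()
}
$watcher.Enabled = $true

# --- Publish (sample 1): the legacy API is still honoured, so a classic
# Write-EventLog call lands in the new log as an XML event.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 `
    -EntryType Information -Message 'Demo event from the event log walk-through'
Start-Sleep -Seconds 2
Receive-Job $job      # the subscriber's output: the XML of the event just written

# --- Query (sample 2): the same XPath as a one-shot query over the log.
Get-WinEvent -LogName Application -FilterXPath $xpath -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName, Message

# Tear down the subscription.
$watcher.Enabled = $false
Unregister-Event -SourceIdentifier $job.Name
$watcher.Dispose()
```

Tightening the XPath (for example adding `and EventID=1000` inside the System predicate) shows how granular the same query language gets without changing either the subscriber or the one-shot query code.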

These three samples show the basics of firing, querying and subscribing to events.