2

每当将新日志条目添加到 Windows 事件查看器中的特定事件日志文件时,我想引发一个事件。我正在尝试做类似于这里提到的事情。http://msdn.microsoft.com/en-us/library/bb671202.aspx

这是我的代码:

static void Main()
    {
        EventLogWatcher watcher = null;
        try
        {                
            EventLogQuery eventQuery = new EventLogQuery("C:\\Windows\\System32\\winevt\\Logs\\Admin.evtx", PathType.FilePath);                             

            EventLogReader logReader = new EventLogReader(eventQuery);
            DisplayEventAndLogInformation(logReader);// this successfully opens the log and shows all logged events. 
            watcher = new EventLogWatcher(eventQuery);
            watcher.EventRecordWritten +=                       
                    new EventHandler<EventRecordWrittenEventArgs>(SomeEvent);
            watcher.Enabled = true; // here i get an unhandled exception which is as below:                         
        } //exception handling omitted here for conciseness

public static void SomeEvent(Object obj, EventRecordWrittenEventArgs arg){}
public static void DisplayEventAndLogInformation(EventLogReader logReader){}

我不能使用PathType.LogName,因为这不是标准的系统日志,并且它没有对应的注册表项

HKLM/系统/CurrentControlSet/服务/事件日志

. 当我使用像“系统”或“应用程序”这样的日志名称时,这段代码可以正常工作,但是当我使用它们对应的PathType.FilePath. 我希望它PathType.FilePath在将特定查询(此处未提及)输入日志时使用并触发事件。有关此代码为何不起作用的任何输入都会很棒!DisplayEventAndLogInformation当方法完美运行时,为什么我会收到“通道路径无效”错误?

异常消息:

System.Diagnostics.Eventing.Reader.EventLogException:指定的通道路径在 System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode ) 在 System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHand le session, SafeWaitHandle信号事件、字符串路径、字符串查询、EventLogHandl e 书签、IntPtr 上下文、IntPtr 回调、Int32 标志)在 System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing() 在 System.Diagnostics.Eventing.Reader.EventLogWatcher.set_Enabled(Boolean val ue) 在 C:\Users\username\documents\visual studio 2010\Projects\eventlogreader\eventlogreader\Program.cs: 第 40 行中的 eventlogreader.Program.Main() System.AppDomain._nExecuteAssembly(RuntimeAssembly 程序集,String[] args ) 在 System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args) 在 Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly() 在 System.Threading.ThreadHelper.ThreadStart_Context(Object state) 在 System .Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run System.Threading.ThreadHelper.ThreadStart() 处的(ExecutionContext executionContext、C ontextCallback 回调、对象状态)Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly() 在 System.Threading.ThreadHelper.ThreadStart_Context(Object state) 在 System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext , ContextCallback 回调, 对象状态, Boolean preserveSyncCtx) 在 System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback 回调, 对象状态, Boolean preserveSyncCtx) 在 System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback 回调, 对象状态) 在 System.Threading.ThreadHelper.ThreadStart()Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly() 在 System.Threading.ThreadHelper.ThreadStart_Context(Object state) 在 System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext , ContextCallback 回调, 对象状态, Boolean preserveSyncCtx) 在 System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback 回调, 对象状态, Boolean preserveSyncCtx) 在 System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback 回调, 对象状态) 在 System.Threading.ThreadHelper.ThreadStart()HostingProcess.HostProc.RunUsersAssembly() at System.Threading.ThreadHelper.ThreadStart_Context(Object state) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run( ExecutionContext executionContext, C ontextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart()HostingProcess.HostProc.RunUsersAssembly() at System.Threading.ThreadHelper.ThreadStart_Context(Object state) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run( ExecutionContext executionContext, C ontextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart()System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback callback, Object state) 处的 ContextCallback 回调,对象状态,布尔值 preserveSyncCtx)在 System.Threading.ThreadHelper.ThreadStart()System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, C ontextCallback callback, Object state) 处的 ContextCallback 回调,对象状态,布尔值 preserveSyncCtx)在 System.Threading.ThreadHelper.ThreadStart()

4

0 回答 0