New Windows Event Log: Gateway to Native Windows Functionality in Vista
While the .NET Framework's feature coverage continues to increase—particularly with the WinFX release in Windows Vista, native code will continue to be the most powerful and flexible mechanism for producing applications that work closely with the host operating system (OS). To demonstrate that native development is alive and well in Vista, this article covers the new Windows Event Log features to prepare you for a plunge into the native libraries, which are the only way to access the new functionality.
Windows Event Logging
- Event Tracing for Windows (ETW). ETW offered a high-performance logging option, but its output was not readily accessible to operations staff. ETW log files were put in a location defined by the code using ETW and required a custom viewer for inspection.
- The Windows Event log. The Windows Event log was probably the most popular enterprise and system logging mechanism. It was not designed for high-volume logging, so it could miss events under high load. High-volume logging also had the tendency to flood the common Application event log with high-frequency events from a single application. As a result, important events raised by other applications could be overwritten by trivial debug statements. The Event Log did ship with an built-in viewer, but it was feature-poor and required a more advanced offering like Microsoft Operations Manager to deal with enterprise scenarios.
- Windows Management Instrumentation (WMI). WMI offered a rich event model at the expense of performance. WMI events also required a custom viewer.
- printf or OutputDebugString. The use of printf or OutputDebugString was a popular developer method of adding basic instrumentation to an application, but these statements rarely were captured by logging tools run by operations staff. Even if they were, the log information typically required the original developer to interpret it.
The New Event Tracing Framework
Figure 1. Windows Vista Event Viewer
Starting on the left pane, the Event Viewer still has the familiar Windows Logs, where events from the Windows XP-style event logging API will end up. One of the new features of the left pane is the ability to define a standard query of log events that can be persisted as a custom view. This can be incredibly useful for operations staff who are interested only in events of a certain severity from a particular event source. The other new feature is the hierarchal presentation of custom application logs. While you could create custom logs with the old Event Logging framework, it had no concept of log hierarchies.
The main pane of the Event Viewer shows the list of events in a list-view (as is the case in XP). It also includes a new preview pane that negates the need to bring up a dialog in order to inspect the details of the event. It is still possible to bring up a dialog box, and the dialog box in Vista will not be modal, enabling you to bring up multiple details dialog boxes and compare events. The Event Viewer also presents an XML view of the data in an event record, and you can query all the events across multiple logs with XPath.
The Actions Pane on the right presents various options for opening, filtering, and closing various filters. One of the more interesting features is the ability to attach a task to a specific event. The task can be any Windows Task Scheduler task. You can use this feature to alert operations staff that need to respond to any event or even to respond to an event automatically.
The new event logging framework for Windows Vista is a part of the Vista operating system, and Microsoft will not back-port it to Windows XP or Windows Server 2003.
The new Event Logging in Vista is built on top of ETW. ETW was the most comprehensive and robust logging framework in the NT5.x kernel, and building on top of it allowed the Vista team to concentrate on adding new functionality rather than re-inventing an existing logging framework.
- Admin Events. These are top-level issues that an administrator may need to act on, such as the inability to acquire an IP address, and they are accompanied by instructions on how to rectify the problem.
- Operational Events. These notify an administrator or user that an expected or usual event has happened. Successfully acquiring an IP address is an example of an operational event.
 
 
No comments:
Post a Comment