Event Log Creator is giving me a generic message on remote machine

Question

I created an event log creator and it works perfect locally. When trying to create an event log remotely it gives me this message:

If the event originated on another computer, the display information had to be saved with the event.

And it adds it to the event log. My current method involves making registry changes on the remote servers. I read online that you can perform an event log remotely using a web service? I am completely lost in creating a web service as I have never made one before, can someone point me in the right direction. I'm also trying to avoid making registry changes on remote servers because they are in a production environment.

My current code:

else if (RemoteText.Text != "")
{
    int EventID = Convert.ToInt32(EventIdText.Text);
    string myLogName = "";

    if (!EventLog.SourceExists(SourceText.Text))
    {
        //Create source.
        EventLog.CreateEventSource(SourceText.Text, myLogName, RemoteText.Text);
        Console.WriteLine("Creating EventSource");
    }
    else
    {
        // Get the EventLog associated if the source exists.
        myLogName = EventLog.LogNameFromSourceName(SourceText.Text, RemoteText.Text);

        EventLog myEventLog1 = new EventLog(myLogName, RemoteText.Text);
        myEventLog1.Source = myLogName;
        // Write an entry into log.
        myEventLog1.WriteEntry("This is for your information",
        EventLogEntryType.Error, EventID);
    }

    MessageBox.Show("Event Creation was SUCCESSFUL");

My goal is to remove the generic message on remote computer and avoid making registry changes on remote computer.

Answer 1

Creating an event source does indeed need write access priviliege on the HKLM\System\CurrentControlSet\eventlog key.

Try EventSourceCreationData, you may be missing the message file.

If you have administrator access on the remote machine and that said servers do not have remote registry turned off, you could use WMI to make registry permission changes and try your approach again.

Answer 2

If the event originated on another computer, the display information had to be saved with the event

You get this error if the event source is undefined. When you write an event log entry to the event log you basically only write an ID and some parameters associated with the event log entry. When you then view the event log entry Windows will use the message file associated with the event source to actually format the entry. From the ID a message template is retrieved and the parameters are replaced in the message template to create the formatted message that you can view in the event viewer. This approach makes it possible to provide translated event log messages for different language versions of Windows.

If the event source is undefined Windows cannot locate the message file and when you try to view the event log entry in the event viewer you get the error that you describe.

So to correctly log an event log entry to a source on a computer you need to create the source and this requires administrative write access to the registry (it can be done using an elevated installer). So your current approach seems to be the correct one and not something you should try to avoid.

Often .NET developers do not have any experience working with event log message files. The basic API in .NET to write to the event log will register and use a generic message file that simply substitutes whatever string parameter you supplied into the formatted message. This makes is quite easy to write to the event log from .NET but it also makes it a bit confusing because you do not realize that there is an intermediate message file required for it to work.