
ETW EventSource not logging events on Windows Server


I wrote an ETW EventSource using the Microsoft EventSource Library 1.1.25 on NuGet. The purpose of the EventSource is to send events to a custom event log for a security application we maintain. The code works locally, but we cannot get events to be written to the event log on the server.

The EventSource is named (similar to) Company-Security and sends events to the Admin channel. Locally on my development machine, I can register the EventSource manifest with wevtutil, and see the Company-Security folder with the Admin log underneath in Windows Event Viewer. When I run the application, the events are recorded in the event log.

However, when I deploy the application to the test server (running Windows Server 2012), event logging is not working. The log is created and visible in Event Viewer after I register the manifest with wevtutil, though the name is slightly different. A folder named Company-Security/Admin is created with a log named Company-Security/Admin inside the folder. I can also run PerfView on the server and see the events created. However, nothing is ever written to the event log. I have also put some debug statements in the EventSource code and can see that the EventSource IsEnabled() is returning true.

Below are code snippets of the base class and the implementation class of the eventsource I wrote.

I've researched and can't find any explanation as to why event logging does not work on the server, but works on the development machine. I assume I am missing something, but I'm not sure what.

Abstract Base Class:

    using System;
    using Microsoft.Diagnostics.Tracing; // Microsoft EventSource Library (NuGet)

    public abstract class SecurityEventsBase : EventSource {
        // WriteEvent overload for a (long, string, string) payload.
        protected unsafe void WriteEvent(int eventId, long arg1, string arg2, string arg3) {
            if (IsEnabled()) {
                // Replace null strings with a placeholder before pinning them.
                if (arg2 == null) {
                    arg2 = "[not provided]";
                }
                if (arg3 == null) {
                    arg3 = "[not provided]";
                }
                fixed (char* arg2Ptr = arg2) {
                    fixed (char* arg3Ptr = arg3) {
                        EventSource.EventData* dataDesc = stackalloc EventSource.EventData[3];
                        dataDesc[0].DataPointer = (IntPtr)(&arg1);
                        dataDesc[0].Size = 8; // sizeof(long)
                        dataDesc[1].DataPointer = (IntPtr)arg2Ptr;
                        dataDesc[1].Size = (arg2.Length + 1) * 2; // UTF-16 chars plus null terminator
                        dataDesc[2].DataPointer = (IntPtr)arg3Ptr;
                        dataDesc[2].Size = (arg3.Length + 1) * 2;

                        WriteEventCore(eventId, 3, dataDesc);
                    }
                }
            }
        }
    }

EventSource Class:

    [EventSource(Name="Company-Security", LocalizationResources="Events.Properties.Resources")]
    public sealed class AuthorizationEvents : SecurityEventsBase {

        public static AuthorizationEvents Log = new AuthorizationEvents();

        [Event(2000, Level=EventLevel.Informational, Channel=EventChannel.Admin, Message="User '{1}' ({0}) logged in successfully from IP Address {2}")]
        public void Login(long UserId, string UserName, string IPAddress) {
            if (IsEnabled()) {
                WriteEvent(2000, UserId, UserName, IPAddress);
            }
        }

        // additional events would follow here
    }

Solution

  • I finally resolved this problem. It had to do with permissions on the folder the manifest and binary manifest resource files were stored in.

    I found this StackOverflow answer which helped me resolve the problem: https://stackoverflow.com/a/13090615/5202678

    I had to grant Read & Execute privileges to the local Users group on the folder the manifest files were stored in. Once I did this, events immediately started recording in the Event Log.
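
One way to check for the permission described in the solution and apply it, as an added PowerShell example that is not part of the original post. It assumes the provider is registered under the name `Company-Security` and takes the resource and message file paths from that registration; the `-Fix` switch is a hypothetical parameter of this script.

```powershell
# Added example: check the folder(s) holding a registered provider's manifest
# resource files for a Read & Execute grant to the local Users group.
param(
    [string]$ProviderName = 'Company-Security',  # name used in the question
    [switch]$Fix                                 # hypothetical switch: apply the grant
)

# The registration (wevtutil im) records where the resource/message DLL lives.
$provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop

$folders = @($provider.ResourceFilePath, $provider.MessageFilePath) |
    Where-Object { $_ } |
    ForEach-Object { Split-Path -Parent ([Environment]::ExpandEnvironmentVariables($_)) } |
    Sort-Object -Unique

# S-1-5-32-545 is the well-known SID of BUILTIN\Users (avoids localized names).
$usersSid = 'S-1-5-32-545'
$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder
    # Explicit and inherited ACEs, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # This looks only for an Allow ACE naming Users directly; access granted
    # through other groups or removed by Deny ACEs is not evaluated here.
    $hasRx = $rules | Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $rx) -eq $rx
    }

    if ($hasRx) {
        Write-Output "OK       $folder"
    }
    elseif ($Fix) {
        # Grant read/execute only, inherited by files and subfolders.
        # Users do not need write access to this folder.
        & icacls.exe $folder /grant "*${usersSid}:(OI)(CI)RX" | Out-Null
        Write-Output "GRANTED  $folder"
    }
    else {
        Write-Output "MISSING  $folder (no Allow ReadAndExecute ACE for BUILTIN\Users)"
    }
}
```

Run it from an elevated prompt on the server after registering the manifest; without `-Fix` it only reports.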