I want to write a program that monitors changes to the Event Log, and then
outputs any changes. I can’t quite use something off-the-shelf because it
has to interface with some other component of ours, but I’d love to see
example code if anyone knows of any.
The weird thing is that I can’t figure out how to safely write it.
Clearly, the function NotifyChangeEventLog is the starting point, and that
will signal you when there have been any changes to a log. However, it does
not provide a way to know how many new changes there are (it specifically
states that it will signal no more than once every 5 seconds, regardless of
the number of changes), or what the record index is to the start of the
changes.
So, it then seems that we need to store the last record that was processed.
That’s fine. However, how does one get the newest record? At first it
seems that GetNumberOfEventLogRecords is the right thing, but that only
tells you the number of records in the log – which will remain
semi-constant since the Event Log usually wraps. (Note that I say
semi-constant since I assume that as it deletes an old record, which might
have been large, it could actually fit multiple new records into the same
space, and thus the number of records in the same space will increase.)
GetOldestEventLogRecord helps a bit, but not enough.
Will this always find the newest record number?
oldestRecordNumber = GetOldestEventLogRecord (…);
if (oldestRecordNumber == 1)
newestRecordNumber = GetNumberOfEventLogRecords (…);
else
newestRecordNumber = oldestRecordNumber - 1;
But I’m also worried that new records might get added in between my calls to
the APIs such as GetOldestEventLogRecord and GetNumberOfEventLogRecords,
which would potentially cause me to miss events?
In general, it seems that there should exist a cleaner approach. Does
anyone know the solution or have any suggestions?