Error with EventLogWatcher event handler getting null event and sender throwing exception “The remote procedure call failed.”

Thread starter: ognotongo (Guest)

I'm working on a small console app to stream specific events from a remote server using a combo of EventLogSession, EventLogQuery, and the EventLogWatcher.EventRecordWritten event. I subscribe to around three event logs per server on three different servers. All of the logs are related to a third-party application I'm trying to keep an eye on, so they are not the standard Windows Event Logs.

This works pretty well for a few minutes, but after a while, in my EventRecordWritten event handler, the EventRecordWrittenEventArgs object comes back as null and an exception is reported by the sender object. The exception message is "The remote procedure call failed." and of type System.Diagnostics.Eventing.Reader.EventLogException. After this exception happens, I won't receive any more events from that server. The other servers that I have set up event handlers for still work fine.

I've checked to make sure the RPC service is running and that the firewall has exceptions in place (on both the server and client). I'm not seeing anything in the event logs of the server that's experiencing the issue. Has anyone run into anything like this, or does anyone have any advice for troubleshooting?

Adding the event handler:

// XPath filter: Level 0 (LogAlways), 1 (Critical), 2 (Error), 3 (Warning)
public string eventFilter = "*[System[(Level=0 or Level=1 or Level=2 or Level=3)]]";

EventLogSession session = new EventLogSession(serverName);
try
{
    string logName = log;

    // Bind the query to the remote session
    EventLogQuery query = new EventLogQuery(logName, PathType.LogName, eventFilter);
    query.TolerateQueryErrors = true;
    query.Session = session;

    EventLogWatcher logWatcher = new EventLogWatcher(query);
    logWatcher.EventRecordWritten += new EventHandler<EventRecordWrittenEventArgs>(LogWatcher_EventRecordWritten);

    // Start the subscription
    logWatcher.Enabled = true;
}
catch (EventLogException ex)
{
    Console.WriteLine("Exception: " + ex.Message);
}

The event handler itself:

public static void LogWatcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
    if (e.EventRecord != null)
    {
        string message = e.EventRecord.FormatDescription();
        Console.WriteLine($"{e.EventRecord.MachineName.Split('.')[0],-13}\t{e.EventRecord.LogName,-15}\t{e.EventRecord.TimeCreated,-15}\t{e.EventRecord.OpcodeDisplayName,-15}\t{e.EventRecord.LevelDisplayName,-8}\t");
        Console.WriteLine($"{message,-119}");
        Console.WriteLine(" ");
    }
    else
    {
        Console.WriteLine("Invalid EventRecord variable logged at " + DateTime.Now);
        Console.WriteLine(e.EventException.Message);
    }
}
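
One way to keep collection running when the handler above receives an exception instead of a record, as an added example that is not the poster's code: the watcher and its EventLogSession are disposed and rebuilt after a delay, resuming from the bookmark of the last record handled. ResilientWatcher, RetryDelay and the 30-second value are assumptions, and the sketch does not address why the RPC call fails.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Threading.Tasks;

public sealed class ResilientWatcher : IDisposable // hypothetical name (added example)
{
    private static readonly TimeSpan RetryDelay = TimeSpan.FromSeconds(30); // assumed value
    private readonly object _gate = new object();
    private readonly string _server, _log, _filter;
    private EventLogSession _session;
    private EventLogWatcher _watcher;
    private volatile EventBookmark _bookmark; // last record handled; a rebuilt subscription resumes after it
    private bool _disposed;
    public ResilientWatcher(string server, string log, string filter) { _server = server; _log = log; _filter = filter; }

    public void Start()
    {
        lock (_gate)
        {
            if (_disposed) return;
            Teardown(); // drop the dead subscription and its RPC session
            try
            {
                _session = new EventLogSession(_server);
                var query = new EventLogQuery(_log, PathType.LogName, _filter) { Session = _session, TolerateQueryErrors = true };
                _watcher = _bookmark == null ? new EventLogWatcher(query) : new EventLogWatcher(query, _bookmark);
                _watcher.EventRecordWritten += OnRecord;
                _watcher.Enabled = true;
            }
            catch (EventLogException ex) { Report(ex); } // server still unreachable
        }
    }

    private void OnRecord(object sender, EventRecordWrittenEventArgs e)
    {
        if (e.EventRecord == null) { Report(e.EventException); return; } // error callback, no record
        using (e.EventRecord)
        {
            _bookmark = e.EventRecord.Bookmark;
            Console.WriteLine($"{e.EventRecord.MachineName}\t{e.EventRecord.LogName}\t{e.EventRecord.TimeCreated}\t{e.EventRecord.LevelDisplayName}");
        }
    }
    private void Report(Exception ex) // record the gap, then rebuild off the callback thread
    {
        Console.Error.WriteLine($"{DateTime.Now:o} {_server}/{_log}: {ex?.Message}; resubscribing in {RetryDelay}");
        Task.Delay(RetryDelay).ContinueWith(_ => Start());
    }
    private void Teardown() { _watcher?.Dispose(); _watcher = null; _session?.Dispose(); _session = null; }
    public void Dispose() { lock (_gate) { _disposed = true; Teardown(); } }
}
```

Create one instance per server and log pair and keep a reference to each for the lifetime of the process; the timestamped error line marks the window in which records from that source may be missing.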
