Windows Service event log full?

Hot Topic

biztalk and the System Messaging namespace
Databinding vs Multi-tier
Architecture Meetings
Information about Essential Unified Proccess
Any idea regarding generic UI from Business logic
Nhibernate O/R mapper with microsoft application block for data {.net 2.0}
Architecture question - how to store local copies of data on a server
Data access application block Vs Tool generated DAL
Clearing SHGetFileInfo cache
dll problem.

Architecture

Tools for Architects Blog
Lazy linking pattern
Middle Tier Design Question
Why architecture with OO methods?
Saving Composite Data Model
Architecting BLL, DAL and DB for bulk entity updates
Entity Aggregation in the BLL/DAL world
Entity Aggregation in the BLL/DAL world
UML/Modeling Tools you are using?
O/R mapper requirements for domain layer

Windows Service event log full?

I have a Windows Service which has been running happily for months, writing the occasional message to a private Windows event log using System.Diagnostics.EventLog.WriteEntry.

Just today, however, my service has stopped running, and the Application event log contains the error:

Service cannot be started. System.ComponentModel.Win32Exception: The event log file is full.

It didn't look that full to me; a few hundred events, certainly fewer than the Security log.

Even supposing I can't log that many events, how am I supposed to stop the OS from stopping my service when it thinks it has enough events Can I tell it to overwrite old events Should I delete old events How How do I know when the event log file "is full"



Answer this question

Windows Service event log full?

  • arongpan

    The framework does not seem to have an abstraction for it but some quick research brought up the following ... it appears to be controlled by a registry key (note the retention key). I would imagine there might also be a WMI interface to this but could not locate one.

    here is a c/p of the info.

    HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventLog

    Registry value Description
    CustomSD For more information, see Event Logging Security.
    DisplayNameFile Name of the file that stores the localized name of the event log. The name stored in this file appears as the log name in Event Viewer. If this entry does not appear in the registry for an event log, Event Viewer displays the name of the registry subkey as the log name. This value is of type REG_EXPAND_SZ. The default value is %SystemRoot%system32els.dll.
    DisplayNameID Message identification number of the log name string. This number indicates the message in which the localized display name appears. The message is stored in the file specified by the DisplayNameFile value. This value is of type REG_DWORD.
    File Full-qualified path to the file where each event log is stored. This enables Event Viewer and other applications to find the log files. This value is of type REG_EXPAND_SZ. The default is %SystemRoot%system32configAppEvent.evt.
    MaxSize Maximum size of the log file. This value is of type REG_DWORD and must be 0x10000 to 0xFFFF0000, in 64K increments. The default value is 0x80000 (512K).
    PrimaryModule Name of the subkey that contains the default values for the entries in the subkey for the event source. This value is of type REG_SZ.
    Retention Time interval, in seconds, that records of events are protected from being overwritten. When the age of an event reaches or exceeds thsi value, it can be overwritten. This value is of type REG_DWORD. The default value is 0x93A80 (604,800 seconds or 7 days). If this value is 0, the records are protected until the log reaches its maximum size. If this value is 0xFFFFFFFF, records are never overwritten. When the log file reaches its maximum size, you must clear the log manually; otherwise, new events are discarded. You must also clear the log before you can change its size.
    • 00000000 O means overwrite messages as needed,
    • 604800 O equals 7 days = (60 secs * 60 mins * 24 hrs * 7 days),
    • FFFFFFFF O means Do not Overwrite messages.
    Sources Names of the applications, services, or groups of applications that write events to this log. Each program listed has a corresponding subkey under the log. This value is of type REG_MULTI_SZ.

  • ozhonetech

    its a property on the event log ... do you need to know how to do it in general or how to do it via code during creation of the log If just in general you can do it through event viewer (http://www.rsinc.com/services/techtip.asp ttid=3469)

    Cheers,

    Greg

  • spelger

    Thanks for the quick reply. I would like to be able to do it from the installer, which creates the log.
  • Windows Service event log full?
Answer this question