
Edouard A. wrote:
Not sure what exactly you mean, but no, I don't think so. Event categories are defined in the .mc file and they are compiled into a binary resource, which is then utilized by the Event Viewer. This resource cannot be modified, other than by recompiling it.
In the call to RegisterEventSource, you specify a source. My question is how do you handle non existing source? Do you create it? Do you let the default behavior occur (log to application)? Do you throw an exception?
AFAICT from MSDN, this API will silently use the Application log source, if the specified source is not found in the registry. The sink reflects that behavior.
To create an event source you need to create a key in the registry and then set appropriate rights to make sure that it cannot be modified by unauthorized users/processes.
There is a potential security issue here. If an external process creates the source before you do it, it will get all rights and possibly will remove entries (or add ones, but generally you want to remove/modify entries) as it may see fit. Sometimes the malicious application's purpose is only log duplication.
Therefore, you need to have clear behavior when creating the log source so that when you use the sink you know what to expect. What you can do is have a different call to create the source and throw an exception when the source doesn't exist.
The source registration can be done either on-demand or forced. In the first case, if the source is already registered, the sink backend doesn't modify its registry entries. This mode can be useful if the source is already registered by, say, an installer. In the forced mode the sink will overwrite the registration even if it's already present in the registry. In any case, if the source registration fails, you will get an exception. I believe this option allows detecting such security problems.
Can I log to a different computer than localhost?
No, not yet. That can be easily added, if I'm not missing anything.
That's very interesting for distributed computing where centralizing logging makes a lot of sense.
It's very straightforward, you just have to specify the name of the server (UNC format) in the call to RegisterEventSource.
That's true. I will add it.
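The registration procedure discussed in this thread (look up whether the source already exists, register it in on-demand or forced mode, lock down the registry key, and detect the case where RegisterEventSource would silently fall back to the Application log), as an added example in PowerShell. This is not code from the thread or from the sink library being discussed; the log name, source name, message file path and parameter names are assumptions chosen for illustration, and the script must be run elevated.

```powershell
# Added example, not the library's own registration code.
# Registers an event source under $Log with "OnDemand" or "Forced" semantics and
# restricts write access to the registry key so that an unprivileged process cannot
# re-point EventMessageFile or re-register the source. Run from an elevated prompt.
param(
    [string]$Log         = "Application",                                  # assumed
    [string]$Source      = "MyServiceSource",                              # assumed
    [string]$MessageFile = "C:\Program Files\MyService\messages.dll",      # assumed .mc-compiled resource
    [ValidateSet("OnDemand", "Forced")]
    [string]$Mode        = "OnDemand"
)

$eventLogRoot = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog"

# RegisterEventSource resolves a source name by searching under every log key, not
# only the one you intend, so first find out whether another log (or another process)
# already owns this name. That is the "someone registered it before us" case.
$owners = Get-ChildItem -Path $eventLogRoot |
    Where-Object { Test-Path -Path "$eventLogRoot\$($_.PSChildName)\$Source" } |
    ForEach-Object { $_.PSChildName }

if ($owners -and ($owners -notcontains $Log)) {
    throw "Source '$Source' is already registered under log(s): $($owners -join ', '); refusing to register it under '$Log'."
}

$keyPath = "$eventLogRoot\$Log\$Source"
$exists  = Test-Path -Path $keyPath

if ($exists -and $Mode -eq "OnDemand") {
    Write-Host "Source '$Source' already registered under '$Log'; leaving its entries untouched (on-demand mode)."
}
else {
    if (-not $exists) { New-Item -Path $keyPath -Force | Out-Null }
    # Forced mode (or a fresh registration) writes the values the Event Viewer uses to
    # locate the compiled message resource.
    Set-ItemProperty -Path $keyPath -Name "EventMessageFile" -Value $MessageFile -Type ExpandString
    Set-ItemProperty -Path $keyPath -Name "TypesSupported"   -Value 7            -Type DWord   # error | warning | information
}

# Lock the key down: break inheritance, drop every existing rule, then grant full
# control only to SYSTEM and Administrators. The Windows Event Log service runs as
# LOCAL SERVICE and the Event Viewer runs as the interactive user, so both need read.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($existingRule in $acl.Access) { $acl.RemoveAccessRule($existingRule) | Out-Null }

$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$read    = [System.Security.AccessControl.RegistryRights]::ReadKey
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    New-Object System.Security.AccessControl.RegistryAccessRule("NT AUTHORITY\SYSTEM",        $full, $inherit, $prop, $allow),
    New-Object System.Security.AccessControl.RegistryAccessRule("BUILTIN\Administrators",     $full, $inherit, $prop, $allow),
    New-Object System.Security.AccessControl.RegistryAccessRule("NT AUTHORITY\LOCAL SERVICE", $read, $inherit, $prop, $allow),
    New-Object System.Security.AccessControl.RegistryAccessRule("BUILTIN\Users",              $read, $inherit, $prop, $allow)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $keyPath -AclObject $acl

# Final check that mirrors what RegisterEventSource will do: resolve the source to a
# log name. An empty or different result means the lookup failed or landed elsewhere,
# and RegisterEventSource would silently write to the Application log instead.
$resolved = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, ".")
if ($resolved -ne $Log) {
    throw "Source '$Source' resolves to '$resolved' rather than '$Log'; registration is not usable."
}
Write-Host "Source '$Source' registered under '$Log' and locked down."
```

The throw on a pre-existing owner is the on-demand/forced distinction applied one level earlier: even forced mode should not blindly overwrite a key that belongs to a different log, because that is exactly the footprint a process pre-registering your source name would leave. For a remote machine, the same registry keys live under the target host; `New-EventLog` and `Write-EventLog` accept `-ComputerName`, and the native call takes the `\\server` UNC name as the first argument to RegisterEventSource, as noted in the thread.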