.NET : How to set user information in an EventLog Entry?

Question

The System.Diagnostics.EventLog class provides a way to interact with a windows event log. I use it all the time for simple logging...

System.Diagnostics.EventLog.WriteEntry("MyEventSource", "My Special Message")

Is there a way to set the user information in the resulting event log entry using .NET?

Answer 1

Toughie ...

I looked for a way to fill the user field with a .NET method. Unfortunately there is none, and you must import the plain old Win32 API [ReportEvent function](http://msdn.microsoft.com/en-us/library/aa363679(VS.85).aspx) with a DLLImportAttribute

You must also redeclare the function with the right types, as Platform Invoke Data Types says

So

BOOL ReportEvent(
__in  HANDLE hEventLog,
__in  WORD wType,
__in  WORD wCategory,
__in  DWORD dwEventID,
__in  PSID lpUserSid,
__in  WORD wNumStrings,
__in  DWORD dwDataSize,
__in  LPCTSTR *lpStrings,
__in  LPVOID lpRawData
);

becomes

[DllImport("Advapi32.dll", EntryPoint="ReportEventW",  SetLastError=true,
CharSet=CharSet.Unicode)]
bool WriteEvent(
  IntPtr hEventLog, //Where to find it ?
  ushort  wType,
  ushort  wCategory,
  ulong dwEventID,
  IntPtr lpUserSid, // We'll leave this struct alone, so just feed it a pointer
  ushort wNumStrings,
  ushort dwDataSize,
  string[] lpStrings,
  IntPtr lpRawData
);

You also want to look at [OpenEventLog](http://msdn.microsoft.com/en-us/library/aa363672(VS.85).aspx) and [ConvertStringSidToSid](http://msdn.microsoft.com/en-us/library/aa376402(VS.85).aspx)

Oh, and you're writing unmanaged code now... Watch out for memory leaks.Good luck :p

Answer 2

You need to add it yourself into the event message.

Use the System.Security.Principal namespace to get the current identity of the thread logging the event.

Answer 3

Usually, the user executing the code that calls the EventLog.WriteEntry method will be the user displayed in the event log for the entry.

You could try impersonating another user by creating your own Principal and Identity and associating it with the current thread, however this is not advised as it could introduce security issues and will definitely complicate your application.