Windows Event Log WTF


  • SockDev

    So I have two projects for work with very similar names, because they do the same thing just using data from two different data sources and on two different schedules.

    Now i've abstracted most of the actual processing code into a shared library so really all these two projects do is connect to the source system, gather data, transform it into common format and hand it to the shared processor code to work on.

    I even set it up to write to windows event log when bad things happened so we could track back and find errors without causing the whole pipeline to collapse (the errored record is ignored and not marked as processed in the source system)

    a change request recently came through to separate the event logs for source systems so debugging can be done easier blah blah blah... easy enough. just hand the processor a logger object and write logs to that and the consumer can have the logger do whatever it wants. awesome.

    using System.Diagnostics;
    namespace AccaliasAwesomeNamespace
    {
        public class AccaliaProcessSource1 : OtherAwesomeClass
        {
            private EventLog logger = new EventLog("AccaliaProcessSource1");
        }
    }
    
    using System.Diagnostics;
    namespace AccaliasOtherAwesomeNamespace
    {
        public class AccaliaProcessSource2 : OtherAwesomeClass
        {
            private EventLog logger = new EventLog("AccaliaProcessSource2");
        }
    }
    

    .... anyone spot what's wrong?

    [spoiler]
    Log names are limited to eight characters. According to the system, AccaliaProcessSource1 and AccaliaProcessSource2 are the same log.

    [/spoiler]



  • Ignoring the obvious solution, you can differentiate them using the Source property.


  • SockDev

    @loopback0 said:

    Ignoring the obvious solution, you can differentiate them using the Source property.

    which is how i solved the issue, they log to the same log, but have different sources. good enough to close the ticket.

    but still Windows Why TF do you let me set such a long name but only listen to the first 8 characters? it's 2015 FFS, and you've long since moved past the windows 3.1 (or whatever OS introduced event logs) days.
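
Added example, not code from any poster in the thread: a sketch of the fix described above, with one shared log and one event source per source system, plus a pre-flight check for log names that collide on their first 8 characters. The log name `Accalia`, the event ID, the sample message and the helper names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;

public static class EventLogSetup
{
    // Assumed names: the thread does not give the final log or source names.
    const string SharedLog = "Accalia";
    static readonly string[] Sources = { "AccaliaProcessSource1", "AccaliaProcessSource2" };

    // Groups candidate log names that share their first 8 characters,
    // i.e. names the system would treat as the same log.
    public static IEnumerable<string[]> FindPrefixCollisions(IEnumerable<string> names) =>
        names.Distinct(StringComparer.OrdinalIgnoreCase)
             .GroupBy(n => n.Length > 8 ? n.Substring(0, 8) : n, StringComparer.OrdinalIgnoreCase)
             .Where(g => g.Count() > 1)
             .Select(g => g.ToArray());

    // Run once, elevated (for example from the installer): creating a source needs admin rights.
    public static void RegisterSources()
    {
        foreach (var source in Sources)
        {
            if (!EventLog.SourceExists(source))
                EventLog.CreateEventSource(source, SharedLog);
            else if (!SharedLog.Equals(EventLog.LogNameFromSourceName(source, "."), StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException(source + " is already bound to another log");
        }
    }

    // Runtime: open the shared log under a per-system source so entries stay filterable.
    public static EventLog OpenLogger(string source) => new EventLog(SharedLog, ".", source);

    public static void Main()
    {
        // Using the long names as log names reproduces the collision from the first post.
        foreach (var group in FindPrefixCollisions(Sources))
            Console.WriteLine("Same log after truncation: " + string.Join(", ", group));

        RegisterSources();
        using (var log = OpenLogger(Sources[0]))
            log.WriteEntry("Record skipped: transform failed (constructed sample message)",
                           EventLogEntryType.Warning, 1001);
    }
}
```

Filtering the shared log by Source then separates the two systems' entries without needing two custom logs.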



  • Like most things like that, it's probably some kind of backwards compatibility.


  • SockDev

    @loopback0 said:

    it's probably some kind of backwards compatibility.

    ... you know at some point you have to cut backwards compatibility off.

    A phased solution would be best i think. there's probably a path forward there.

    of course it's probably never going to get fixed unless a rogue feature slips in because every change request starts at -100 points



  • @accalia said:

    ... you know at some point you have to cut backwards compatibility off.

    True but Windows can't really win here. They can make that decision, and everyone using something from far too many years ago goes "OMG YOU BROKE MY SHIT, IT'LL TAKE ME WEEKS TO FIX THIS, WINDOZE IS THE WORST THING EVER", or it can do something that keeps those things happy and have something that people writing code in 2014 can work around in like 3 seconds.
    It's a commercial product - keeping the maximum amount of people happy is the best solution.


  • SockDev

    @loopback0 said:

    or it can do something that keeps those things happy and have something that people writing code in 2014 can workaround in like 3 seconds.

    hence the change requests starting at -100 points...

    it's still completely against the principle of least surprise. like i wouldn't have an issue if it rejected log names longer than 8 characters (possibly giving you the option to associate a "pretty" name with the log for the UI) but allowing 255 characters for the log name and then only using the first 8 characters of it is not intuitive.


  • mod

    @loopback0 said:

    Like most things like that, it's probably some kind of backwards compatibility.

    That doesn't even make sense. Allowing a newer OS version to accept a longer string wouldn't break compatibility with older software. Older software would pass in the shorter strings, and still work. Newer software would pass in the longer strings and work. So newer software says "Requires Windows ##", which is nothing new.

    Where's the break to backwards compatibility?



  • It's possible the truncation is unintended, but they never fixed their behavior because so few people use the Event Log that the names never collided (or didn't collide enough to make them fix it).

    @abarker said:

    Older software would pass in the shorter strings, and still work.

    Unless it was passing a longer string and is expecting another long string with different ending (say, in file logger_creator.c someone made const char* logger_name = "LOGGINGFACILTY", but everyone else is using "LOGGINGFACILITY").


  • mod

    @Gaska said:

    Unless it was passing a longer string and is expecting another long string with different ending (say, in file logger_creator.c someone made const char* logger_name = "LOGGINGFACILTY", but everyone else is using "LOGGINGFACILITY").

    In which case, the software was coded wrong and needs to be fixed anyway. But then, I'm somewhat practical like that.



  • Microsoft has a long track record of supporting terrible programmers. See: system32, Program Files, default-off DEP etc.



  • Get ready for a few other problems. Creating a new event log or a new event source requires some stupid high set of permissions usually only held by the Administrators group. If you don't hold the permission, the first attempt to log an event will fail because it will try to create the log or source on the fly.

    Because of this, I rarely log to the event log any more. Besides, it's better practice to access the log indirectly (I typically use the TraceSource class), so you can change the event logging details and/or implementation without changing your code.




  • SockDev

    @TwelveBaud said:

    It's more work, but it might give the Ops side a better experience.

    too late to retrofit into this project. but i'll remember for the next one.



  • @abarker said:

    But then, I'm somewhat practical like that.

    Maybe but still. The front page proves the world is full of bad coders and Microsoft do seem to take the overly safe approach to that stuff. It was a guess.



  • Reminds me of logging at my current company. We have about a dozen apps for the same department, and I have no idea why they weren't in the same app. Someone read too much about page as an app.

    So we have logging based on app name, with two different app names for these dozen or so apps. We have Flubbering, and FlubberInfo, so you have to find out which name the app uses, then wade through a ton of logging from other apps to find the info that you're looking for.



  • @accalia said:

    http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlog.log(v=vs.110).aspx

    So how is it Microsoft's own logs can have names longer than 8 characters?

    Application
    12345678901
    

    Oh, EventLog.LogDisplayName, never mind.



  • Linux/BSD aren't much better. You only get 32 characters, by spec:



  • @ben_lubar said:

    Linux/BSD aren't much better. You only get 32 characters, by spec:

    I don't know, 4x better ranks as much better in my opinion ;).



  • @accalia said:

    I even set it up to write to windows event log when bad things happened so we could track back and find errors without causing the whole pipeline to collapse

    Why not take a leaf out of Windows Update's book, ignore the Windows event log completely, and just keep appending text containing uselessly arcane detail to a logfile somewhere obscure that grows without bounds? It's the Microsoft way, after all!


  • SockDev

    umm.... because i'm not getting yelled at when the log file fills the whole drive and takes down one of our production servers. it's fine if microsoft wants to do that but i'm not letting that happen with one of my apps. i'll let the sysadmins be the cause of production outages.



  • I spent two hours ten years ago writing a TraceListener that writes to a file, time stamps every line, renames files every day, and purges old files. I never worry about any of these problems any more.

    The event log was a good idea, but the implementation leaves a lot to be desired. I'll never log to it with anything that requires elevated permissions (custom event source or log) or something that requires a filter to be registered (ETW or the EventSource referenced by @TwelveBaud above).


  • SockDev

    i solve the elevated permissions by using an MSI installer for the service that sets up the elevated permission stuff.

    of course i would have preferred to have the rotating file logs (my objection to @flabdablet's suggestion was the growing without bounds) but that was not the business requirement i was handed.

    and since i'm getting paid for this, and the event log will work, i didn't argue.



  • @accalia said:

    i'm not getting yelled at when the log file fills the whole drive and takes down one of our production servers.

    Bah. If you need more disk storage, buy more disk storage.

    Make that log file XML while you're at it, so that instead of going to all the bother of rolling your own code for appending stuff to it you can just do a simple document-tree-parse/update/rewrite sequence using any standard XML parsing library.



  • Why would this break old shit? Allowing more characters in the event log should (allegedly) not impact old development. The worst case scenario would be that there are now two logs to monitor, and you could fix that by adding an option 'Combine short name logs' which uses the same behavior as today to combine on 8 letter items. (You could make that the default option too, if you are REALLY concerned.)

    But this is one of those super low priority items, there are way bigger fish to fry.



  • @flabdablet said:

    Make that log file XML while you're at it

    Yeah that would be progress ... that way you can fill those disks even faster while you repeat the same elements over and over.



  • Exactly!

    In these tough economic times it's every citizen's duty to promote maximum consumption.


  • area_deu

    You mean we should use JSON for logs instead?



  • @aliceif said:

    You mean we should use JSON for logs instead?

    Don't know if that would be better ... It would at least be less overhead than xml.

    What happened to plain old text log files?


  • Discourse touched me in a no-no place

    @aliceif said:

    You mean we should use JSON for logs instead?

    Via systemd for added corruption!


  • Fake News

    Except that it should use BSON then - because computers are better at binary, of course.


  • Discourse touched me in a no-no place

    @flabdablet said:

    Make that log file XML while you're at it, so that instead of going to all the bother of rolling your own code for appending stuff to it you can just do a simple document-tree-parse/update/rewrite sequence using any standard XML parsing library.

    Gr8 b8 m8



  • @flabdablet said:

    In these tough economic times it's every citizen's duty to promote maximum consumption.



  • You have made light of the fundamental principles of our society and are now required to file a self-criticism with HR. Kindly use the correct cover sheet.

    1. What would you say is your greatest weakness?

    2. How can you best improve your performance as a team player?

    3. When did you stop stealing from the staff cookie jar?



  • @flabdablet said:

    What would you say is your greatest weakness?

    Magic damage.

    @flabdablet said:

    How can you best improve your performance as a team player?

    I will score more points than the opposing team in the allotted time.

    @flabdablet said:

    When did you stop stealing from the staff cookie jar?

    Who me? Yes, you! Couldn't be! Then who?


  • Discourse touched me in a no-no place

    @flabdablet said:

    What would you say is your greatest weakness?

    An ability to feel pain.
    @flabdablet said:
    How can you best improve your performance as a team player?

    Firing some of the other people on the team, or at least transferring them to HR.
    @flabdablet said:
    When did you stop stealing from the staff cookie jar?

    There's a staff cookie jar? Should I stop bringing cookies in then?



  • @flabdablet said:

    When did you stop stealing from the staff cookie jar?

    When I started licking the cookies and putting them back.


  • mod

    @flabdablet said:

    What would you say is your greatest weakness?

    Light.

    @flabdablet said:

    How can you best improve your performance as a team player?

    Fire my coworker. But he's already slated for that next week. Then I will be the team. :stuck_out_tongue:

    @flabdablet said:

    When did you stop stealing from the staff cookie jar?

    Who says I did? :smiling_imp:




  • Discourse touched me in a no-no place

    @boomzilla said:

    http://what.thedailywtf.com/uploads/default/10685/cac3a0e8ed9d147f.png

    Someone should send that fucker off to the Soviet Union.


  • Discourse touched me in a no-no place

    @FrostCat said:

    Someone should send that fucker off to the Soviet Union.

    Sure thing. We just need someone to figure out how to make the time machine work first.



  • @flabdablet said:

    What would you say is your greatest weakness?

    Eczema
    @flabdablet said:
    How can you best improve your performance as a team player?

    Join a team.
    @flabdablet said:
    When did you stop stealing from the staff cookie jar?

    Lies. I never stopped.


  • Discourse touched me in a no-no place

    I'm sure there are a few similar places. Maybe he'd enjoy Cuba.



  • @flabdablet said:

    What would you say is your greatest weakness?

    My little toe. I can't lift anything with it.

    @flabdablet said:

    How can you best improve your performance as a team player?

    Stop eating so many beans.

    @flabdablet said:

    When did you stop stealing from the staff cookie jar?

    When did we get a cookie jar?



  • Please resubmit after completing cover sheet. Your initial non-compliance with the mandatory optional employee initiative guidelines has been noted.

