From my experience and a little research, the Index property shows the index of the event that was written, beginning from the creation of the event log.
But there are several things that you missed.
First, you have to remember that event logs have a limited size. For example, imagine the "Security" log can hold only 1000 entries (the actual size in MB is shown in the event log properties, if you look in eventvwr.msc). So when the event log is full, there are 3 ways:
- Write new events over old ones. In this case, remembering the last read event index is not good, because the event pointed to by that index could simply be overwritten.
- Make an archive. In this case, the remembered index can now point to an event that is in the archive, not in the current .evtx file of the event log.
- Do not write new events; manually clear the event log. I don't think this is interesting, because you want an automated tool.
So, one could set the event log to be archived and remember the last index of the event. Then, when reading the event log again, first get the oldest record of the current event log file:
using System.Diagnostics;

EventLog log = new EventLog("Security");
// Entries is zero-based and ordered oldest first, so entry 0 is the oldest
// record still in the current .evtx file; its Index is that record's number.
int oldestIndex = log.Entries[0].Index;
Then compare oldestIndex with your lastReadIndex, and if lastReadIndex < oldestIndex, you first have to read the archives, and only then read the current event log file.
All archives are stored by default in the same directory where the current event log file (.evtx) exists. Archives can be easily read by using the EventLogReader class. Try looking at EventRecord and its RecordId property; I think it's the same as the Index property of the EventLogEntry class (can't check at the moment).
Another approach is to remember the time when the event was written, and use it as the starting point for searching for new events, in case Index and RecordId wouldn't help.
Good luck!
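The procedure the answer describes (keep a checkpoint, compare it with the oldest live record number, read the archives first when the live log has rolled past it), written out as an added C# example that is not part of the original answer. It assumes the Security log is readable (normally administrator rights), that auto-archived files follow the Windows naming "Archive-Security-<timestamp>.evtx" in the default log directory, and that record numbers keep counting across an archive boundary; SecurityLogTail, ReadSince and Query are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.IO;

// Hypothetical helper, not from the original answer: yields every Security record
// newer than a checkpoint, reading archives first if the live log has rolled past it.
static class SecurityLogTail
{
    const string LogName = "Security";
    public static IEnumerable<EventRecord> ReadSince(long lastReadRecordId, string archiveDir)
    {
        var info = EventLogSession.GlobalSession.GetLogInformation(LogName, PathType.LogName);
        long oldestLive = info.OldestRecordNumber ?? 0;  // null when the log is empty
        // Checkpoint predates the oldest live record: what lies between is either
        // archived (read below) or overwritten (unrecoverable; the IDs just jump).
        if (lastReadRecordId < oldestLive)
        {
            // Assumed naming: Windows auto-archives to "Archive-Security-<timestamp>.evtx"
            // beside Security.evtx; sorting by name puts the files in time order.
            string[] archives = Directory.GetFiles(archiveDir, "Archive-" + LogName + "-*.evtx");
            Array.Sort(archives, StringComparer.Ordinal);
            foreach (string path in archives)
                foreach (EventRecord r in Query(path, PathType.FilePath, lastReadRecordId))
                    yield return r;
        }
        foreach (EventRecord r in Query(LogName, PathType.LogName, lastReadRecordId))
            yield return r;
    }
    // Assumes record numbers keep counting across an auto-archive boundary, so one
    // EventRecordID filter selects the "new" records in archives and live log alike.
    static IEnumerable<EventRecord> Query(string path, PathType type, long afterRecordId)
    {
        string xpath = "*[System[EventRecordID > " + afterRecordId + "]]";
        using (var reader = new EventLogReader(new EventLogQuery(path, type, xpath)))
            for (EventRecord r = reader.ReadEvent(); r != null; r = reader.ReadEvent())
                yield return r;
    }
    static void Main()
    {
        long checkpoint = 0;  // a real tool would load this from persistent storage
        string dir = Environment.ExpandEnvironmentVariables(@"%SystemRoot%\System32\winevt\Logs");
        foreach (EventRecord r in ReadSince(checkpoint, dir))
        {
            Console.WriteLine(r.RecordId + " " + r.TimeCreated + " EventID=" + r.Id);
            checkpoint = Math.Max(checkpoint, r.RecordId ?? checkpoint);  // advance
        }
    }
}
```

If the log is set to overwrite rather than archive, a checkpoint below OldestRecordNumber means events were lost, and the gap in record IDs is the only trace of that; the time-based fallback in the answer does not recover them either.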