Windows Event Log Integration
AppProfileSafe can write audit events to the Windows Application Event Log, making them visible in Event Viewer alongside other system events. This integration is useful for environments that centralize monitoring via Windows Event Forwarding (WEF) or agents that read the local Event Log.
Configuration
The Windows Event Log sink is declared inline in eventpipeline.xml (it has no separate configuration file):
<Sink id="eventlog" critical="false" enabled="true"
sourceName="AppProfileSafe" logName="Application" />
| Attribute | Description | Default |
|---|---|---|
| enabled | Enable/disable the Event Log sink | true |
| critical | Whether Event Log failures affect overall delivery state | false |
| sourceName | Event Log source name | AppProfileSafe |
| logName | Target Event Log | Application |
Event Source Registration
The event source AppProfileSafe must be registered in the Windows Event Log before events can be written. Registration happens automatically on the first run, but requires administrator privileges. If the application runs without admin rights and the source does not exist, Event Log writing is silently disabled and a warning is logged.
To pre-register the source manually (e.g. during deployment), run the following in an elevated PowerShell session:
New-EventLog -LogName Application -Source "AppProfileSafe"
Event IDs
Each audit action is mapped to a numeric Event ID for filtering in Event Viewer:
| Range | Category | Event IDs |
|---|---|---|
| 1000–1003 | Export | 1000 Started, 1001 Completed, 1002 Failed, 1003 CompletedWithErrors |
| 2000–2003 | Import | 2000 Started, 2001 Completed, 2002 Failed, 2003 CompletedWithErrors |
| 3000–3001 | Configuration | 3000 MappingChanged, 3001 SettingsChanged |
| 4000 | Validation | 4000 AppSchemaValidationFailed |
| 5000–5001 | Security | 5000 UnauthorizedAccess, 5001 IntegrityCheckFailed |
| 6000–6001 | Privacy | 6000 PersonalDataExported, 6001 PersonalDataImported |
| 7000–7001 | Log Management | 7000 LogRotation, 7001 LogArchived |
Use these IDs to create custom Event Viewer filters, e.g. Event ID = 1002 OR Event ID = 2002 to monitor all failed operations.
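The registration step and the Event ID filter described above can be combined into one deployment and triage script. This is an added example, not part of AppProfileSafe; it assumes the default `sourceName` and `logName` from the sink declaration, and the choice of monitored IDs and the 24-hour window are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not AppProfileSafe tooling). Assumes the sink defaults:
# sourceName="AppProfileSafe", logName="Application".
$Source  = 'AppProfileSafe'
$LogName = 'Application'

# 1. Idempotent registration, so the script can be re-run on every deployment.
#    New-EventLog ships with Windows PowerShell 5.1.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# A source is bound to exactly one log. Warn if an earlier registration
# pointed it somewhere other than the log the sink is configured to use.
$boundLog = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
if ($boundLog -ne $LogName) {
    Write-Warning "Source '$Source' is bound to log '$boundLog', expected '$LogName'."
}

# 2. Event IDs worth alerting on, taken from the Event ID table:
#    failed operations, validation failures and the Security range.
$IdNames = @{
    1002 = 'Export Failed'
    2002 = 'Import Failed'
    4000 = 'AppSchemaValidationFailed'
    5000 = 'UnauthorizedAccess'
    5001 = 'IntegrityCheckFailed'
}

$filter = @{
    LogName      = $LogName
    ProviderName = $Source
    Id           = [int[]]@($IdNames.Keys)
    StartTime    = (Get-Date).AddHours(-24)   # illustrative look-back window
}

# Get-WinEvent raises an error when nothing matches; an empty result is
# the healthy case here, so that error is suppressed.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Action'; Expression = { $IdNames[[int]$_.Id] } },
        LevelDisplayName, MachineName
```

Because registration is silently skipped when the application lacks admin rights, an empty result from this query does not by itself prove that no failures occurred; confirm the source exists first.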
Severity Mapping
Event severity is mapped to Windows Event Log entry types:
| EventSeverity | Windows Entry Type |
|---|---|
| Info | Information |
| Warning | Warning |
| Error | Error |
| Critical | Error (Windows has no Critical level) |
Message Format
Each Event Log entry contains a structured text message with the following fields: Action, Severity, Result (Success/Failure), User, Machine, Target, UTC Timestamp, Duration, and OperationId (if set). File count, data size, and registry value count are included when available. Error messages are appended for failed operations.