Removing an Event Source from a Collector Initiated Subscription
You can remove an event source from a collector initiated subscription without deleting the entire subscription. You must know the address of the event source that you want to delete. You can find the address of an event source that is associated to a subscription by using the C++ example shown in Displaying the Properties of an Event Collector Subscription, or you can type the following command at the command prompt:
wecutil gs SubscriptionName
To list the current subscriptions on a local computer, you can use the C++ code example shown in Listing Event Collector Subscriptions, or you can type the following command at the command prompt:
wecutil es
Note
You can use this example to remove an event source from a collector initiated subscription or you can type the following command at the command prompt:
wecutil ss SubscriptionName **/esa:**EventSourceAddress /res
EventSourceAddress can be either localhost for the local computer or a fully qualified domain name for a remote computer.
This example follows a series of steps to remove an event source from a collector-initiated subscription.
To remove an event source from a collector-initiated subscription
- Open the existing subscription by providing the subscription name and access rights as parameters to the EcOpenSubscription function. For more information about access rights, see Windows Event Collector Constants.
- Get the event sources array of the subscription by calling the EcGetSubscriptionProperty function. For more information about subscription properties that can be retrieved, see the EC_SUBSCRIPTION_PROPERTY_ID enumeration.
- Search for the specified event source in the event sources array of the subscription by calling the EcGetObjectArrayProperty function. The value of the EcSubscriptionEventSourceAddress property will be either Localhost for the local computer or will be a fully qualified domain name for a remote computer. For more information about event source properties that can be retrieved, see the EC_SUBSCRIPTION_PROPERTY_ID enumeration.
- Delete the event source from the subscription by calling the EcRemoveObjectArrayElement function.
- Save the subscription by calling the EcSaveSubscription function.
- Close the subscription by calling the EcClose function.
The following C++ code example shows how to remove an event source from an Event Collector subscription.
#include <windows.h>
#include <EvColl.h>
#include <vector>
#include <string>
#include <strsafe.h>
#pragma comment(lib, "wecapi.lib")
// Subscription Information
DWORD GetSubscriptionProperty(EC_HANDLE hSubscription,
EC_SUBSCRIPTION_PROPERTY_ID propID,
DWORD flags,
std::vector<BYTE>& buffer,
PEC_VARIANT& vProperty);
DWORD GetEventSourceProperty(EC_OBJECT_ARRAY_PROPERTY_HANDLE hArray,
EC_SUBSCRIPTION_PROPERTY_ID propID,
DWORD arrayIndex,
DWORD flags,
std::vector<BYTE>& buffer,
PEC_VARIANT& vProper);
void __cdecl wmain()
{
EC_HANDLE hSubscription;
std::wstring eventSource = L"localhost";
BOOL foundEventSource = false;
LPCWSTR lpSubname = L"TestSubscription-CollectorInitiated";
DWORD dwEventSourceCount;
DWORD deleteEvent = 0;
DWORD dwRetVal = ERROR_SUCCESS;
PEC_VARIANT vProperty = NULL;
std::vector<BYTE> buffer;
LPVOID lpwszBuffer;
EC_OBJECT_ARRAY_PROPERTY_HANDLE hArray = NULL;
// Step 1: Open an existing subscription.
hSubscription = EcOpenSubscription(lpSubname,
EC_READ_ACCESS | EC_WRITE_ACCESS,
EC_OPEN_EXISTING);
if (!hSubscription)
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Step 2: Get the event sources array to remove an event
// source from the subscription.
dwRetVal = GetSubscriptionProperty(hSubscription,
EcSubscriptionEventSources,
0,
buffer,
vProperty);
if (ERROR_SUCCESS != dwRetVal)
{
goto Cleanup;
}
// Ensure that a handle to the event sources array has been obtained.
if (vProperty->Type != EcVarTypeNull &&
vProperty->Type != EcVarObjectArrayPropertyHandle)
{
dwRetVal = ERROR_INVALID_DATA;
goto Cleanup;
}
hArray = (vProperty->Type == EcVarTypeNull)? NULL:
vProperty->PropertyHandleVal;
if (!hArray)
{
dwRetVal = ERROR_INVALID_DATA;
goto Cleanup;
}
if (!EcGetObjectArraySize(hArray, &dwEventSourceCount))
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Step 3: Search for the specified event source in the event source array.
for (DWORD I = 0; I < dwEventSourceCount; I++)
{
dwRetVal = GetEventSourceProperty(hArray,
EcSubscriptionEventSourceAddress,
I,
0,
buffer,
vProperty);
if (ERROR_SUCCESS != dwRetVal)
{
goto Cleanup;
}
if (vProperty->StringVal == eventSource)
{
foundEventSource = true;
deleteEvent = I;
break;
}
}
// Step 4: If the event source was found in the array, remove it.
if (foundEventSource)
{
if (!EcRemoveObjectArrayElement(hArray, deleteEvent))
{
dwRetVal = GetLastError();
goto Cleanup;
}
}
else
{
wprintf(L"Could not remove the event source from the subscription.\n");
goto Cleanup;
}
// Step 5: Save the subscription to finalize the removal of the event source.
if( !EcSaveSubscription(hSubscription, NULL) )
{
dwRetVal = GetLastError();
goto Cleanup;
}
// Step 6: Close the subscription.
Cleanup:
if (hArray)
EcClose(hArray);
if (hSubscription)
EcClose(hSubscription);
if (dwRetVal != ERROR_SUCCESS)
{
FormatMessageW( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
dwRetVal,
0,
(LPWSTR) &lpwszBuffer,
0,
NULL);
if (!lpwszBuffer)
{
wprintf(L"Failed to FormatMessage. Operation Error Code: %u." \
L"Error Code from FormatMessage: %u\n", dwRetVal, GetLastError());
return;
}
wprintf(L"\nFailed to Perform Operation.\nError Code: %u\n" \
L"Error Message: %s\n", dwRetVal, lpwszBuffer);
LocalFree(lpwszBuffer);
}
}
DWORD GetSubscriptionProperty(EC_HANDLE hSubscription,
EC_SUBSCRIPTION_PROPERTY_ID propID,
DWORD flags,
std::vector<BYTE>& buffer,
PEC_VARIANT& vProperty)
{
DWORD dwBufferSize, dwRetVal = ERROR_SUCCESS;
buffer.resize(sizeof(EC_VARIANT));
if (!hSubscription)
return ERROR_INVALID_PARAMETER;
// Get the value for the specified property.
if (!EcGetSubscriptionProperty(hSubscription,
propID,
flags,
(DWORD) buffer.size(),
(PEC_VARIANT)&buffer[0],
&dwBufferSize))
{
dwRetVal = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER == dwRetVal)
{
dwRetVal = ERROR_SUCCESS;
buffer.resize(dwBufferSize);
if (!EcGetSubscriptionProperty(hSubscription,
propID,
flags,
(DWORD) buffer.size(),
(PEC_VARIANT)&buffer[0],
&dwBufferSize))
{
dwRetVal = GetLastError();
}
}
}
if (dwRetVal == ERROR_SUCCESS)
{
vProperty = (PEC_VARIANT) &buffer[0];
}
else
{
vProperty = NULL;
}
return dwRetVal;
}
DWORD GetEventSourceProperty(EC_OBJECT_ARRAY_PROPERTY_HANDLE hArray,
EC_SUBSCRIPTION_PROPERTY_ID propID,
DWORD arrayIndex,
DWORD flags,
std::vector<BYTE>& buffer,
PEC_VARIANT& vProperty)
{
UNREFERENCED_PARAMETER(flags);
UNREFERENCED_PARAMETER(propID);
DWORD dwBufferSize, dwRetVal = ERROR_SUCCESS;
buffer.resize(sizeof(EC_VARIANT));
if (!hArray)
return ERROR_INVALID_PARAMETER;
// Obtain the value for the specified property.
if (!EcGetObjectArrayProperty(hArray,
EcSubscriptionEventSourceAddress,
arrayIndex,
0,
(DWORD) buffer.size(),
(PEC_VARIANT)&buffer[0],
&dwBufferSize))
{
dwRetVal = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER == dwRetVal)
{
dwRetVal = ERROR_SUCCESS;
buffer.resize(dwBufferSize);
if (!EcGetObjectArrayProperty(hArray,
EcSubscriptionEventSourceAddress,
arrayIndex,
0,
(DWORD) buffer.size(),
(PEC_VARIANT)&buffer[0],
&dwBufferSize))
{
dwRetVal = GetLastError();
}
}
}
if (dwRetVal == ERROR_SUCCESS)
{
vProperty = (PEC_VARIANT) &buffer[0];
}
else
{
vProperty = NULL;
}
return dwRetVal;
}
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for