Otto's recent post on event log triggers explains how to start a program, send an email, or show a message on the occurrence of an event in the Event Log. This is a great step forward; however, some might feel that it is not enough to deploy a large-scale logging and notification environment with a focus on autonomy.
The alternative is to develop a piece of code that subscribes to the __InstanceCreationEvent of the Forwarded Events log. The obstacle to using the existing System.Diagnostics.EventLog class is that it does not interface with the channel-based structure of the new Event Log in Vista/2008. (The Forwarded Events log is not visible to EventLog.GetEventLogs() because it is a channel, not a classic log.)
The following steps rectify this shortcoming:
1. Create an overlapping ForwardedEvents classic log:
EventLog.CreateEventSource("ForwardedEvents", "ForwardedEvents")
2. Export (as a backup) and then remove the ForwardedEvents channel key from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ForwardedEvents
3. Recreate the source-initiated subscription on the collector server.
4. Restart the Windows Event Collector service on the server.
5. Restart the WinRM service on the client.
If everything worked, you should see incoming events in the ForwardedEvents log. Notice that the log name no longer contains a space: the classic log was deliberately named to match the full name of the removed channel, so that the collector's subscription keeps writing to it.
The ForwardedEvents log is now part of the EventLog.GetEventLogs() array, and you can deploy a ManagementEventWatcher to intercept, parse and take action on incoming events.
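As an added example (my own code, not from Otto's post or this article), here is a minimal C# watcher for the classic ForwardedEvents log created by the steps above. It assumes the log is exposed through the WMI Win32_NTLogEvent class (which it is once it is a classic log rather than a channel) and that the forwarded records keep their original source names; the 1102 check is only an illustrative action.

```csharp
using System;
using System.Management;

// Watches the classic ForwardedEvents log via WMI and reacts to new records.
// Assumes the log is visible to Win32_NTLogEvent and the process may read it.
class ForwardedEventsWatcher
{
    static void Main()
    {
        // Intrinsic event: a new Win32_NTLogEvent instance in the ForwardedEvents log.
        // WITHIN 1 sets a one-second polling interval for this intrinsic event.
        var query = new WqlEventQuery(
            "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
            "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
            "AND TargetInstance.Logfile = 'ForwardedEvents'");

        var scope = new ManagementScope(@"\\.\root\cimv2");
        using (var watcher = new ManagementEventWatcher(scope, query))
        {
            watcher.EventArrived += OnEventArrived;
            watcher.Start();
            Console.WriteLine("Watching ForwardedEvents; press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    static void OnEventArrived(object sender, EventArrivedEventArgs e)
    {
        // TargetInstance is the Win32_NTLogEvent record that was just written.
        var evt = (ManagementBaseObject)e.NewEvent["TargetInstance"];
        var when = ManagementDateTimeConverter.ToDateTime((string)evt["TimeGenerated"]);
        var computer = (string)evt["ComputerName"];   // forwarding client that raised it
        var source = (string)evt["SourceName"];
        var eventId = Convert.ToInt32(evt["EventCode"]); // uint16 in WMI
        var message = (string)evt["Message"] ?? string.Empty;

        Console.WriteLine($"{when:u} {computer} {source} {eventId}: {message.Split('\n')[0]}");

        // Illustrative action: flag a cleared audit log (Security event 1102) on a client.
        // Assumes the forwarded record retains its original provider name.
        if (source == "Microsoft-Windows-Eventlog" && eventId == 1102)
            Console.WriteLine($"ALERT: audit log cleared on {computer}");
    }
}
```

Build against System.Management.dll and run on the collector; the handler is where parsing and notification logic for your environment would go.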