Using log4net

The <log4net> section of the Responder configuration files allows you to set which levels of diagnostic messages appear in a message viewer (such as an event log or Microsoft DebugView).

The diagnostic message levels form the following hierarchy:

  • ALL

  • DEBUG

  • INFO 

  • WARN

  • ERROR

  • FATAL

  • OFF

The level you select, and every level below it in the list, appears in the message viewers. For example, if you select WARN, then warnings, errors, and fatal messages appear. If you select ERROR, then only errors and fatal messages appear.

Error logs, and the messages they contain, can be viewed via your computer's event log, or through other applications, such as Microsoft's DebugView (http://download.sysinternals.com/files/DebugView.zip).

TIP: When trying to view Responder server-side diagnostics messages using DebugView, you may not see any messages getting logged. The following may help when that occurs:
  • Enable Global Capture by selecting Capture Global Win32 from the Capture menu.

  • Attempt to run DebugView with administrator privileges by right-clicking DebugView and selecting Run as Administrator.

Configure Messages for a Message Viewer

Look for the following example in a configuration file. By default, these files are installed here: C:\Program Files (x86)\Miner and Miner\Responder\[Client or Server].

  <log4net>
    <appender name="OutputDebugStringAppender" type="log4net.Appender.OutputDebugStringAppender">
      <layout type="log4net.Layout.PatternLayout">
        <param name="ConversionPattern" value="[%t] %-5p %c - %m%n" />
      </layout>
    </appender>
    <appender name="EventLogAppender" type="Miner.EventLogAppender, Miner.System, Version=10.0.0.0, Culture=neutral,PublicKeyToken=196beceb052ed5dc">
      <param name="LogName" value="Miner" />
      <param name="ApplicationName" value="Responder Explorer" />
      <param name="Threshold" value="WARN" />
      <layout type="log4net.Layout.PatternLayout">
        <param name="ConversionPattern" value="%d [%t] %-5p %c [%x] - %m%n" />
      </layout>
    </appender>
...
    <root>
      <level value="WARN" />
      <appender-ref ref="EventLogAppender" />
      <appender-ref ref="OutputDebugStringAppender" />
    </root>
...
    <logger name="Miner.Responder.Shared.Channels.MSMQ">
      <level value="WARN" />
    </logger>
    <logger name="Miner.Responder.PubSub">
      <level value="WARN" />
    </logger>
  </log4net>

After determining which types of messages should be visible in the event log, set the following:

  • <appender name="OutputDebugStringAppender"> section: The default level is ALL. The Debug Viewer can filter the needed messages within the application.

  • <appender name="EventLogAppender"> section: The default is WARN.

    IMPORTANT: We do not recommend changing the EventLogAppender to a Threshold value more verbose than WARN (such as INFO, DEBUG, or ALL) because of the large number of messages that can fill the event log. However, viewing ALL messages for a short period of time can help determine which level of message and which namespaces should be configured.

  • <root> section: Set the level value to the required level (such as WARN). You can further filter out unnecessary message types by namespace in the <logger> section.

  • <logger> section: While a namespace inherits the level of messages from its parent (and ultimately, the root), you can further filter out message types by setting a namespace's level value to a specific level (such as FATAL). Below are common namespaces to configure:

    • Miner.Responder.Shared.Channels.MSMQ: Responder's MSMQ communication channel

    • Miner.Responder.PubSub: Responder Pub/Sub 

    • Miner.Data.Access: Responder's Database Access (includes all queries executed against the database)

    • Miner.Responder.Processors.Prediction: Prediction logging

    • Miner.Responder.Processors: Responder server-side processing (general)
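
The level inheritance and Threshold filtering described above, as an added Python example (not part of the Responder documentation or product): it resolves each namespace's effective level and flags settings more verbose than the recommended WARN. The sample configuration is constructed, the function names are hypothetical, and it assumes the input is the <log4net> element itself with every logger delivering to EventLogAppender through the root.

```python
import xml.etree.ElementTree as ET

# Levels in the order the page lists them, most verbose first.
LEVELS = ["ALL", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]
rank = LEVELS.index

# Constructed sample configuration (not a shipped Responder file).
SAMPLE = """<log4net>
  <appender name="EventLogAppender" type="Miner.EventLogAppender, Miner.System">
    <param name="Threshold" value="INFO" />
  </appender>
  <root><level value="WARN" /><appender-ref ref="EventLogAppender" /></root>
  <logger name="Miner.Responder.Processors"><level value="DEBUG" /></logger>
  <logger name="Miner.Data.Access"><level value="ERROR" /></logger>
</log4net>"""

def load(xml_text):
    """Return (root level, {logger: level}, {appender: Threshold})."""
    cfg = ET.fromstring(xml_text)
    loggers = {lg.get("name"): lg.find("level").get("value").upper()
               for lg in cfg.findall("logger")}
    thresholds = {ap.get("name"): p.get("value").upper()
                  for ap in cfg.findall("appender")
                  for p in ap.findall("param[@name='Threshold']")}
    return cfg.find("root/level").get("value").upper(), loggers, thresholds

def effective_level(xml_text, namespace):
    """Nearest configured ancestor namespace wins; otherwise the root level."""
    root, loggers, _ = load(xml_text)
    parts = namespace.split(".")
    for i in range(len(parts), 0, -1):
        if ".".join(parts[:i]) in loggers:
            return loggers[".".join(parts[:i])]
    return root

def reaches_event_log(xml_text, namespace, msg_level):
    """A message must pass the logger's level and the appender's Threshold."""
    _, _, thresholds = load(xml_text)
    gate = max(rank(effective_level(xml_text, namespace)),
               rank(thresholds.get("EventLogAppender", "ALL")))
    return rank(msg_level) >= gate

def audit(xml_text):
    """Flag an EventLogAppender Threshold or logger level more verbose than WARN."""
    _, loggers, thresholds = load(xml_text)
    t = thresholds.get("EventLogAppender", "ALL")
    found = [f"EventLogAppender: Threshold {t}"] if rank(t) < rank("WARN") else []
    return found + [f"logger {n}: level {lv}" for n, lv in loggers.items()
                    if rank(lv) < rank("WARN")]
```

Run `audit()` on a configuration before deploying it; an empty list means neither the event log threshold nor any namespace is set more verbose than WARN.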
