As I discussed in my previous post, you can log information to a file, but sometimes you may want to log to the Windows Event Log.
Josh Rickard

Josh's primary focus is in Windows security and PowerShell automation. He is a GIAC Certified Windows Security Administrator (GCWN) and GIAC Certified Forensic Analyst (GCFA). You can reach Josh at MSAdministrator.com or on Twitter at @MS_dministrator.
To log to the Windows Event Log, you will need to use the New-EventLog and Write-EventLog cmdlets:

Writing directly to an existing source

You can write directly to an existing source in the Windows Event Log, but sifting through these logs can become tedious at best. To make it easier to find an entry that one of your scripts created, I believe you should first create a new source in the Windows Event Log.

To do this, you have to run the New-EventLog cmdlet. In this introduction, we will not need all parameters the cmdlet offers. The ones below are relevant:

  • ComputerName: This parameter sets the computer for creating the new Event Log source. Typically, you will only create this on the local system, but you could add the source to all of your systems if you choose.
  • LogName: This specifies the Event Log name you want to use when creating your Event Log. Consider this the "Folder" name within the Windows Event Viewer.
  • Source: This parameter sets the source of the event to log. Think of this as a list of functions that may throw errors within your PowerShell module. This parameter can take an array of strings.
Example of a new Event LogName created by New-EventLog

In my example, I will store the parameters in a hash table. As mentioned above, the Source parameter accepts an array of strings. Make sure your new LogName and Source exist on the systems where you intend to log information.

Now that we have defined our new LogName and Source, we can start logging to our Event Log with Write-EventLog. But we should understand our options first:

  • ComputerName: This sets the computer whose Event Log receives the entry.
  • EntryType: This sets the event type you would like to log. By default it is set to Information, but you can specify Error, Warning, Information, SuccessAudit, and FailureAudit (see EventLogEntryType Enumeration for more information).
  • EventId: This specifies the event ID you would like to use when logging to the Event Log.
  • LogName: This parameter will need to be the same as the LogName you specified when you created the Event Log.
  • Message: This contains the information associated with your log entry.
  • RawData: This associates any binary data you choose with your logged event.
  • Source: This will need to be one of the sources you specified when you created the Event Log.

For this example, we will only use a select few of the parameters listed above. In most cases, this will be good enough to get started.

Now you should be able to view the event in the Event Viewer.
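The whole procedure above (create the log and sources, write an entry, confirm it arrived), as an added example that is not code from the original post: it registers each source only when it is missing, writes one entry with a multi-line message, and reads it back. The log name, source names, event ID and message text are assumptions; run it in an elevated Windows PowerShell 5.1 session, since New-EventLog needs administrator rights and the *-EventLog cmdlets are not available in PowerShell 7.

```powershell
# Added example, not from the original post. Log name, source names,
# EventId and message text are assumptions; adapt them to your script.
$logName = 'MyScripts'
$sources = @('Get-Inventory', 'Set-Config')

# Step 1: register the log and each source, but only if the source is not
# already registered. SourceExists() throws when it cannot search every log
# (for example, a non-admin caller cannot read the Security log), so an
# error is treated as "not known to exist" and registration is attempted.
# If the log already exists, New-EventLog simply adds the missing source.
foreach ($source in $sources) {
    try {
        $exists = [System.Diagnostics.EventLog]::SourceExists($source)
    }
    catch {
        $exists = $false
    }
    if (-not $exists) {
        $newLogParams = @{
            ComputerName = $env:COMPUTERNAME
            LogName      = $logName
            Source       = $source
        }
        New-EventLog @newLogParams
    }
}

# Step 2: write one entry. -Message takes a single string, so a multi-line
# message is built by joining the lines with the platform newline.
$lines = @(
    'Inventory run finished with warnings.',
    'Hosts scanned: 42',
    'Hosts unreachable: 3'
)
$writeParams = @{
    LogName   = $logName
    Source    = 'Get-Inventory'
    EntryType = 'Warning'   # Error, Warning, Information, SuccessAudit, FailureAudit
    EventId   = 1001        # keep a small, documented set of IDs per script for filtering
    Message   = ($lines -join [Environment]::NewLine)
}
Write-EventLog @writeParams

# Step 3: read the newest entry from our source back to confirm it landed
# (Event Viewer under "Applications and Services Logs" shows the same entry).
Get-EventLog -LogName $logName -Source 'Get-Inventory' -Newest 1 |
    Select-Object TimeGenerated, EntryType, EventID, Message
```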

Example log added to our new Event Log

Wrap-up

Writing to the Windows Event Log with PowerShell is easy and straightforward. The advantage over logging to a text file is that you can use Event Log management tools centrally to retrieve log data in your network. By working with a standardized location in your PowerShell scripts, you can streamline troubleshooting.

6 Comments
  1. Itamar 2 months ago

    Hi,

    You didn't specify how to check whether the source already exists.

    10x

    Itamar

    • Kirill Nikolaev 2 months ago

      You can check it with:

      If it returns $true, the source exists.

      Note that you also have to catch errors using the following expression:

      then proceed assuming that the source does not exist.

  2. David Figueroa 2 months ago

    One important thing: you can use New-EventLog multiple times with multiple sources, and each pass will register the new source. It's very handy if you forgot to register your sources initially.

    David F.

  3. Josh Rickard (Author) 2 months ago

    Thank you all! If someone wants to add a Pull Request I'll review and accept. If not, I will add this functionality as soon as I have time.

    Thank you for reading!

  4. Ingmar Koecher 1 month ago

    Great article, the event log is a great logging subsystem in Windows - thanks for making it more accessible. For reference purposes, I wrote a similar article involving Perl & Python a while ago.

  5. Anshuman Misra 1 month ago

    In your first screenshot you have multiple lines of text in the 'Message'. How can we pass an array as the 'Message'?

© 4sysops 2006 - 2017