Writing to EventLogs

Windows has a series of event logs which capture information regarding the activities occurring on a machine. Administrators have found the event logs to be a very good diagnostic tool when things do not seem to be going well. PowerShell has a very powerful tool – get-eventlog – built in to it. This allows you to interrogate and filter the event logs.

Many administrators log information from their scripts to text based log files to enable a record of what has occurred to be kept. Another alternative is to write to the windows logs files. These should not be used for huge amounts of information but if you want to record that a particular script was run on a particular day by a specific user then the log files are a good candidate.

Unfortunately PowerShell does not supply us with a cmdlet to write to the event logs. Fortunately PowerShell is .NET based and .NET has a class – System.Diagnostics.EventLog which enables writing to the event log. It is possible to create your own event logs just for script information – I’ll discuss that in a future post. In this post I want to show how to write to the existing Application event log. I use the following function:

function Write-EventLog


param([string]$msg = "Default Message", [string]$type="Information")

$log = New-Object System.Diagnostics.EventLog






The function takes two parameters – a message and the type of event you are recording. Windows has a number of event types including

  • Warning
  • Error
  • Information

The list of possible types can be seen by using this line of code

PS> [enum]::GetNames([System.Diagnostics.EventLogEntryType])







The last two are only used by the Security log for auditing events.

The function is very simple. We create an object that can access the event logs using System.Diagnostics.EventLog. We use the set_log(0 methof to tell it we are writing to the Application log and then we use the set_source() method to tell the event log the event source. Finally we use the WriteEntry() method to write our message to the log.

The only part of this that is not straight forward is the event source. An event source tells the log where the event is coming from and is often the name of the application. If required you take the code in the function and put it directly in your script and give each individual script its own event source. If an event source does not exist the first time it is called it will be created and a registry entry created for it. The available event sources can be viewed at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventlogApplication

If for any reason you wish to remove the event source you need to use this

$y = [System.Diagnostics.EventLog]::DeleteEventSource("Test")

We can use the function as follows.

write-eventlog "Testing as function" "Information"

In order to see the events written to the Application log by your event source you can use

PS> get-eventlog application | where{$_.Source -eq "PSscript"}


Index Time Type Source EventID Message

—– —- —- —— ——- ——-

…91 Mar 05 10:34 Info PSscript 0 Testing as function

…90 Mar 05 10:27 Info PSscript 0 Testing PSscript Source


By writing to the event log we can record when our scripts have been run. In a production environment this can be useful information to record as it keeps up to date information on what has been done readily accessible via standard windows tools. One thing to be aware of is that if too many entries are written too quickly to the event log you may lose some. This is a function of the logging process.

In a future post I’ll look at creating an event log specifically for scripts and how to record information such as the name of the running script and the user automatically.


About these ads
This entry was posted in Script of the Week. Bookmark the permalink.

3 Responses to Writing to EventLogs

  1. Jonathan says:

    Thanks for taking the time to write up this post. Your write-eventlog function just saved me a bunch of research.

  2. Richard says:

    Glad you found it useful and thank you for letting me know

  3. Pat Emmons says:

    It still helping today. Thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s