Windows has a series of event logs which capture information regarding the activities occurring on a machine. Administrators have found the event logs to be a very good diagnostic tool when things do not seem to be going well. PowerShell has a very powerful tool – get-eventlog – built into it. This allows you to interrogate and filter the event logs.
Many administrators log information from their scripts to text-based log files so that a record of what has occurred is kept. Another alternative is to write to the Windows event logs. These should not be used for huge amounts of information, but if you want to record that a particular script was run on a particular day by a specific user then the event logs are a good candidate.
Unfortunately PowerShell does not supply us with a cmdlet to write to the event logs. Fortunately PowerShell is .NET based and .NET has a class – System.Diagnostics.EventLog – which enables writing to the event log. It is possible to create your own event logs just for script information – I’ll discuss that in a future post. In this post I want to show how to write to the existing Application event log. I use the following function:
function Write-EventLog
{
    # $msg is the text written to the log, $type is the EventLogEntryType name (Information, Warning, Error)
    param([string]$msg = "Default Message", [string]$type = "Information")
    # Create an object that can access the event logs
    $log = New-Object System.Diagnostics.EventLog
    # Write to the Application log ...
    $log.set_log("Application")
    # ... using our own event source; it is created the first time it is used
    $log.set_source("PSscript")
    # Write the message with the requested entry type
    $log.WriteEntry($msg, $type)
}
The function takes two parameters – a message and the type of event you are recording. Windows has a number of event types including
- Warning
- Error
- Information
The list of possible types can be seen by using this line of code
PS> [enum]::GetNames([System.Diagnostics.EventLogEntryType])
Error
Warning
Information
SuccessAudit
FailureAudit
PS>
The last two are only used by the Security log for auditing events.
The function is very simple. We create an object that can access the event logs using System.Diagnostics.EventLog. We use the set_log() method to tell it we are writing to the Application log and then we use the set_source() method to tell the event log the event source. Finally we use the WriteEntry() method to write our message to the log.
The only part of this that is not straightforward is the event source. An event source tells the log where the event is coming from and is often the name of the application. If required you can take the code in the function and put it directly in your script and give each individual script its own event source. If an event source does not exist the first time it is called it will be created and a registry entry created for it. The available event sources can be viewed at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
If for any reason you wish to remove the event source you need to use this
$y = [System.Diagnostics.EventLog]::DeleteEventSource("Test")
We can use the function as follows.
write-eventlog "Testing as function" "Information"
In order to see the events written to the Application log by your event source you can use
PS> get-eventlog application | where{$_.Source -eq "PSscript"}
Index Time         Type Source   EventID Message
----- ----         ---- ------   ------- -------
…91   Mar 05 10:34 Info PSscript 0       Testing as function
…90   Mar 05 10:27 Info PSscript 0       Testing PSscript Source
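An extended version of the function, added here as an example and not part of the original post: it checks whether the event source is registered before writing (registering a new source writes under HKLM, so it needs an elevated session), records an event ID so entries can be filtered, logs the running user and script name, and then reads the entries back. The function name Write-ScriptEvent and the event ID 1000 are my own choices.

```powershell
# Added example, not the original post's function.
function Write-ScriptEvent
{
    param(
        [string]$Message = "Default Message",
        [System.Diagnostics.EventLogEntryType]$Type = "Information",
        [int]$EventId = 1000,           # assumed value; choose your own numbering scheme
        [string]$Source = "PSscript"
    )

    # SourceExists looks through the registry keys under
    # HKLM\SYSTEM\CurrentControlSet\Services\Eventlog. If the source is not in
    # the Application log it also checks the Security log, which a non-elevated
    # session is not allowed to read, so the call can throw a SecurityException.
    try
    {
        $registered = [System.Diagnostics.EventLog]::SourceExists($Source)
    }
    catch [System.Security.SecurityException]
    {
        throw "Cannot check event source '$Source'; run this from an elevated session."
    }

    if (-not $registered)
    {
        # Creating the registry entry for a new source requires administrator rights.
        [System.Diagnostics.EventLog]::CreateEventSource($Source, "Application")
    }

    $log = New-Object System.Diagnostics.EventLog
    $log.Log    = "Application"
    $log.Source = $Source
    # Overload with an event ID so the entries can be filtered later
    $log.WriteEntry($Message, $Type, $EventId)
}

# Record who ran which script. $MyInvocation.MyCommand.Name is the script's
# file name when this runs from a .ps1 file (it is empty at an interactive prompt).
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-ScriptEvent -Message "Script '$($MyInvocation.MyCommand.Name)' run by $who" -EventId 1000

# Read back only the entries written by this source with that event ID
Get-EventLog -LogName Application -Source PSscript -Newest 20 |
    Where-Object { $_.EventID -eq 1000 } |
    Format-Table TimeGenerated, EntryType, Source, EventID, Message -AutoSize
```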
By writing to the event log we can record when our scripts have been run. In a production environment this can be useful information to record, as it keeps up-to-date information on what has been done readily accessible via standard Windows tools. One thing to be aware of is that if too many entries are written too quickly to the event log you may lose some. This is a function of the logging process.
In a future post I’ll look at creating an event log specifically for scripts and how to record information such as the name of the running script and the user automatically.
Thanks for taking the time to write up this post. Your write-eventlog function just saved me a bunch of research.
Glad you found it useful and thank you for letting me know.