PowerShell's Write-Eventlog is one of the most difficult cmdlets to master. The problem is that we are asking a script to mimic how the operating system or an application writes to the event log. For that to be successful we need to understand which sources and event IDs are valid for the log in question.
So that you can focus on the properties of the message, I suggest that you become familiar with Get-Eventlog before you graduate to Write-Eventlog.
Pre-requisite: Visit Microsoft's site and download the correct version of PowerShell for your operating system.
Our first task is to list the logs on your machine. My idea is to see which logs are present, and then to choose a log to write messages to:
# PowerShell script to list the event logs.
Get-Eventlog -list
Learning Points
Note 1: -list is correct; please note that you do need that dash.
Action Point: Launch the Windows Event Viewer (eventvwr) and then visit the actual logs to check that the result of the above script matches what you see in the Event Viewer's GUI.
As a general tactic I encourage you to keep the GUI open to compare with the PowerShell scripts.
Another Get-Eventlog Example Before We Tackle Write-Eventlog
Key point: Get-Eventlog is followed by the name of the log, in this case 'system'.
# PowerShell script to find Error messages in the System eventlog.
Get-EventLog system -newest 2000 | where {$_.entryType -match "Error"}
Learning Points
Note 2: You could simplify the script further and just type: Get-EventLog system
Note 3: Each word, and indeed every symbol, has deep meaning to PowerShell. The pipe (|) sends the output of the first clause into the 'Where' statement. As a result the output is filtered so that you see only error messages, and not information or warning messages.
Note 4: PowerShell supports a whole family of conditional operators, for example, -like, -contains, or even plain -eq (Equals), but for this job I chose -match.
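Before you write to a log it pays to know which sources and event IDs already appear in it. The following script is an added example, not code from the original article; it reads the System log as above but summarises recent Error and Warning entries by Source and EventID, which is the same information you would otherwise collect by scrolling through the Event Viewer. It assumes Windows PowerShell (Get-EventLog is not available in PowerShell 7 and later); the parameter names and the 24-hour window are choices of this example.

```powershell
# Added example: summarise recent Error/Warning entries in a classic event log by
# Source and EventID. Assumes Windows PowerShell 5.1 or earlier (Get-EventLog).
param(
    [string]$LogName = 'System',   # log to survey; try 'Application' as well
    [int]$Newest     = 2000,       # how many of the newest entries to read
    [int]$Hours      = 24          # only look this far back in time
)

$since = (Get-Date).AddHours(-$Hours)

# -EntryType accepts several values, so no Where-Object is needed for the type filter.
# Get-EventLog -Newest returns entries newest-first, which the 'Latest' column relies on.
$entries = Get-EventLog -LogName $LogName -Newest $Newest -EntryType Error, Warning |
    Where-Object { $_.TimeGenerated -ge $since }

if (-not $entries) {
    Write-Host "No Error or Warning entries in '$LogName' during the last $Hours hours."
    return
}

# Group by Source and EventID so repeated problems stand out from one-off noise.
$entries |
    Group-Object -Property Source, EventID |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 -Property Count,
        @{ Name = 'Source';  Expression = { $_.Group[0].Source } },
        @{ Name = 'EventID'; Expression = { $_.Group[0].EventID } },
        @{ Name = 'Types';   Expression = { ($_.Group | ForEach-Object { $_.EntryType } | Sort-Object -Unique) -join ',' } },
        @{ Name = 'Latest';  Expression = { $_.Group[0].TimeGenerated } } |
    Format-Table -AutoSize
```

Run it as-is for the System log, or as `.\Survey-EventLog.ps1 -LogName Application -Hours 72` (a file name of your choosing) to survey another log. The Source and EventID pairs you see here are the values that are known to be valid for that log, which is exactly what Write-Eventlog will later demand of you.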
Not only must the eventlog you specify exist, but also the -Source you name must be registered to write to that log.
If you have Vista, Windows 7, Server 2008 or later, launch Windows PowerShell with the "Run as administrator" option.
There is no business case, or technical reason, for using this script; my idea is merely to provide a working example. Thus feel free to alter the properties and parameters. I am sure there will be many failures before you achieve the right script for your task.
# Example of Write-Eventlog to 'Windows PowerShell' log
Clear-Host
Write-Eventlog -computername LocalHost -logname 'Windows PowerShell' `
 -source PowerShell -eventID 600 -EntryType Warning `
 -message "Guy is at work."
Note 5: -ComputerName is optional. I suggest that you omit it and thus start with the local machine. -Logname must exist; you could try 'Windows PowerShell'. -EventID: use a number you can see in the log, just to get started. -EntryType defaults to 'Application'. -Message: I suggest something with your name in it, just so you can see if it worked.
# PowerShell Write-Eventlog to Application log.
Clear-Host
Write-Eventlog -logname 'Application' -source 'Application' `
 -eventID 1000 -EntryType Information `
 -message "Guy is at work."
Note 6: I omitted the -computerName parameter.
Note 7: To make this work for real you need a clear rationale for what you want PowerShell to write to the logs. My aim is just to give you examples of the mechanics and to make you aware of all the parameters that you must consider.
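The two examples above work only because 'PowerShell' and 'Application' are sources that Windows has already registered to those logs. The script below is an added example, not code from the original article; it performs the checks that Write-Eventlog itself does not explain when it fails: that the log exists, that the source is registered to that particular log, that you are elevated if a new source has to be created, and that the entry really landed. The source name 'GuyDemoScript' and the default message are made-up values for this example; it assumes Windows PowerShell 5.1 run with "Run as administrator".

```powershell
# Added example: write an event only after validating log, source and privileges.
# Assumes Windows PowerShell 5.1 (Write-EventLog/New-EventLog); 'GuyDemoScript' is a
# constructed source name, not one that exists on a stock Windows machine.
param(
    [string]$LogName = 'Application',
    [string]$Source  = 'GuyDemoScript',
    [int]$EventId    = 1000,
    [string]$Message = 'Test entry written by PowerShell.'
)

# 1. Registering a new source needs elevation; writing with an existing one may not.
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. The log named in -LogName must already exist on this machine.
if (-not [System.Diagnostics.EventLog]::Exists($LogName)) {
    throw "Log '$LogName' does not exist on this machine."
}

# 3. The source must be registered, and registered to THIS log. A source that belongs to a
#    different log is the usual cause of "The source ... is not registered in log ..." errors.
#    Note: SourceExists searches every log, including Security, so it can itself throw a
#    SecurityException when run without elevation.
if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
    $owner = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
    if ($owner -ne $LogName) {
        throw "Source '$Source' is registered to log '$owner', not to '$LogName'."
    }
} else {
    if (-not $isAdmin) {
        throw "Source '$Source' is not registered; re-run as administrator so it can be created."
    }
    New-EventLog -LogName $LogName -Source $Source
    Write-Host "Registered source '$Source' in '$LogName'. New sources can take a moment to become usable."
}

# 4. Write the entry. -EntryType must be one of Information, Warning, Error, SuccessAudit, FailureAudit.
Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType Information -Message $Message

# 5. Read it back, the same check you would make by refreshing Event Viewer.
Get-EventLog -LogName $LogName -Source $Source -Newest 1 |
    Format-List TimeGenerated, EntryType, Source, EventID, Message
```

Registering a source is a one-off, machine-wide change, so in practice you do it once at install time and leave only the Write-EventLog call in the script that runs day to day. If the read-back in step 5 returns nothing, the source was registered to a different log or the entry was filtered out by a log that is full and set not to overwrite.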
Whenever you discover a new PowerShell command, it benefits from being surveyed with what I call the 'Trusty Twosome'. In this instance, if you research a verb-noun command with Get-Help and Get-Member, you are sure to unearth new scripting possibilities. To see what I mean try:
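The 'Trusty Twosome' applied to Write-Eventlog, as an added example that is not part of the original article. One twist is worth knowing: Write-Eventlog returns no object, so there is nothing to pipe into Get-Member; instead you point Get-Member at the entries Get-Eventlog reads back, which are the objects you will filter with Where-Object. The script assumes Windows PowerShell, where these cmdlets exist.

```powershell
# Added example: research Write-EventLog with Get-Help and Get-Member.
# Assumes Windows PowerShell 5.1 or earlier.

# Get-Help: every parameter, its type, whether it is mandatory, plus worked examples.
Get-Help Write-EventLog -Full

# Only the parameter table, which answers "what must I supply?"
Get-Help Write-EventLog -Parameter *

# Write-EventLog emits nothing, so run Get-Member on the entries it produces instead.
# These are the properties (EntryType, Source, EventID, Message, TimeGenerated ...)
# that a Where-Object clause can test.
Get-EventLog -LogName 'Windows PowerShell' -Newest 1 | Get-Member -MemberType Property

# The cmdlet is an object too: list the parameters that are mandatory in each parameter set.
(Get-Command Write-EventLog).ParameterSets | ForEach-Object {
    $set = $_.Name
    $_.Parameters |
        Where-Object { $_.IsMandatory } |
        Select-Object @{ Name = 'ParameterSet'; Expression = { $set } }, Name, ParameterType
}
```

The last command is the quickest way to see why a Write-Eventlog call fails with a prompt for more input: -LogName, -Source, -EventId and -Message are the ones you cannot leave out.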
Get-Help confirms that in PowerShell v2.0 Write-Eventlog supports the
-ComputerName parameter, thus you can interrogate the Eventlogs on
network machines.
Other names of logs that you can substitute for 'system' are: Application, Security, and even PowerShell itself has a log. Windows Server is likely to have yet more logs, for example, Directory Service and DNS Server.
If I were you I would master one of the simpler cmdlets such as Get-Eventlog before graduating to Write-Eventlog. Once you start your real-life task, take the trouble to study parameters such as -source and -eventId.
Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.