PowerShell Write-Eventlog

PowerShell Write-Eventlog Cmdlet

PowerShell's Write-Eventlog is one of the most difficult cmdlets to master.  The problem is that we are asking a script to mimic how the operating system or an application writes to eventlog.  For that to be successful we need to understand valid source and EventIDs. 

PowerShell Write-Eventlog Topics


Firstly, Let Us Have a Refresher with Get-Eventlog

PowerShell Eventlog -List

Visit Microsoft's site and download the correct version of PowerShell for your operating system.

So that you can focus on the properties of the message, I suggest that you become familiar with Get-Eventlog before graduating to Write-Eventlog.

Our first task is to list the logs on your machine.  My idea is to see which logs are present, and then to select a log to write messages:

# PowerShell script to list the event logs.
Get-Eventlog -List

Learning Points

Note 1: -List is correct, please note that you do need that dash.

Action Point:  Launch the Windows Eventvwr and then visit the actual logs to check that the result of the above script matches what you see in the Event Viewer's GUI.  As a general tactic I encourage you have the Windows GUI open to compare with the PowerShell scripts.

PowerShell Write-Eventlog Preparation

  • Not only must the eventlog you specify exist, but also the -Source application must be able to write to the log. 
  • If you have Microsoft Vista, Windows 7, Server 2008 or later, launch Windows PowerShell with the "Run as administrator" option.

Write-Eventlog Example Using Windows PowerShell's Own Log

There is no business case, or technical reason for using this script, my idea is merely to provide a working example.  Thus feel free to alter the properties and parameters.  I am sure there will be many failures before you achieve just the script for your task.

# Example of Write-Eventlog to 'Windows PowerShell' log
Write-Eventlog -ComputerName LocalHost -Logname 'Windows PowerShell' `
-Source PowerShell -EventID 600 -EntryType Warning `
-Message "Guy is at work."
# Optional Section to display the newly written event
[System.Threading.Thread]::CurrentThread.CurrentCulture = `
New-Object "System.Globalization.CultureInfo" "en-US"
Get-WinEvent -LogName 'Windows PowerShell' -MaxEvents 10

Note 2:
-ComputerName is optional. I suggest that you omit and thus start with the local machine.
-Logname must exist.  You could try Windows PowerShell.
-EventID use a number you can see in the log, just to get started.
-EntryType defaults to 'Application'.
-Message - I suggest something with your name in it, just so you can see if it worked.

Note 3: I recommend PowerShell splatting to format your parameters.

Guy Recommends:  SolarWinds' Log & Event Management ToolSolarwinds Log and Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches - give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Write-Eventlog Example Using the Application Log

# PowerShell Write-Eventlog to Application log.
Write-Eventlog  -Logname 'Application' -Source 'Application' `
-EventID 1000 -EntryType Information -Message "Guy is at work."
#Invoke-Item "C:\Windows\system32\eventvwr.msc"

Note 4: I omitted the -computerName parameter.Write-EventLog

Note 5: Originally, I appended Invoke-Item so that you can look for the new item in the Event Viewer; it helps me to have the appropriate Windows GUI open when I run my PowerShell scripts.  Then I discovered PowerShell has cmdlet for this job called: Show-Eventlog

Note 6: To make this work for real you need a clear rational of what you want to write into the log - Application, PowerShell or other.  My aim is just to give you examples of the mechanics and to make you aware of all the parameters that you must consider.

Get-Eventlog Displays New Messages

Key point, Get-Eventlog is followed by the name of the log, in this case 'Application'.

# PowerShell script to find Error messages in the Application eventlog.
Get-EventLog Application -Newest 10 | where {$_.EntryType -Match "Information"}

Learning Points

Note 7: You could simplify the script further and just type:
Get-EventLog Application

Note 8: Each word, and indeed every symbol, has deep meaning to PowerShell.  (|) pipes the output of the first clause into the 'Where' statement.  As a result the output is filtered so that you see only error messages, and not information or warning messages.

Note 9:  PowerShell supports a whole family of conditional statements, for example, -Like, -Contains, or even plain -eq (Equals), but for this job, I chose -Match.  See more on PowerShell conditional statements.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v11.5 v11.5

SolarWinds' Network Performance Monitor will help you discover what's happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds' Network Performance Monitor

More Research into PowerShell's Write-Eventlog

Trusty Twosome (Get-Help and Get-Member)

Whenever you discover a new PowerShell command, it benefits from being surveyed with what I call the 'Trusty Twosome'.  In this instance, if you research a Verb-Noun command with Get-Help and Get-Member, then you are sure to unearth new scripting possibilities. To see what I mean try:

Get-Help (For Parameter Research)

# Investigate PowerShell Write-Eventlog -parameters
Get-Help Write-Eventlog -full

Get-Help confirms that starting in PowerShell v2.0 Write-Eventlog supports the -ComputerName parameter, thus you can interrogate the Eventlogs on network machines.

Other names of logs that you can substitute for 'System' are: Application, Security and even PowerShell itself has a log.  Windows Server is likely to have yet more logs, for example, Directory Service and DNS Server.

Get-Member (To Display Properties)

# Investigate PowerShell Get-Eventlog Properties
Write-Eventlog system | Get-Member -MemberType property

Note 10: You could omit the -MemberType property parameter and thus display methods.

Discover Other Members of the PowerShell Eventlog Family

# Find more Eventlog cmdlets
Get-Command -Noun eventlog

Write-EventLog   (also Write-Progress)

Guy Recommends: SolarWinds Free Network Bandwidth MonitorFree Real-Time Bandwidth Monitor

This freeware monitor is great for checking whether your network's load-balancing is performing as expected, for example, are two interfaces are getting about equal traffic?

It's easy to install and straightforward to configure. You will soon be running tests to see how much network bandwidth your applications consume.

The GUI has a lovely balance between immediate network traffic data in the middle, combined with buttons to seek related data and configuration settings. Give this monitor a try, it's free! 

Download your free network bandwidth monitor

If you need more comprehensive network analysis software:
Download a free trial of NPM (Network Performance Monitor)

Get-WinEvent Cmdlet

Get-WinEvent is the successor to Get-Eventlog.  Remember that to test this cmdlet you need PowerShell v 2.0.

Take the opportunity to learn more about PowerShell while you undertake the worthwhile task of examining the various event logs, for example, system, windows or DNS.

See more PowerShell Write-Eventlog examples ยป

Summary of PowerShell Write-Eventlog Scripts

If I were you, I would master one the simpler cmdlets such as Get-Eventlog before graduating to Write-Eventlog.  Once you start scripting real-life task, take the trouble to study parameters such as -Source and -EventID.

If you like this page then please share it with your friends


See more PowerShell examples to read, write and list Windows event logs

PowerShell Home   • Get-Eventlog   • EventVwr -list  • Clear-WinEvent Function   • Remote Eventlog

PowerShell Limit-Eventlog   • Windows 8 Event Viewer   • Get-WinEvent  • Log Event Manager

Write-Eventlog (Basic)   • PowerShell Write-Eventlog (Adv)  • PowerShell Clear-Eventlog

Please email me if you have a better example script. Also please report any factual mistakes, grammatical errors or broken links, I will be happy to correct the fault.



Custom Search

Site Home

Guy Recommends: WMI Monitor for PowershellSolarwinds WMI Monitor

Windows Management Instrumentation (WMI) is most useful for PowerShell scripting.

SolarWinds have produced this Free WMI Monitor to take the guess work out of which WMI counters to use for applications like Microsoft Active Directory, SQL or Exchange Server.

Download your free copy of WMI Monitor

Author: Guy Thomas Copyright © 1999-2017 Computer Performance LTD All rights reserved.

Please report a broken link, or an error to: