PowerShell Write-Eventlog Cmdlet
PowerShell s Write-Eventlog is one of the most difficult cmdlets to master. The problem is that we are asking a script to mimic how the operating system or an application writes to eventlog. For that to be successful we need to understand valid source and EventIDs.
PowerShell Write-Eventlog Topics
PowerShell Eventlog -List
Visit Microsoft’s site and download the correct version of PowerShell for your operating system.
So that you can focus on the properties of the message, I suggest that you become familiar with Get-Eventlog before graduating to Write-Eventlog.
Our first task is to list the logs on your machine. My idea is to see which logs are present, and then to select a log to write messages:
# PowerShell script to list the event logs.
Note 1: -List is correct, please note that you do need that dash.
Action Point: Launch the Windows Eventvwr and then visit the actual logs to check that the result of the above script matches what you see in the Event Viewer’s GUI. As a general tactic I encourage you have the Windows GUI open to compare with the PowerShell scripts.
- Not only must the eventlog you specify exist, but also the -Source application must be able to write to the log.
- If you have Microsoft Vista, Windows 7, Server 2008 or later, launch Windows PowerShell with the Run as administrator option.
There is no business case, or technical reason for using this script, my idea is merely to provide a working example. Thus feel free to alter the properties and parameters. I am sure there will be many failures before you achieve just the script for your task.
# Example of Write-Eventlog to Windows PowerShell log
Write-Eventlog -ComputerName LocalHost -Logname Windows PowerShell `
-Source PowerShell -EventID 600 -EntryType Warning `
-Message Guy is at work.
# Optional Section to display the newly written event
[System.Threading.Thread]::CurrentThread.CurrentCulture = `
New-Object System.Globalization.CultureInfo en-US
Get-WinEvent -LogName Windows PowerShell -MaxEvents 10
-ComputerName is optional. I suggest that you omit and thus start with the local machine.
-Logname must exist. You could try Windows PowerShell.
-EventID use a number you can see in the log, just to get started.
-EntryType defaults to ‘Application’.
-Message – I suggest something with your name in it, just so you can see if it worked.
Guy Recommends: SolarWinds’ Log Event Management Tool
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.
Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.
# PowerShell Write-Eventlog to Application log.
Write-Eventlog -Logname ‘Application’ -Source ‘Application’ `
-EventID 1000 -EntryType Information -Message Guy is at work.
Note 5: Originally, I appended Invoke-Item so that you can look for the new item in the Event Viewer; it helps me to have the appropriate Windows GUI open when I run my PowerShell scripts. Then I discovered PowerShell has cmdlet for this job called: Show-Eventlog
Note 6: To make this work for real you need a clear rational of what you want to write into the log – Application, PowerShell or other. My aim is just to give you examples of the mechanics and to make you aware of all the parameters that you must consider.
Get-Eventlog Displays New Messages
Key point, Get-Eventlog is followed by the name of the log, in this case ‘Application’.
# PowerShell script to find Error messages in the Application eventlog.
Get-EventLog Application -Newest 10 | where <$_.EntryType -Match Information >
Note 7: You could simplify the script further and just type:
Note 8: Each word, and indeed every symbol, has deep meaning to PowerShell. (|) pipes the output of the first clause into the ‘Where’ statement. As a result the output is filtered so that you see only error messages, and not information or warning messages.
Note 9: PowerShell supports a whole family of conditional statements, for example, -Like, -Contains, or even plain -eq (Equals), but for this job, I chose -Match. See more on PowerShell conditional statements .
Guy Recommends: A Free Trial of the Network Performance Monitor (NPM) v11.5
SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
What I like best is the way NPM suggests solutions to network problems. Its also has the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.
More Research into PowerShell s Write-Eventlog
Whenever you discover a new PowerShell command, it benefits from being surveyed with what I call the ‘Trusty Twosome’. In this instance, if you research a Verb-Noun command with Get-Help and Get-Member, then you are sure to unearth new scripting possibilities. To see what I mean try:
Get-Help (For Parameter Research)
# Investigate PowerShell Write-Eventlog -parameters
Get-Help Write-Eventlog -full
Get-Help confirms that starting in PowerShell v2.0 Write-Eventlog supports the -ComputerName parameter, thus you can interrogate the Eventlogs on network machines.
Other names of logs that you can substitute for ‘System’ are: Application, Security and even PowerShell itself has a log. Windows Server is likely to have yet more logs, for example, Directory Service and DNS Server.
Get-Member (To Display Properties)
# Investigate PowerShell Get-Eventlog Properties
Write-Eventlog system | Get-Member -MemberType property
Note 10: You could omit the -MemberType property parameter and thus display methods.
Discover Other Members of the PowerShell Eventlog Family
# Find more Eventlog cmdlets
Get-Command -Noun eventlog
Guy Recommends: SolarWinds Free Network Bandwidth Monitor
This freeware monitor is great for checking whether your network’s load-balancing is performing as expected, for example, are two interfaces are getting about equal traffic?
It’s easy to install and straightforward to configure. You will soon be running tests to see how much network bandwidth your applications consume.
The GUI has a lovely balance between immediate network traffic data in the middle, combined with buttons to seek related data and configuration settings. Give this monitor a try, it’s free!
Get-WinEvent is the successor to Get-Eventlog. Remember that to test this cmdlet you need PowerShell v 2.0.
Take the opportunity to learn more about PowerShell while you undertake the worthwhile task of examining the various event logs, for example, system, windows or DNS.
Summary of PowerShell Write-Eventlog Scripts
If I were you, I would master one the simpler cmdlets such as Get-Eventlog before graduating to Write-Eventlog. Once you start scripting real-life task, take the trouble to study parameters such as -Source and -EventID.