Writing to the Windows Event Log with PowerShell

Odds are, you were Googling something like ‘write event log PowerShell’ and you stumbled on this page. If that’s the case and you just want to write an event to the Event Log to test something like a monitoring or alerting app, I won’t disappoint: below is what you need to know. If you want a little more information on writing to the Event Log as part of a script, keep going.

Write-EventLog requires four parameters: EventID, LogName, Message and Source. It’s the -Source part that trips people up. If you don’t know what the source is, simply make one up. Create the new source with the New-EventLog command like this:

New-EventLog -LogName <Log you are writing to> -Source 'Make one up'

For example, adding the source HAL to the Application log looks like this:

New-EventLog -LogName Application -Source 'HAL'

Now that the source exists, use the Write-EventLog command to create the event, as in the example below. An EntryType is not required, but I suggest you add one, especially if your monitoring software does something like filter out Informational events.

Write-EventLog -LogName Application -EventID 2001 -EntryType Warning -Source 'HAL' -Message 'Just what do you think you are doing, Dave?'

Event Log and PowerShell Scripting

Now that that is out of the way we can focus on Write-EventLog as part of a script. The above information holds true for scripts as well as generating ad hoc events. First create the source, then write to the Event Log. The obstacle is that the source needs to be created, but can only be created once. So, for example, if your script includes this line:

New-EventLog -LogName Application -Source 'MyScript'

It will run the first time, but the next time the script runs it will return an error because you can’t create the MyScript source when it already exists.

There is a simple fix, well, kind of. There is no way (that I found) to check if an Event Log source exists with PowerShell, but there is with .NET. The code below uses the System.Diagnostics.EventLog class to see if the source exists and, if not, creates it. That code looks like:

If ([System.Diagnostics.EventLog]::SourceExists('MyScript') -eq $False) {
    New-EventLog -LogName Application -Source 'MyScript'
}

Believe it or not, that is the most complicated part. Now we can run the Write-EventLog command to create the log entry:

Write-EventLog -LogName Application -EventID 3000 -EntryType Warning -Source 'MyScript' -Message 'This is a test'

That works, but let’s take this a step further. In this example I am going to create a function and use it with a Try Catch statement to write errors to the event log.

Start by defining variables:

$eventLog = "Application"
$eventSource = "MyScript"
$eventID = 4000
$entryType = "Error"

Set the Error Action Preference to Stop for the Try Catch code:

$ErrorActionPreference = "stop"

Next, check if the Event Log Source exists and create it if not:

If ([System.Diagnostics.EventLog]::SourceExists($eventSource) -eq $False) {
    # Register the source against the same log the script writes to
    New-EventLog -LogName $eventLog -Source $eventSource
}

Once that’s finished, create the function to write to the Event Log:

function write-AppEventLog {
    Param($errorMessage)
    Write-EventLog -LogName $eventLog -EventID $eventID -EntryType $entryType -Source $eventSource -Message $errorMessage
}

Now the code. This is a simple try-catch block that will attempt to divide by 0 and fail, writing the error message to the Application Event Log:

Try {
    1/0
}
Catch {
    $ErrorMessage = $_.Exception.Message
    write-AppEventLog $ErrorMessage
}

Here is what the output looks like in the Application event log:

[Screenshot: the error entry in the Application event log]

That’s all there is to it. Here is the complete code from above:

# Set variables
$eventLog = "Application"
$eventSource = "MyScript"
$eventID = 4000
$entryType = "Error"

# Set Error Action Preference to Stop for Try Catch code
$ErrorActionPreference = "stop"

# Check if the source exists and create it if needed,
# registering it against the same log the script writes to
If ([System.Diagnostics.EventLog]::SourceExists($eventSource) -eq $False) {
    New-EventLog -LogName $eventLog -Source $eventSource
}

# Write EventLog function: writes the given message using the variables above
function write-AppEventLog {
    Param($errorMessage)
    Write-EventLog -LogName $eventLog -EventID $eventID -EntryType $entryType -Source $eventSource -Message $errorMessage
}

# Code: force an error and log its message
Try {
    1/0
}
Catch {
    $ErrorMessage = $_.Exception.Message
    write-AppEventLog $ErrorMessage
}
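
A sturdier take on the source check and write function above, as an added example that is not part of the original post: it handles the case where the script is not elevated (creating a source needs administrator rights, and SourceExists throws a SecurityException when it cannot search every log), and it confirms the source is registered to the expected log before writing. The function names and the 15000-character cap are assumptions made for this example, and it assumes Windows PowerShell 5.1.

```powershell
# Added example; Test-IsElevated, Register-ScriptEventSource and Write-ScriptEvent
# are hypothetical names. Assumes Windows PowerShell 5.1.
$eventLog    = 'Application'
$eventSource = 'MyScript'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Register-ScriptEventSource {
    Param([string]$LogName, [string]$Source)
    try {
        $exists = [System.Diagnostics.EventLog]::SourceExists($Source)
    }
    catch [System.Security.SecurityException] {
        # Without elevation the lookup cannot read every log (Security included),
        # so a source that is not found surfaces as this exception.
        $exists = $false
    }
    if ($exists) {
        # A source maps to exactly one log; confirm it is the one we expect.
        $actual = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
        if ($actual -ne $LogName) {
            throw "Source '$Source' is registered to '$actual', not '$LogName'."
        }
        return
    }
    if (-not (Test-IsElevated)) {
        throw "Source '$Source' is not registered; run once elevated to create it."
    }
    New-EventLog -LogName $LogName -Source $Source
}

function Write-ScriptEvent {
    Param([string]$Message, [int]$EventId = 4000, [string]$EntryType = 'Error')
    $maxChars = 15000   # conservative cap chosen for this example
    if ($Message.Length -gt $maxChars) {
        $Message = $Message.Substring(0, $maxChars) + ' [truncated]'
    }
    Write-EventLog -LogName $eventLog -Source $eventSource -EventId $EventId `
        -EntryType $EntryType -Message $Message
}

Register-ScriptEventSource -LogName $eventLog -Source $eventSource
try { 1/0 }
catch { Write-ScriptEvent -Message $_.Exception.Message }
```

Run it once from an elevated prompt so the source gets registered; after that, unelevated runs can write to the Application log with the existing source.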
