How to Use PowerShell to Write to Event Logs

Summary: Guest blogger, Jonathan Tyler, talks about how to write to Windows event logs by using Windows PowerShell—and avoid errors in doing so.

Microsoft Scripting Guy, Ed Wilson, is here. While I was at TechEd in New Orleans, I had the chance to talk to Jonathan Tyler. I see him from time to time, although he only lives a few hours away from us. Jonathan is an active member of the Windows PowerShell community, and he has written other posts for the Hey, Scripting Guy! Blog.

I am happy to welcome back guest blogger, Jonathan Tyler…

Let’s start with a poll. How many of you like to get feedback from your Windows PowerShell scripts, either by a verbose switch or in some sort of log file? Great, you can put your hands down. Now, how many of you like to get feedback from a script that you have running as a scheduled task? And now, how many simply write to a text file or simply forget about getting feedback unless you find that there is a problem?

By the end of this post, I will show you how you can leverage the premier logging system on any Windows Server: the event log! If you work in an enterprise, you most likely have some type of central monitoring system that collects errors from your event logs. Why not use that same system to capture and report when one of your Windows PowerShell scripts goes wrong? The best thing is that you don’t even have to stick to errors.

To begin with, let’s flip over to the Windows PowerShell console and see what cmdlets are available that deal with the event logs.

Image of command output

It looks like the one we probably need is Write-EventLog. To try this out, I am going to write a test message to the Application event log. This should be fairly straightforward:

Write-EventLog -LogName Application -Source "My Script" -EntryType Information -EventID 1 -Message "This is a test message."

In this command, the LogName, Source, EventID, and Message are required parameters. After running this command, I would expect a new message to show up in the Application event log. Run this on your computer and then check the event logs. I’ll wait…

What? You got an error message? I’m betting it is because your computer doesn’t have a source called “My Script.”

Image of error message

Note   If you received a slightly different error that states not all event logs (Security) could be scanned, you need to run Windows PowerShell as an Administrator. I will explain a little more about this later.

So, how in the world can we use the event log if we have to have a Source parameter but the source we want to use is not on the server? If you look back at the first screenshot, you will see another cmdlet in the list that will help us out: New-EventLog.

The New-EventLog cmdlet can be used not only to create a brand new event log on the computer, but it can also create a new source that can be used when you write to the event log. I have actually used this in some instances for custom code in a SharePoint farm. The custom code being deployed needed to write information to the event logs, but the application pool account did not have the administrative rights to create the source. Instead of elevating the application pool’s rights on all the servers, I used this cmdlet to create a new source, and then the custom code was happy to report to the event logs.

To fix our previous error, we can use the following line as an Administrator on the computer:

New-EventLog -LogName Application -Source "My Script"

Image of command output

As you can see, the Write-EventLog now returns with no error. And if we check the event log entries, we should now see our test message.

Image of event log

And the details of the message:

Image of message

As you can see, the source is now populated with “My Script.”

To create a new source for an event log, administrative privileges are required. But the nice thing is that you only have to do this once for the source. When it is installed on the computer, you don’t have to worry about it again. Additionally, you can leverage Windows PowerShell to make the change across multiple machines by supplying the ComputerName parameter. You can also use this to create an event log specifically for your script or to create a source for event logs other than the Application log.
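The pattern described above, as an added example that is not part of the original post: the source is registered once from an elevated session, and the script then reports start, success, and failure through a small wrapper. `Initialize-EventSource`, `Write-ScriptEvent`, the event IDs, and the missing path are hypothetical; it assumes Windows PowerShell, where these cmdlets are available.

```powershell
# Added example, not from the original post. Function names, event IDs and
# the missing path are hypothetical sample values.
$LogName = 'Application'
$Source  = 'My Script'

function Initialize-EventSource {
    # Registers the source if needed. Creating it requires an elevated session.
    try {
        if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
            New-EventLog -LogName $LogName -Source $Source -ErrorAction Stop
        }
        return $true
    }
    catch {
        # Typical cause: a non-elevated session cannot scan every log
        # (Security) while looking for a source that is not registered.
        Write-Warning "Source '$Source' is not usable: $($_.Exception.Message)"
        return $false
    }
}

function Write-ScriptEvent {
    param(
        [Parameter(Mandatory = $true)][string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')]
        [string]$EntryType = 'Information',
        [int]$EventId = 1
    )
    Write-EventLog -LogName $LogName -Source $Source `
        -EntryType $EntryType -EventId $EventId -Message $Message
}

if (Initialize-EventSource) {
    Write-ScriptEvent -Message 'Job started.' -EventId 1000
    try {
        # Stand-in for the script's real work; this call fails on purpose.
        Get-Item -Path 'C:\Sample\Missing\Path' -ErrorAction Stop | Out-Null
        Write-ScriptEvent -Message 'Job finished.' -EventId 1001
    }
    catch {
        Write-ScriptEvent -EntryType Error -EventId 1002 `
            -Message "Job failed: $($_.Exception.Message)"
    }
}
```

Run it once elevated so the source gets registered; after that, the script itself can run under a non-administrative account, which keeps a scheduled task from needing administrative rights just to log.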

~Jonathan

Thank you, Jonathan, for sharing your time and knowledge with us today. Hopefully, it will not be another year before I get to see you again.

Join me tomorrow when I have another guest blog by Honorary Scripting Guy and Microsoft PowerShell MVP, Sean Kearney, as he continues his series about using Windows PowerShell with Hyper-V. It is cool stuff and you do not want to miss it.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

  • Hi Jonathan,

    thank you for your information about event logs!

    We can create new event logs and write to them very easily using Powershell.

    Reporting progress, errors or information that way, especially in background jobs, is a great idea!

    btw: There is a minor typo "Write-EevntLog" instead of "Write-EventLog" in :

    Write-EevntLog –LogName Application –Source “My Script” –EntryType Information –EventID 1

    –Message “This is a test message.”

    Thanks!

    Klaus.

  • Hi Jonathan,

    Nice post, thank you for sharing.

    In large(r) scripts you may want to create a small function you can call to write to the eventlog: jeffwouters.nl/.../use-powershell-to-write-to-the-event-log

    Keep on sharing, happy to read more from your hand :-)

    Jeff.

  • @Klaus Thanks for the heads-up on the typo.  Too bad I can't blame auto-correct on a phone for that one! :)  Anyways, I have reached out to try to get it corrected.  Glad you found the article helpful.

    @Jeff I absolutely agree with creating a small function to handle the logging.  You could create a function that can log information to the screen (pending verbose/debug settings) as well as to the event log in one call.  Thanks for the comment!

  • FYI: Just under the listing to "see what cmdlets are available that deal with the event logs", the first code example starts with the command, "Write-EevntLog".  Should that actually be "Write-EventLog"?

  • Typo has been noted. Trying to get it corrected. Thanks

  • @K_Schulte @Jonathan Tyler @Typo Alert I just fixed the typo. Everything should be groovy now. Thank you for pointing this out.

    @Jonathan dude you rock. Awesome job again on the article.

  • @IamMred Thanks for the opportunity.  I enjoyed writing it.

  • Anyone tried to combine this with Start-Transcript to record the items in the Message field of the commands executed?

  • Really useful stuff, thanks.  I'm looking forward to dumping my error variables into a new event log.

  • Jonathan - this came in handy for me this morning. Thanks for the post!

  • Hey! Scripting Guy,

    I am very thankful to you as your posts help me to learn a lot about Windows Powershell. I am new to Powershell and do not know much about powershell scripting yet but you really rock man!!!

    Thanks

  • Hi, I have a txt file that is a log file from my app and I need to create a log in EventLog, for example in Application.

    txt file is like

    5.11.2013 14:29:46 -- Uspešno potvrdjena otpremnica 240201300001 -- 000003.XML

    11.11.2013 14:14:56 -- Nije potvrdjena otpremnica 240201300072 -- 000009.XML

    11.11.2013 14:14:58 -- Nije pronadjena otpremnica -23363947    iz fajla 000008.XML u UPIS-u!

    11.11.2013 14:14:58 -- Nije pronadjena otpremnica -23366575    iz fajla 000008.XML u UPIS-u!

    11.11.2013 14:14:58 -- Nije pronadjena otpremnica -23364064    iz fajla 000008.XML u UPIS-u!

    and for each time (5.11.2013 14:29:46) have to create one log, but

    error is "11.11.2013 14:14:56 -- Nije potvrdjena otpremnica 240201300072 -- 000009.XML "

    and information is "5.11.2013 14:29:46 -- Uspešno potvrdjena otpremnica 240201300001 -- 000003.XML "

  • Ed you and the PowerShell team are awesome. I needed a quick way to write events to the event log and you didn't disappoint.

  • Great article.  

    One item that might be a nice potential add:

    A command to test if you need to execute the new-eventlog command.  The following can be run prior to a New-Eventlog command using the "LogName" and "Source" used in your post.  The command goes well in a script/function to test if you need to create a new source prior to adding an event associated with it.  This way you'll be able to run (and rerun) the associated script/function without any provisioning of a system ahead of time:

    if (!(Get-Eventlog -LogName "Application" -Source "MyScript")){

         New-Eventlog -LogName "Application" -Source "MyScript"

    }

    Thanks!

    Jeff

  • I found the following was a lot more efficient when the source doesn't exist:

    [System.Diagnostics.EventLog]::SourceExists("MyScript")