Creating an Event Log with PowerShell

By dwirch | 2016-12-06

Programmatically creating a new Windows Event Viewer log can be quite useful during automated processes. While some folks know how this is done, others might need some guidance. Here’s how to do it with PowerShell.

A lot of folks struggle with logging things from within their PowerShell scripts, going down the path of inventing a method of writing events to a text file or database. Why not use the Windows Event Viewer to log things? It’s already there, takes care of data file management for you, and can be viewed with standard tools.

As an added bonus, most good monitoring packages such as Splunk or SCOM already provide a method for watching these event logs, and can act on entries therein.

In a “normal” situation, an application or script will write to the Application event log, or possibly the System event log. In my old age, I’ve taken to logging just about everything that my script or application does, especially while I am in the process of building it. This helps me to debug the script, and instills a good documentation practice. So in order to not clog up the Application event log, I’ve taken to utilizing custom event logs.

Below is the short script that will build a sample event log on the local machine. Note that the first time it is run, it will need to run with Administrator privileges.

First, let’s set some constants up top. These will be used everywhere we want to work with the event log, and help to prevent typos elsewhere in the script:

Warning!  Watch out for line wrap on these code snippets!

$LogSource="Create-EventLog.ps1"
$LogName="SampleEventLog"

Next, we’ll try to create the event log, using the New-EventLog cmdlet, then write the success message to the log. Since we don’t want to let the log grow forever, we’ll set some limits with the Limit-EventLog cmdlet.

try
{
  # Create the log and register the source. On later runs both already exist,
  # so the cmdlet's error is suppressed and the script carries on.
  New-EventLog -LogName $LogName -Source $LogSource -ErrorAction SilentlyContinue
  # Record the creation in the new log itself.
  Write-EventLog -LogName $LogName -Source $LogSource -EntryType Information -EventId 900 -Message "Create $LogName event log successfully."
  # Cap the log at 2 GB and keep entries for a year, overwriting only older ones.
  Limit-EventLog -LogName $LogName -RetentionDays 365 -OverflowAction OverwriteOlder -MaximumSize 2GB
}
catch
{
  Write-Error "Failed to create $LogName event log, $_"
}

In the second half of the try/catch, we’re simply writing an error, saying that the log could not be created.

Finally, you can now write events to the log with the Write-EventLog cmdlet. Below are examples of how you can write both an error and a warning to our shiny new custom event log.

Write-EventLog -LogName $LogName -Source $LogSource -EntryType Error -EventId 1001 -Message "This is where your error message would go"
Write-EventLog -LogName $LogName -Source $LogSource -EntryType Warning -EventId 1002 -Message "This is where your warning message would go"
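As an added example (my code, not the post's), here is a reusable form of the same procedure: it checks whether the source is already registered before creating anything, verifies the source is bound to the expected log, creates the log only from an elevated session, and reads the newest entries back with Get-WinEvent to confirm where they landed. It assumes Windows PowerShell 5.1 (the *-EventLog cmdlets are not shipped with PowerShell 7); the function names Initialize-CustomEventLog and Write-CustomEvent are my own.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
# Log and source names are the post's; the function names are mine.
$LogSource = "Create-EventLog.ps1"
$LogName   = "SampleEventLog"

function Initialize-CustomEventLog {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Source
    )
    if ([System.Diagnostics.EventLog]::SourceExists($Source)) {
        # A source can be bound to only one log per machine; make sure it is ours
        # before trusting that later writes land in the expected log.
        $boundTo = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, ".")
        if ($boundTo -ne $LogName) {
            throw "Source '$Source' is already registered to log '$boundTo', not '$LogName'."
        }
        return $false   # already set up, nothing to do
    }
    # Registering a new log/source writes under HKLM, so it needs elevation;
    # writing to an existing source does not.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw "Creating '$LogName' requires an elevated session." }

    New-EventLog -LogName $LogName -Source $Source -ErrorAction Stop
    Limit-EventLog -LogName $LogName -RetentionDays 365 -OverflowAction OverwriteOlder -MaximumSize 2GB
    # Only claim success when the log was actually created on this run.
    Write-EventLog -LogName $LogName -Source $Source -EntryType Information -EventId 900 `
        -Message "Created $LogName event log successfully."
    return $true
}

function Write-CustomEvent {
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information','Warning','Error')][string]$EntryType = 'Information',
        [int]$EventId = 1000
    )
    # $LogName and $LogSource are read from the enclosing scope.
    Write-EventLog -LogName $LogName -Source $LogSource -EntryType $EntryType -EventId $EventId -Message $Message
}

$created = Initialize-CustomEventLog -LogName $LogName -Source $LogSource
Write-CustomEvent -Message "Script started (log created this run: $created)"
Write-CustomEvent -Message "This is where your error message would go" -EntryType Error -EventId 1001
# Read the newest entries back to confirm they landed in the custom log.
Get-WinEvent -LogName $LogName -MaxEvents 5 | Select-Object TimeCreated, Id, LevelDisplayName, Message
```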

I hope this helps you, and if you have any questions or comments, please post in the comments below.

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
