How to use Write-Eventlog?

Question

Monday, September 19, 2011 6:47 PM

One of the examples for this cmdlet,

 

write-eventlog -logname Application -source MyApp -eventID 3001 -entrytype Information -message "MyApp added a user-requested feature to the display." -category 1 -rawdata 10,20

...simply doesn't work.  I get the following result:

 

PS C:\scripts> write-eventlog -logname Application -source MyApp -eventID 3001 -entrytype Information -message "MyApp added a user-requested feature to the display." -category 1 -rawdata 10,20
Write-EventLog : The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.
At line:1 char:15

+ write-eventlog <<<<  -logname Application -source MyApp -eventID 3001 -entrytype Information -message "MyApp added a user-requested feature to the display.
    " -category 1 -rawdata 10,20
        + CategoryInfo          : NotSpecified: (:) [Write-EventLog], SecurityException
        + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.WriteEventLogCommand

If I look at my events, and choose a source that already exists, I can successfully create an event.  But, I ask, what use is this?  Why can't I use my own name for an event source?

[string](0..9|%{[char][int](32+("39826578840055658268").substring(($_*2),2))})-replace "\s{1}\b"

All replies (10)

Monday, September 19, 2011 7:14 PM ✅ Answered | 5 votes

Just to be clear, the Windows event log requires that your log source be created ahead of time (this is true of all apps that log to the Windows event system -- not just PowerShell scripts).

So, when you specify the parameter "-Source MyApp", it's with the expectation that there is a source in the event log system by that name.

As Will states above, you can use New-EventLog to handle the pre-creation. It only needs to be done once per system, not necessarily every time the script is run.

Edit: Example

New-EventLog -Source MyApp -LogName Application

Monday, September 19, 2011 7:00 PM

I did this just a little while ago and it worked:

new-eventlog -LogName "test" -Source "test"
Write-EventLog -LogName "test" -Source "test" -EventId 1 -Message "Test message"
Get-WinEvent -LogName "test"

I have no .dll named test.  But, I tried something similar to yours and got this helpful error message:

PS C:\Users\wsteele> Write-EventLog -LogName Application -Source "test" -EventId 1 -Message "Test"
Write-EventLog : The source 'test' is not registered in log 'Application'. (It is registered in log 'test'.) " The Sour
ce and Log properties must be matched, or you may set Log to the empty string, and it will automatically be matched to
the Source property.
At line:1 char:15
+ Write-EventLog <<<<  -LogName Application -Source "test" -EventId 1 -Message "Test"
    + CategoryInfo          : InvalidOperation: (:) [Write-EventLog], Exception
    + FullyQualifiedErrorId : The source 'test' is not registered in log 'Application'. (It is registered in log 'test
   '.) " The Source and Log properties must be matched, or you may set Log to the empty string, and it will automatic
  ally be matched to the Source property.,Microsoft.PowerShell.Commands.WriteEventLogCommand

Monday, September 19, 2011 7:11 PM

Hi Will,

Exactly my point:  Is it only possible to write to event logs that you create?  Can one not register a new source for the application event log?  It seems the logical place to put events generated by "MyApp", as per the PowerShell example.

[string](0..9|%{[char][int](32+("39826578840055658268").substring(($_*2),2))})-replace "\s{1}\b"


Monday, September 19, 2011 8:26 PM | 2 votes

It might be worth playing around with various values stored beneath this registry key to find a value to work with: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog.  When I used the New-EventLog cmdlet listed above, the value specified for Source was the name of the key created in the subkey listed here.


Monday, September 19, 2011 8:31 PM

I didn't realise New-Eventlog was used for writing new sources into existing event logs.  I thought it was for creating new custom eventlogs only.

[string](0..9|%{[char][int](32+("39826578840055658268").substring(($_*2),2))})-replace "\s{1}\b"


Monday, September 19, 2011 8:53 PM | 1 vote

One option you can use is eventcreate to register a new source.  I've registered new sources with PowerShell but can't find the command I used.  The basic is

[System.Diagnostics.EventLog]::CreateEventSource('MyApp', 'Application')

But you have to run that as an admin.  Once the source is registered you don't have to be an admin to use it.


Tuesday, September 20, 2011 3:58 AM

Hi theKastner.  Thanks for that.  The command in PS is to use 'New-Eventlog', as such:

New-EventLog -Source MyApp -LogName Application

I got that from Ben.

[string](0..9|%{[char][int](32+("39826578840055658268").substring(($_*2),2))})-replace "\s{1}\b"


Wednesday, September 21, 2011 1:46 PM

The one caveat here is that once the source is created for an event log, it can only be used for that event log. So you can't then use the same source to write to the application or system log.


Tuesday, March 18, 2014 3:03 PM

I'd also like to add: for this to work, be sure your PS code is being run as Administrator (Elevated) if UAC is enabled.
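
The points made in the replies above (a source must be registered once, registration needs an elevated session, and a source is bound to a single log) can be checked explicitly before writing. This is an added example, not code posted by anyone in the thread; it assumes Windows PowerShell, and the function name Write-AppEvent and its default values are hypothetical.

```powershell
# Added example, not from the thread. Write-AppEvent and its defaults are hypothetical.
function Write-AppEvent {
    param(
        [Parameter(Mandatory = $true)] [string] $Source,
        [Parameter(Mandatory = $true)] [string] $Message,
        [string] $LogName = 'Application',
        [int] $EventId = 3001,
        [System.Diagnostics.EventLogEntryType] $EntryType = 'Information'
    )

    # SourceExists() searches every log, including Security. For an unregistered
    # source in a non-elevated session it throws the SecurityException shown in
    # the question, so that case is treated as "not registered".
    $registered = $false
    try {
        $registered = [System.Diagnostics.EventLog]::SourceExists($Source)
    }
    catch {
        if ($_.Exception.GetBaseException() -isnot [System.Security.SecurityException]) { throw }
    }

    if ($registered) {
        # A source belongs to exactly one log; refuse to write if it is bound elsewhere.
        $boundTo = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
        if ($boundTo -ne $LogName) {
            throw "Source '$Source' is registered in log '$boundTo', not '$LogName'."
        }
    }
    else {
        # Registration is a one-time step that requires an elevated session.
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        if (-not $isAdmin) {
            throw "Source '$Source' is not registered. Run once from an elevated session to create it."
        }
        New-EventLog -LogName $LogName -Source $Source -ErrorAction Stop
    }

    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
        -EntryType $EntryType -Message $Message -ErrorAction Stop
}

# Sample call using the source name and message from the question.
Write-AppEvent -Source 'MyApp' -Message 'MyApp added a user-requested feature to the display.'
```

Run it once elevated to register the source; later calls from a standard session then only perform the write.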


Wednesday, February 10, 2016 4:15 PM | 1 vote

I've always done it this way, to keep from having to remember to create the sources:

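Function Log-Event {
    param (
        [string] $LogName = "Application",
        [string] $Source = "MYAPP_changeme",
        [string] $Type = "I",
        [int] $eventID = 33,
        [string] $message = "blah"
    )
    # Map the one-letter shorthand to an entry type; any other value is passed through unchanged.
    switch ($Type.ToUpper()) {
        "I" { $ET = "Information" }
        "E" { $ET = "Error" }
        "W" { $ET = "Warning" }
        default { $ET = $Type }
    }

    # -ErrorAction Stop turns a failed write into a terminating error so the catch block runs.
    $eventScriptBlock = { Write-EventLog -LogName $LogName -Source $Source -EntryType $ET -Message $message -EventId $eventID -ErrorAction Stop }
    try { & $eventScriptBlock }
    catch {
        # The first write failed: register the source (requires an elevated session), then retry once.
        New-EventLog -LogName $LogName -Source $Source
        & $eventScriptBlock
    }
}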