{"id":4228,"date":"2013-02-01T00:01:00","date_gmt":"2013-02-01T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/02\/01\/use-powershell-to-create-and-to-use-a-new-event-log\/"},"modified":"2013-02-01T00:01:00","modified_gmt":"2013-02-01T00:01:00","slug":"use-powershell-to-create-and-to-use-a-new-event-log","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-create-and-to-use-a-new-event-log\/","title":{"rendered":"Use PowerShell to Create and to Use a New Event Log"},"content":{"rendered":"

Summary:<\/strong> Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to create and to use a new event log.<\/span>\nMicrosoft Scripting Guy, Ed Wilson, is here. Well, it’s the weekend, baby! At least for the Scripting Wife and me. You see, the Scripting Manager gave me today and Monday off as sort of “comp time” because of all the long hours I have been working recently. I said cool, and Teresa said, “I know, let’s go to the beach,” so we are back at the beach. <\/span>And I am back at the coffee house, sitting near the sand and playing around with Windows PowerShell. <\/span>\nNow, if this sounds familiar, it is. <\/span>Teresa and I headed to the beach last week<\/a> and like they say in some cheesy movies, “we’re baaack …” I will admit it is really hard to see if I am taking time off, or if I am “working,” even for me, because the two activities overlap so much. If truth be told, I am sitting here right now working—but hey, it’s all fun—and I would be doing this anyway, even if I was not working, which I am not, because my boss told me to take some time off. <\/span>Now, I did read about a company recently that would pay for you to take vacation—cool, I thought, but you had to leave your cell phone, laptop, surface, etc. behind. That is not a vacation—that sounds more like torture (at least to me).<\/span><\/p>\n

Use PowerShell to create my own event log<\/h2>\n

One of the cool things to do with Windows PowerShell is to create my own event logs. Here, I am talking about an event log that is like one of the traditional event logs (traditional event logs are System, Security, and Application). By using Windows PowerShell, these traditional types of event logs are easy to read, easy to write to, easy to back up, and easy to clear.<\/p>\n

Use PowerShell to create an event log<\/h2>\n

I use the New-EventLog<\/strong> cmdlet to create a new event log. To use this cmdlet, I need three things:<\/p>\n

    \n
  1. Open the Windows PowerShell console with admin rights—an error occurs when attempting to create a new event log without elevated rights.<\/li>\n
  2. I need the name for the log.<\/li>\n
  3. I need to specify a source for the events that write to the log.<\/li>\n<\/ol>\n

    The following command creates a new traditional event log named ScriptingGuys<\/em> with a source named scripts<\/em>. <\/p>\n

    New-EventLog -LogName ScriptingGuys -Source scripts\nWhen the command runs, no output appears to the Windows PowerShell console. To ensure the command actually created a new event log, I use the Get-EventLog<\/strong> cmdlet with the –List<\/strong> parameter. Here is the command and the associated output.<\/p>\n

    10:06 C:> Get-EventLog -List<\/p>\n

      Max(K) Retain OverflowAction        Entries Log<\/p>\n

      —— —— ————–        ——- —<\/p>\n

      20,480      0 OverwriteAsNeeded      18,504 Application<\/p>\n

      20,480      0 OverwriteAsNeeded           0 HardwareEvents<\/p>\n

         512      7 OverwriteOlder              0 Internet Explorer<\/p>\n

      20,480      0 OverwriteAsNeeded           0 Key Management Service<\/p>\n

      10,240      0 OverwriteAsNeeded           4 Lenovo-Customer Feedback<\/p>\n

         512      7 OverwriteOlder              2 Lenovo-Lenovo Patch Utility\/Admin<\/p>\n

         128      0 OverwriteAsNeeded          30 OAlerts<\/p>\n

         512      7 OverwriteOlder              0 ScriptingGuys<\/p>\n

                                                  Security<\/p>\n

      20,480      0 OverwriteAsNeeded      21,437 System<\/p>\n

      15,360      0 OverwriteAsNeeded      10,059 Windows PowerShell<\/p>\n

    Configuring my event log<\/h2>\n

    One of the things I notice when I check the ScriptingGuys event log is that it is set to 512 KB, and it will retain entries for 7 days when it will begin deleting older events. This is not the behavior I want. What I want is for the log to be 64 KB in size and to overwrite as needed. To do this, I would think that I use the Set-EventLog<\/strong> cmdlet—but no, there is not such a thing. The cmdlet is named Limit-EventLog<\/strong>. Looking at the Help, it appears there is only one parameter set. Well, I want to OverWriteAsNeeded, <\/em>so I guess I also need to set a retention days of 0. I craft the following command, but as you can see, it fails.<\/p>\n

    10:19 C:> Limit-EventLog -OverflowAction OverWriteAsNeeded -RetentionDays 0 -Maximum<\/p>\n

    Size 64KB<\/p>\n

    Limit-EventLog : Cannot validate argument on parameter ‘RetentionDays’. The 0 argument is less than the minimum allowed range of 1. Supply an argument that is greater than or equal to 1 and then try the command again.<\/p>\n

    At line:1 char:65<\/p>\n

    + Limit-EventLog -OverflowAction OverWriteAsNeeded -RetentionDays 0 -MaximumSize<\/p>\n

    +                                                                 ~<\/p>\n

        + CategoryInfo          : InvalidData: (:) [Limit-EventLog], ParameterBindingValidationException<\/p>\n

        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.PowerShell<\/p>\n

       .Commands.LimitEventLogCommand\nMajor bummer. Ok, so I try it without the RetentionDays<\/strong> parameter … and it works.<\/p>\n

    Limit-EventLog -OverflowAction OverWriteAsNeeded -MaximumSize 64KB -LogName scriptingguys\nI now use Get-EventLog<\/strong> to confirm my changes took place … the output below confirms that the command worked properly.<\/p>\n

    10:23 C:> Get-EventLog -list | ? log -eq scriptingguys<\/p>\n

      Max(K) Retain OverflowAction        Entries Log<\/p>\n

      —— —— ————–        ——- —<\/p>\n

          64      0 OverwriteAsNeeded           0 ScriptingGuys<\/p>\n

    I can’t get <\/em>an event log without entries<\/h2>\n

    Interestingly enough, I cannot get an event log that has no entries in it … at least not yet. Because if I use the Get-EventLog<\/strong> cmdlet to attempt to retrieve the ScriptingGuys event log, an error appears. The command and error are here.<\/p>\n

    10:23 C:> Get-EventLog -LogName scriptingguys<\/p>\n

    Get-EventLog : No matches found<\/p>\n

    At line:1 char:1<\/p>\n

    + Get-EventLog -LogName scriptingguys<\/p>\n

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n

        + CategoryInfo          : ObjectNotFound: (:) [Get-EventLog], ArgumentException<\/p>\n

        + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Comman<\/p>\n

       ds.GetEventLogCommand<\/p>\n

    Writing to the event log<\/h2>\n

    To write to my new event log, I need to specify the following information:<\/p>\n

      \n
    1. The log name (scriptingguys in my example)<\/li>\n
    2. The source (scripting in my case)<\/li>\n
    3. EventID (I generally start with 1)<\/li>\n
    4. EntryType (Information, Warning, Error)<\/li>\n
    5. Message (this is what I want to log)<\/li>\n<\/ol>\n

      In this example, I add a new entry to the ScriptingGuys event log.<\/p>\n

      Write-EventLog -LogName ScriptingGuys -Source scripts -Message “Dude, it works … COOL!” -EventId 0 -EntryType information\nI can now use the Get-EventLog<\/strong> cmdlet to retrieve the event. This is shown here.<\/p>\n

      10:27 C:> Get-EventLog -LogName scriptingguys<\/p>\n

         Index Time          EntryType   Source                 InstanceID Message<\/p>\n

         —– —-          ———   ——                 ———- ——-<\/p>\n

             1 Jan 29 10:27  Information scripts                         0 Dude, it wor…\nThat is all there is to using Windows PowerShell to create and to manage event logs. Join me tomorrow when I will talk about more cool stuff.\nI invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.\nEd Wilson, Microsoft Scripting Guy<\/strong> <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

      Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to create and to use a new event log. Microsoft Scripting Guy, Ed Wilson, is here. Well, it’s the weekend, baby! At least for the Scripting Wife and me. You see, the Scripting Manager gave me today and Monday off as sort of “comp […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,45],"class_list":["post-4228","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"

      Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to create and to use a new event log. Microsoft Scripting Guy, Ed Wilson, is here. Well, it’s the weekend, baby! At least for the Scripting Wife and me. You see, the Scripting Manager gave me today and Monday off as sort of “comp […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=4228"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/4228\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=4228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=4228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=4228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}