Create a new Event Log using PowerShell function


Find out how to create your own event log entries. Recently I was asked to prepare a PowerShell script for generating custom events. In this article, I want to share with you how this can be done using a simple PowerShell function.

Create a new Event Log

You can create an event with the simple Write-EventLog cmdlet. To write an event to an event log, the event log must exist on the computer and the source must be registered for the event log.

The cmdlets that contain the EventLog noun (the EventLog cmdlets) work only on classic event logs. To get events from logs that use the Windows Event Log technology in Windows Vista and later versions of the Windows operating system, use the Get-WinEvent cmdlet.

Example from Microsoft Docs:

Write-EventLog -LogName "Application" -Source "MyApp" -EventID 3001 -EntryType Information -Message "MyApp added a user-requested feature to the display." -Category 1 -RawData 10,20

In this case, we will instead use the .NET EventLog class (System.Diagnostics.EventLog) to build a simple PowerShell function.

For the purpose of the demonstration I created the following event message:

#Event message
$Message = @"
#####################################################
                                        PowerShellBros                
#####################################################                                             
                                                                      	 
Description: 
This is a test event :)

                █▀▀▄░░░░░░░░░░░▄▀▀█
                ░█░░░▀▄░▄▄▄▄▄░▄▀░░░█
                ░░▀▄░░░▀░░░░░▀░░░▄▀
                ░░░░▌░▄▄░░░▄▄░▐▀▀
                ░░░▐░░█▄░░░▄█░░▌▄▄▀▀▀▀█ 
                ░░░▌▄▄▀▀░▄░▀▀▄▄▐░░░░░░█
                ▄▀▀▐▀▀░▄▄▄▄▄░▀▀▌▄▄▄░░░█
                █░░░▀▄░█░░░█░▄▀░░░░█▀▀▀
                ░▀▄░░▀░░▀▀▀░░▀░░░▄█▀
                ░░░█░░░░░░░░░░░▄▀▄░▀▄
                ░░░█░░░░░░░░░▄▀█░░█░░█
                ░░░█░░░░░░░░░░░█▄█░░▄▀
                ░░░█░░░░░░░░░░░████▀
                ░░░▀▄▄▀▀▄▄▀▀▄▄▄█▀
                           
"@

Your event should look like this in Event Viewer:

[Screenshot: Create a new Event Log]

Default function parameters:

  • Eventlog – Application
  • Event source – PowerShellBros
  • Event ID – 1000
  • Event Instance – Error

Function

Final script and usage (remember to run it from an elevated session: registering a new event source needs administrator rights):

#Function
Function New-CustomEvent {
    [CmdletBinding()]

    # Parameters used in this function
    param
    (
        [Parameter(Position=0, Mandatory = $false, HelpMessage="Provide eventlog name", ValueFromPipeline = $true)] [string] $EventLog = "Application",
        [Parameter(Position=1, Mandatory = $false, HelpMessage="Provide event source", ValueFromPipeline = $true)]  [string] $Source   = "PowerShellBros",
        [Parameter(Position=2, Mandatory = $false, HelpMessage="Provide event ID", ValueFromPipeline = $true)]      [int]    $EventID  = 1000,
        [Parameter(Position=3, Mandatory = $true, HelpMessage="Provide event message", ValueFromPipeline = $false)] [string] $Message,
        [Parameter(Position=4, Mandatory = $false, HelpMessage="Select event instance", ValueFromPipeline = $false)]
        [ValidateSet("Information","Warning","Error")] [string] $EventInstance = 'Error'
    )

    # Register the event source if it is missing. This needs administrator rights;
    # SourceExists itself throws a SecurityException for non-admins when the source is not found.
    If (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($Source, $EventLog)
    }

    # EventInstance(instanceId, categoryId, entryType): EventLogEntryType Error = 1, Warning = 2;
    # the two-argument constructor defaults to Information
    Switch ($EventInstance) {
        'Error'       {$id = New-Object System.Diagnostics.EventInstance($EventID,1,1)} #ERROR EVENT
        'Warning'     {$id = New-Object System.Diagnostics.EventInstance($EventID,1,2)} #WARNING EVENT
        'Information' {$id = New-Object System.Diagnostics.EventInstance($EventID,1)}   #INFORMATION EVENT
    }

    $Object = New-Object System.Diagnostics.EventLog
    $Object.Log    = $EventLog
    $Object.Source = $Source

    # $Message is passed as the event's insertion string
    $Object.WriteEvent($id, @($Message))
    $Object.Dispose()
}

#Event message
$Message = @"
#####################################################
                                        PowerShellBros                
#####################################################                                             
                                                                      	 
Description: 
This is a test event :)

                █▀▀▄░░░░░░░░░░░▄▀▀█
                ░█░░░▀▄░▄▄▄▄▄░▄▀░░░█
                ░░▀▄░░░▀░░░░░▀░░░▄▀
                ░░░░▌░▄▄░░░▄▄░▐▀▀
                ░░░▐░░█▄░░░▄█░░▌▄▄▀▀▀▀█ 
                ░░░▌▄▄▀▀░▄░▀▀▄▄▐░░░░░░█
                ▄▀▀▐▀▀░▄▄▄▄▄░▀▀▌▄▄▄░░░█
                █░░░▀▄░█░░░█░▄▀░░░░█▀▀▀
                ░▀▄░░▀░░▀▀▀░░▀░░░▄█▀
                ░░░█░░░░░░░░░░░▄▀▄░▀▄
                ░░░█░░░░░░░░░▄▀█░░█░░█
                ░░░█░░░░░░░░░░░█▄█░░▄▀
                ░░░█░░░░░░░░░░░████▀
                ░░░▀▄▄▀▀▄▄▀▀▄▄▄█▀
                           
"@

#Run function
New-CustomEvent -Message $Message

To display all events with the PowerShellBros source you can run:

#Events criteria
$Filter = @{
    LogName      = 'Application'
    ProviderName = 'PowerShellBros'   # for classic logs the provider name is the registered source name
    ID           = 1000
}

Get-WinEvent -FilterHashtable $Filter -MaxEvents 10 | Select-Object LogName,ProviderName,ID,TimeCreated
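As an added example that is not part of the original post, the following checks that the source is bound to the expected log before writing (a source registered to a different log makes the write fail), handles the SecurityException a non-admin gets from SourceExists, writes one entry with the static WriteEntry method, and then reads it back with Get-WinEvent to confirm it landed. The function names Test-EventSourceBinding and Write-VerifiedEvent are my own.

```powershell
# Added example (not code from the original post). Function names are my own.

function Test-EventSourceBinding {
    param([string]$Source, [string]$EventLog)
    try {
        # SourceExists throws SecurityException for a non-admin when the source is
        # absent, because it also has to search the Security log's registry key.
        if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) { return 'Missing' }
    } catch [System.Security.SecurityException] { return 'AccessDenied' }
    # A source is bound to exactly one log; writing it into another log fails.
    $bound = [System.Diagnostics.EventLog]::LogNameFromSourceName($Source, '.')
    if ($bound -ne $EventLog) { return "BoundTo:$bound" }
    return 'Ok'
}

function Write-VerifiedEvent {
    param(
        [string]$EventLog = 'Application',
        [string]$Source   = 'PowerShellBros',
        [int]$EventID     = 1000,
        [System.Diagnostics.EventLogEntryType]$EntryType = 'Warning',
        [Parameter(Mandatory)][string]$Message
    )
    $state = Test-EventSourceBinding -Source $Source -EventLog $EventLog
    switch -Wildcard ($state) {
        'Missing'      { [System.Diagnostics.EventLog]::CreateEventSource($Source, $EventLog) }  # admin only
        'AccessDenied' { throw "Cannot verify source '$Source'; run from an elevated session." }
        'BoundTo:*'    { throw "Source '$Source' is registered to log '$($state.Substring(8))', not '$EventLog'." }
    }

    $since = (Get-Date).AddSeconds(-2)
    # Static overload: WriteEntry(source, message, entryType, eventID)
    [System.Diagnostics.EventLog]::WriteEntry($Source, $Message, $EntryType, $EventID)

    # Read the entry back; for classic logs ProviderName matches the source name.
    $filter = @{ LogName = $EventLog; ProviderName = $Source; ID = $EventID; StartTime = $since }
    $found = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $found) { throw "Event $EventID from '$Source' was not found in '$EventLog' after writing." }
    $found | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message
}

# Constructed sample message; run elevated the first time so the source can be created.
Write-VerifiedEvent -Message 'Round-trip test event (constructed sample)'
```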

I hope this was informative for you ( ͡° ͜ʖ ͡°). See you in the next article.
