How to write an event log entry with structured XML data?

Question: How to write an event log entry with structured XML data using PowerShell?

My PowerShell script writes to the Windows event log using the Write-EventLog cmdlet. Currently I use the -Message parameter to set the event log message:

Write-EventLog -LogName $EventLogName -Source $EventSource -EntryType Error -EventId 1 -Message "MyMessageHere"

If you look at the message in Windows Event Viewer you get XML like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    [...]
  </System>
  <EventData>
    <Data>MyMessageHere</Data> 
  </EventData>
</Event>

I.e. the message is set as event data. Now I want to write structured event data, where the contents of the Data element are XML (see your own Windows\Security log for an example).

I tried using Write-EventLog as follows: -Message "<Data Name=""MyKey1"">MyValue1</Data>" but that does not work properly; it looks like the message is added as CDATA inside the Data element.

So, how to write an event log entry with structured XML data using PowerShell?

D.R. asked Feb 18 '15 12:02

1 Answer

Here's the real answer on how to do this: https://kevinholman.com/2016/04/02/writing-events-with-parameters-using-powershell/

#Script to create events with parameters

#Define the event log and your custom event source
$evtlog = "Application"
$source = "MyEventSource"

#These are just examples to pass as parameters to the event
$hostname = "computername.domain.net"
$timestamp = (get-date)

#Load the event source to the log if not already loaded.  This will fail if the event source is already assigned to a different log.
if ([System.Diagnostics.EventLog]::SourceExists($source) -eq $false) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, $evtlog)
}

#function to create the events with parameters
function CreateParamEvent ($evtID, $param1, $param2, $param3) {
    # EventInstance(instanceId, categoryId[, entryType]); entry type defaults to Information
    $id = New-Object System.Diagnostics.EventInstance($evtID,1)    #INFORMATION EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,1,2) #WARNING EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,1,1) #ERROR EVENT
    $evtObject = New-Object System.Diagnostics.EventLog
    $evtObject.Log = $evtlog
    $evtObject.Source = $source
    # Each element of the array becomes its own <Data> element under <EventData>
    $evtObject.WriteEvent($id, @($param1,$param2,$param3))
}


#Command line to call the function and pass whatever you like
CreateParamEvent 1234 "The server $hostname was logged at $timestamp" $hostname $timestamp
user561253 answered Oct 01 '22 06:10
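The answer above shows the write side only. The following is an added example, not code from the question, the answer or the linked blog post: it writes a parameterised event with the same System.Diagnostics.EventLog API and then reads it back with Get-WinEvent, rendering the record as XML so you can confirm that each parameter landed in its own <Data> element instead of being stuffed into the message text. The log name "Application", the source name "MyEventSource", the event id 1234 and the three sample values are assumptions made for this example; creating a new event source needs an elevated session.

```powershell
# Added example (not from the original answer). Assumed values: log "Application",
# hypothetical source "MyEventSource", event id 1234. Run elevated the first time so
# the source can be registered.
$LogName = 'Application'
$Source  = 'MyEventSource'   # hypothetical source name
$EventId = 1234

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($Source, $LogName)
}

function Write-ParamEvent {
    param(
        [Parameter(Mandatory)][int]$Id,
        [System.Diagnostics.EventLogEntryType]$EntryType = 'Information',
        [Parameter(Mandatory)][object[]]$Params
    )
    # EventInstance(instanceId, categoryId, entryType); category 0 means "no category"
    $instance = New-Object -TypeName System.Diagnostics.EventInstance -ArgumentList $Id, 0, $EntryType
    $log = New-Object -TypeName System.Diagnostics.EventLog
    $log.Log    = $LogName
    $log.Source = $Source
    # Every element of $Params becomes one <Data> element under <EventData>,
    # in the order given. Nothing is parsed as XML, so values may contain < or &.
    $log.WriteEvent($instance, $Params)
}

# Constructed sample values for the three parameters
$user   = 'CONTOSO\jdoe'
$action = 'ConfigChanged'
$detail = 'Setting AuditLevel changed from 1 to 3'
Write-ParamEvent -Id $EventId -EntryType Warning -Params @($user, $action, $detail)

# Read back the newest event with that id from this source. For a classic source the
# provider name seen by Get-WinEvent is the source name itself.
$evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = $EventId } -MaxEvents 1
$xml = [xml]$evt.ToXml()

# One string per parameter, e.g. CONTOSO\jdoe, ConfigChanged, Setting AuditLevel ...
$xml.Event.EventData.Data

# The same values are exposed as typed properties; a collector or SIEM query should
# key on these rather than on the rendered message text.
$evt.Properties | ForEach-Object { $_.Value }
```

Two caveats for anyone building detections on such events. First, WriteEvent produces unnamed <Data> elements; the <Data Name="..."> attributes the question saw in the Security log come from manifest-registered providers, which the classic EventLog API cannot emit, so downstream queries must address the parameters by position (EventData/Data[1], [2], ...). Second, the parameters are stored as strings supplied by the caller, so any consumer that turns them into queries or file paths must treat them as untrusted input.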