Use PowerShell to Create Custom Log Events

Last time I showed how to use the command-line tool EVENTCREATE.EXE to create your own custom event log entries. Today I want to demonstrate how to accomplish the same task with Windows PowerShell, using the Write-EventLog cmdlet. The first step should be to look at the cmdlet help.

PS C:\> help Write-EventLog

When using this cmdlet you must specify the log name, a source, an event ID and a message. In this regard it is very similar to EVENTCREATE.EXE. But you can’t use a non-standard or ad hoc source; you must use a pre-defined, existing source. An easy way to discover the source names registered for a log is to use Windows Management Instrumentation (WMI).

PS C:\> $log=Get-WmiObject win32_nteventlogfile -filter "filename='system'"
PS C:\> $log.Sources

If one of these sources seems appropriate, then you can log your own entry like this.

PS C:\> write-eventlog System -source Server -eventid 12345 -message "I am a custom event log message"

The default entry type is Information. I made up my own event ID, which has its drawbacks.


PS C:\> get-eventlog system -newest 1 | format-list EventID,EntryType,Source,Message
EventID   : 12345
EntryType : Information
Source    : Server
Message   : The description for Event ID '12345' in Source 'Server' cannot be
            found.  The local computer may not have the necessary registry
            information or message DLL files to display the message, or you
            may not have permission to access them.  The following information
            is part of the event:'I am a custom event log message'

I suppose if you wanted to be able to search for the event ID or the message, you could live with the minor “error” in the message.

PS C:\> get-eventlog system -newest 1 -message "*custom event*"
   Index Time          EntryType   Source             InstanceID Message
   ----- ----          ---------   ------              ---------- -------
 1512222 Jan 25 10:05  Information Server                  12345 The des...

Not perfect, but functional. While it is theoretically possible to register new sources, if you are going to go to that length you might as well create a new event log using the New-Eventlog cmdlet.

Normally this cmdlet is aimed at application developers building a formal event log. But IT Pros can use this as well. I’m going to create a custom log and define a few sources as well.

PS C:\> new-eventlog -LogName PSLogging -Source ADSI,WMI,Test,Other

What did I just create?

PS C:\> $log=Get-WmiObject win32_NTEventlogfile -filter "filename='PSLogging'"
PS C:\> $log | fl
FileSize        : 69632
LogfileName     : PSLogging
Name            : C:\Windows\System32\Winevt\Logs\PSLogging.evtx
NumberOfRecords : 0

A brand new log. Let’s check my sources.

PS C:\> $log.sources

Finally, let’s write something to it.

PS C:\> Write-EventLog PSLogging -Source Test -eventID 1000 -Message "I am the first entry"

You can use any event ID you choose, but you’ll likely want to define them in advance.

PS C:\> get-eventlog PSLogging | format-list
Index              : 14
EntryType          : Information
InstanceId         : 1000
Message            : I am the first entry
Category           : (1)
CategoryNumber     : 1
ReplacementStrings : {I am the first entry}
Source             : Test
TimeGenerated      : 1/25/2012 10:45:47 AM
TimeWritten        : 1/25/2012 10:45:47 AM
UserName           :

Now Windows no longer complains about the event ID, and the message is displayed exactly as written. If I need to add another source, all I need to do is rerun the New-EventLog cmdlet:

PS C:\> New-EventLog PSLogging -source Scripting

Now I have a new source.

PS C:\> Get-WmiObject win32_NTEventlogfile -filter "filename='PSLogging'" | Select -expand Sources


The New-EventLog cmdlet also has a -ComputerName parameter, so it would be very easy to define a new event log on all the servers or desktops where you want your own custom logging. Have you implemented custom logging? If so, I’d love to hear about it.
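As an added example that is not part of the original post, here is a small helper that puts these pieces together: it registers a source only if it is missing, writes events with IDs and entry types decided in advance, and reads back just the errors. The log name, source name and event ID table are my assumptions, and New-EventLog needs an elevated session.

```powershell
# Added example (not from the original post): a logging helper built on
# New-EventLog / Write-EventLog. The log name, source and event ID table
# are assumptions; registering a log or source requires an elevated session.

$LogName = 'PSLogging'

# Decide event IDs and entry types up front so later searches are consistent.
$EventTable = @{
    ScriptStart = @{ Id = 1000; Type = 'Information' }
    ScriptEnd   = @{ Id = 1001; Type = 'Information' }
    Warning     = @{ Id = 2000; Type = 'Warning' }
    Failure     = @{ Id = 3000; Type = 'Error' }
}

function Register-CustomSource {
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # SourceExists reads the EventLog registry key, so this needs admin rights.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source, $ComputerName)) {
        New-EventLog -LogName $LogName -Source $Source -ComputerName $ComputerName
    }
}

function Write-CustomEvent {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('ScriptStart','ScriptEnd','Warning','Failure')]
        [string]$Kind,
        [Parameter(Mandatory=$true)][string]$Message,
        [string]$Source = 'Scripting',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $entry = $EventTable[$Kind]
    Write-EventLog -LogName $LogName -Source $Source -EventId $entry.Id `
        -EntryType $entry.Type -Message $Message -ComputerName $ComputerName
}

# Usage: register the source once, then log from any script.
Register-CustomSource -Source 'Scripting'
Write-CustomEvent -Kind ScriptStart -Message "Backup script started by $env:USERNAME"
Write-CustomEvent -Kind Failure -Message 'Backup share unreachable'

# Read back only the failures, the way the post filtered on -Message earlier.
Get-EventLog -LogName $LogName -EntryType Error -Newest 5 |
    Format-Table TimeGenerated, Source, EventID, Message -AutoSize
```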
