How to write an event log entry with structured XML data?

Question: How to write an event log entry with structured XML data using PowerShell?

My PowerShell script writes to the Windows event log using the Write-EventLog cmdlet. Currently I use the -Message parameter to set the event log message:

Write-EventLog -LogName $EventLogName -Source $EventSource -EntryType Error -EventId 1 -Message "MyMessageHere"

If you look at the message using Windows EventViewer you get an XML like this:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    [...]
  </System>
  <EventData>
    <Data>MyMessageHere</Data> 
  </EventData>
</Event>

I.e. the message is set as event data. Now I want to write structured event data, where the contents of the Data element is XML (see your own Windows\Security log for an example).

I tried using Write-EventLog as follows: -Message "<Data Name=""MyKey1"">MyValue1</Data>" but that does not work properly; it looks like the message is added as CDATA inside the Data element.

So, how to write an event log entry with structured XML data using PowerShell?

Spinozism answered 18/2, 2015 at 12:59 Comment(4)
Actually, I would expect that it is added as CDATA. That is the only "safe" way to embed arbitrary text data inside an existing XML (what the Event already is). But why is this a problem? When you read your events, you know that your data is actually XML and can use it as such. - Confer
The customer has a tool in place which notices proper XML and harvests the data. It does not work with CDATA. (also it is the proper way to log event data, even the Windows EventViewer notices "real" XML and displays it in a tree-like structure in comparison to CDATA) - Spinozism
As I understand it, the XML data is part of the new event logging interface that came with Vista and requires you to register a manifest -- you can't just dump any old XML in there. See blogs.msdn.com/b/dotnet/archive/2013/08/09/… for a package that does this in .NET -- using this in PowerShell would require wrapping that code with a custom cmdlet. In short: not trivial. - Elaelaborate
Possible duplicate of How to store an object in the Windows Event Log? - Canister

Here's the real answer on how to do this: https://kevinholman.com/2016/04/02/writing-events-with-parameters-using-powershell/

#Script to create events with parameters

#Define the event log and your custom event source
$evtlog = "Application"
$source = "MyEventSource"

#These are just examples to pass as parameters to the event
$hostname = "computername.domain.net"
$timestamp = (get-date)

#Load the event source to the log if not already loaded.  This will fail if the event source is already assigned to a different log.
if ([System.Diagnostics.EventLog]::SourceExists($source) -eq $false) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, $evtlog)
}

#function to create the events with parameters
function CreateParamEvent ($evtID, $param1, $param2, $param3)
  {
    $id = New-Object System.Diagnostics.EventInstance($evtID,1); #INFORMATION EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,1,2); #WARNING EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,1,1); #ERROR EVENT
    $evtObject = New-Object System.Diagnostics.EventLog;
    $evtObject.Log = $evtlog;
    $evtObject.Source = $source;
    $evtObject.WriteEvent($id, @($param1,$param2,$param3))
  }


#Command line to call the function and pass whatever you like
CreateParamEvent 1234 "The server $hostname was logged at $timestamp" $hostname $timestamp
Postdate answered 31/8, 2016 at 14:6 Comment(1)
Why have you added the Google query that you used? - Athalie
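
To check that each parameter passed to WriteEvent ends up in its own Data element, which is what a log harvesting tool needs, the event can be read back and its XML parsed. This is an added example, not part of the answer above; the function name Get-ParamEventData and the FieldNames labels are hypothetical, and it assumes event 1234 was already written by the script above. It also handles Data elements that carry a Name attribute, as in the Security log.

```powershell
# Added example: read back the newest matching event and list its <Data> values.
# Get-ParamEventData and the default FieldNames labels are hypothetical.
function Get-ParamEventData {
    param(
        [string]$LogName = 'Application',
        [string]$Source = 'MyEventSource',
        [int]$EventId = 1234,
        # Labels applied by position to unnamed <Data> elements (assumed order).
        [string[]]$FieldNames = @('Message', 'Hostname', 'Timestamp')
    )

    # Throws if no matching event exists, instead of returning an empty object.
    $filter = @{ LogName = $LogName; ProviderName = $Source; Id = $EventId }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop

    # The event XML uses a default namespace, so XPath needs a prefix mapping.
    $xml = [xml]$evt.ToXml()
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $result = [ordered]@{ RecordId = $evt.RecordId }
    $i = 0
    foreach ($node in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        # Manifest-based events (e.g. the Security log) carry a Name attribute;
        # events written with EventLog.WriteEvent do not, so fall back to position.
        $name = $node.GetAttribute('Name')
        if (-not $name) {
            $name = if ($i -lt $FieldNames.Count) { $FieldNames[$i] } else { "Param$($i + 1)" }
        }
        $result[$name] = $node.InnerText
        $i++
    }
    [pscustomobject]$result
}

# One property per parameter means the values were stored as separate <Data> elements.
Get-ParamEventData | Format-List
```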
