What was once easy, is now exceptionally convoluted and difficult. There is some chance that your automated script is already logging to the event log (PowerShell Core/Operational) but there’s every chance that log is full of Warnings too. Good luck. LOL
New-WinEvent
The New-WinEvent
cmdlet creates an Event Tracing for Windows (ETW) event for an event provider. You can use this cmdlet to add events to ETW channels from PowerShell.
New-WinEvent [-ProviderName] <String> [-Id] <Int32> [-Version <Byte>] [[-Payload] <Object[]>] [<CommonParameters>]
Examples:
New-WinEvent -ProviderName Microsoft-Windows-PowerShell -Id 45090 -Payload @("Workflow", "Running")
More on New-WinEvent here.
Get-WinEvent
The Get-WinEvent
cmdlet gets events from event logs, including classic logs, such as the System and Application logs. The cmdlet gets data from event logs that are generated by the Windows Event Log technology introduced in Windows Vista and events in log files generated by Event Tracing for Windows (ETW). By default, Get-WinEvent
returns event information in the order of newest to oldest.
Get-WinEvent [[-LogName] <String[]>] [-MaxEvents <Int64>] [-ComputerName <String>] [-Credential <PSCredential>] [-FilterXPath <String>] [-Force] [-Oldest] [<CommonParameters>]
More on Get-WinEvent here.
The post below is the deprecated way of interacting with the Event Log from PowerShell. In Powershell 7 onwards, use New-WinEvent and Get-WinEvent cmdlets.
The command Get-Command -Name *Event will still list the deprecated commands shown below but they will not work and will error with “The term ‘New-EventLog’ is not recognised as a name of a cmdlet…”
The command Get-Command -Name *WinEvent will list the supported cmdlets, namely New-WinEvent and Get-WinEvent
PowerShell Commands to interact with Windows Event Log
New-EventLog
Get-EventLog
Show-EventLog
Clear-EventLog
Write-EventLog
Limit-EventLog
Remove-EventLog
New-EventLog
Creates a new event log and a new event source on a local or remote computer.
This cmdlet creates a new classic event log on a local or remote computer. It can also register an event source that writes to the new log or to an existing log.
New-EventLog
[-LogName]
[-Source]
[[-ComputerName] ]
[-CategoryResourceFile ]
[-MessageResourceFile ]
[-ParameterResourceFile ]
[]
Get-EventLog
Gets the events in an event log, or a list of the event logs, on the local computer or remote computers.
Get-EventLog
[-LogName]
[-ComputerName ]
[-Newest ]
[-After ]
[-Before ]
[-UserName ]
[[-InstanceId] ]
[-Index ]
[-EntryType ]
[-Source ]
[-Message ]
[-AsBaseObject]
[]
Show-EventLog
Displays the event logs of the local or a remote computer in Event Viewer.
The Show-EventLog cmdlet opens Event Viewer on the local computer and displays in it all of the classic event logs on the local computer or a remote computer.
Show-EventLog
[[-ComputerName] ]
[]
Clear-EventLog
Clears all entries from specified event logs on the local or remote computers.
The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers. To use Clear-EventLog, you must be a member of the Administrators group on the affected computer.
Clear-EventLog
[-LogName]
[[-ComputerName] ]
[-WhatIf]
[-Confirm]
[]
Write-EventLog
Writes an event to an event log.
To write an event to an event log, the event log must exist on the computer and the source must be registered for the event log.
Write-EventLog
[-LogName]
[-Source]
[[-EntryType] ]
[-Category ]
[-EventId]
[-Message]
[-RawData ]
[-ComputerName ]
[]
Limit-EventLog
Sets the event log properties that limit the size of the event log and the age of its entries.
The Limit-EventLog cmdlet sets the maximum size of a classic event log, how long each event must be retained, and what happens when the log reaches its maximum size. You can use it to limit the event logs on local or remote computers.
Limit-EventLog
[-LogName]
[-ComputerName ]
[-RetentionDays ]
[-OverflowAction ]
[-MaximumSize ]
[-WhatIf]
[-Confirm]
[]
Remove-EventLog
Deletes an event log or unregisters an event source.
The Remove-EventLogcmdlet deletes an event log file from a local or remote computer and unregisters all its event sources for the log. You can also use this cmdlet to unregister event sources without deleting any event logs.
Remove-EventLog
[[-ComputerName] ]
[-LogName]
[-WhatIf]
[-Confirm]
[]
Example: Write events from a powershell script to the Windows Event Viewer Application Log.
First register a new Application EventLog source.
New-EventLog -LogName Application -Source 'MyScript.ps1'
The Event Log itself requires five pieces of information before an event can be written to it.
- LogName (Application)
- Source (Script Name)
- EventID
- EntryType (Information, Error or Warning)
- Message
The following code demonstrates how you might gather these pieces of information inside a statement and how you’d then write the event itself.
$filePath = 'C:\MyFile.txt' $parameters = @ { 'LogName' = 'Application' 'Source' = 'MyScript.ps1' } if (Test-Path –Path $filePath) { $parameters += @{ 'EventId' = 1111 'EntryType' = 'Information' 'Message' = 'The file already exists' } Write-EventLog @parameters } else { $parameters += @{ 'EventId' = 1112 'EntryType' = 'Error' 'Message' = 'The file does not exist' } Write-EventLog @parameters }
Top Tip: You may already have a Function in your script to perform Logging to a file. You could augment it to include some code to add an event to the Windows event log depending on the outcome of the script or code loop.