Writing events with parameters using PowerShell

When we write scripts for SCOM workflows, we often log events as the output: for general logging, for debugging, or as events that trigger other rules for alerting.  One of the common things I need when logging is the ability to write parameters to the event.  This helps in making VERY granular criteria for SCOM alert rules to match on.

One of the things I HATE about the MOM Script API LogScriptEvent method is that it places all the text into a single blob in the event description, all of it being Parameter 1.

Luckily, there is a fairly simple method to create parameterized events from your own PowerShell scripts.  I got this from Mark Manty, a fellow PFE.

Here is a basic script that demonstrates the capability:

#Script to create events with parameters

#Define the event log and your custom event source
$evtlog = "Application"
$source = "MyEventSource"

#These are just examples to pass as parameters to the event
$hostname = "computername.domain.net"
$timestamp = (get-date)

#Load the event source to the log if not already loaded.  This will fail if the event source is already assigned to a different log.
if ([System.Diagnostics.EventLog]::SourceExists($source) -eq $false) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, $evtlog)
}

#function to create the events with parameters
function CreateParamEvent ($evtID, $param1, $param2, $param3)
{
    $id = New-Object System.Diagnostics.EventInstance($evtID,1); #INFORMATION EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,1,2); #WARNING EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,1,1); #ERROR EVENT
    $evtObject = New-Object System.Diagnostics.EventLog;
    $evtObject.Log = $evtlog;
    $evtObject.Source = $source;
    $evtObject.WriteEvent($id, @($param1,$param2,$param3))
}

#Command line to call the function and pass whatever you like
CreateParamEvent 1234 "The server $hostname was logged at $timestamp" $hostname $timestamp

The script uses some variables to set which log you want to write to, and what your custom source is.

The rest is pretty self-explanatory from the comments.

You can add additional params if needed to the function and the command line calling the function.

Here is an event example:

image

But the neat stuff shows up in the XML view where you can see the parameters:

image
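
To confirm the parameters really land as separate values, the event can be read back and its XML broken out per parameter. This is an added example, not part of the original post; it assumes the script above has already been run, so an event 1234 from MyEventSource exists in the Application log, and the function name Get-EventParameters is made up for illustration.

```powershell
# Added example, not part of the original post.
# Assumed values are the ones the post's script uses.
$evtlog = "Application"
$source = "MyEventSource"
$evtID  = 1234

# Hypothetical helper: returns one object per parameter of the newest matching event
function Get-EventParameters ($logName, $providerName, $eventId)
{
    $filter = @{ LogName = $logName; ProviderName = $providerName; Id = $eventId }
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($null -eq $evt) {
        Write-Warning "No event $eventId from $providerName found in the $logName log"
        return
    }

    # Each parameter is its own <Data> element under <EventData> in the XML view
    $xml = [xml]$evt.ToXml()
    $index = 0
    foreach ($node in $xml.Event.EventData.ChildNodes) {
        $index++
        [pscustomobject]@{
            Param = $index
            Value = $node.InnerText
            Level = $evt.LevelDisplayName
        }
    }
}

$params = @(Get-EventParameters $evtlog $source $evtID)
$params | Format-Table -AutoSize

# Match on one parameter instead of searching the whole description text.
# "computername.domain.net" is the sample host name from the post's script.
$match = $params | Where-Object { $_.Param -eq 2 -and $_.Value -eq "computername.domain.net" }
if ($match) { "Param 2 matches the expected host name" }
```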


Comments (8)

  1. Ron Nishiguchi says:

    Hi Kevin,

    This is exactly what I was looking for. What parameter do I need in the powershell script to create an event level of Error?

    Thanks,

    Ron

    1. Kevin Holman says:

      Hi Ron,

      I updated the script to include capability for info, warning, or error events. Just uncomment which line you want.

      1. Ron Nishiguchi says:

        Hi Kevin,

        Perfect! Thanks,

        Ron

  2. Jason Rydstrand says:

    Hello Kevin,

    Why does the event only show the data item in Event Viewer (General Properties), and yet if I go to other events not created with this method, I see multiple data items in the general tab view?

    1. Kevin Holman says:

      I don’t know. But I kinda like it. This way I can input whatever variables I want in param 1 (which will show up in the event view) and then dump in all kinds of stuff in other params which will be hidden.

      1. Scott Banyas says:

        Is there a limitation on the number of params you may use? I appear to be getting “cutoff” after param4.

  3. Taksis Maksis says:

    Hi.

    Thanks for the script.
    Do you have any idea how to update Event’s XML metadata with attributes?
    E.g. attribute “Name” in this example

    File
    c:\temp\MyTestFile.txt

    See tag and “Name” attribute below:
    https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer

  4. Volkan Coskun says:

    Another Mr Holman saves the day again 🙂
    Thanks.

    Just made a slight mod to create warning or error events on the fly

    function CreateParamEvent ($evtID,$type,[array]$params)
    {
        If($type -eq 'information')
        {
            $id = New-Object System.Diagnostics.EventInstance($evtID,1); #INFORMATION EVENT
        }Elseif($type -eq 'warning')
        {
            $id = New-Object System.Diagnostics.EventInstance($evtID,1,2); #WARNING EVENT
        }Elseif($type -eq 'error')
        {
            $id = New-Object System.Diagnostics.EventInstance($evtID,1,1); #ERROR EVENT
        }Else
        {
            write-warning "Please specify Event type information / warning / error "
            return #no valid type means $id was never set, so do not try to write
        }
        $evtObject = New-Object System.Diagnostics.EventLog;
        $evtObject.Log = $evtlog;
        $evtObject.Source = $source;
        $evtObject.WriteEvent($id, [array]$params)
    }
