Forward application log to windows Event log - powershell

I want to create a new EventLog for an application running on my server and the log should be taken from the default log file of the application.
Any idea on how to achieve this??.

Do you mean event source?
PowerShell would be
New-EventLog command found here
MSDM New-eventLog
Edit after more detail supplied.
Basic principle of what you want is to query the log file and write the lines found into a event log. This is done like the below:
#Get the content of the error log, gets the top 10 lines ONLY!!
$GetLog = Get-Content -Path D:\Errorlog.txt -totalcount 10
#Now take the data found and write it to the event log under the source and log below
Write-EventLog -LogName "Application" -Source "My Application" -Eventid 1001
-EntryType Error -Message "$Getlog" -Category 1

Related

Check if last created file exists and create an event log entry with PowerShell

I'm writing files with PowerShell to store specific information in it.
I also want to create windows event log entries to check if the file which was "newly" created is really there.
New-EventLog -LogName System -Source "Files I store information in"
Write-EventLog -LogName System -Source "Files I store information in" -EntryType Information -EventId 1 -Message "Information written to file script started"
$FilePath = "C:\Path\Files"
command.exe -Out-File $FilePath\${env:computername}_$(get-date -f dd-MM-yyyy-hhmm).file
Basically I'm searching for a way to verify if the above command.exe created a file. I'm not sure how to do that when I'm using the "get-date" option to append this to the file name.
If the file was created I want to create a successful event log entry. If it wasn't created I want to create a non successful event log entry.
Anyone a hint on this ?
Try catch, would work
try{
$FilePath = "C:\Path\Files"
command.exe -Out-File $FilePath\${env:computername}_$(get-date -f dd-MM-yyyy-hhmm).file
--write below successfull log entry
you also could add more checks like below
if (test-path "$FilePath\${env:computername}_$(get-date -f dd-MM-yyyy-hhmm)"){
write here successfull log entry
}
else
{
---write here unsuccessfull log entry
}
catch{
---write here unsuccessfull log entry
}

Write-EventLog for errors

When running the following one liner:
Write-EventLog -LogName Application -Source 'Application Error' -EntryType Error -EventID 1001 -Message 'Problem description'
We see the entry in the log Application:
According to Microsoft for EventID 1001, one should provide the values for %1, %2 and %3:
Detection of product '%1', feature '%2' failed during request for
component '%3'
How is this possible in PowerShell? When adding the switch -RawData 10, 20 only the type is filled in as following:
Is there a way to not have the other text available without creating a new log name or source in the Event log? Or to be able to fill in the variables? I'm writing to Application error in case the custom made log name or source isn't available. So there is somewhere a trace.
Thank you for your help.
The Event ID 1001 description you link to is specific to the MsiInstaller source.
For your own custom error events, use a custom Source identifier. You can check whether a source definition already exists on the machine, and if not, create it:
$CustomSource = 'MyCustomApplication'
# Wrap check i try/false to catch SourceExists() throwing access denied on failure
$SourceExists = try {
[System.Diagnostics.EventLog]::SourceExists($CustomSource)
} catch {
$false
}
if(-not $SourceExists)
{
# Create the Source definition
New-EventLog -Source $CustomSource -LogName Application
}
Write-EventLog -LogName Application -Source $CustomSource -EntryType Error -EventID 1001 -Message 'Problem description'
If you have a message resource file (the file containing the "templates" for your events), you can also include that in the call to New-EventLog

SCCM Compliance state always 'Compliant' when remediation script runs

We're trying to use SCCM 2012 R2 to run some checks on clients and fix problems when needed. For this we use the PowerShell 'Script' option.
Problem description:
When a 'Discovery script' reports ‘Non-Compliant’ the ‘Remediation script’ is launched. Regardless of the output of the ‘Remediation script’, the result in the report on the client in ‘Configuration Manager > Configurations’ is always ‘Compliant’ even when the ‘Remediation script’ failed to fix the issue and as a result has different output then defined in the ‘Rules for compliance conditions’.
It seems that from the moment a ‘Remediation script’ is selected, the output of the SCCM Compliance State is always ‘Compliant’.
Example:
- Situation:
When there are files or folders in the folder ‘C:\Users\me\Downloads\Input_Test’ the ‘Discovery script’ reports ‘Not compliant to anything’ and kicks of the ‘Remediation script’. The remediation script takes action and can’t fix the problem so it reports back something else then ‘Compliant’, like ‘Non-Compliant’. The SCCM Compliance State should say after execution of the ‘Remediation script’: ‘Non-Compliant’ (which is not the case).
- PowerShell Discovery script:
$Paths = Get-ChildItem -Path 'C:\Users\me\Downloads\Input_Test' | Select -ExpandProperty FullName
New-EventLog -LogName Application -Source SCCMCompliance
if ($Paths) {
$Compliance = 'Non-Compliant'
Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Warning -EventID 1 -Message “Discovery script: Non-Compliant”
}
else {
$Compliance = 'Compliant'
Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Information -EventID 0 -Message “Discovery script: Compliant”
}
$Compliance
- PowerShell Remediation script:
Write-Output 'Non-Compliant'
Write-EventLog -LogName Application -Source SCCMCompliance -EntryType Warning -EventID 1 -Message “Remediation script: Non-Compliant $Paths”
- SCCM Rules for compliance conditions:
- SCCM Compliance State in the Configuration Manager:
In the Windows event viewer all steps can be tracked easily. Am I missing something super obvious here?
After much pain and hurt myself and #DarkLite1 have found that SCCM does not check compliance state after it has performed remediation
From the moment you use a 'Remediation script' the only 2 possible Compliance statusses are: 'Compliant' or 'Exit with error code'. This is done in PowerShell with 'Exit 1'.
For more information please see.
https://social.technet.microsoft.com/Forums/en-US/0f0f3e6f-7e9f-4376-a926-fc0b6aef5bf1/sccm-compliance-state-always-compliant-when-remediation-script-runs?forum=configmanagersecurity

Powershell Write-EventLog / Get-WinEvent Message issues

The first command creates an entry in the event log, it seems to be working because I can see the message data in event viewer. The issue is when reading it back from powershell the message field is empty.
write-eventlog System -source 'Microsoft-Windows-Kernel-General' -eventid 999 -message 'Kernel something or other'
get-winevent -filterHashTable #{Logname = 'System'; ID = '999'}| select-object -first 10
Maybe this picture explains it better. Notice the message column is blank.
The event is being written correctly, to read it back use this:
get-winevent -filterHashTable #{Logname = 'System'; ID = '999'}|
select-object -first 10 | select timecreated,providername,
#{n="Message";e={$_.properties.Value}}
The reason you can't see it in the message column is evident when launching eventvwr:
The description for Event ID 999 from source Microsoft-Windows-Kernel-General cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If you want to write custom messages from custom sources use New-EventLog cmdlet, here is the Scripting Guy's tutorial: http://blogs.technet.com/b/heyscriptingguy/archive/2013/06/20/how-to-use-powershell-to-write-to-event-logs.aspx
Here is the snip that ended up making it work. Credit to Raf for the link where I found this answer.
$source = "Some Name"
If ([System.Diagnostics.EventLog]::SourceExists("$source") -eq $false)
{New-EventLog -LogName $log -Source "$source"}

Creating a log for a powershell command

I have a simple command to create a CSV file in powershell. Is there a way to log this information separate from the file? I will be needing to manipulate the CSV file, so I don't want to rely on it being my only way of logging the data.
You can also export the output of commands by using the > and >> operators.
example:
You can write all of the Adobe services and their information to a file with this code:
get-service -DisplayName Adobe* > C:\services.txt
if you wanted to append to that with Windows services:
get-service -DisplayName Windows* >> C:\services.txt
so if you wanted to export your CSV to a file you can easily do so by adding a > at the end of the command pointing to the filename you wish to export it to:
> C:\Log_$date.csv
and if you ever needed to append more logs you can simply do so by using the >>
>> C:\Log_$date.csv
if you use > it will overwrite and existing data in the file with new data. >> appends.
If you need a log for people who are in charge of the production you can add your own application log using dedicated Cmdlets. A the moment I create and use one PowerShell log for all my scripts to publish details of the execution (information) and errors (in coordination with good exception handling) for people who are in charge of the production. You can dedicate a log for one script (as it exists a log for DNS etc.)
Here is an example :
# List of logs
Get-EventLog -list
# Creating your own log
New-EventLog -LogName "SlxScripting" -Source "MaSource"
# List of logs
Get-EventLog -list
# Writting in your own log
Write-EventLog -LogName "SlxScripting" -EventId 12 `
-Message "Mon Message"
-Source "MaSource" -EntryType Warning
# Reading in your own log
Get-EventLog -LogName "SlxScripting"
# Suppressing your log
Remove-EventLog -LogName "SlxScripting"