Writing events with parameters using PowerShell

When we write scripts for SCOM workflows, we often log events as output: for general logging, for debugging, or to trigger other rules for alerting. One of the common things I need when logging is the ability to write parameters to the event. This helps in making VERY granular criteria for SCOM alert rules to match on.

One of the things I HATE about the MOM Script API LogScriptEvent method, is that it places all the text into a single blob of text in the event description, all of this being Parameter 1.

Luckily, there is a fairly simple method to create parameterized events from your own PowerShell scripts. I got this from Mark Manty, a fellow PFE.

Here is a basic script that demonstrates the capability:

 

    #Script to create events with parameters

    #Define the event log and your custom event source
    $evtlog = "Application"
    $source = "MyEventSource"

    #These are just examples to pass as parameters to the event
    $hostname = "computername.domain.net"
    $timestamp = (get-date)

    #Load the event source to the log if not already loaded.
    #This will fail if the event source is already assigned to a different log.
    if ([System.Diagnostics.EventLog]::SourceExists($source) -eq $false) {
        [System.Diagnostics.EventLog]::CreateEventSource($source, $evtlog)
    }

    #function to create the events with parameters
    function CreateParamEvent ($evtID, $param1, $param2, $param3)
    {
        $id = New-Object System.Diagnostics.EventInstance($evtID,1); #INFORMATION EVENT
        #$id = New-Object System.Diagnostics.EventInstance($evtID,1,2); #WARNING EVENT
        #$id = New-Object System.Diagnostics.EventInstance($evtID,1,1); #ERROR EVENT
        $evtObject = New-Object System.Diagnostics.EventLog;
        $evtObject.Log = $evtlog;
        $evtObject.Source = $source;
        $evtObject.WriteEvent($id, @($param1,$param2,$param3))
    }

    #Command line to call the function and pass whatever you like
    CreateParamEvent 1234 "The server $hostname was logged at $timestamp" $hostname $timestamp

The script uses some variables to set which log you want to write to, and what your custom source is.

The rest is pretty self-explanatory from the comments.

You can add additional params if needed to the function and the command line calling the function.

 

Here is an event example:

 

image

 

 

But the neat stuff shows up in the XML view where you can see the parameters:

 

image
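
To check what a rule would actually match on, the same parameters can be read back from PowerShell. This is an added example, not part of the original script; it assumes the script above has already written event 1234 from "MyEventSource" to the Application log, and the variable names below are illustrative.

```powershell
# Added example: read back the parameterized event and match on one parameter.
# Assumes event 1234 from 'MyEventSource' already exists in the Application log.
$evtlog = 'Application'
$source = 'MyEventSource'
$evtID  = 1234
$filter = @{ LogName = $evtlog; ProviderName = $source; Id = $evtID }

# Newest matching event; -ErrorAction Stop turns "no events found" into a hard failure.
$evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop

# Each value passed to WriteEvent comes back as one entry in Properties, in order.
$params = @($evt.Properties | ForEach-Object { $_.Value })
for ($i = 0; $i -lt $params.Count; $i++) {
    'Param{0}: {1}' -f ($i + 1), $params[$i]
}

# The XML view holds the same values as <EventData><Data> elements.
# Events written this way have unnamed <Data> elements, so position is the only handle.
$xml  = [xml]$evt.ToXml()
$data = @($xml.Event.EventData.Data)
if ($data.Count -ne $params.Count) {
    Write-Warning "XML view has $($data.Count) Data elements but Properties has $($params.Count)"
}

# Granular match: Parameter 2 must equal the host name exactly,
# instead of searching for it somewhere inside one blob of description text.
$wanted = 'computername.domain.net'   # sample value from the script above
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties.Count -ge 2 -and $_.Properties[1].Value -eq $wanted })

'{0} event(s) with Param2 equal to {1}' -f $hits.Count, $wanted
```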


6 Comments

  1. JD

    I need to be able to write events as data name and parameters. Can you advise how to do so?

    Similar to this –


    C:\Windows\Explorer.EXE ()
    D00000
    Operating System: Service pack (Planned)
    0x0
    restart

    domain\username

  2. John

    The information line should have ($evtID,1,4). The ‘1’ in ‘($evtID,1)’ is the category. I mention this for those needing to specify category as well as entry type. You can see the category of ‘(1)’ in the screen shot. The ($evtID,1) works because it used ‘Information’ as the default for the entry type. The entry types are: 4 = Information, 2 = Warning, and 1 = Error.

    So, I might make this clearer by rewriting the function above like so:

    function CreateParamEvent ($evtID, $param1, $param2, $param3) {
    $InformationType = 4
    $WarningType = 2
    $ErrorType = 1
    $Category = 0

    $id = New-Object System.Diagnostics.EventInstance($evtID,$Category,$InformationType) #INFORMATION EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,$Category,$WarningType) #WARNING EVENT
    #$id = New-Object System.Diagnostics.EventInstance($evtID,$Category,$ErrorType) #ERROR EVENT
    $evtObject = New-Object System.Diagnostics.EventLog;
    $evtObject.Log = $evtlog;
    $evtObject.Source = $source;
    $evtObject.WriteEvent($id, @($param1,$param2,$param3))
    }

  3. John

    I created a function based on this if you think it would be helpful to folks.

    Function Write-TestEventWithParameter {
        # Modified from
        # https://kevinholman.com/2016/04/02/writing-events-with-parameters-using-powershell
        [CmdletBinding()]
        param(
            [int]$EventID = 999,
            [String]$Log = 'Application',
            [string]$Source = 'MyEventSource',
            [ValidateSet('INFORMATION','WARNING','ERROR')]
            [string]$Type = 'INFORMATION',
            [string]$Param1 = 'Param1',
            [string]$Param2 = 'Param2'
        )

        # Map the type name to its EventLogEntryType value
        Switch ($Type) {
            'INFORMATION' { $EntryType = 4 ; Break }
            'WARNING' { $EntryType = 2 ; Break }
            'ERROR' { $EntryType = 1 ; Break }
        }

        # $Log and $Source are read from the enclosing function's scope
        Function CreateParamEvent ($EvtID, $EntryType, $Message, $Param1, $Param2) {
            $Category = 0

            $ID = New-Object System.Diagnostics.EventInstance($EvtID,$Category,$EntryType)
            $EventObject = New-Object System.Diagnostics.EventLog;
            $EventObject.Log = $Log;
            $EventObject.Source = $Source;
            $EventObject.WriteEvent($ID, @($Message,$Param1,$Param2))
        }

        CreateParamEvent $EventID $EntryType "Test entry with parameter 1 as '$Param1' and parameter 2 as '$Param2'" $Param1 $Param2
    }
