I am trying to find out the Name/Value mappings of the "State" data in the message of the 'Network Connected' event log:
Path = Microsoft-Windows-NetworkPro
I managed to make the first CmdLet New-WinEvent work. Oddly it was a data type issue.
The 'Network Connected' event expects 6 arguments for its message. The expected types for these arguments can be seen in this Warning I got from PowerShell:
WARNING: Provided payload does not match with the template that was defined for event id 41. The defined template is following:
I was passing the Guid argument as a string, but it expects it to have a [System.Guid] type, and apparently New-WinEvent doesn't give warnings when you pass the 6 arguments of the -Payload parameter in an array, even if one argument doesn't have the right type. It just creates a new event with some fixed default arguments (like what was happening in my problem).
So I had to cast the right type to this argument Guid. I got the name of its type from this:
$validEvent = (Get-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -MaxEvents 500 | Where-Object {$_.Id -eq 10000} | Where-Object {$_.properties[4].Value -eq 9})[-1]
$validEvent.Properties[2].Value.GetType().FullName
Then I cast the right types to the arguments and passed them to -Payload and it worked:
$name = 'SSID'
$desc = 'Description'
[System.Guid]$guid = "c48f86ab-f35d-4f73-a41e-99ea359e1d08"
[System.UInt32]$type = 1
[System.UInt32]$state = 63
[System.UInt32]$categ = 2
New-WinEvent -ProviderName Microsoft-Windows-NetworkProfile -Id 10000 -Payload @($name, $desc, $guid, $type, $state, $categ)
Then I could change the value of $state to get its name mapping from the $newLog.Message.
However, the second CmdLet Write-EventLog didn't work; apparently it can't write to this log by the same provider.
As Max mentioned, this CmdLet can only write to the "classic" event log; that's why it couldn't find the NetworkProfile source.
Some links that helped me along the way:
How to store an object in the Windows Event Log? [Answer] by Grady G Cooper
Writing to the event log in .NET - the right way
MSDN - Event Sources
TechNet - New-WinEvent
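
An added example, not part of the original answer: it reads the event 10000 template from the provider metadata and converts each payload value to the type the template declares, failing loudly instead of letting New-WinEvent fall back to default arguments. The helper name `ConvertTo-TypedPayload` and the `$TypeMap` table are assumptions of this example, and the table covers only common manifest types.

```powershell
# Added example. Helper name and type map are assumptions, not part of the post.
$TypeMap = @{                        # manifest inType -> .NET type (common cases only)
    'win:UnicodeString' = [string]; 'win:AnsiString' = [string]
    'win:GUID'   = [guid];   'win:Boolean' = [bool]
    'win:UInt8'  = [byte];   'win:UInt16'  = [uint16]
    'win:UInt32' = [uint32]; 'win:UInt64'  = [uint64]
    'win:Int32'  = [int32];  'win:Int64'   = [int64]
}

function ConvertTo-TypedPayload {
    param(
        [Parameter(Mandatory)][string]$TemplateXml,
        [Parameter(Mandatory)][object[]]$Values
    )
    # Each <data name="..." inType="..."/> element is one payload slot, in order.
    $fields = @(([xml]$TemplateXml).DocumentElement.GetElementsByTagName('data'))
    if ($fields.Count -ne $Values.Count) {
        throw "Template defines $($fields.Count) fields but $($Values.Count) values were given."
    }
    for ($i = 0; $i -lt $fields.Count; $i++) {
        $name   = $fields[$i].GetAttribute('name')
        $inType = $fields[$i].GetAttribute('inType')
        $target = $TypeMap[$inType]
        if (-not $target) { throw "Field '$name': no mapping for inType '$inType'." }
        $typed = $Values[$i] -as $target     # $null when the value cannot be converted
        if ($null -eq $typed) {
            throw "Field '$name': '$($Values[$i])' is not a valid $($target.Name)."
        }
        $typed                               # emitted with the declared type
    }
}

$provider = 'Microsoft-Windows-NetworkProfile'
$meta = (Get-WinEvent -ListProvider $provider).Events |
    Where-Object Id -eq 10000 | Select-Object -First 1

# Same sample values as in the answer, passed untyped on purpose.
$values  = 'SSID', 'Description', 'c48f86ab-f35d-4f73-a41e-99ea359e1d08', 1, 63, 2
$payload = @(ConvertTo-TypedPayload -TemplateXml $meta.Template -Values $values)

New-WinEvent -ProviderName $provider -Id 10000 -Payload $payload
(Get-WinEvent -ProviderName $provider -MaxEvents 1).Message   # rendered message text
```

Printing `$meta.Template` on its own shows the declared field names and types without having to trigger the mismatch warning first.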