Dynamically Create Custom Event Log/Source

  • Question

  • I'm trying to get my scripts to dynamically create new event logs and/or sources based on the name of the script using the code below. 

    Try
    {
        # Source name is derived from the running script's file name
        $EventLog_Source = "OX_PowerShell: " + $MyInvocation.MyCommand.Name
        If (!([System.Diagnostics.EventLog]::SourceExists($EventLog_Source)))
        {
            # New-EventLog requires -LogName; register the source in the same
            # log that Write-EventLog below writes to
            New-EventLog -LogName 'Windows PowerShell' -Source $EventLog_Source
        }
    }
    Catch
    {
        $ErrMsg    = $_.Exception.Message
        $ErrLine   = $_.InvocationInfo.ScriptLineNumber
        $ErrColumn = $_.InvocationInfo.OffsetInLine

        $Message = "[Line: $ErrLine Column: $ErrColumn] $ErrMsg"

        Write-EventLog -LogName 'Windows PowerShell' -Source $EventLog_Source `
            -EntryType Error -EventID 1 -Message $Message
    }

    Modifying the event log requires elevated permissions. I've found several code examples online that outline how to enable self-elevation in a script but each suggests adding the code to the beginning of the script. I'd rather not bloat my scripts (which are almost always advanced functions for use as modules) with self-elevating code. Especially since the log/source only needs to be created once when the function is first invoked.

    The ideal solution would be to modify the permissions for the Event Log via Group Policy. We use a small handful of dedicated virtual machines that do nothing but house scripts and automation tools so the GPO would be very limited in scope. Is this possible? If not, are there any other suggested methods for doing this dynamically?

    Saturday, March 25, 2017 12:48 AM

Answers

  • You cannot bypass UAC. You cannot use GP to bypass UAC.

    See: https://social.technet.microsoft.com/Forums/en-US/21afa490-a74e-4052-8c34-e997cdc593b3/you-cannot-bypass-the-uac-prompt?forum=ITCG

    You do not want to use the Event log to log from scripts. It is considered a bad practice. If you need to log scripts then create one custom log and add sources to it, but doing this broadly can make management much harder.

    The reason creating sources and logs is protected is to prevent arbitrary use of a critical system resource.

    When you create a new script you only need to elevate once to create the new source. If you create a custom log file then you can set the permissions once on a group that will allow you to write to the log as needed.

    I recommend studying the online documentation on how to set up and manage a custom event log before proceeding.


    \_(ツ)_/


    • Edited by jrv Saturday, March 25, 2017 1:04 AM
    • Marked as answer by apriliarsv4 Monday, March 27, 2017 6:32 PM
    Saturday, March 25, 2017 1:04 AM

All replies

  • Here are the settable permissions for a new event log and what they allow.

    https://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogpermissionaccess(v=vs.110).aspx


    \_(ツ)_/

    Saturday, March 25, 2017 1:11 AM
  • Thanks for the info and the prompt reply. We're using NXLOG to query the Event Log and ship the logs to a Graylog2 server that centrally manages logs.

    The plan is to have a custom event log and/or dynamically created sources named after the scripts that we're running. The "OX_PowerShell:" prefix makes it easy to filter the logs from the scripts from other logs.

    This, combined with a reasonable maximum log size set in the Event Viewer, would make managing logs from scripts much easier without needing a separate script to clean up a designated log directory full of JSON files.

    That said, your point regarding it being against best practice is well advised and duly noted. Thanks for all your help!

    Monday, March 27, 2017 6:48 PM
  • The problem being that system logs are a strategic resource and should not be over used. If a script only logs success or error per execution then this is OK. Start by creating a custom log file and a custom source. Define a set of messages and data structures to log with. Use the string data to post the script name and arguments or other needed bits in the message.

    For this kind of logging you should not write directly to the application log. Use a custom log.

    You cannot control the SYSTEM data portion of an event but you can add anything to the user data.

    Note that a source is an application (exe) and not a script. Note also that the PowerShell log already can log all execution elements of any script run by PowerShell, including the name of the event and all parameters and execution information.

    get-winevent Microsoft-Windows-PowerShell/Operational -MaxEvents 3|fl


    \_(ツ)_/


    • Edited by jrv Monday, March 27, 2017 6:59 PM
    Monday, March 27, 2017 6:58 PM
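The split jrv recommends (register the custom log and its sources once, elevated; have the scripts themselves only write) as an added PowerShell example that is not code from the thread. It assumes the custom log's ACL allows the script account to write, as the answer suggests setting up; the log name reuses the thread's "OX_PowerShell" prefix, and the source names and 64MB cap are the example's own choices.

```powershell
# Added example (not from the thread): register sources once, elevated, then let non-elevated
# scripts write to one custom log. Log name reuses the thread's prefix; source names are assumptions.
$OxLogName = 'OX_PowerShell'

function Initialize-OxEventLog {
    # Run once, elevated, per new script name. Source registration is the step
    # that needs admin rights: it writes under HKLM\SYSTEM\...\Services\EventLog.
    param([Parameter(Mandatory)][string[]]$Source)
    foreach ($s in $Source) {
        if (-not [System.Diagnostics.EventLog]::SourceExists($s)) {
            New-EventLog -LogName $OxLogName -Source $s
        }
    }
    # Bound the log so it cannot grow without limit; oldest entries are overwritten.
    Limit-EventLog -LogName $OxLogName -MaximumSize 64MB -OverflowAction OverwriteAsNeeded
}

function Test-OxSource {
    # Unprivileged check. [EventLog]::SourceExists() scans every log and, when run
    # non-elevated with the source missing, throws a SecurityException because the
    # Security log key is unreadable; reading only our own log's key avoids that.
    param([Parameter(Mandatory)][string]$Source)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        "SYSTEM\CurrentControlSet\Services\EventLog\$OxLogName\$Source")
    if ($null -eq $key) { return $false }
    $key.Close()
    return $true
}

function Write-OxEvent {
    # Called from ordinary non-elevated scripts. Never creates a source, so it never
    # needs UAC; if setup was skipped it reports the gap and returns $false.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information',
        [int]$EventId = 1000
    )
    if (-not (Test-OxSource -Source $Source)) {
        Write-Warning "Source '$Source' is not registered; run Initialize-OxEventLog elevated."
        return $false
    }
    Write-EventLog -LogName $OxLogName -Source $Source -EntryType $EntryType `
        -EventId $EventId -Message $Message
    return $true
}

# Once, elevated:  Initialize-OxEventLog -Source 'OX_PowerShell: Invoke-Backup'
# From the script: Write-OxEvent -Source "OX_PowerShell: $($MyInvocation.MyCommand.Name)" -Message 'Started'
```

Because Write-OxEvent checks only the custom log's own registry key, an unregistered script fails closed with a warning instead of prompting for elevation mid-run.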