Writing Custom Events to the Event Logs
Whenever you work with automated scripts, scheduled tasks,
or custom applications, you might want those scripts, tasks, or applications to
write custom events to the event logs. For example, if a script runs normally,
you might want to write an informational event in the application log that
specifies this so it is easier to determine that the script ran and completed
normally. Similarly, if a script doesn’t run normally and generates errors, you
might want to log an error or warning event in the application log so that
you’ll know to examine the script and determine what happened.
Tip
You can track errors that occur in scripts using %ErrorLevel%. This environment variable tracks the exit code
of the most recently used command. If the command executes normally, the error
level is zero (0). If an error occurs while executing the command, the error
level is set to a nonzero value. To learn more about working with error levels,
see the section of Chapter 3 titled, “Getting Acquainted with Variables.”
To create custom events, you’ll use the Eventcreate utility.
Custom events can be logged in any available log except the security log, and
can include the event source, ID and description you want to use. The syntax for
Eventcreate is
eventcreate /l LogName /so EventSource /t EventType /id EventID /d EventDescr
where
- LogName Sets the name of the log to which the event should be written. Use quotation marks if the log name contains spaces, as in “DNS Server.”
- EventSource Specifies the source to use for the event and can be any string of characters. If the string contains spaces, use quotation marks, as in “Event Tracker.” In most cases, you’ll want the event source to identify the application, task, or script that is generating the error.
  Caution Carefully plan the event source you want to use before you write events to the logs using those sources. Each event source you use must be unique and cannot be the same name as an existing source used by an installed service or application. For example, you cannot use DNS, W32Time or Ntfrs as sources because these sources are already used by installed services or applications. Additionally, once you use an event source with a particular log, the event source is registered for use with that log on the specified system. For example, you cannot use “EventChecker” as a source in the application log and in the system log on MAILER1. If you try to write an event using “EventChecker” to the system log after writing a previous event with that source to the application log, you will see the following error message: “ERROR: Source already exists in ‘Application’ log. Source cannot be duplicated.”
- EventType Sets the event type as Information, Warning, or Error. “Success Audit” and “Failure Audit” event types are not valid; these events are used with the security logs and you cannot write custom events to the security logs.
- EventID Specifies the numeric ID for the event and can be any value from 1 to 1000. Before you assign event IDs haphazardly, you may want to write a list of the general events that can occur and then break these down into categories. You could then assign a range of event IDs to each category. For example, events in the 100s could be general events, events in the 200s could be status events, events in the 500s could be warning events, and events in the 900s could be error events.
- EventDescr Sets the description for the event and can be any string of characters. Be sure to enclose the description in quotation marks.
To see how Eventcreate can be used, consider the following
examples:
Create an information event in the application log
with the source Event Tracker and event ID 209:
eventcreate /l "application" /t information /so "Event Tracker" /id 209 /d "evs.bat script ran without errors."
Create a warning event in the system log with the
source CustApp and event ID 511:
eventcreate /l "system" /t warning /so "CustApp" /id 511 /d "sysck.exe didn't complete successfully."
Create an error event in the system log on MAILER1
with the source “SysMon” and event ID 918:
eventcreate /s Mailer1 /l "system" /t error /so "SysMon" /id 918 /d "sysmon.exe was unable to verify write operation."
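The following batch wrapper is an added example, not part of the original text: it combines the %ErrorLevel% check from the tip with Eventcreate and the event ID ranges suggested above (200s for status, 900s for errors). The task path C:\Scripts\backup.cmd and the source name BackupTask are hypothetical.

```batch
@echo off
rem Added example: run a task and record its outcome in the application log.
rem Assumptions: TASK and SOURCE below are hypothetical names. SOURCE must
rem not collide with a source already registered by a service or application,
rem and it stays bound to the first log it is used with.
setlocal

set "TASK=C:\Scripts\backup.cmd"
set "SOURCE=BackupTask"
set "LOG=application"

call "%TASK%"
rem Save the exit code immediately; every later command overwrites ErrorLevel.
set "RC=%ErrorLevel%"

if "%RC%"=="0" (
    rem Status event (200s range): the task completed normally.
    eventcreate /l "%LOG%" /t information /so "%SOURCE%" /id 209 /d "%TASK% ran without errors."
) else (
    rem Error event (900s range): include the exit code for later triage.
    eventcreate /l "%LOG%" /t error /so "%SOURCE%" /id 918 /d "%TASK% failed with exit code %RC%."
)

rem Eventcreate sets ErrorLevel too; surface a logging failure on stderr
rem so a missing event is not mistaken for a task that never ran.
if errorlevel 1 echo Could not write the event for %TASK% 1>&2

rem Return the task's own exit code to the scheduler or calling script.
endlocal & exit /b %RC%
```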