How to create Windows EventLog source from command line?

Question

I'm creating an ASP.NET application that will log some stuff to Windows EventLog. To do this an event source has to be created first. This requires administrative priviledges so I cannot do it in the ASP.NET app.

Is there an existing command-line application that is bundled with Windows that can create an event log source, or must I roll out my own?

score 316 · Accepted Answer · edited Jun 20 '20 at 09:12

316

Try "eventcreate.exe"

An example:

eventcreate /ID 1 /L APPLICATION /T INFORMATION  /SO MYEVENTSOURCE /D "My first log"

This will create a new event source named MYEVENTSOURCE under APPLICATION event log as INFORMATION event type.

I think this utility is included only from XP onwards.

13

you have to right click on "cmd" and choose "run as admin" from vista on – Ian Ringrose Dec 17 '10 at 14:36
17

eventcreate records an event under an existing source, it will not create a new source from scratch as the OP requested. – Paul Chavez Oct 08 '12 at 18:17
6

@PaulChavez if the named source doesn't exist, it is created. – Farinha Oct 17 '13 at 13:27
This worked well for me- I can confirm that it created a source that did not previously exist. – stead Mar 17 '14 at 20:27
1

This won't create the event if the `MYEVENTSOURCE` already exists and was created using something other than eventcreate – Chris S Aug 12 '14 at 14:37
This worked well for me too. In my scenario, I have a .net windows service that doesn't have permission to create an event source. So running this command, fixed this by creating the source. Which means my code started logging to the event log, and I didn't have to expand the permissions for my windows service user context. – Mark At Ramp51 Aug 14 '14 at 03:41
2

whilst this worked and created a new source all my events all had "The description for Event ID 0 from source myApp cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted" so I had to edit the registry in the end – dibs487 Mar 11 '16 at 14:21
Great solution. Is there an alternative utility that would allow event IDs > 1000 ? – ianbeks Apr 01 '16 at 13:56

score 189 · Answer 2 · edited Feb 24 '23 at 13:42

189

Try PowerShell 2.0's EventLog cmdlets. For PowerShell 2.0 and upwards:

Run New-EventLog once to register the event source:

  New-EventLog -LogName Application -Source MyApp

Then use Write-EventLog to write to the log:

  Write-EventLog 
      -LogName Application 
      -Source MyApp 
      -EntryType Error 
      -Message "Immunity to iocaine powder not detected, dying now" 
      -EventId 1

edited Feb 24 '23 at 13:42

StayOnTarget

11,743
10
52
81

answered Aug 22 '11 at 23:29

roufamatic

18,187
7
57
86

9

This works fine, just remember to run PowerShell with elevated privileges. – Rod Feb 28 '14 at 17:25
4

I had to open and close event viewer to see the new log that I created – amackay11 Jul 15 '15 at 14:17
Also if you are actively developing and `New-EventLog`-ing and `Remove-EventLog`'-ing back and forth you might encounter a problem when `Source` is registered but does not write to specified `Log`. **Restarting** computer helps with that. Another tip: you can see what is going on with your event logs with _regedit_ here: `[Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\]` – Corio Jan 17 '18 at 16:26
@amackay11, while closing-and-reopening Event Viewer does work, a quicker/easier way is to simply click on its Action menu and select Refresh. – Rich Bayless Aug 28 '20 at 15:29

Luis Rocha · Answer 3 · 2010-02-20T00:16:05.467

52

You can also use Windows PowerShell with the following command:

if ([System.Diagnostics.EventLog]::SourceExists($source) -eq $false) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, "Application")
}

Make sure to check that the source does not exist before calling CreateEventSource, otherwise it will throw an exception.

For more info:

http://msdn.microsoft.com/en-us/library/9t766zhb.aspx

edited Feb 20 '10 at 00:16

answered Feb 19 '10 at 22:53

Luis Rocha

1,369
10
7

score 12 · Answer 4 · answered Oct 05 '09 at 21:12

12

eventcreate2 allows you to create custom logs, where eventcreate does not.

answered Oct 05 '09 at 21:12

Nick Bolton

38,276
70
174
242

score 9 · Answer 5 · answered Nov 26 '15 at 12:14

If someone is interested, it is also possible to create an event source manually by adding some registry values.

Save the following lines as a .reg file, then import it to registry by double clicking it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\YOUR_EVENT_SOURCE_NAME_GOES_HERE]
"EventMessageFile"="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\EventLogMessages.dll"
"TypesSupported"=dword:00000007

This creates an event source named YOUR_EVENT_SOURCE_NAME_GOES_HERE.

score 1 · Answer 6 · answered Sep 10 '15 at 14:09

However the cmd/batch version works you can run into an issue when you want to define an eventID which is higher then 1000. For event creation with an eventID of 1000+ i'll use powershell like this:

$evt=new-object System.Diagnostics.Eventlog(“Define Logbook”)
$evt.Source=”Define Source”
$evtNumber=Define Eventnumber
$evtDescription=”Define description”
$infoevent=[System.Diagnostics.EventLogEntryType]::Define error level
$evt.WriteEntry($evtDescription,$infoevent,$evtNumber)

Sample:

$evt=new-object System.Diagnostics.Eventlog(“System”)
$evt.Source=”Tcpip”
$evtNumber=4227
$evtDescription=”This is a Test Event”
$infoevent=[System.Diagnostics.EventLogEntryType]::Warning
$evt.WriteEntry($evtDescription,$infoevent,$evtNumber)

score 1 · Answer 7 · answered May 22 '09 at 16:41

1

Or just use the command line command:

Eventcreate

answered May 22 '09 at 16:41

score 0 · Answer 8 · answered Oct 13 '22 at 20:13

PowerShell 7

This answer worked great in 5.x for me but not in 7.x. After some sleuthing, I got the following working:

Import-Module Microsoft.PowerShell.Management -UseWindowsPowerShell
New-EventLog -LogName Application -Source MyApp

I stumbled upon the module to import via this SO answer. Apparently, there's a set of modules you can import for Windows only cmdlet's depending upon your needs. I'm still trying to figure out how you would determine which module to import based upon your cmdlet.

score -3 · Answer 9 · answered May 31 '14 at 14:58

you can create your own custom event by using diagnostics.Event log class. Open a windows application and on a button click do the following code.

System.Diagnostics.EventLog.CreateEventSource("ApplicationName", "MyNewLog");

"MyNewLog" means the name you want to give to your log in event viewer.

for more information check this link [ http://msdn.microsoft.com/en-in/library/49dwckkz%28v=vs.90%29.aspx]

How to create Windows EventLog source from command line?

9 Answers9

Try "eventcreate.exe"

Further reading

Linked