0

I have an instance of Windows Server 2008 running some specific services that support my application.

There are events within the Windows Event System Log that are generated for my services but by other applications, such as Service Control Manager, which generates an event in the System log for my service if it is not able to start due to a bad password. I would like to capture and redirect these to a custom log, e.g. MyApplication.Admin, which contains all events that I log from within my service. This custom log is then monitored by other software, which alerts specific people based on what events it sees. I could monitor both the System log and the custom log, but I would rather keep the events logically grouped within my custom log.

My question is whether this is possible through creating some sort of Custom Rule within the event log to copy specific events from the System Log to MyApplication.Admin Log, or by other means?

asked Jan 9, 2014 at 16:37

1 Answer

0

If you can control which event log the service should use, you could create your own log and write to it:

PS C:\Windows\system32> New-EventLog -LogName "MyCustomApplicationLog" -Source "MyCustomApplication"
PS C:\Windows\system32> Get-EventLog -List
  Max(K) Retain OverflowAction        Entries Log
  ------ ------ --------------        ------- ---
  20.480      0 OverwriteAsNeeded      15.518 Application
  20.480      0 OverwriteAsNeeded           0 HardwareEvents
     512      7 OverwriteOlder              0 Internet Explorer
  20.480      0 OverwriteAsNeeded           0 Key Management Service
     512      7 OverwriteOlder             13 Lenovo-Lenovo Patch Utility/Admin
     512      7 OverwriteOlder              2 Lenovo-Message Center Plus/Admin
     512      7 OverwriteOlder              0 MyCustomApplicationLog
     128      0 OverwriteAsNeeded          86 OAlerts
  20.480      0 OverwriteAsNeeded      18.768 Security
  20.480      0 OverwriteAsNeeded      54.974 System
  15.360      0 OverwriteAsNeeded       3.136 Windows PowerShell

I think you can do that with a WMI event handler. I'll post an example later.

answered Jan 9, 2014 at 17:11
3
  • I see what you mean here, but these types of events do not come from the service itself but are still related. So, for example, the event generated for my service when it has bad credentials is generated by 'Service Control Manager' but is related to my service. These events are the ones I would like to capture and place into my custom log alongside the other events generated by the service itself. I did not make this clear and have edited the original question. Commented Jan 9, 2014 at 18:43
  • Do you have specific event ids that are generated indirectly by your service? Commented Jan 9, 2014 at 19:00
  • Sure - so, for example, all my services require the correct login credentials to start on the VM. If someone changes the password for the login, then when the services are restarted (due to deployment etc.) they will not be able to start due to 'bad login credentials'. This event is recorded in the Windows Event Log > System Log as ID 7038 with the description 'Logon failure: unknown user name or bad password'. Commented Jan 10, 2014 at 11:00
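
One way to do the forwarding discussed in this thread, as an added example that is not the answerer's code: a Windows PowerShell WMI event subscription that copies Service Control Manager event 7038 from the System log into the custom log. The log and source names are taken from the answer; the service display names in `$watched` and the subscription name are hypothetical placeholders.

```powershell
# Added example: forward selected System-log events into the custom log.
# Assumptions: log/source names come from the answer above; the service
# display names in $watched are hypothetical placeholders.
$logName = 'MyCustomApplicationLog'
$source  = 'MyCustomApplication'
$watched = @('My Service One', 'My Service Two')   # hypothetical display names

# Registering an event source needs an elevated session; do it once.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName $logName -Source $source
}

# Intrinsic WMI event raised when a matching record is written to the System log.
$query = "SELECT * FROM __InstanceCreationEvent " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'System' " +
         "AND TargetInstance.SourceName = 'Service Control Manager' " +
         "AND TargetInstance.EventCode = 7038"

# The action block runs in its own scope, so pass settings through -MessageData.
$settings = @{ LogName = $logName; Source = $source; Watched = $watched }

$action = {
    $cfg    = $Event.MessageData
    $record = $Event.SourceEventArgs.NewEvent.TargetInstance

    # Forward only records whose insertion strings name one of our services,
    # so failures of unrelated services stay out of the custom log.
    $text = @($record.InsertionStrings) -join ' '
    $hit  = $cfg.Watched | Where-Object { $text -like "*$_*" }
    if (-not $hit) { return }

    # Keep the original record number so the copy can be traced to its origin.
    $message = "Copied from System log (record {0}, source {1}):`r`n{2}" -f $record.RecordNumber, $record.SourceName, $record.Message
    Write-EventLog -LogName $cfg.LogName -Source $cfg.Source -EventId $record.EventCode -EntryType Error -Message $message
}

Register-WmiEvent -Query $query -SourceIdentifier 'ScmLogonFailureForwarder' -MessageData $settings -Action $action | Out-Null
```

The subscription lasts only as long as the PowerShell session that registered it, so it has to be re-registered after a restart (for example from a startup scheduled task). `Unregister-Event -SourceIdentifier ScmLogonFailureForwarder` removes it.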
