It has been a while since I wrote a Microsoft Identity Manager or even a Granfeldt PowerShell Management Agent related post. Primarily because it has been quite some time since I have done any development for MIM. The last few weeks though I have, and I wanted to output PowerShell Management Agent Events to the Windows Application Event Log. Something I have done before, but I could not find an example of where or how I’d previously done it. It took a few attempts and some debugging to get it working, so this time I am writing it up to save future Darren some time.
When sending Granfeldt PowerShell Management Agent events to the Windows Application Event Log you will want to specify your own ‘source’ as the originator of those events. To do that you need to register the new source.
In an elevated (Administrator) PowerShell session on the MIM Sync Service Server, running the following will register “Your Management Agent Name” as a new Source in the Application Log.
New-EventLog -Source "Your Management Agent Name" -LogName Application
Failure to register the source will result in the following error message enveloping what you send to the Event Log.
The description for Event ID <yourID> from source <yourSource> cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
<your message>
the message resource is present but the message is not found in the string/message table
Within my Granfeldt PowerShell Management Agent scripts I then piggyback on the FIMSyncService Event IDs, primarily so that if the Event Logs are being parsed by a SIEM tool configured for FIM/MIM Event IDs, the events will be passed through. Near the top of the PowerShell MA scripts I declare the following variables as the Event IDs for Information, Warning and Error.
# EventLog IDs (shared with FIMSyncService to be picked up by SIEM)
$LogInformationID = 2002
$LogWarningID = 6012
$LogErrorID = 6309
To send Informational Events to the Windows Application Event Log, in your script place a similar line at the appropriate place.
Write-EventLog -Source "My PSMA Management Agent" -LogName Application -EventId $LogInformationID -EntryType Information -Message "Example of an Informational Event Log message using '$($LogInformationID)'"
To send Warning Events to the Windows Application Event Log, in your script place a similar line at the appropriate place.
Write-EventLog -Source "My PSMA Management Agent" -LogName Application -EventId $LogWarningID -EntryType Warning -Message "Example of a Warning Event Log message using '$($LogWarningID)'"
To send Error Events to the Windows Application Event Log, in your script place a similar line at the appropriate place.
Write-EventLog -Source "My PSMA Management Agent" -LogName Application -EventId $LogErrorID -EntryType Error -Message "Example of an Error Event Log message using '$($LogErrorID)'"
To insert a line break in the message, use the following PowerShell escape sequence (new line).
`n
e.g.
Write-EventLog -Source "My PSMA Management Agent" -LogName Application -EventId $LogErrorID -EntryType Error -Message "Error retrieving MA Objects from the 'XYZ' ObjectClass.`n$($error[0].Exception)`n$($error[1].Exception)`nExiting Management Agent Run Profile Execution."
That is essentially it. Register the new source you want the events to appear from in the Event Log, then use Write-EventLog with the appropriate EventId, EntryType and Message.
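The pattern above wrapped into a reusable helper, as an added example that is not code from the original post: it registers the source only when it is missing, maps a level to the three FIMSyncService Event IDs, and keeps a failed log write from aborting the run profile. The function names Register-PsmaEventSource and Write-PsmaEvent and the 15000-character cap are assumptions made for this example; New-EventLog and Write-EventLog ship with Windows PowerShell, not PowerShell 7.

```powershell
# Added example; the names Register-PsmaEventSource and Write-PsmaEvent are hypothetical.
# Event IDs as declared in the post (shared with FIMSyncService so SIEM rules pick them up).
$LogInformationID = 2002
$LogWarningID     = 6012
$LogErrorID       = 6309
$PsmaSource       = 'My PSMA Management Agent'   # must match the registered source exactly

function Register-PsmaEventSource {
    # Run once, elevated, on the MIM Sync Service Server (for example at deployment time).
    param([string]$Source = $PsmaSource)
    # SourceExists searches every log, including Security, so it throws when not elevated.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -Source $Source -LogName Application
    }
}

function Write-PsmaEvent {
    param(
        [Parameter(Mandatory)][ValidateSet('Information', 'Warning', 'Error')][string]$Level,
        [Parameter(Mandatory)][string]$Message,
        [string]$Source = $PsmaSource
    )
    $eventId = switch ($Level) {
        'Information' { $LogInformationID }
        'Warning'     { $LogWarningID }
        'Error'       { $LogErrorID }
    }
    # Cap chosen for this example (assumption) to stay well below the Event Log message size limit.
    if ($Message.Length -gt 15000) { $Message = $Message.Substring(0, 15000) + "`n[truncated]" }
    try {
        Write-EventLog -Source $Source -LogName Application -EventId $eventId -EntryType $Level -Message $Message -ErrorAction Stop
    }
    catch {
        # An unregistered source or a full log should not stop the Management Agent run.
        Write-Warning "Event Log write failed for source '$Source': $($_.Exception.Message)"
    }
}

# Usage inside a Management Agent script:
try {
    Write-PsmaEvent -Level Information -Message "Import started for the 'XYZ' ObjectClass."
    # ... retrieve MA objects here ...
}
catch {
    Write-PsmaEvent -Level Error -Message "Error retrieving MA Objects from the 'XYZ' ObjectClass.`n$($_.Exception)`nExiting Management Agent Run Profile Execution."
    throw
}
```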