PowerShell Logging

Bob Bradley 3 years ago updated by Adam van Vliet (Chief Information Security Officer) 3 years ago 7

Please provide reference information and an example of how to access the log record data using the PowerShell log writer.  I'm looking to write entries to OMS, and am looking at the feasibility of using this log writer in lieu of the email logger. Thanks

Take a look at this example script for writing to OMS/Azure Log Analytics: OMS-Log.ps1

Thanks Curtis/Adam.

FYI I've configured this for CSODBB now to write ERROR level alerts, and I've been firing these successfully into OMS on the basis of the following temporary exception handler:

# Original unguarded call from OMS-Log.ps1 ($uri, $method, $contentType, $headers, $body and $json
# are all built earlier in that script):
#$response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing

#BOB >>
try {
    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType -Headers $headers -Body $body -UseBasicParsing
    # Record the posted JSON in the Application log so the payload can be inspected locally
    Write-EventLog -LogName Application -EventId 0 -Source "UNIFY MIM Event Broker" -EntryType Information -Message ("Post-OMSData,Succeeded in posting data to $uri." + "`n$json")
} catch {
    # Any HTTP or transport failure ends up here; keep the payload so it can be replayed
    Write-EventLog -LogName Application -EventId 0 -Source "UNIFY MIM Event Broker" -EntryType Error -Message ("Post-OMSData,Failed to post data to $uri. " + $_.Exception.Message + "`n$json")
}
#BOB <<

The above works fine because "UNIFY MIM Event Broker" is a registered event source on the Application log - do you see any reason why the Write-EventLog idea couldn't stay in place?

It is useful for debug because I can see my sample JSON log entry ... sample to follow.


Technically there's no reason that I know for it to not stay in place. Whether it makes sense to stay - also something that's hard for me to say.

{
  "Timestamp": "\/Date(1525420342821)\/",
  "LogEntrySource": "UNIFY MIM Event Broker",
  "LogEntryModule": "Operations",
  "LogEntrySeverity": 3,
  "LogEntryMessage": "Operation Management Agent: FIM Portal - Run Profile: FI and DS with id daaa5c9a-6977-429c-9703-19fd3e95b253 failed in the operation list FIM MA Reload with id 429da589-5b25-4cb7-ade3-e25caf598402 for the following reason. This is retry number 0: System.Runtime.Remoting.ServerException: Operation for management agent with id cdf02640-02e3-4f9f-ab7e-ccfe42bd13aa with name FI and DS failed with result stopped-user-termination-from-wmi-or-ui\r\n   at Unify.Product.EventBroker.MIMAgent.ExecuteRunProfile(Guid agentId, Guid managementAgentDetailsKey, Guid runProfileDetailsKey)\r\n   at Unify.EventBroker.Agents.Audit.MIMAgentAuditingDecorator.ExecuteRunProfile(Guid agentId, Guid managementAgentKey, Guid runProfileKey)\r\n   at Unify.Product.EventBroker.RunProfilePlugIn.Execute()\r\n   at Unify.EventBroker.PlugIn.Audit.OperationAuditingDecorator.Execute()\r\n   at Unify.Product.EventBroker.OperationListExecutorBase.RunNextOperations(IEnumerator`1 operationEnumerator)",
  "LogEntryLevel": 3,
  "LogEntryData": null
}

Now all we need is a way to present more of the data we're pumping into OMS, such as these error logs.
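The following is an added example, not code from this thread and not UNIFY's OMS-Log.ps1. It puts together the two things discussed above: the try/catch around Invoke-WebRequest that falls back to Write-EventLog, and the shape of the log record that was posted. It makes three practical additions: it checks that the event source is registered before relying on Write-EventLog (which throws if it is not), it converts the broker's "\/Date(ms)\/" timestamp to ISO 8601 so Log Analytics can honour time-generated-field, and it keeps the Authorization header out of anything written to the event log. The function and parameter names, the LogType, the event ids and the sample record are assumptions; the SharedKey HMAC-SHA256 signing follows the documented Log Analytics HTTP Data Collector API.

```powershell
# Added example (not from the thread or from UNIFY's OMS-Log.ps1). Assumed names:
# ConvertTo-IsoTimestamp, Send-LogAnalyticsRecord, LogType 'UnifyEventBroker', event ids 1000/1001.
# Requires .NET 4.6+ for [DateTimeOffset]::FromUnixTimeMilliseconds.

function ConvertTo-IsoTimestamp {
    # The broker emits DataContract dates such as "\/Date(1525420342821)\/" (ms since the Unix epoch, UTC),
    # optionally with a "+1000" style offset. Log Analytics only honours time-generated-field for ISO 8601.
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -match '^\\?/Date\((\d+)([+-]\d{4})?\)\\?/$') {
        return [DateTimeOffset]::FromUnixTimeMilliseconds([long]$Matches[1]).UtcDateTime.ToString('o')
    }
    return $Value   # already ISO 8601 or unrecognised: pass through, ingestion then uses receipt time
}

function Send-LogAnalyticsRecord {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$SharedKey,          # workspace primary or secondary key, base64
        [Parameter(Mandatory)][hashtable]$Record,
        [string]$LogType     = 'UnifyEventBroker',         # appears in the workspace as UnifyEventBroker_CL
        [string]$EventSource = 'UNIFY MIM Event Broker',   # must already be registered on the Application log
        [switch]$LogSuccess                                # opt in: one Information event per post is mostly noise
    )

    if ($Record.ContainsKey('Timestamp')) {
        $Record['Timestamp'] = ConvertTo-IsoTimestamp $Record['Timestamp']
    }
    $json = $Record | ConvertTo-Json -Compress -Depth 5
    $body = [Text.Encoding]::UTF8.GetBytes($json)   # sign exactly the bytes that go on the wire

    # SharedKey signature over method, content length, content type, x-ms-date and resource.
    $rfc1123  = [DateTime]::UtcNow.ToString('r')
    $resource = '/api/logs'
    $stringToSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$rfc1123`n$resource"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($SharedKey)
    $signature = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))

    $uri = "https://$WorkspaceId.ods.opinsights.azure.com${resource}?api-version=2016-04-01"
    $headers = @{
        Authorization          = "SharedKey ${WorkspaceId}:$signature"
        'Log-Type'             = $LogType
        'x-ms-date'            = $rfc1123
        'time-generated-field' = 'Timestamp'
    }

    # Write-EventLog throws when the source is unregistered; find out once rather than inside the catch.
    $canWriteEventLog = $false
    try { $canWriteEventLog = [System.Diagnostics.EventLog]::SourceExists($EventSource) } catch { }

    try {
        $response = Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' `
                                      -Headers $headers -Body $body -UseBasicParsing
        if ($canWriteEventLog -and $LogSuccess) {
            # Log the payload only; $headers carries the workspace signature and must not be written out.
            Write-EventLog -LogName Application -Source $EventSource -EventId 1000 -EntryType Information `
                -Message "Post-OMSData,Succeeded ($($response.StatusCode)) in posting data to $uri`n$json"
        }
        return $true
    } catch {
        if ($canWriteEventLog) {
            Write-EventLog -LogName Application -Source $EventSource -EventId 1001 -EntryType Error `
                -Message "Post-OMSData,Failed to post data to $uri. $($_.Exception.Message)`n$json"
        } else {
            Write-Warning "Post to $uri failed ($($_.Exception.Message)); event source '$EventSource' is not registered"
        }
        return $false
    }
}

# Constructed sample record, shaped like the entry posted above (message shortened).
$sample = @{
    Timestamp        = '/Date(1525420342821)/'
    LogEntrySource   = 'UNIFY MIM Event Broker'
    LogEntryModule   = 'Operations'
    LogEntrySeverity = 3
    LogEntryMessage  = 'Operation Management Agent: FIM Portal - Run Profile: FI and DS failed'
    LogEntryLevel    = 3
    LogEntryData     = $null
}
# Send-LogAnalyticsRecord -WorkspaceId $env:OMS_WORKSPACE_ID -SharedKey $env:OMS_SHARED_KEY -Record $sample
```

Two notes on the design: the shared key is a bearer credential for the whole workspace, so it is read from the environment (or a credential store) rather than embedded in the script, and it never appears in the event log message; and success events are off by default because writing an Information entry for every successful post doubles the volume in the Application log without adding anything that the workspace itself does not already show.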