
In our environment we want to force all our system engineers who write scripts to write logging to the EventLog. To keep track of all logging of our scripts, we want to write this to a specific source in the Application log. Since you need server administrator privileges to create a new source in the EventLog, I would like to be able to push our custom EventLog source to all servers in our environment. That way scripts can log to the correct EventLog and don't need elevated permissions to create the EventLog source if it does not exist.

I looked around a bit but can't seem to find a way to create a new EventLog Source on servers using a GPO. Any suggestions?

Kind regards, Tomas

Tomas
  • You might prefer doing this remoting with PowerShell – curropar Jun 02 '16 at 14:36
  • I want it to be applied to new servers as well, so I would prefer it to be pushed using a GPO or something similar. I don't want our administrators to have to think about it, it should just always be present. – Tomas Jun 02 '16 at 15:24

1 Answer


First, it's not necessary to "create" an event source. When you log to the event log (even as rudimentary as eventcreate.exe), you can specify any event source you'd like, and it will work (and show up as that source).

Of course registering an event source, along with a message DLL, is preferable since it ensures that the event will be properly formatted when viewed in the event log.

Event sources are set up in the registry, so you could register one or more sources simply by deploying registry settings with group policy.

Here are some links that should help; they explain how event sources are configured:

http://www.eventsentry.com/blog/2008/04/event-log-message-files-the-de.html

The last couple of paragraphs in particular should be helpful. The post is a bit old but still applies.

If you need some help creating a message DLL, then check out this article.

Lucky Luke
  • Very interesting info. Will definitely check it out, but it seems like a bit of overkill because with the Write-EventLog PowerShell cmdlet you can combine event IDs and messages all you want. Only prerequisite is that the source exists. But I'll look into your info and see what I can do with it. – Tomas Jun 04 '16 at 20:24
  • It's worth noting that creating an event source requires administrator privileges. If you're attempting to do this from code, your application will require administrator privileges (in C#, attempting to do so without the required permission will result in an InvalidOperationException). – Tim Feb 21 '17 at 23:52
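
The registry-based registration the answer describes, written out as an added example (not code from the answer or its linked post). It assumes Windows PowerShell 5.1 running as a GPO computer startup script (SYSTEM), a hypothetical source name `CompanyScripts`, and the generic .NET message file `EventLogMessages.dll` rather than a custom message DLL.

```powershell
# Added example: idempotently register an event source under the Application log.
# 'CompanyScripts' is a hypothetical source name; change it to your own.
param(
    [string]$Source = 'CompanyScripts',
    [string]$Log    = 'Application'
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$key  = Join-Path (Join-Path $root $Log) $Source

# A source name may be registered under only one log. Stop if another log
# already owns it, instead of creating an ambiguous second registration.
$conflict = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSChildName -ne $Log -and
        (Test-Path -Path (Join-Path $_.PSPath $Source))
    }
if ($conflict) {
    throw "Source '$Source' is already registered under log '$($conflict.PSChildName)'."
}

# Generic message file shipped with the .NET Framework (assumption: 5.1 host,
# so the runtime directory is the Framework folder under %windir%).
# Event Viewer loads this DLL, so keep it in a path only administrators can write.
$runtimeDir = [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()
$msgFile    = Join-Path $runtimeDir 'EventLogMessages.dll'
if (-not (Test-Path -Path $msgFile)) {
    throw "Message file not found: $msgFile"
}

# Create the source key and the two values that define the source.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name 'EventMessageFile' -PropertyType ExpandString `
    -Value $msgFile -Force | Out-Null
# 7 = Error (1) + Warning (2) + Information (4)
New-ItemProperty -Path $key -Name 'TypesSupported' -PropertyType DWord `
    -Value 7 -Force | Out-Null

# Confirm the registration; after this, a non-elevated script can log with e.g.
#   Write-EventLog -LogName Application -Source CompanyScripts -EventId 1000 `
#       -EntryType Information -Message 'Script started'
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    throw "Registration of '$Source' could not be verified."
}
```

The same key and two values can instead be deployed as Group Policy Preferences Registry items, which avoids running a script at all.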