Using WMI Event Log Event Consumer DSC resource
If you have not seen the earlier articles in this series, I have written about:
- DSC resource for managing WMI permanent event filters, consumers, and bindings
- Troubleshooting WMI standard event consumer issues
- Using the WMI Commandline Event Consumer DSC resource
- Using WMI Active Script Event Consumer DSC Resource
- Using WMI Log File Event Consumer DSC resource
In today’s article, I will show you how the WMI Event Log Event Consumer DSC resource is used, and then show a complete configuration script that uses this resource to write an entry in the application event log every time a removable device is inserted into the system.
Creating WMI NT Event Log Event Consumer
The WMI Event Log Consumer DSC resource has only two mandatory properties. The Name property uniquely identifies the consumer instance, and the EventID property is the numerical ID assigned to identify the event log entry. However, it does not make sense to log an event entry without the message text, event source, and so on. The other properties of this DSC resource provide a way to specify these.
Let us see the configuration script that shows an example of using this DSC resource.
cWMIEventLogConsumer UFDEventLog {
    Name = 'UFDEventLog'
    EventID = 10011
    Category = 0
    EventType = 'information'
    SourceName = 'WMI'
    InsertionStringTemplates = 'A new UFD drive with volume name Backup is found'
    Ensure = 'Present'
}
In this example, we are writing a log entry with an event message text indicating that a new UFD device with volume name “Backup” is attached to the system. The InsertionStringTemplates property is used to specify the message text in the event log entry. This property takes an array of strings. The number of array elements is controlled by the NumberOfInsertionStrings property. By default, this is set to 1 and therefore not shown in the above configuration script.
The following complete configuration script shows the event filter, consumer, and the binding that writes an event log entry in response to a Win32_VolumeChangeEvent.
Configuration BackuptoUFD {
    Import-DscResource -Module cWMIPermanentEvents

    # Event filter: fires when a volume labeled 'Backup' appears (polled every 2 seconds)
    cWMIEventFilter UFDDetection {
        Name = 'UFDFilter'
        Query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE
                 TargetInstance ISA 'Win32_Volume' AND
                 TargetInstance.Label='Backup'"
        EventNamespace = 'root\cimv2'
        Ensure = 'Present'
    }

    # Event log consumer: writes event ID 10011 with the given message text
    cWMIEventLogConsumer UFDEventLog {
        Name = 'UFDEventLog'
        EventID = 10011
        Category = 0
        EventType = 'information'
        SourceName = 'WMI'
        InsertionStringTemplates = 'A new UFD drive with volume name Backup is found'
        Ensure = 'Present'
    }

    # Binding: ties the filter to the consumer
    cWMIEventBinding UFDCommandLineBinding {
        Filter = 'UFDFilter'
        Consumer = 'UFDEventLog'
        ConsumerType = 'EventLog'
        # DependsOn must use the resource type names exactly as declared above
        DependsOn = '[cWMIEventFilter]UFDDetection','[cWMIEventLogConsumer]UFDEventLog'
        Ensure = 'Present'
    }
}

# Compile the configuration into a MOF document
BackuptoUFD
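Once the configuration has been applied, the three WMI instances it declares can be checked directly, and the same query doubles as an inventory of every permanent subscription on the machine. The script below is an added example, not part of the original article or the cWMIPermanentEvents module; it assumes the resources register their instances in the root\subscription namespace and reuses the names and event ID from the configuration above.

```powershell
# Names and event ID taken from the configuration above.
$filterName   = 'UFDFilter'
$consumerName = 'UFDEventLog'
$eventId      = 10011
$ns           = 'root\subscription'   # assumption: namespace the DSC resources write to

# 1. The event filter and the WQL query it carries.
$filter = Get-CimInstance -Namespace $ns -ClassName __EventFilter `
    -Filter "Name='$filterName'"

# 2. The NT event log consumer instance.
$consumer = Get-CimInstance -Namespace $ns -ClassName NTEventLogEventConsumer `
    -Filter "Name='$consumerName'"

# 3. The binding that links exactly this filter to exactly this consumer.
$allBindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
$binding = $allBindings | Where-Object {
    $_.Filter.Name -eq $filterName -and $_.Consumer.Name -eq $consumerName
}

# Summary of what was found; a missing instance shows up as False / empty.
[pscustomobject]@{
    FilterPresent   = [bool]$filter
    Query           = $filter.Query
    EventNamespace  = $filter.EventNamespace
    ConsumerPresent = [bool]$consumer
    ConsumerEventID = $consumer.EventID
    SourceName      = $consumer.SourceName
    BindingPresent  = [bool]$binding
} | Format-List

# 4. Every binding in the namespace, so anything not declared in DSC stands out.
$allBindings | Select-Object `
    @{ n = 'Filter';        e = { $_.Filter.Name } },
    @{ n = 'ConsumerClass'; e = { $_.Consumer.CimSystemProperties.ClassName } },
    @{ n = 'Consumer';      e = { $_.Consumer.Name } }

# 5. After a volume labeled 'Backup' is attached, look for the logged entries.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $eventId } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object ProviderName -eq 'WMI' |
    Select-Object TimeCreated, Id, ProviderName, Message
```

Run it from an elevated PowerShell session on the target node.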
This completes the overview of using the WMI Event Log consumer DSC resource. In the next article in this series, we will look at the final WMI SMTP standard consumer for sending emails in response to an event.