Using WMI Event Log Event Consumer DSC resource

If you have not seen the earlier articles in this series, I had written about:

In today’s article, I will show you how the WMI Event Log Event Consumer DSC resource can be used. I will show you how this specific DSC resource is used and then show you a complete configuration script using this resource to write an entry in the application event log every time a removable device is inserted into the system.

Creating WMI NT Event Log Event Consumer

The WMI Event Log Consumer DSC resource has only two mandatory properties. The Name property uniquely identifies the consumer instance and the EventID is the numerical ID assigned to identify the event log entry. However, it does not make sense to log an event entry without the message text and event source and so on. The other properties of this DSC resource provide a way to specify this.

Let us see the configuration script that shows an example of using this DSC resource.

cWMIEventLogConsumer UFDEventLog {
   Name = 'UFDEventLog'
   EventID = 10011
   Category = 0
   EventType = 'information'
   SourceName = 'WMI'
   InsertionStringTemplates = 'A new UFD drive with volume name Backup is found'
   Ensure = 'Present'
}

In this example, we are writing a log entry with an event message text indicating that a new UFD device with volume name “Backup” is attached to the system. The InsertionStringTemplates property is used to specify the message text in the event log entry. This property takes an array of strings. The number of array elements is controlled by the NumberOfInsertionStrings property. By default, this is set to 1 and therefore not shown in the above configuration script. The following complete configuration script shows the event filter, consumer, and the binding that writes an event log entry in response to a Win32_VolumeChangeEvent.

Configuration BackuptoUFD {
    Import-DscResource -Module cWMIPermanentEvents
    cWMIEventFilter UFDDetection {
       Name = 'UFDFilter'
       Query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE
       TargetInstance ISA 'Win32_Volume' AND
       TargetInstance.Label='Backup'"
       EventNamespace = 'root\cimv2'
       Ensure = 'Present'
    }

    cWMIEventLogConsumer UFDEventLog {
       Name = 'UFDEventLog'
       EventID = 10011
       Category = 0
       EventType = 'information'
       SourceName = 'WMI'
       InsertionStringTemplates = 'A new UFD drive with volume name Backup is found'
       Ensure = 'Present'
    }

    cWMIEventBinding UFDCommandLineBinding {
       Filter = 'UFDFilter'
       Consumer = 'UFDEventLog'
       ConsumerType = 'EventLog'
       DependsOn = '[WMIEventFilter]UFDDetection','[WMIEventLogConsumer]UFDEventLog'
       Ensure = 'Present'
    }
}

BackuptoUFD

This completes the overview of using WMI Event Log consumer DSC resource. In the next article in this series, we will look at the final WMI SMTP standard consumer for sending emails in response to an event.

Share on:
comments powered by Disqus