EVENTCREATE Syntax clarification

Shane King 71 Reputation points
2021-04-21T01:46:46.177+00:00

I am trying to write some dummy events to the Windows Server Backup event log with the util EVENTCREATE.

In particular I am trying to write some dummy events to Applications and Services/Microsoft/Windows/Backup-Operational

I've tried different syntaxes, some say it worked ok but nothing is created. I can create them in the Application and System logs.

Some syntaxes tried

C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L SYSTEM
SUCCESS: An event of type 'Error' was created with 'SYSTEM' as the log.
C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L Microsoft-Windows-Backup/Operational
SUCCESS: An event of type 'Error' was created with 'Microsoft-Windows-Backup/Operational' as the log.
C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L Microsoft-Windows-Backup
ERROR: 'Microsoft-Windows-Backup' log does not exist. Cannot create the event.
C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L SYSTEM /S Backup
ERROR: The network path was not found.
C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L SYSTEM /so Backup
SUCCESS: An event of type 'Error' was created in the 'SYSTEM' log with 'Backup' as the source.
C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L Microsoft-Windows-Backup /so Backup
ERROR: 'Microsoft-Windows-Backup' log does not exist. Cannot create the event.


4 answers

  1. Anonymous
    2021-04-22T06:58:16.963+00:00

    Hello @Shane King ,

    Thank you for your patience.

    I carefully reviewed the eventcreate command usage syntax based on the following link.

    eventcreate
    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/eventcreate

    /l {APPLICATION | SYSTEM} Specifies the name of the event log where the event will be created. The valid log names are APPLICATION or SYSTEM.


    Based on the description "I've tried different syntaxes, some say it worked ok but nothing is created. I can create them in the Application and System logs", it should be right.

    For the first command:
    C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L SYSTEM
    SUCCESS: An event of type 'Error' was created with 'SYSTEM' as the log.

    I find the first command you have run is correct and successful.

    For the second command:
    C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L Microsoft-Windows-Backup/Operational
    SUCCESS: An event of type 'Error' was created with 'Microsoft-Windows-Backup/Operational' as the log.

    Microsoft-Windows-Backup/Operational is not one of the valid log names, such as APPLICATION or SYSTEM.

    For the fifth command:
    C:\Windows\system32>eventcreate /id 5 /d TEST /T Error /L SYSTEM /so Backup
    SUCCESS: An event of type 'Error' was created in the 'SYSTEM' log with 'Backup' as the source.

    /so <srcname> Specifies the source to use for the event. A valid source can be any string and should represent the application or component that is generating the event.

    Though "Backup" is "any string", it may not represent the application or component that is generating the event.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Shane King 71 Reputation points
    2021-04-22T22:39:05.267+00:00

    Thanks Daisy for your effort. How do I get one to appear in the Backup/Operational log?


  3. Shane King 71 Reputation points
    2021-04-26T21:55:56.167+00:00

    Can you ask someone at MSFT HQ?


  4. MotoX80 36,291 Reputation points
    2021-04-27T13:48:18.567+00:00

    Here's what I've found. Eventcreate uses the "old" eventlog API. You have to use the "new" API to write to the Applications and Services logs.

    You can write events with PowerShell (via .NET class).

    Write-EventLog - old API (same as eventcreate)
    New-WinEvent - new API

    This user was able to get it to work.

    https://stackoverflow.com/questions/54933459/how-to-write-a-custom-event-log-by-an-already-existing-provider-with-powershell

    I've been trying to write events but I am not having any luck. My conclusion is that the "new" event logging mechanism was not designed to allow users to write their own events. You can't just create an event with some arbitrary text; the payload must exactly match the event definition. (I do not profess to be an expert on this new API.)

    Why do you want to write to the Backup log? Can't you just write your event to the "old" Application log?

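Added example, not posted by anyone in the thread: the last answer says the payload must exactly match the event definition, so this PowerShell sketch first reads the provider's manifest to see which event IDs are routed to the Backup Operational channel and which fields each one declares, then refuses to call New-WinEvent unless the payload has the same number of fields. The function names are hypothetical, the provider name is assumed from the channel name in the question, and the thread does not confirm that this provider accepts such writes.

```powershell
# Added example; run in an elevated PowerShell session on Windows.
$Provider = 'Microsoft-Windows-Backup'               # assumed from the channel name
$Channel  = 'Microsoft-Windows-Backup/Operational'   # channel named in the question

# Hypothetical helper: list the events the provider's manifest routes to a
# channel, with the names of the <data> fields each event template declares.
function Get-ChannelEventDefinition {
    param([string]$ProviderName, [string]$LogName)
    $meta = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
    foreach ($ev in $meta.Events) {
        if ($ev.LogLink.LogName -ne $LogName) { continue }
        $fields = @()
        if ($ev.Template) {
            # Templates are namespaced XML, so match on the local element name.
            $nodes  = ([xml]$ev.Template).SelectNodes("//*[local-name()='data']")
            $fields = @($nodes | ForEach-Object { $_.GetAttribute('name') })
        }
        [pscustomobject]@{
            Id         = $ev.Id
            Version    = $ev.Version
            Level      = $ev.Level.DisplayName
            FieldCount = $fields.Count
            Fields     = $fields -join ', '
        }
    }
}

# Hypothetical helper: write one test event through the "new" API, but only
# when the payload has as many values as the event definition has fields.
function Write-ChannelTestEvent {
    param([string]$ProviderName, [string]$LogName, [int]$Id, [object[]]$Payload = @())
    $def = Get-ChannelEventDefinition $ProviderName $LogName |
        Where-Object Id -eq $Id | Select-Object -First 1
    if (-not $def) { throw "Event $Id is not defined for channel $LogName" }
    if ($Payload.Count -ne $def.FieldCount) {
        throw "Event $Id expects $($def.FieldCount) field(s): $($def.Fields)"
    }
    $splat = @{ ProviderName = $ProviderName; Id = $Id; Version = $def.Version }
    if ($Payload.Count -gt 0) { $splat.Payload = $Payload }
    New-WinEvent @splat
    Get-WinEvent -LogName $LogName -MaxEvents 1   # show the newest entry in the channel
}

# Inspect the definitions first, then pick an Id and matching payload values.
Get-ChannelEventDefinition $Provider $Channel | Format-Table -AutoSize
```

Field types still have to match what the template declares; the count check only catches the most common mismatch before New-WinEvent is called.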
